{"id":84677,"date":"2017-08-11T12:04:51","date_gmt":"2017-08-11T06:34:51","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84677"},"modified":"2017-08-11T12:24:19","modified_gmt":"2017-08-11T06:54:19","slug":"technical-analysis-globeimposter-ransomware-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/technical-analysis-globeimposter-ransomware-quick-heal-security-labs\/","title":{"rendered":"An analysis of GlobeImposter Ransomware by Quick Heal Security Labs"},"content":{"rendered":"

GlobeImposter Ransomware<\/strong> has been increasingly active and observed recently to be appending different suffixes to files it encrypt. A few patterns observed are using 3 random numbers such as \u201c.492, .490, .725, .726, and .707\u201d, random alphanumeric words such as \u201c.p1crypt, .A1crypt, .BRT92, and .mtk118\u201d and suffixes like \u201c.OCEAN, .SEA, .ROSE, .ASTRA, and .DECODED\u201d.<\/p>\n

Earlier, GlobeImposter Ransomware used to employee RDP (Remote Desktop Connection) hack only, but for the last couple of weeks, we have been observing it to be using malspam campaigns.<\/p>\n

Most script files observed in previous malspam campaigns used multiple URLs as backup to download the payload through Windows Script Host (WSH) and\/or use of Powershell for evasion. The GlobeImposter propagation has been largely through Blank the Slate Malspam Campaign mostly featuring JS\/VBS script files.<\/p>\n

Read more on Blank Slate Malspam Campaign<\/a><\/p>\n

We have observed several domains being used for delivering the malicious payload through the script files received by Quick Heal Security Labs. The payload on the malicious domains has been observed to vary and also seems to encrypt files with different suffixes. The domains observed in the script files are either compromised or are newly registered for malicious purposes.<\/p>\n

We have debugged heavily obfuscated malicious JS files for understanding the malicious code which is being used for the payload delivery. Below is one of the script files \u201c31408.js\u201d<\/strong> received from the malspam campaign for our analysis.<\/p>\n

\"Fig
Fig 1. Obfuscated JavaScript File<\/figcaption><\/figure>\n

Interestingly, the script had a fail-safe – an \u201cException Handler\u201d. The script file initially used Windows Script Host to deliver the payload, however, in case if there was an exception due to uncertain reasons it will invoke the exception handler which executes PowerShell to deliver the ransomware payload.<\/p>\n

\"Fig
Fig 2. De-obfuscated JavaScript Code<\/figcaption><\/figure>\n

The de-obfuscated code has a domain (marked in red as seen in figure 2) which is the same for both the main codes which used HTTP Get Request and the exception code which delivered the payload by PowerShell. Quick Heal Browsing Protection<\/strong> blocks the malicious URL and prevents the download of the payload.<\/p>\n

\"globeimposter-ransomware3\"<\/p>\n

The code for the WSH downloaded the payload to,<\/p>\n

C:\\Users\\<user>\\AppData\\Roaming Microsoft\\Windows\\Templates\\{6_RandomNumbers}.exe, <\/strong>while in case the script file hits an exception the payload is downloaded to,<\/p>\n

C:\\Users\\<user>\\AppData\\Roamingrnd.exe<\/strong><\/p>\n

Furthermore, a minor mistake was observed in the PowerShell code. The code has a target download location \u2018%appdata%rnd.exe\u2019 <\/strong>which is supposed to be \u2018%appdata%\\rnd.exe\u2019. <\/strong>Thus, payload gets downloaded at \u201cC:\\Users\\<user>\\AppData\\Roamingrnd.exe<\/strong>\u201d instead of inside the Roaming Folder giving the payload its name as Roamingrnd.exe<\/strong> instead of rnd.exe.<\/strong><\/p>\n

When we executed the \u201c31408.js<\/strong>\u201d, the GlobeImposter payload was downloaded from \u201chxxp:\/\/foolerpolwer.info\/admin.php?f=3\u201d<\/strong>. <\/strong>In our test environment, the downloaded file name was 725947.exe. <\/strong>As seen from the image below, the script file put up an HTTP request to the malicious domain, which received a PE file<\/strong> (Executable) with the filename \u201c3\u201d.<\/strong> The file is further renamed and moved to the below location and the new file name is generated using Math.Random() function as seen in fig 2.<\/p>\n

\"Fig.
Fig 4. HTTP Request\/Response for Payload<\/figcaption><\/figure>\n

When the dropped payload is executed, it de-obfuscates the malicious code inside memory from its resource section and is responsible for carrying out the ransomware activity. It further creates a child process with \u201cCREATE_SUSPENDED\u201d flag, does memory code injection with de-obfuscated code using \u2018WriteProcessMemory\u2019 and resumes the thread\/process.<\/p>\n

\"Fig
Fig 5. Creation of child process with CREATE_SUSPENDED Flag.<\/figcaption><\/figure>\n

Before the encryption activity begins, the injected process executes a routine where it terminates the processes: outlook, ssms, postgre, 1c, SQL, excel, and word using taskkill.<\/p>\n

Terminating the above applications gives the payload access to more files as the files held by the processes are released.<\/p>\n

\"Fig.
Fig 6. De-Obfuscated PE File in Buffer address dump<\/figcaption><\/figure>\n

In order to explain the malware execution, we have put up a process tree for the GlobeImposter Ransomware payload after execution. As mentioned earlier, we can see that after the script downloads the payload which invokes a child process.<\/p>\n

\"Fig
Fig 7. GlobeImposter Execution Process Tree<\/figcaption><\/figure>\n

The child process also drops a batch file which is executed after the encryption activity is completed. The batch file observed in our test environment \u201c__t8D.tmp.bat\u201d <\/strong>is responsible for deleting Volume shadow copies, Remote Desktop information stored in system registries and the file present at %UserProfile%\\Documents\\Default.rdp. <\/strong>The batch file also removes all traces from the Event Viewer Logs using wevutil.exe.<\/strong><\/p>\n

\"Fig
Fig 8. Dropped Batch File<\/figcaption><\/figure>\n

Another change we observed in the GlobeImposter was the use of persistence. A registry was dropped in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce <\/strong>so that on restart, the payload is executed again.<\/p>\n

This seems very odd as the ransomware used wevutil.exe<\/strong> to remove traces from event logs and further had a self-delete routine after completing the execution and keep the RunOnce AutoStart persistence.<\/p>\n

\"Fig
Fig 9. Persistence Technique (Dropped Registry)<\/figcaption><\/figure>\n

The files encrypted were appended \u201c.492\u201d<\/strong> as a suffix to the original file name and extension, however, during later hours, we observed a different payload with similar activity appending \u201c.astra\u201d<\/strong> as a suffix. The ransom note still had the name \u201chere_your_files!.html<\/strong>\u201d in both the variants. The malicious payload also seems to have a valid Digital Signature which might also help the malware evade detection by a few security products.<\/p>\n

\"Fig
Fig 10. Digital Signature<\/figcaption><\/figure>\n

GlobeImposter seems to have evolved after it was previously observed only as an RDP Hack exclusive malware mainly because of its RAAS nature.<\/strong> Now the outbreak campaigns seem like it wants to be there with the other big ransomware such as Locky, Cerber, and Troldesh. Only time will tell if we could get our hands on with a decryptor as it has been the case with previous GlobeImposter variants.<\/p>\n

Quick Heal Detection \u00a0<\/strong><\/p>\n