{"id":87426,"date":"2019-01-24T17:24:00","date_gmt":"2019-01-24T11:54:00","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87426"},"modified":"2023-09-25T16:01:28","modified_gmt":"2023-09-25T10:31:28","slug":"gandcrab-ransomware-along-monero-miner-spammer","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/gandcrab-ransomware-along-monero-miner-spammer\/","title":{"rendered":"GandCrab Ransomware along with Monero Miner and Spammer"},"content":{"rendered":"

Recently we saw a new campaign through spam mail attachment- zip file. It contains JavaScript file which delivers a bundle of GandCrab Ransomware, Monero miner and Spammer. This bundle of multiple malware variants is nothing new, it is common for ransomware to be paired with miner and spammer. This type of attacks helps hackers increase their chances of profit. In case the victim does not pay the ransom, then hackers use Monero miner and spammer, ultimately attacker’s intention is to get control over the victim’s system and get the ransom.<\/p>\n

\"Fig.1
Fig.1 Attack chain<\/figcaption><\/figure>\n

Spam mail is the infection source of this campaign; attackers use such a type of subject name so that victim is convinced to open the mail and then the attachment. Subject name is such as \u201cGreeting Card\u201d, \u201c<\/i><\/em>My letter just for you\u201d,\u201d Always thinking about you\u201d,\u201d This is my love letter to you\u201d,\u201d Just for you!\u201d,\u201d Wrote my thoughts down about you\u201d,\u201d I love you\u201d,\u201d Felt in love with you!\u201d.<\/i><\/em><\/p>\n

JavaScript is highly obfuscated with base64 encode and URL encode. It uses bitsadmin.exe and PowerShell.exe to download artifacts from Hosted malware domain.<\/p>\n

\"Fig.2
Fig.2 Deobfuscated JavaScript<\/figcaption><\/figure>\n

The initial payload downloaded is just a downloader file which creates its self-copy, terminates itself and runs from a new location. This file downloads three new components containing Mail Spammer, Monero miner and GandCrab Ransomware.<\/p>\n

\"Fig.3
Fig.3 Process Tree.<\/figcaption><\/figure>\n

Spammer <\/b><\/strong><\/p>\n

1st\u00a0<\/b><\/strong>stage malware is a mail spammer whose task is to send mails to different emails. It downloads and sends JavaScript (initial vector) as an attachment and sends it from different email ids. It performs a dictionary attack on those email ids which are already stored in a binary file and there is also a list of subject names which it picks up from the list and having common mail body used to create mail. Email id is created in such a way that it chooses a name from the list and appends a digit or character to it.<\/p>\n

Following are the figures which show a list of subject names and user email names.<\/p>\n

\"Fig.4
Fig.4 Subject name list<\/figcaption><\/figure>\n
\"Fig.5
Fig.5 User name list<\/figcaption><\/figure>\n

Binary then try to connect with hxxp:\/\/icanhazip.com\u00a0<\/b><\/strong>this site is not malicious\u00a0<\/b><\/strong>this website it just tells your public facing IP in the response.<\/p>\n

Added persist entry in \u201cHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d<\/p>\n

Spammer gets the mail id list from its CnC server and uses this to send multiple spam mails to spread attachment, containing the same JavaScript file. A list has around 20000 mail ids. On every execution, it gets new mail id list from the server.<\/p>\n

\"Fig.6
Fig.6 Getting Mailing list from CnC Server<\/figcaption><\/figure>\n

ESMTP is user configurable relay-only Mail Transfer Agent (MTA) with send-mail compatibility. MTA is used to transfer electronic mail messages from one computer to another using SMTP. \u00a0Users in SMTP are not verified when a connection is established, \u00a0meaning the email doesn\u2019t have to trustworthy, which is the advantage of SMTP. Open SMTP relays are often used to send high volume\u00a0spam campaigns.<\/p>\n

Here in this packet, we can see how server-client communication happens.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Server: \u201c220 smtp.example.com ESMTP Postfix\u201d is established.<\/td>\n(Then client server communication happens.)<\/td>\n<\/tr>\n
Client: HELO [relay.example.com]<\/td>\n(SMTP client logs on with its hostname)<\/td>\n<\/tr>\n
Server: \u00a0250 smtp.example.com hello[hostname], pleased to meet you<\/td>\n(Server confirms login)<\/td>\n<\/tr>\n
Client: MAIL FROM:<Name@randomNumber.com><\/td>\n(Client specifies the sender address)<\/td>\n<\/tr>\n
Server: 250 Sender ok<\/td>\n(Server confirms)<\/td>\n<\/tr>\n
Client: RPCT TO:<receiver@mail.com><\/td>\n(Client specifies the sender address)<\/td>\n<\/tr>\n
Server: 250 Recipient ok<\/td>\n(Server confirm)<\/td>\n<\/tr>\n
Client: DATA<\/td>\n(Client initiates the transmission of the email)<\/td>\n<\/tr>\n
Server: 354 End data with<CR><LF>. <CR><LF><\/td>\n(The server begins the reception and indicates<\/p>\n

that e-mail text should be closed with a dot (\u201c.\u201d))<\/td>\n<\/tr>\n

Client: FROM:<Name@randomNumber.com<\/a>><\/p>\n

TO<receiver@mail.com<\/a>><\/p>\n

Date: Day Month Year, Time<\/p>\n

Subject:<\/p>\n

Message body<\/td>\n

(The client transmits email txt with \u201csubject name\u201d and ends with desired dot)<\/td>\n<\/tr>\n
Server: OK<\/td>\n(The server confirms it has successfully received the email)<\/td>\n<\/tr>\n
Client: QUIT<\/td>\n(The client signals end of session)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

For more details about SMTP refer here<\/u><\/a>.<\/p>\n

Here is the mail sent using SMTP<\/p>\n

\"Fig.7
Fig.7 Sending Spam mail using SMTP<\/figcaption><\/figure>\n

Miner<\/b><\/strong><\/p>\n

The 2nd<\/sup>\u00a0stage payload is Monero(XMRig) miner. The cryptonight algorithm is used by Monero miner. When miner gets executed, it creates one folder with hidden attributes and drops its self-copy with a configuration file in JSON format which is already encoded by base64. It also drops VBS file which starts lookup to a compromised server and downloads new variants. This script gets deleted after execution.<\/p>\n

\"Fig.8
Fig.8 Drops files<\/figcaption><\/figure>\n

To stay in the machine, it drops internet shortcut file in the startup folder which has codes to call self-copy of malware.<\/p>\n

\"Fig.9
Fig.9 Shortcut file<\/figcaption><\/figure>\n

Following is the screenshot of a decoded configuration file.<\/p>\n

 <\/p>\n

\"Fig.10
Fig.10 Miner JSON.<\/figcaption><\/figure>\n
\"Fig.11
Fig.11 AV-List in Miner<\/figcaption><\/figure>\n

This miner also searches for some Anti-Virus processes but there is a flaw in the code of the miner that if it finds any AV process then it doesn\u2019t do any activity loop. It continues to search for the next process.<\/p>\n

This miner process doesn\u2019t do any malicious activity related to a miner, it hollows its code to wupp.exe (for 32-bit OS) or notepad.exe (for 64-bit OS) process and that performs further mining activity using the configuration file.<\/p>\n

\"Fig
Fig 12. Injected code in wupp.exe<\/figcaption><\/figure>\n

There is another loop in this miner which continuously runs and checks if taskmgr.exe is running or not. If found, then it terminates the wupp.exe\/notepad.exe process. If the taskmgr.exe process gets killed then it again hollows its code and starts mining.<\/p>\n

\"Fig.13
Fig.13 Check for taskmgr.exe<\/figcaption><\/figure>\n

Following image shows how miner hides itself from the task manager.<\/p>\n

\"Fig.14<\/a>
Fig.14 Hide from task manager<\/figcaption><\/figure>\n

The following traffic shows the XMRig Monero mining activity.<\/p>\n

\"Fig.15
Fig.15 XMRig traffic<\/figcaption><\/figure>\n

GandCrab Ransomware<\/b><\/strong><\/p>\n

The 3rd<\/sup>\u00a0stage payload downloaded on the system contains GandCrab Ransomware. After execution, this file checks for Russian keyboard layout using RegKey entry, if found, then the process gets terminated.<\/p>\n

\"Fig.15
Fig.15 Fetch RegKey<\/figcaption><\/figure>\n
\"
Fig.16 Compare value<\/figcaption><\/figure>\n

Ransomware also searches if the Anti-Virus is running or not.<\/p>\n

We have already published blog<\/u><\/a>\u00a0post\u00a0related to GandCrab Ransomware. We found the same behavior as discussed in the previous blog.<\/p>\n

Ransom-note is shown in the following image.<\/p>\n

\"Fig17.
Fig17. GandCrab Encrypted file note<\/figcaption><\/figure>\n

Quick Heal Detection<\/b><\/strong><\/p>\n

Quick Heal successfully detected such campaigns with various detection levels.<\/p>\n

IOC’s<\/strong><\/p>\n

a14a3a3036a1706408443e28399a15c1
\n916cdbc267ca752999365467c05d573b
\neb30145e2cb82687f8dac728be1e4b91
\ne0e5164cf5b19d56f33520cd44875c95<\/p>\n

Conclusion<\/b><\/strong><\/p>\n

JavaScript is already used to deliver different malware as the initial attack vector in spam mail campaigns. \u201cLOVE YOU\u201d tag is used to catch the user\u2019s attention and prompt him to open the attachment which invariably infects the machine. So beware of such kind of spam emails and attachments.<\/p>\n

Subject Matter Expert:<\/b><\/strong><\/p>\n

Prashant Tilekar, Aniruddha Dolas\u00a0| Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently we saw a new campaign through spam mail attachment- zip file. It contains JavaScript file which delivers a bundle of GandCrab Ransomware, Monero miner and Spammer. This bundle of multiple malware variants is nothing new, it is common for ransomware to be paired with miner and spammer. This type of attacks helps hackers increase […]<\/p>\n","protected":false},"author":54,"featured_media":87472,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1613,164,21,133,24,910,293],"tags":[],"class_list":["post-87426","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptojacking","category-cyber-crime","category-email","category-hacker","category-malware","category-ransomware","category-spam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87426"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87426"}],"version-history":[{"count":19,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87426\/revisions"}],"predecessor-version":[{"id":92088,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87426\/revisions\/92088"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87472"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}