{"id":87490,"date":"2019-01-29T11:39:49","date_gmt":"2019-01-29T06:09:49","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87490"},"modified":"2023-09-25T15:44:55","modified_gmt":"2023-09-25T10:14:55","slug":"anatova","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/anatova\/","title":{"rendered":"Anatova, A modular ransomware"},"content":{"rendered":"

While everyone was engaged in new year celebrations, malware authors were busy creating new ransomware for 2019. Quick Heal Security Labs has observed the first ransomware of 2019 — Anatova.<\/p>\n

During our analysis, we found that Anatova is not just ransomware but a modular one. By modular ransomware we mean, though the main activity of this ransomware will be encrypting the data, it can also be used to infect user\u2019s PC in many ways as it has that provision as well.<\/p>\n

Anatova has a different algorithm and execution techniques. That tells us, Anatova Malware authors are skilled and might have already set plans to infect more in future using modular techniques.<\/p>\n

As this malware is coded with high intelligence and found to be destructive, we decided to come up with a detailed analysis report and its prevention techniques.<\/p>\n

Quick Heal Security Lab Analysis<\/strong><\/p>\n

Unlike other ransomware, Anatova encrypts the files but doesn\u2019t add any extension to the encrypted files. It encrypts all the files except from the folders which are present at the important location of the system such as \u2018windows\u2019, \u2018program files\u2019, \u2018program files(x86)\u2019,\u2019boot\u2019 etc.<\/p>\n

Further, while traversing directories to encrypt files, it skips few files of windows and those are desktop.ini, boot init, pagefile.sys etc. It also skips few of the extensions i.e. .exe, .cmd, ini & .dll etc.<\/p>\n

Smartly, this ransomware encrypts files whose size is =<1MB, and if the size is more than 1 MB then it will only encrypt the data of 1 MB from that file, we suspect that it does it to take lesser time for encryption and to avoid the detection from the security software.<\/p>\n

After encryption, Anatova demands ransom payment in cryptocurrency<\/a> of 10 DASH which calculates to somewhere around $700 USD.<\/p>\n

Anatova lures users into downloading the ransomware with its game like icon. The hashes we analyzed were 64bit applications build in January 2019 and requires administrative privileges as shown in the below snippet.<\/p>\n

\"\"<\/p>\n

Fig 1: Require Administrative Privileges<\/em><\/p>\n

Though the samples had different sizes, the main payload had 307 KB size which included resources (a game like icons). Researchers also found an uncommon behavior during analysis which is, malware already had created set of arrays which holds mostly used functions of windows library in encrypted format, as and when required, it uses decryption loop that allocates runtime memory to decrypt the encrypted strings, gain the function name, get the address of decrypted string using \u201cGetProcAddress\u201d function and release the memory once the process is completed, initially, it decrypts kernel32.dll library and its functions.<\/p>\n

This behavior pattern wasn\u2019t observed in any other ransomware.<\/p>\n

The decryption loop has been explained in the following snippet<\/p>\n

\"\"<\/p>\n

Fig 2: Decryption loop<\/p>\n

Once the ransomware enters the system, it uses anti-analysis technique for this it\u2019ll firstly gain system information, gets user name using \u2018GetUserName<\/strong>\u2019 API, it compares the username with the stored blacklisted usernames, for which it decrypts the blacklisted usernames using decryption loop as mentioned earlier. If it finds the matching usernames, ransomware will move for cleanup and exit the process without performing any activity. Hard-coded user names are as follows: –<\/p>\n\n\n\n\n\n\n\n
LaVirulera<\/td>\n<\/td>\n<\/tr>\n
tester<\/td>\nTester<\/td>\n<\/tr>\n
analyst<\/td>\nAnalyst<\/td>\n<\/tr>\n
lab<\/td>\nLab<\/td>\n<\/tr>\n
malware<\/td>\nMalware<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Hardcoded part is shown below in snippet<\/strong><\/p>\n

\"\"<\/p>\n

Fig 3: Hardcoded User Names<\/em><\/p>\n

The thing to note is, upon entering into user\u2019s PC, it generates constant mutex which tells that the system is already infected with Anatova or not. Ransomware has a code to verify constant mutex using \u201cGetLastError\u201d function, which returns error code \u20180xB7\u2019 indicating \u2018Error_Already_Exits\u2019 which means that same mutex has already created before and the process should be terminated as shown in the below snippet.<\/p>\n

\"\"<\/p>\n

Fig 4: \u00a0Mutex check.<\/em><\/p>\n

Anatova uses \u201cGetSystemDefaultUILangauge<\/strong>\u201d api to gain the system\u2019s default language which is set at the time of first installation of Operating System, depending on the default language it decides whether to perform the activity or not as it has skipped few countries where it\u2019ll not do any harm. The snippet below shows the code part<\/p>\n

\"\"<\/p>\n

Fig 5: Gets Default Language.<\/em><\/p>\n

Moreover, it has a check to verify 38 processes and if found, ransomware terminates them to encrypt the files associated with them.<\/p>\n

The processes are as shown below<\/p>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
msftesql.exe<\/td>\nagntsvc.exeisqlplussvc.exe<\/td>\nocomm.exe<\/td>\nonenote.exe<\/td>\n<\/tr>\n
sqlagent.exe<\/td>\nxfssvccon.exe<\/td>\nmysqld.exe<\/td>\noutlook.exe<\/td>\n<\/tr>\n
sqlbrowser.exe<\/td>\nmydesktopservice.exe<\/td>\nmysqld-nt.exe<\/td>\npowerpnt.exxe<\/td>\n<\/tr>\n
sqlwriter.exe<\/td>\nocautoupds.exe<\/td>\nmysqld-opt.exe<\/td>\nsteam.exe<\/td>\n<\/tr>\n
sqlservr.exe<\/td>\nagntsvc.exeagntsvc.exe<\/td>\ndbeng50.exe<\/td>\nthebat.exe<\/td>\n<\/tr>\n
ocssd.exe<\/td>\nagntsvc.exeencsvc.exe<\/td>\nsqbcoreservice.exe<\/td>\nthebat64.exe<\/td>\n<\/tr>\n
oracle.exe<\/td>\nfirefoxconfig.exe<\/td>\nexcel.exe<\/td>\nthunderbird.exe<\/td>\n<\/tr>\n
dbsnmp.exe<\/td>\ntbirdconfig.exe<\/td>\ninfopath.exe<\/td>\nvisio.exe<\/td>\n<\/tr>\n
synctime.exe<\/td>\nmydesktopqos.exe<\/td>\nmsaccess.exe<\/td>\n<\/td>\n<\/tr>\n
winword.exe<\/td>\nwordpad.exe<\/td>\nmspub.exe<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

How Encryption takes place?<\/strong><\/p>\n

After all, checks are satisfied, Anatova finally does the encryption activity using a combination of RSA and Salsa 20 Algorithm. To save the hassle and not to encrypt the same file again, it adds a marker of the encrypted content of 4 bytes at the end of the file (Refer fig.no 7 & 8). While traversing each file for encryption it first checks the 4 bytes at the end of the file so the same file doesn\u2019t get encrypted again and in turn saves time.<\/p>\n

Anatova has used cryptencrypt\u00a0API to encrypt the files as shown below<\/p>\n

\"\"<\/p>\n

Fig 6: API used for encryption.<\/p>\n

Code part for the same is shown in below snippet: –<\/p>\n

\"\"<\/p>\n

Fig 7: Encryption for marker<\/p>\n

\"\"<\/p>\n

Fig 8: Highlighted Encrypted String and hex address<\/em><\/p>\n

Anatova not only encrypts system drives but also checks remote location to encrypt. It checks for all instances, DRIVE_FIXED to check the local drives and DRIVE_REMOTE to verify remote(network) location.<\/p>\n

\"\"<\/p>\n

Fig 9: Check Drive Type<\/em><\/p>\n

In the end, Anatova deletes windows shadow copies using the vssadmin program as shown in below snippet<\/p>\n

\"\"<\/p>\n

Fig 10: VSSAdmin command<\/i><\/p>\n

After encryption and deleting the shadow copies, ransomware deletes itself as shown below.<\/p>\n

\"\"<\/p>\n

Fig 11: Self-deletion<\/i><\/p>\n

After encryption, it drops ransom note mentioning the email-ids and ransom to pay.<\/p>\n

\"\"<\/p>\n

Fig.12: Ransom note<\/p>\n

Good news, Quick Heal users are safe.<\/strong><\/p>\n

Quick Heal successfully blocks Anatova ransomware with the following protection layers:<\/p>\n

    \n
  • Virus Protection<\/li>\n
  • Behavior-based Detection<\/li>\n
  • Anti-Ransomware<\/li>\n<\/ul>\n

    \"\"<\/p>\n

    Fig 13: Quick Heal Virus Protection<\/em><\/p>\n

    \"\"<\/p>\n

    Fig 14: Anti-ransomware Protection<\/em><\/p>\n

    \"\"<\/p>\n

    Fig 15: Behavior detection Protection<\/em><\/p>\n

    How to stay safe from ransomware attacks:<\/strong><\/p>\n

      \n
    • Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.<\/li>\n
    • Do not install any freeware or cracked versions of any software.<\/li>\n
    • Do not open any advertisement pages shown on websites without knowing that they are genuine.<\/li>\n
    • Disable macros while using MS Office.<\/li>\n
    • Update your antivirus to protect your system from unknown threats.<\/li>\n
    • Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.<\/li>\n<\/ul>\n

      Indicators of compromise:<\/strong><\/p>\n

      \u00a0<\/strong>SHA\u2019s: –<\/strong><\/p>\n

        \n
      • 170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0<\/li>\n
      • 75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820<\/li>\n
      • 97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93<\/li>\n
      • ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69<\/li>\n
      • bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce<\/li>\n<\/ul>\n

        Ransomnote.txt as shown in fig. 12<\/strong><\/p>\n

         <\/p>\n

        Subject Matter Experts:<\/strong><\/p>\n

        Poonam Dongare , Nagesh Lathkar | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

        While everyone was engaged in new year celebrations, malware authors were busy creating new ransomware for 2019. Quick Heal Security Labs has observed the first ransomware of 2019 — Anatova. During our analysis, we found that Anatova is not just ransomware but a modular one. By modular ransomware we mean, though the main activity of […]<\/p>\n","protected":false},"author":39,"featured_media":87511,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,133,24,303,910,5],"tags":[163,22,50,47],"class_list":["post-87490","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email","category-hacker","category-malware","category-phishing","category-ransomware","category-security","tag-cyber-crime","tag-email-malware","tag-ransomware","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87490"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87490"}],"version-history":[{"count":15,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87490\/revisions"}],"predecessor-version":[{"id":92085,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87490\/revisions\/92085"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87511"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}