{"id":87557,"date":"2019-02-15T15:33:57","date_gmt":"2019-02-15T10:03:57","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87557"},"modified":"2019-02-15T15:33:57","modified_gmt":"2019-02-15T10:03:57","slug":"gandcrab-riding-emotets-bus","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/gandcrab-riding-emotets-bus\/","title":{"rendered":"GandCrab Riding Emotet\u2019s Bus!"},"content":{"rendered":"

Emotet Known for constantly changing its payload and infection vectors like spam mail, Malicious Doc and even\u00a0Malicious JS files<\/a>. It compromised a very high number of websites on the internet. Emotet<\/a> malware campaign has existed since 2014. It comes frequently in intervals with different techniques and variants to deliver malware on a victim\u2019s machine. Most of the websites are genuine but somehow tricked into delivering Emotet. But this time, some of these websites were seen delivering GandCrab Ransomware V 5.1<\/strong> for some time.<\/p>\n

The payload was downloaded through a malicious doc on the victim\u2019s computer using VBA macro. The PowerShell script from macro connected to the compromised website and downloaded GandCrab Ransomware from the URL. It is observed that the same website was used in other malicious campaigns and served different purposes over time.<\/p>\n

Infection Vector:<\/strong><\/p>\n

\"\"
Fig. 1 Attack Chain<\/figcaption><\/figure>\n

Technical Analysis:<\/strong><\/p>\n

The Microsoft Office Doc file was named \u2018Urgent notice.doc\u2019 and had only text \u2018Urgent notice\u2019.<\/p>\n

\"\"
Fig. 2 Document File<\/figcaption><\/figure>\n

After opening the file, it asks to enable macros to perform downloading tasks.<\/p>\n

Macro:<\/strong><\/p>\n

The Malicious Macro contained 3 modules and one form. Form named \u2018f\u2019 contains the obfuscated PowerShell data and 3 modules having random names like cBbOFw, BJXTRQZOY, lC0gFL58m contain code to execute de-obfuscated PowerShell script.<\/p>\n

\"\"
Fig. 3 Modules and Form<\/figcaption><\/figure>\n

Form:<\/strong><\/p>\n

\"\"
Fig. 4 Obfuscated Macro<\/figcaption><\/figure>\n

This can be de-obfuscated by simply replacing \u20185820.5840869546\u2019 with null (i.e. removing ‘5820.5840869546’ from the string)<\/p>\n

Output:<\/strong><\/p>\n

\"\"
Fig. 5 De-obfuscated Macro<\/figcaption><\/figure>\n

This output is prepended by the first three characters \u2018P\u2019, \u2019o\u2019 and \u2018w\u2019 using variables at the start of it. Hence, this forms initial word PowerShell then used by function love () and is executed to download and launch the payload.<\/p>\n

\"\"
Fig. 6 PowerShell Execution<\/figcaption><\/figure>\n

After execution of this PowerShell script, putty.exe which is the GandCrab payload was downloaded to \u2018C: \\Windows\\Temp\u2019 directory of victim\u2019s machine and same was executed.<\/p>\n

\u00a0<\/strong>GandCrab<\/strong> Payload:<\/strong><\/p>\n

On execution, it encrypted all files and showed the GandCrab wallpaper. From ransom note, it is clear that the payload was of GandCrab V 5.1 ransomware.<\/p>\n

\"\"
Fig. 7 Ransom Note<\/figcaption><\/figure>\n

GandCrab finds AV processes on victim\u2019s computer, also it tries to kill other running processes like SQL database servers to ensure encryption of important files. GandCrab then encrypts all files with Salsa20 Encryption Algorithm and this Salsa20 key is encrypted with RSA-2048 and appended to file after data. It is not feasible to decrypt the data without the private key. It is observed that it collects all data related to the user like username, computer name, workgroup, IP address. This data is encrypted with the RC4 encryption algorithm and sends to the C&C server.<\/p>\n

The GandCrab v5 ransomware has started using Task Scheduler ALPC vulnerability to gain System privileges on an infected computer.<\/p>\n

After encryption, it asks for $700 in dash\/bitcoin cryptocurrency; also 10% charges are applicable for miner fees\/commission. In the past, if the victim could not pay the full ransom amount, he\/she was offered some discount to decrypt the files.<\/p>\n

\"\"
Fig. 8 GandCrab Ransom Page<\/figcaption><\/figure>\n

It is observed that in the end, GandCrab tries to connect with the number of compromised domains having a particular URL formation algorithm as discussed previously<\/a>. This behavior shows a similarity with Emotet campaign<\/a>.<\/p>\n

After a few hours, the same domain started serving pornographic phishing content.<\/p>\n

Indicator of Compromise:<\/strong><\/p>\n

Doc File (Urgent notice.doc): 64F3F3CC1E121B295DA1FF74CC180473<\/p>\n

Exe File (Putty.exe): 5B1B6AF59E29D9A2AA120277CAB14D0C<\/p>\n

Precautions:<\/strong><\/p>\n