Interestingly, users can easily get infected by this Nodera ransomware while browsing online, either by clicking on a malicious HTA file or when served as a malvertisement.<\/p>\n
Analysis Details :<\/b><\/strong><\/p>\n The sample received in our lab was a VBS script that has multiple embedded js scripts. On execution, it creates a directory \u201cGFp0JAk\u201d<\/em> at location \u201c%userprofile%\\AppData\\Local\\\u201d<\/em>.<\/p>\n It also creates a sub-directory \u201cnode_modules\u201d<\/em> for storing Node.js libraries required to execute the JS payload. Finally, for the execution of those scripts, it requires node.exe,<\/em> which will be downloaded from the below URL.<\/p>\n https:\/\/nodejs.org\/download\/release\/latest-v8.x\/win-x86\/node.exe<\/u><\/em><\/p>\n Downloaded node.exe is stored as GFp0JAk.exe<\/em> at \u201c%userprofile%\\AppData\\Local\\GFp0JAk\u201d.<\/em><\/p>\n It further creates 3 different registry keys, \u201cMicrosoft Office\u201d<\/em>,\u00a0\u201cStartup\u201d, <\/em>and\u00a0\u201cWindows\u201d<\/em> at \u201cHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u201d<\/em> to make its persistence in the system.<\/p>\n Fig 1: Registry Entry<\/em><\/p>\n <\/p>\n It then drops some required libraries such as fs.js,\u00a0graceful-fs.js,\u00a0legacy-streams.js,\u00a0package.json,\u00a0polyfills.js at “%userprofile%\\AppData\\Local\\GFp0JAk\\node_modules\\\u201d<\/em> and also the malicious JS \u201clLT8PCI.js\u201d<\/em> at \u201c%userprofile%\\AppData\\Local\\GFp0JAk\\\u201d<\/em>.<\/p>\n Once all required modules\u00a0are\u00a0in place, it checks for \u201c%userprofile%\\AppData\\Local\\GFp0JAk\\GFp0JAk.exe\u201d<\/em>. If it is present, it will start executing the script by invoking<\/p>\n oShell.Run(strExe & ” ” & outWorkingDir & “\\” & strEntPoint, 0, true)<\/em><\/p>\n where strExe\u00a0= \u201c%userprofile%\\AppData\\Local\\GFp0JAk\\GFp0JAk.exe\u201d <\/em><\/p>\n outWorkingDir\u00a0= \u201d%userprofile%\\AppData\\Local\\GFp0JAk\\\u201d<\/em><\/p>\n strEntPoint\u00a0=\u00a0\u201c%userprofile%\\AppData\\Local\\GFp0JAk\\lLT8PCI.js\u201d <\/em><\/p>\n The actual payload is the \u201clLT8PCI.js\u201d script which performs all ransomware related activities.<\/p>\n In this script, for every user-defined function, the author has used Async-Await Generators and Promises. These two are the most powerful concepts of the Node.js framework. Defining any function prefix with Async keywords allows synchronously writing asynchronous code. The return value from the asynchronous function is called the promise, which checks for the completion status of a given function.<\/p>\n Fig 2: Initialization of variables and Public key<\/em><\/p>\n <\/p>\n JS script starts with the initialization of some variables like \u201cbitcoinAddress\u201d and its price. \u00a0Also, it embeds the RSA public key of 4096 bit in PEM format, as shown in Fig 2.<\/p>\n Fig 3: Functions used in the script<\/em><\/p>\n <\/p>\n Initially, it checks for admin rights in “%WinDir%”<\/em> by trying to create a file with name format {randomname_of_len_4}.{randomname_of_len_2}<\/em>. \u201cgenerateKey\u201d function is used to generate random file name and extension.<\/p>\n Fig 4: Generate file name and extension<\/em><\/p>\n Next, it invokes the scan function, which enumerates all the drives present in the system and creates a list. Only for the “C:”<\/em> drive it has made some exclusion. It considers only the directories which contain user-specific files.<\/p>\n Fig 5: Targeted Directories<\/em><\/p>\n <\/p>\n It will generate a file with the name \u201c{randomname_of_len_6}.key\u201d,<\/em> which is used to store RSA encrypted AES-256 key. The AES key is generated by using the \u201cgenerateKey\u201d function.<\/p>\n Fig 6: All Modules<\/em><\/p>\n Before encrypting the files, it kills the process as shown in the below fig and deletes volume shadow copy.<\/p>\n Fig 7: Process Killing<\/em><\/p>\n After encrypting a file, it appends the extension \u201c.encrypted\u201d<\/em>.<\/p>\n Then it drops two files :<\/p>\n “%userprofile%\\AppData\\Local\\GFp0JAk\\\u201cHow-to-buy-bitcoins.html\u201d <\/em><\/p>\n \u201c%userprofile%\\Desktop\\Decrypt-your-files.bat\u201d. <\/em><\/p>\n Fig 8: Ransom Note \u2013 How-to-buy-bitcoins.html<\/em><\/p>\n The HTML file is a ransomware note and batch file containing the command to execute the same JS script with the parameter \u201cdecryptStatic\u201d, which invokes the decryption routine.<\/p>\n Fig 9: Encrypted Files<\/em><\/p>\n <\/p>\n This ransomware seems to be in the development phase and has some flaws, as mentioned below:<\/p>\n Although it seems to be written by an amateur developer, it is an interesting work, and the probability of it becoming popular in the future is quite high.<\/p>\n <\/p>\n How Quick Heal protects its users from such attacks :<\/b><\/strong><\/p>\n Quick Heal products are built with the following multi-layered security that helps counter such attacks.<\/p>\n Specially designed to counter ransomware attacks. This feature detects ransomware by tracking its execution sequence.<\/p>\n Blocks malicious attempts to breach network connections.<\/p>\n Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.<\/p>\n Online virus protection service detects the known variants of the ransomware.<\/p>\n Tracks the activity of executable files and blocks malicious files.<\/p>\n Helps you take regular backups of your data and restore it whenever needed.<\/p>\n Io<\/b><\/strong>C<\/b><\/strong>s\u00a0<\/b><\/strong>:<\/b><\/strong><\/p>\n 7265C1FB74EB9EA3CD98358475620CE54B9033421BA042957135BDEFD078B366 53A95C9126BE8262AFB0821DA4D7137E6C8A4D9B363F91298249CA134D394BF4<\/p>\n Detection name :<\/b><\/strong><\/p>\n VBS.NoderaRansom.36592<\/p>\n JS.NoderaRansom.36593<\/p>\n","protected":false},"excerpt":{"rendered":" Recently while threat hunting, Quick Heal Security Labs came across an unusual Node.js framework based on Nodera ransomware. The use of the Node.js framework is not seen commonly across malware families. However, the latest development by threat actors reveals nasty and one-of-its-kind ransomware being created, one that uses the Node.js framework, which enables it to […]<\/p>\n","protected":false},"author":66,"featured_media":88375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1671,910],"tags":[1701,1700,1699,1698,50],"class_list":["post-88372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption","category-ransomware","tag-encrypted","tag-btc","tag-microsoft-windows","tag-nodejs","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88372"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/66"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88372"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88372\/revisions"}],"predecessor-version":[{"id":92081,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88372\/revisions\/92081"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88375"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Registry-Entry-650x65.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Initialization-of-variables-and-Public-key-650x284.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Functions-used-in-script-650x381.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Generate-file-name-and-extension-650x52.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Targeted-Directories-650x209.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/All-Modules-650x249.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Process-Killing.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Ransom-Note-How-to-buy-bitcoins.html-650x288.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/01\/Encrypted-Files-650x318.png\")
<\/p>\n\n
\n
\n
\n
\n
\n
\n