{"id":88591,"date":"2020-02-18T15:15:17","date_gmt":"2020-02-18T09:45:17","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88591"},"modified":"2023-06-16T17:14:12","modified_gmt":"2023-06-16T11:44:12","slug":"ouroboros-following-new-trend-ransomware-league","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/ouroboros-following-new-trend-ransomware-league\/","title":{"rendered":"Ouroboros: Following A New Trend In Ransomware League"},"content":{"rendered":"

Ransomware authors keep exploring new ways to test their strengths against various malware evasion techniques. The ransomware known as \u201cOuroboros\u201d is intensifying its footprint in the field by bringing more and more advancements in its behavior as it updates its version. This analysis provides the behaviour of version 6, few earlier variants of it and some insights on the recent Version 7. This Ransomware<\/a> not only applies conventional methods but also adopts some new techniques making it very difficult to analyze.<\/p>\n

Infection Vector<\/strong>
\nOuroboros has been around from a year now and it spreads through RDP Bruteforce attacks, deceptive downloads, and through Server Message Block (SMB), which is generally used for file sharing and some administrative tasks on Windows endpoints connected over a network.<\/p>\n

Technical Analysis<\/strong>
\nDuring analysis, we found that initially, it stops SQL process ( SQLWriter, SQLBrowser, MSSQLSERVER, MSSQL$CONTOSO1, MSDTC, SQLSERVERAGENT, MySQL etc ) in order to encrypt those files which are open in a database by creating process cmd.exe with \u201cnet stop\u201d command as shown in fig below.<\/p>\n

\"\"
Fig.1 Code snippet for stopping SQL process through cmd<\/figcaption><\/figure>\n

It also stops some other sql process like sqlserver.exe, sqlagent.exe etc but uses another method to terminate.<\/p>\n

\"\"
Fig.2 Adopting different method to stop other SQL processes<\/figcaption><\/figure>\n

Resemblance To LockerGoga<\/strong>
\nIt forms 0x40 bytes key stack consisting of 0x20 key bytes generated from CryptGenKey Crypto API and combines it with 0x20 bytes which are already present in the file. Then it performs AES operations on them similar to LockerGoga. Ouroboros and LockerGoga use crypto++ library which makes the analysis difficult. While steps for encrypting the data is same, both use different encryption modes<\/a>. LockerGoga uses AES in CTR mode, while Ouroboros uses AES in CFB mode.
\nBoth the samples are using aesenc\/aesenclast instructions, which are part of the AES-NI Instruction Set introduced by Intel around 2009.<\/p>\n

\"\"
Fig.3 Instruction set used by malware<\/figcaption><\/figure>\n

Encryption Procedure<\/strong>
\nAs explained above, after making 0x40 bytes key stack, it expands the key using Rijndael key expansion from 0x20 (256 bit) to 240 bytes by performing 15 rounds of various mathematical expressions.<\/p>\n

\"\"
Fig.4 Expanded key Using Rijndael Expansion<\/figcaption><\/figure>\n

It builds initial block cipher using the instruction set shown in (fig.3) by using expanded key and IV.<\/p>\n

\"\"
Fig.5 Initialization Vector<\/figcaption><\/figure>\n

After forming the initial block cipher of 0x40 bytes, it is used to encrypt file data by reading bytes from a file and performing operations on them. These encrypted bytes are stored in memory and then copied to file by using WriteFile API.<\/p>\n

\"\"
Fig.6 XORing block cipher bytes with file bytes and storing them<\/figcaption><\/figure>\n

This ransomware keeps 0x100 bytes PEM encoded RSA public key in a file. It encrypts AES key with this RSA public key and appends it at the end of the file as shown in (Fig.7).<\/p>\n

\"\"
Fig.7 Appending key at the end of file<\/figcaption><\/figure>\n

Ransom Note<\/strong>
\nOn host machine, files are encrypted with extension [original file name].Email= [*.com]ID=[XXXXXXXXX].odveta<\/p>\n

\"\u3000\u3000\u3000\u3000\u3000Fig.8
Fig.8 Extension Format<\/figcaption><\/figure>\n

After encryption, it drops Unlock-Files.txt in each folder as a ransom note.<\/p>\n

\"\"
Fig.9 Ransom note<\/figcaption><\/figure>\n

Network Analysis<\/strong>
\nBefore connecting to CnC server, it performs DNS query on sfml-dev.org and makes HTTP Get Request to url \/ip-provider.php and receive victim\u2019s host\/system public IP in response as shown in below figures.<\/p>\n

\"\"
Fig.10 DNS query to get the public address of sfml<\/figcaption><\/figure>\n
\"\"
Fig.11 Query to get public of host<\/figcaption><\/figure>\n

It then initiates a connection to CnC (IP: 92.222.149.118) over port 18 but may not connect due to a closed port.
\n\u201cThere was no response from the server when we tried to connect via telnet over port number 18, but as we were trying to connect over other ports, it gave successful response for port number 22 (SSH) .\u201d<\/p>\n

The network connection happens before encryption starts and in earlier versions, it was not clear what malware intends to achieve. But in version 7, we have observed that after a successful connection to CnC (though IP address is different), it sends locally generated RSA private key over CnC which might be the case of version 6.<\/p>\n

Evoloution of Ouroboros<\/strong><\/p>\n

\"\"<\/p>\n

Analysis of Ouroboros version 7<\/strong>
\nIn this version, CnC ( 80.82.69.52 ) was live , so we were able to perform network analysis.<\/p>\n

Before it establishes the connection, it checks for ids.txt, if it is already present in ProgramData then it skips the connection and does the encryption with an offline key.
\nBut if ids.txt is not present, it connects with CnC and resolves the public address of the host, same as in version 6.<\/p>\n

After resolving public address of the host, it generates RSA key, not using any kind of library for its generation but it has implemented the whole algorithm and has locally generated the public and private key.<\/p>\n

Following is the part where the key gets generated.<\/p>\n

\"\"
Fig.12 Private key locally generated<\/figcaption><\/figure>\n

After forming a private key, it sends the same to CnC and gives the response as \u201cActive\u201d.<\/p>\n

\"\"
Fig.13 Private key send over CnC<\/figcaption><\/figure>\n

Ransom Note in Version 7<\/strong>
\nAfter encryption, it drops info.txt and uiapp.exe in C:\\ProgramData and deletes the pKey.exe.Uiapp.exe is the .Net file is created in order to drop the ransom note.<\/p>\n

\"\"
Fig.14 Ransom note Version 7<\/figcaption><\/figure>\n

Quick Heal provides multilevel protection for this family. It detects and deletes it in real-time scenario as well as in behaviour base detection and ARW module.<\/p>\n

Conclusion<\/strong>
\nRansomwares are now not only using packers but also using libraries as well as different instruction set to make the analysis difficult. And noticing that other ransomwares (LockerGoga) have also used similar techniques, we can say that this trend will be followed in the future.<\/p>\n

IOCs<\/strong>
\nVersion6:<\/p>\n

1E73E78E60E3A2255C37D7181ADF16E6
\n1EA66E610493B9DB3F5AA6DA82CA2CE7
\n560EE81F4250138CE063FEC3F387690C
\nB316DB79241100B0E86C11352DD169A0
\n6330639300E22E956CC50CCBD4FD027E<\/p>\n

Version7:
\n117C3707F4D8DB004A0E7EF86350612B
\n15F32A4EE7B75AEFA308866B4BD79539<\/p>\n

Subject Matter Expert<\/strong>
\nManisha Prajapati, Pooja Birajdar | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

Ransomware authors keep exploring new ways to test their strengths against various malware evasion techniques. The ransomware known as \u201cOuroboros\u201d is intensifying its footprint in the field by bringing more and more advancements in its behavior as it updates its version. This analysis provides the behaviour of version 6, few earlier variants of it and […]<\/p>\n","protected":false},"author":70,"featured_media":88592,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1671,910,1661],"tags":[49,50],"class_list":["post-88591","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption","category-ransomware","category-rdp","tag-malware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88591"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/70"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88591"}],"version-history":[{"count":28,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88591\/revisions"}],"predecessor-version":[{"id":91760,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88591\/revisions\/91760"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88592"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}