{"id":88669,"date":"2020-03-03T15:24:12","date_gmt":"2020-03-03T09:54:12","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=88669"},"modified":"2020-03-03T15:24:13","modified_gmt":"2020-03-03T09:54:13","slug":"mailto-ransomware-hiding-under-explorer-exe","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/mailto-ransomware-hiding-under-explorer-exe\/","title":{"rendered":"Mailto Ransomware under the skin of explorer.exe"},"content":{"rendered":"

All of us, at some point in time, \u00a0must have heard the story of Wolf and the flock of sheep. The fooling trick used by the wicked wolf of pretending to be a sheep is still in use by many malware authors. They pretend to be genuine processes to achieve their villainy activities.<\/p>\n

Such a case has been recently observed in Mailto<\/em> ransomware wherein it is making \u00a0use of legitimate windows process known as \u2018explorer.exe\u2019<\/em>.<\/p>\n

Now, how are hackers doing this?<\/p>\n

The closest answer is, process code injection!<\/p>\n

That is correct, but this time the technique used for injection is not very \u00a0common.<\/p>\n

The Mailto<\/em> or Netwalker<\/em> performs process hollowing in explorer.exe. <\/em>This helps in evading the Anti-Virus software (AVs) to \u00a0easily perform the encryption.<\/p>\n

In process hollowing, usually, the target process is created in suspended mode and the injection is carried out. But here the process is not created in suspended mode\u2014 rather it uses the \u2018Debug\u2019 mode<\/strong>.<\/p>\n

\"\"<\/p>\n

Fig.1: Mailto Creates the Process in Debug mode<\/em><\/p>\n

 <\/p>\n

To perform further injection activity, it gets the process and thread details using debug APIs like WaitForDebugEvent. <\/em><\/p>\n

\u00a0\"\"<\/em><\/p>\n

\"\"\u00a0<\/em><\/p>\n

Fig.2: API to get the process and thread details<\/em><\/p>\n

\u00a0<\/em><\/p>\n

Then, a section is created with a size similar to that of the sample using ZwCreateSection <\/em>and its view is mapped in the current process using ZwMapViewOfSection<\/em>.<\/p>\n

 <\/p>\n

In this view, the sample file is copied, and manual relocation is performed.<\/p>\n

\"\"<\/p>\n

Fig.3: Relocation of Hardcoded addresses<\/em><\/p>\n

The view of this section is then unmapped using ZwUnmapViewOfSection<\/em>. The thread context of the process created (explorer.exe<\/em>) is retrieved and changes are made, setting the start address of the thread from where the execution is intended to begin.<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

Fig.4: Setting the Start address of injected code<\/em><\/p>\n

 <\/p>\n

 <\/p>\n

Finally, call to ContinueDebugEvent <\/em>and DebugActiveProcessStop<\/em> makes the execution of the thread \u2018start\u2019 that will be responsible for the encryption of the files. The process tree is shown in the below image.<\/p>\n

\"\"<\/p>\n

Fig.5: Process Tree<\/em><\/p>\n

 <\/p>\n

When we decrypt the encrypted data present in the .rsrc<\/em> section, we get all the important information present in JSON format. This information contains base64 <\/em>encrypted ransom note, e-mail addresses used in the ransom note, processes that need to be killed if in execution, whitelisted paths, file names and extensions, etc.<\/p>\n

\"\"<\/p>\n

Fig.6: Decrypted data<\/em><\/p>\n

 <\/p>\n

Injected explorer.exe Activity<\/h2>\n

After injection, the malware (i.e. injected explorer.exe<\/strong>) drops its copy at \u2018%ProgramFiles%\\<8 Alphanumeric characters>\\<8 Alphanumeric characters>.exe<\/em>\u2019 and sets the RUN entry for its persistence.<\/p>\n

\"\"<\/p>\n

Fig.7: RUN Entry<\/em><\/p>\n

\u00a0<\/em><\/strong>Further, it deletes the shadow copies of the system using the command:<\/p>\n

\u2018%system32%\\vssadmin.exe delete shadows \/all \/quiet<\/em>\u2019<\/em><\/p>\n

\u00a0<\/strong><\/p>\n

ID Generation<\/strong><\/p>\n

The ID is the extension that will be used for newly encrypted files and as \u00a0the name of ransom note file. It is generated using the key kept under the tag \u2018mpk\u2019<\/strong> in decrypted JSON, the retrieved computer name and the hardware profile information about the machine being infected (through GetCurrentHwProfileW <\/em>Windows API).<\/p>\n

 <\/p>\n

SHA-256 of these components is calculated and the first five characters of the output are used as the new extension of encrypted files. Its first eight characters are used as the name of the directory and as the filename when the self-copy is dropped at \u2018%ProgramFiles%\u2019.<\/em><\/p>\n

\u00a0<\/em><\/p>\n

SHA-256 Output:<\/strong><\/p>\n

\"\"<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Fig.8: Encrypted Files with Extension generated above<\/em><\/p>\n

The files are encrypted with SALSA20 algorithm and the filename is appended with \u2018.mailto[<mail-id>].<ID generated above(I.e extension)>\u2019.<\/em><\/p>\n

After encryption, the \u2018explorer.exe\u2019<\/strong> kills the parent process and deletes the original sample, the file dropped at %ProgramFiles%<\/em> and also the RUN entry, eradicating \u00a0the traces of its existence.<\/p>\n

The Infection Vector is not clear as yet , but most likely the attacker may have used spam mails for propagation.<\/p>\n

A ransom note is dropped with the name \u2018<ID>-Readme.txt\u2019 containing the ransom payment details on every encrypted location.<\/p>\n

\"\"<\/p>\n

Fig.9: Ransom Note<\/em><\/p>\n

\u00a0<\/em><\/p>\n

Conclusion<\/strong><\/p>\n

Several old stories educate \u00a0us to be aware of roguery intentions of those whom we trust easily \u2014one should take care and should not completely trust the processes that appear to be legitimate that \u00a0ultimately might \u00a0help malware to bypass security products.<\/p>\n

Here, the injection through process hollowing is done in explorer.exe<\/em> which itself makes it very difficult to make its presence perceptible. Moreover, while creating the process for injection, instead of using a suspended mode, it is using the not so commonly used \u2018Debug\u2019 mode. This makes AV prevention techniques to fail.<\/p>\n

 <\/p>\n

How Quick Heal protects its users from the Mailto Ransomware?<\/h2>\n

Quick Heal successfully blocks Mailto ransomware with the following protection layers:<\/p>\n

    \n
  1. Virus Protection<\/li>\n
  2. Behavior Detection<\/li>\n<\/ol>\n

    \"\"<\/p>\n

    Fig.10: Virus Protection<\/em>\"\"<\/p>\n

    Fig.11: Behavior Detection<\/em><\/p>\n

     <\/p>\n

    IOCs:<\/strong><\/p>\n

    207D2A5AA3A00B8C908B6CFFCF6DDED8<\/em><\/p>\n

    3D6203DF53FCAA16D71ADD5F47BDD060<\/em><\/p>\n

    775F5027ABC97C0EC8E9202A4ED4CC14<\/em><\/p>\n

    B0008E752F488D7E97A8D2452411527E<\/em><\/p>\n

    73DE5BABF166F28DC81D6C2FAA369379<\/em><\/p>\n

    D7D7F3C95D03367C61BCFDFE4E7AB47A<\/em><\/p>\n

     <\/p>\n

    Subject Matter Expert:<\/strong><\/p>\n

    Priyanka Shinde, Umar Khan |\u00a0Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

    All of us, at some point in time, \u00a0must have heard the story of Wolf and the flock of sheep. The fooling trick used by the wicked wolf of pretending to be a sheep is still in use by many malware authors. They pretend to be genuine processes to achieve their villainy activities. Such a […]<\/p>\n","protected":false},"author":72,"featured_media":88694,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910],"tags":[534,1722,50],"class_list":["post-88669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-cybersecurity","tag-mailto","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88669"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/72"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88669"}],"version-history":[{"count":9,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88669\/revisions"}],"predecessor-version":[{"id":88695,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88669\/revisions\/88695"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88694"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}