{"id":88898,"date":"2020-04-09T19:16:31","date_gmt":"2020-04-09T13:46:31","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88898"},"modified":"2020-04-09T19:16:31","modified_gmt":"2020-04-09T13:46:31","slug":"dharma-targeting-covid-19","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/dharma-targeting-covid-19\/","title":{"rendered":"Dharma Ransomware Variant Malspam Targeting COVID-19"},"content":{"rendered":"

Since the outbreak of the Novel Coronavirus pandemic, many malware have been seen trying to lure people to open malicious emails, malicious domains and run other malware, etc. Some of these malicious domains are fully functional and provide real-time mapping of COVID-19 stats across the globe. However, they deliver malware on the system of victims visiting the site who are unaware of any suspicious events. They can steal personal and financial information stored on the browser by executing malicious Javascript on the visit.<\/p>\n

\"Malicious<\/p>\n

Fig: Malicious domain with a fully functional map<\/p>\n

Few other malware are using spear-phishing emails impersonating WHO or other authentic organizations, providing safety measures about COVID-19 pandemic along with a means of malicious code execution.<\/p>\n

One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and keeps popping out with a new variant, periodically. The threat actors want to leverage every scenario to escape detection and deliver the payload.<\/p>\n

The main payload is attached as \u20181covid.exe\u2019 \u2014 on the execution of the \u20181covid.exe\u2019, it begins to encrypt the files and the following ransom note is displayed on the screen. The extension of files after encryption is .ncov supposedly named after the Novel Coronavirus.<\/p>\n

\"Ransom<\/p>\n

Fig: Ransom Note<\/p>\n

The ransom note is dropped in various formats. After encrypting the files, a ransom note asks the user to write an email to “coronavirus@qq.com”<\/u>\u00a0to restore their files.<\/p>\n

\"txt<\/p>\n

Fig: A text version of the ransom note<\/p>\n

Sample MD5: 62D3E2CA818E515EDBB44CAD8355C91D<\/b><\/strong><\/p>\n

Technical Analysis:<\/b><\/strong><\/p>\n

The Ransomware does not employ any UAC bypass and presents with the prompt to execute. The malware is not packed but it has encrypted API and library names. It decrypts the API and library names using the rc4 algorithm and after that, it loads libraries and resolves all APIs using Loadlibrary and Getprocaddress functions respectively.<\/p>\n


\n\"rc4<\/b><\/strong><\/p>\n

Fig: Decrypting names using rc4<\/p>\n

\"Functions<\/p>\n

Fig: Function used to resolve the APIs<\/span><\/p>\n

After that, it creates the mutex name and checks if it is already present \u2014 if present it terminates itself. The mutex name is a combination of string \u2018Global\\\\syncronize_\u2019 and \u201c5GW7SU(U\/A)\u201d where the latter is a unique hard-coded sample id.<\/p>\n

\"Mutex<\/p>\n

Fig: Mutex name<\/span><\/p>\n

The ransomware manages a list of recognized valuable extensions to it as below<\/p>\n

    \n
  1. Doc<\/li>\n<\/ol>\n

    (.doc;.docx;.pdf;.xls;.xlsx;.ppt;)<\/p>\n

      \n
    1. Arc<\/li>\n<\/ol>\n

      (.zip;.rar;.bz2;.7z;)<\/p>\n

        \n
      1. Dbf<\/li>\n<\/ol>\n

        (.dbf;)<\/p>\n

        1c8(.1cd;)<\/p>\n

          \n
        1. Jpg<\/li>\n<\/ol>\n

          (.jpg;)<\/p>\n

           <\/p>\n

          It carries a list of processes to kill so that there is blocking of files related to them during encryption.<\/p>\n

          \u201c1c8.exe, 1cv77.exe, outlook.exe, postgres.exe, mysqld-nt.exe, mysqld.exe, sqlservr.exe;\u201d<\/u><\/p>\n

          \"Function<\/p>\n

          Fig: Function to kill predetermined list of processes<\/p>\n

          Following list of services are killed if found: \u201cFirebirdGuardianDefaultInstance, FirebirdServerDefaultInstance, sqlwriter, mssqlserver and sqlserveradhelper\u201d<\/p>\n

          \"Function<\/p>\n

          Fig: Function to kill the services<\/p>\n

          Further, it uses multiple ways to instantiate persistence.<\/p>\n

          Persistence Techniques:<\/b><\/strong><\/p>\n

            \n
          1. Drop a self-copy to %windir%system32<\/li>\n
          2. Set HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with above entry %windir%system32<\/li>\n
          3. Read registry entry \u2018startup\u2019 in “Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders” and drop a self-copy in retrieved path i.e. in “%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\\u201d<\/li>\n
          4. Read registry entry \u2018common startup\u2019 in \u201cSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\u201d and drop a self-copy in retrieved path I.e in “%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup”<\/li>\n<\/ol>\n

            The main process creates cmd.exe and pipes the command to delete the shadow copy using the vssadmin tool.<\/p>\n

            \"Deleting<\/p>\n

            Fig: Deleting shadow copy<\/p>\n

            The process flow of the executable is shown in the below figure.<\/p>\n

            \"Process<\/p>\n

            Fig: Process flow of sample<\/p>\n

            Encryption Technique:<\/b><\/strong>\u00a0<\/b><\/strong><\/p>\n

            The ransomware uses AES-256 (128-bit block + 256-bit key) in CBC mode along with the RSA algorithm. The below image shows the function used for encrypting the given data with AES in CBC Mode.\u00a0<\/b><\/strong><\/p>\n

            \"Algorithm<\/p>\n

            Fig: AES algorithm in cbc mode<\/p>\n

            The 32-bit AES key is generated by a function gen_key_random. The RSA public key is decrypted from the sample and imported via RSA_pub_key_new function which is further used for encrypting the previously generated 32-bit AES key. The same gen_key_random function is used for generating the 16-bit Initialization Vector for AES CBC mode.<\/p>\n

            \"random<\/p>\n

            Fig: random key generation<\/p>\n

            The implementation of AES and RSA algorithms are done using a static library which can found at\u00a0https:\/\/github.com\/joyent\/syslinux\/blob\/master\/gpxe\/src\/crypto\/axtls\/aes.c<\/a>\u00a0 and https:\/\/github.com\/joyent\/syslinux\/blob\/master\/gpxe\/src\/crypto\/axtls\/rsa.c<\/a> respectively.<\/p>\n

            \"\"<\/p>\n

            Fig: Function responsible for rsa encryption<\/p>\n

            The ransomware also encrypts the drives and network shares. There is a separate thread for encrypting the Network shares using the WNetOpenEnumW API family.<\/p>\n

            \"Enumerating<\/p>\n

            Fig: Enumerating Network shares<\/p>\n

            The mitre attack vector mapping of this ransomware is as follows.<\/p>\n

            \"Mitre<\/p>\n

            Fig: Mitre techniques touched by this malware<\/p>\n

            Quick Heal detects this malware as Ransom.Crysis.A3. <\/b><\/strong>Apart from real-time protection, this malware is also detected by Quick Heal ARW (Anti Ransomware Protection) and BDS (Behaviour Detection System).<\/p>\n

            \"ARW<\/p>\n

            Fig: ARW and BDS detection of 1covid.exe<\/p>\n

            Conclusion:<\/strong><\/p>\n

            Coronavirus pandemic has become a target for threat vectors using it as an Initial Vector for all sorts of malicious activities. Quick Heal detects many malicious domains and spear-phishing emails and saves the user from falling into those traps. However, to be on the safer side, below are the steps that can be taken to minimize the risk.<\/p>\n

              \n
            1. Turn on email protection on your anti-virus software.<\/li>\n
            2. Do not open any link or attachment in an email if you doubt the authenticity of the email.<\/li>\n
            3. Do not download and open any attachments from an unknown source.<\/li>\n<\/ol>\n

              IOC:<\/strong><\/p>\n

              Malicious domains pertaining to the Coronavirus.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
              Suspicious URLs and Domains<\/strong><\/td>\nCategory<\/strong><\/td>\n<\/tr>\n
              hxxp:\/\/mohanlakshmipathy[.]com\/COVID-19.doc<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/64.227.17[.]38\/bins\/covid.x86<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/crack.relaxationcards[.]com\/health\/application\/COVID\/2019\/Covid_19_test_form.doc<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/tusa.mindbodyspiritsydney[.]com\/application\/health\/test\/Covid2019\/2019_nCoV_Application_Test.doc<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/tks.enzacurrenti[.]com\/application\/health\/test\/Covid2019\/Test_COVID_2019.doc<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/185.242.104[.]197\/wzjd\/Covid19-UPDATE_PDF.exe<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/corona-virus-map[.]net\/data\/mapdata.jar<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/corona-map-data[.]com\/bin\/regsrtjser346.exe<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/192.3.193[.]251\/Corona.ppc<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/91.234.99[.]234\/Corona.mips<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/phamchilong[.]com\/22\/CORONA<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/45.32.78[.]111\/Corn\/Calin\/Corona.exe<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/recoverrryasitalycovid-19[.]xyz\/over<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/toyswithpizzazz[.]com.au\/service\/coronavirus<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/coronasafetymask[.]tk<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxp:\/\/coronavirusapp[.]site\/mobile.html<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/corona-masr2[.]com\/chase-support.wepay.com\/ChaseClean\/Chase%20Clean\/login\/<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/corona-masr2[.]com\/chase-support.wepay.com\/ChaseClean\/Chase%20Clean\/login\/auth.php<\/td>\nPhishing & Fraud<\/td>\n<\/tr>\n
              hxxp:\/\/dtipgifts[.]com\/E-Transfer\/COVID-19\/files6546541204\/down45640\/banks\/directing\/atbonline\/question.php<\/td>\nPhishing & Fraud<\/td>\n<\/tr>\n
              hxxps:\/\/uk-covid-19-relieve[.]com<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/covid-19[.]bdtime.news\/directing\/www1.royalbank.com\/cgi-bin\/rbaccess\/rbunxcgi\/ClientSignin.htm<\/td>\nPhishing & Fraud<\/td>\n<\/tr>\n
              hxxp:\/\/covid-19[.]bdtime.news<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/raymondne[.]buzz\/COVID-19PRECAUTIONS\/<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/footytube[.]top\/admin\/covid-19\/office365\/office365\/office365\/office365\/office365\/office365\/office365<\/td>\nPhishing & Fraud<\/td>\n<\/tr>\n
              hxxps:\/\/covid-19-business-continuity-epic-uk-limited.azurewebsites[.]net\/Corona_Virus_2020\/passw.php?client_id_redirect_uri=_authenticate_\/common\/oauth2\/authorize_token=9d84bdf0dfc3d870ee7e328eff7d2e597c924200<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/kampcbation[.]info\/COVID-19\/<\/td>\nMalware<\/td>\n<\/tr>\n
              hxxps:\/\/www.brightparcel[.]com\/corona\/owa.php<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusstatus[.]space\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirus[.]zone\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirus-realtime[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirus[.]app\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cCoronavirusaware[.]xyz\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgoiglecoronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronavvirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronavirua[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronavirs[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronavius[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronaviru[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgooglecoronacirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cgoolgecoronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronaviruspatientobservation[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusremotepatientobservation[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirus-com[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronaviruscovid19-information[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-map-data[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusgovernmentrelief[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusfired[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccheapcorona[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-defence[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirushomeinternet[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cchildcarecorona[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona5[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusfactsandfears[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cthankscoronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusapp[.]site\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201calphacoronavirusvaccine[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201canticoronaproducts[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbeatingcorona[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbeatingcoronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbestcorona[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbetacoronavirusvaccine[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbuycoronavirusfacemasks[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cbyebyecoronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccdc-coronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccombatcorona[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccontra-coronavirus[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-armored[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-crisis[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-emergency[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-explained[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-iran[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-ratgeber[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronadatabase[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronadeathpool[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronadetect[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronadetection[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccoronavirusmedicalkit[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccorona-masr2[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201cuk-covid-19-relieve[.]com\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccovid-19.bdtime[.]news\u201d<\/td>\nMalware<\/td>\n<\/tr>\n
              \u201ccovid-19-business-continuity-epic-uk-limited[.]azurewebsites.net\u201d<\/td>\nMalware<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


              \nSubject Matter Expert<\/strong><\/p>\n

              Rahul Sharma, Akshay Gaikwad | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

              Since the outbreak of the Novel Coronavirus pandemic, many malware have been seen trying to lure people to open malicious emails, malicious domains and run other malware, etc. Some of these malicious domains are fully functional and provide real-time mapping of COVID-19 stats across the globe. However, they deliver malware on the system of victims […]<\/p>\n","protected":false},"author":77,"featured_media":88911,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1725,910],"tags":[1721,1727,534,1728,50],"class_list":["post-88898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-coronavirus","category-ransomware","tag-coronavirus","tag-covid-19","tag-cybersecurity","tag-pandemic","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88898"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/77"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88898"}],"version-history":[{"count":35,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88898\/revisions"}],"predecessor-version":[{"id":88963,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88898\/revisions\/88963"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88911"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}