{"id":89154,"date":"2020-06-12T18:51:29","date_gmt":"2020-06-12T13:21:29","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=89154"},"modified":"2023-06-20T16:42:39","modified_gmt":"2023-06-20T11:12:39","slug":"maze-of-maze-ransomware-its-deceitful-tactics","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/maze-of-maze-ransomware-its-deceitful-tactics\/","title":{"rendered":"Maze of Maze ransomware & its deceitful tactics"},"content":{"rendered":"

Maze is a recent highlighted ransomware<\/a> among the ever-growing list of ransomware families. Maze ransomware is active from last one year, although it came into light due to its new approach of publishing sensitive data of infected customer publicly.<\/p>\n

The malware uses different techniques to gain entry like to use exploits kits or via email impersonation. These phishing emails are having a Word document attachment which contain macros to run the malware in\u00a0the system.<\/p>\n

Maze uses CHA-CHA algorithm for encryption and its key is encrypted using RSA algorithm.\u00a0Maze can run\u00a0with or\u00a0without mutex. It uses some Russian IPs for webserver to send information from victim system. It uses RSA encryption request for\u00a0CnC\u00a0communication. It will not encrypt system for specific region by checking keyboard type.<\/p>\n

Stage \u2013 I:\u00a0<\/b><\/p>\n

\u00a0\u00a0\u00a0 VBA MACRO<\/b><\/p>\n

The attached\u00a0document\u00a0file has a form containing input box in which number array of encrypted URL and path is present. Document file contains an activeX object. When it is executed, URL and path is decrypted then it\u00a0calls URLDownloadToFileA<\/em>()<\/em>\u00a0which downloads an executable to the specified location.<\/p>\n

\"\"
Fig 1.\u00a0URLDownloadToFileA() Call with their parameters<\/figcaption><\/figure>\n

The number array is read from text box\u00a0then\u00a0converted into characters\u00a0and concatenated\u00a0to form\u00a0a URL\u00a0and\u00a0path where file is downloaded. Sometimes it also uses\u00a0PowerShell\u00a0to download file. In most of the cases file is downloaded at \u201cC:\\W<\/em>indows\\temp<\/em>\u201d\u00a0location.<\/p>\n

\"\"
Fig 2.\u00a0Characters stored in Number Array<\/figcaption><\/figure>\n

Stage \u2013\u00a0<\/b>II:<\/b>\u00a0<\/b><\/p>\n

    \n
  1. CRYPTER<\/b><\/li>\n<\/ol>\n

    The first stage of\u00a0Maze ransomware is custom\u00a0cryptor. This\u00a0cryptor\u00a0is packed one with less imports. It loads libraries by calling\u00a0LoadLibrary<\/em>()<\/em> and\u00a0GetProcAddress<\/em>()<\/em> from kernel32.dll.\u00a0In this\u00a0cryptor,\u00a0function\u00a0names are\u00a0stored with their\u00a0adler32\u00a0checksum.<\/p>\n

    The\u00a0cryptor\u00a0for\u00a0antidebugging, it passes junk strings to the function\u00a0OutputDebugStringW<\/em>(<\/em>).<\/p>\n

    \"\"
    Fig 3.\u00a0Call to\u00a0OutputDebugStringW()<\/figcaption><\/figure>\n

    In the below code,\u00a0it checks whether file is present or not, if present it will terminate. Similarly, it also checks specific\u00a0commandline\u00a0arguments if it is present it will change execution flow. Then malware load the resource where actual\u00a0DLL\u00a0is present. The loaded resource is encrypted and\u00a0XOR\u00a0operation is used with key 0x41. After decryption, we get base64 encoded data.<\/p>\n

    \"\"
    Fig 4. Xor Loop and API resolution<\/figcaption><\/figure>\n

     <\/p>\n

    After copying all data onto stack, API names are formed and then it calls\u00a0Loadlibrary() Win32 API. Then it decodes base64 data by calling\u00a0CryptStringToBinaryA() API. The decrypted buffer is again decrypted using CHA-CHA 20 algorithm which brings actual payload of Maze ransomware. Along with payload (which is a DLL of Maze), it also decrypts shellcode. By using\u00a0CreateThread() API, it executes the shellcode.<\/p>\n

    \"\"
    Fig 5. Call to\u00a0CreateThread()<\/figcaption><\/figure>\n

    In this\u00a0payload code, it firstly\u00a0loads base address of kernel32 for PEB.\u00a0Below code show the loading of address.<\/p>\n

    \"\"
    Fig\u00a06.\u00a0Address\u00a0is Loaded\u00a0from PEB<\/figcaption><\/figure>\n

    The shellcode allocates\u00a0memory using\u00a0VirtualAlloc<\/em>()<\/em> and copies\u00a0DLL\u00a0file to\u00a0newly allocated space. Then it\u00a0creates a\u00a0thread and execute code from\u00a0DLL. This code changes bytes at original entry point and then jump to OEP.<\/p>\n

    2. MAZE PAYLOAD<\/b><\/p>\n

    In decrypted payload it first loads\u00a0all the\u00a0APIs\u00a0and then does patching of\u00a0dbgUiRemoteBreakin\u00a0from\u00a0ntdl.dll. It is one of the anti-debugging\u00a0techniques\u00a0it\u00a0using to avoid attachment of debugger.<\/p>\n

    First it calls\u00a0VirtualProtect()<\/em>\u00a0on\u00a0dbgUiRemoteBreakin<\/b>\u00a0<\/b>with PAGE_EXECUTE_READWRITE\u00a0as new\u00a0flNewProtect. Then it replaces\u00a0byte\u00a06A\u00a0with C3 by simple mov instruction.\u00a0So,\u00a0if someone try to attach debugger it will get failed.<\/p>\n

    \"\"
    Fig\u00a07.\u00a0Copy 0xC3 at\u00a0dbgUiRemoteBreakin\u00a0Entry point<\/figcaption><\/figure>\n

     <\/p>\n

    \"\"
    Fig\u00a08.\u00a0Code before and after patching<\/figcaption><\/figure>\n

    Then it enumerates running processes using Process32<\/em>First()<\/em>\u00a0and process32Next<\/em>()<\/em>. It calls APIs using\u00a0\u2018je\u2019<\/em>\u00a0instruction and address is pushed onto stack which is executed\u00a0after\u00a0API\u00a0call. Call is replaced with\u00a0\u2018push\u2019<\/em>\u00a0<\/em>and\u00a0\u2018jz\u2019<\/em>\u00a0or\u00a0\u2018je\u2019<\/em>\u00a0instruction.<\/p>\n

    \"\"
    Fig\u00a09.\u00a0 Call to Process32NextW () using\u00a0jz\u00a0instruction<\/figcaption><\/figure>\n

    After process enumeration it will obfuscate all the names with its own algorithm which uses\u00a0XMM registers. Then it calculates hash of this\u00a0obfuscated string which is then compared with some hardcoded hashes. Some of them\u00a0are:<\/p>\n

    Procmon64.exe:\u00a00x776E0635<\/p>\n

    Procexp64.exe:\u00a00x78020640<\/p>\n

    Ida.exe:\u00a00x33840485<\/p>\n

    Dumpcap.exe:\u00a00x5FB805C5<\/p>\n

    X32dbg.exe:\u00a00x50620538<\/p>\n

    \"\"
    Fig\u00a010:\u00a0Compare hashes\u00a0with\u00a0running process\u00a0hashes<\/figcaption><\/figure>\n

    When any of the process hash matches it calls\u00a0TerminateProcess()<\/em>\u00a0<\/em>and exit the\u00a0running process.<\/p>\n

    It will not\u00a0encrypt\u00a0files\u00a0for specific keyboard type. To get keyboard type it calls the function\u00a0GetUserDefaultUILanguage()<\/em>. For\u00a0eg:<\/p>\n

    Russsian: 0x419\u00a0 \/\/ NOT Encrypt For this value<\/p>\n

    Ukrainian: 0x422 \/\/ NOT Encrypt For this value<\/p>\n

    Serbian: 0x7C1A \/\/ NOT Encrypt For this value<\/p>\n

    en_US\u00a0: 0x409\u00a0\/\/ Encrypt For this value<\/p>\n

    \"\"
    Fig 11. Check value return by\u00a0GetUserDefaultUILanguage()<\/figcaption><\/figure>\n

    Then\u00a0It first\u00a0communicate\u00a0with\u00a0CnC\u00a0server where IP list is hardcoded,\u00a0all\u00a0below mentioned IP\u00a0seems\u00a0belong\u00a0to\u00a0Russia.<\/p>\n

    91.218.114.4<\/p>\n

    91.218.114.11<\/p>\n

    91.218.114.25<\/p>\n

    91.218.114.26<\/p>\n

    91.218.114.32<\/p>\n

    91.218.114.37<\/p>\n

    91.218.114.38<\/p>\n

    \"\"
    Fig 12. Hardcoded Ip list<\/figcaption><\/figure>\n

    Then data is sent to\u00a0CnC\u00a0on first request: Data which is sent is\u00a0Username,\u00a0Computername,\u00a0OsVersion.\u00a0Malware create mutex with unique ID. Unique ID is created using\u00a0SHA(\u00a0GetComputerName() +\u00a0VolumeID<\/em>()<\/em>)\u00a0.\u00a0For ransomware marker it creates unique file on root and each folder.<\/p>\n

    Maze Encryption<\/b>\u00a0Process<\/b>:<\/b><\/p>\n

    Malware select\u00a0files for\u00a0encryption based on extension. It excludes following extension:<\/p>\n