Following our previous post about GandCrab, in this post we show how another variant of this well-known ransomware is observed by Check Point’s SandBlast Agent (SBA) Behavioral Guard and analyzed through the lens of a SBA Forensics report. In addition, we review how this new variant comes loaded with Trojan malware too, and yet even when attacked on multiple fronts, so to speak, SBA is still able to prevent an infection.
Whereas our last analysis was in respect to Fileless GandCrab, the new variant discussed below does not rely on PowerShell for encryption. In this variant, PowerShell is mainly used for delivering the first stage of the malware combo to end users. In addition, the operation of this malware was seen to be distributed across multiple processes. This may serve as both an evasion technique for traditional malware protections and also increases analysis complexity and reduces compatibility issues. It seems the malware authors really do want to infect the victim with any of the malware variants and go to great lengths to make sure that happens.
As was mentioned previously, GandCrab is an advanced operation with its own affiliate program that offers low skilled threat actors the opportunity to run their own ransomware campaigns.
PowerShell as an Entry Point
From our observation of the above Forensics Report provided by SandBlast Agent, we can understand that the attack begins by launching a hidden PowerShell window with command line arguments to download a secondary payload from an infected hosting provider. Our analysts have confirmed that the online hosted payload is changing frequently in order to escape detection from hash signature based Anti-Viruses.
By viewing the report’s PowerShell process ‘Content Tab’ we can see the entire attack’s script as it was executed. Of course this is due to SBA Behavioral Guard having complete oversight on the PowerShell script that is being run on the Windows 10 Operating System.
As seen from the above screenshot, the payload itself is actually Base64 encoded bytecode of a portable executable (PE) which was made with AutoIt, a freeware automation language for Microsoft Windows. AutoIt generated PE acts as an unpacker to download other binaries from different servers and create multi layered attack scenario to cover all operating systems with different protections. This includes downloading two types of ransomwares and trojans and monitoring the ransomware processes and relaunching them in case there was a crash and abrupt termination. Interestingly, the process has a “Microsoft Windows” signature which has been invalidated. This signature was most likely taken from another signed process and its signature was revoked due to the differences in the checksum.
Once launched, the newly executed process (mwqtep.exe) waits for 200 seconds and then re-launches itself but now with higher privileges. The malware’s instructions are to:
- Pull the C&C URL from the memory by the offset
- Build a pseudo random file name
- Access the C&C server and drop the malicious files to %TEMP%.
- Run the dropped files.
In total, four new binaries are downloaded to the infected system as part of the secondary payload. The payloads include a variant of Betabot (Also known as Neuvert), AzorUlt data stealer malware and 2 variants of GandCrab ransomware.
Who Runs First?
The BetaBot sample is the first to run. Betabot is a “Swiss army knife” kind of malware. It doesn’t have sole purpose, its behavior is mostly determined by the C2 server. But in order to execute properly and avoid detection it does several things, including injecting itself into explorer.exe. After injections, series of other binaries are downloaded from the CnC server which in short are responsible for the followings:
- Gather information about the machine
- Looks for analysis and debugging tools on the machine
- Detects the virtual machine environment
- Identify and disable certain Anti-virus and firewall tools
BetaBot is known to be used to steal log-in credentials and financial data of the victim as well however we could not confirm this for the current samples that were analyzed.
While Betabot uses several persistence techniques, in the sample above a classic registry Autorun method was used to enable the trojan survives a reboot.
The second malware that is executed is a variant of AzorUlt data stealer malware. The main characteristic of this malware family is:
- Harvesting Cryptocurrency wallets saved on the machine
- Extracting credentials saved in FTP/IM/Email clients
- Staying dormant on the system and listening for instructions from a CnC server
Check Point’s research team has already dissected this malware family and you can find out more about it here.
In addition to the above trojans, two variants of the GandCrab ransomware are also downloaded. As can be seen in the reports, one of them had actually crashed which resulted in the Windows Error reporting application (werfault.exe) to launch.
After detecting the crash of the GandCrab ransomware, a second variant of GandCrab is launched and successfully gains privilege escalation. This is then able to continue the attack of encrypting files and writing ransomware message files. At the time of the attack this variant had not been seen in the wild.
Conclusion
As seen from the above screenshots, SandBlast Agent’s Behavioral Guard robust detection engine is capable of adapting to a malware’s evolution over time. It is also sufficiently robust to handle the prevention of several malware variants simultaneously. In this way it can be used to detect and prevent endless types of attacks including those using even legitimate scripting tools maliciously. To help IT security professionals monitor and keep on top of these attacks SandBlast Agent blocks them with ease, remediates them and automatically create a forensics report that details how these actions were taken. In this way, even the most sophisticated of malware is blocked to keep organizations secure and protected.
IOCs:
checkerrors.ug./payload.ps1
checkerrors.ug/gategate.php
d7fa0b97fea55a939bf76eb76c95505b
59706e1c7a11cc204a9be6b75cdf214b
54501f36058c52421ae5c43733afb27a
077f6405b750b6c4533d81d1eb80f975
45e00aaaae849370a8918f1e7b01732e
67dcacb8fd750c9568ab9a5624c9b908