Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server


We recently found a new ransomware family, which we have dubbed HavanaCrypt, that disguises itself as a legitimate Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to evade detection.
By: Nathaniel Morales, Monte de Jesus, Ivan Nicole Chavez, Bren Matthew Ebriega, Joshua Paul Ignacio

July 06, 2022


Ransomware is by no means novel, but it continues to be one of the top cyberthreats in the world today. In fact, based on data from the Trend Micro™ Smart Protection Network™, we detected and blocked more than 4.4 million ransomware threats across email, URL, and file layers in the first quarter of 2022, a 37% increase in overall ransomware threats from the fourth quarter of 2021.
Ransomware's pervasiveness is rooted in its being evolutionary: It employs ever-changing tactics and schemes to deceive unwitting victims and successfully infiltrate environments. For example, this year, there have been reports of ransomware being distributed as fake Windows 10, Google Chrome, and Microsoft Exchange updates to fool potential victims into downloading malicious files.
Recently, we found a brand-new ransomware family that employs a similar scheme: It disguises itself as a legitimate Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to evade detection. Our investigation also reveals that this ransomware uses the QueueUserWorkItem function, a .NET System.Threading namespace method that queues a method for execution, and the modules of KeePass Password Safe, an open-source password manager, during its file encryption routine.
In this blog entry, we provide an in-depth technical analysis of the infection techniques of this new ransomware family, which we have dubbed HavanaCrypt.

HavanaCrypt arrives as a fake Google Software Update application.

Figure 1. The file description of the binary file of HavanaCrypt

This malware is a .NET-compiled application and is protected by Obfuscar, an open-source .NET obfuscator used to help secure code in a .NET assembly.

Figure 2. The properties of the binary file of HavanaCrypt as shown in the Detect It Easy tool, a program used to determine file types

The malware also has several anti-virtualization techniques that help it avoid dynamic analysis when executed in a virtual machine. To analyze the sample and generate the deobfuscated code, we used tools such as de4dot and DeObfuscar.

Figure 3. An obfuscated HavanaCrypt ransomware code sample

Figure 4. A deobfuscated HavanaCrypt ransomware code sample

Upon execution, HavanaCrypt hides its window by using the ShowWindow function with parameter 0 (SW_HIDE).

Figure 5. The ShowWindow function as it is used by HavanaCrypt

HavanaCrypt then checks the AutoRun registry key to see whether a "GoogleUpdate" entry is present. If the entry is not present, the malware continues with its malicious routine.

Figure 6. The function containing the parameters used by HavanaCrypt in checking the registry key

It then proceeds with its anti-virtualization routine, where it terminates itself if the system is found running in a virtual machine environment.

HavanaCrypt has four stages of checking whether the infected machine is running in a virtualized environment.

Figure 7. The function used by HavanaCrypt to implement its anti-virtualization mechanism

Figure 8. The entire anti-virtualization routine of HavanaCrypt

First, it checks for services that are related to virtual machine applications.

Figure 9. The services being checked by HavanaCrypt

Second, it checks for the typical files that are related to virtual machine applications.

Figure 10. The virtual machine files being checked by HavanaCrypt

Third, it checks for file names used by virtual machines for their executables.

Figure 11. The virtual machine executables being checked by HavanaCrypt

Last, it checks the machine's MAC address and compares it to organizationally unique identifier (OUI) prefixes that are typically used by virtual machines.

Figure 12. The OUI prefixes being checked by HavanaCrypt

Range or prefix   Product
00:05:69          VMware ESX and VMware GSX Server
00:0C:29          Standalone VMware vSphere, VMware Workstation, and VMware Horizon
00:1C:14          VMware
00:50:56          VMware vSphere, VMware Workstation, and VMware ESX Server
08:00:27          Oracle VirtualBox 5.2

Table 1. Virtual machines' OUI ranges or prefixes
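The OUI comparison in Table 1 is easy to reproduce, which is useful for anyone running an analysis sandbox: if the VM's adapter carries one of these prefixes, a sample with this check will simply exit and never show its encryption routine. The following Go program is an added example written for this post and is not HavanaCrypt's code; it normalizes a MAC address written with colons, dashes, Cisco-style dots or no separators and looks its first three octets up in the table. The sample MAC addresses in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// vmOUIs mirrors Table 1: the OUI prefixes HavanaCrypt compares a MAC address
// against before deciding that it is running in a virtual machine.
var vmOUIs = map[string]string{
	"00:05:69": "VMware ESX and VMware GSX Server",
	"00:0C:29": "Standalone VMware vSphere, VMware Workstation, and VMware Horizon",
	"00:1C:14": "VMware",
	"00:50:56": "VMware vSphere, VMware Workstation, and VMware ESX Server",
	"08:00:27": "Oracle VirtualBox 5.2",
}

// NormalizeMAC canonicalizes a MAC written with ":", "-", "." or no separators
// into upper-case, colon-separated form. It returns "" for anything that does
// not reduce to exactly 12 hexadecimal digits.
func NormalizeMAC(mac string) string {
	hexDigits := strings.NewReplacer(":", "", "-", "", ".", "").
		Replace(strings.ToUpper(strings.TrimSpace(mac)))
	if len(hexDigits) != 12 {
		return ""
	}
	for _, c := range hexDigits {
		if !((c >= '0' && c <= '9') || (c >= 'A' && c <= 'F')) {
			return ""
		}
	}
	parts := make([]string, 0, 6)
	for i := 0; i < 12; i += 2 {
		parts = append(parts, hexDigits[i:i+2])
	}
	return strings.Join(parts, ":")
}

// MatchVMOUI reports whether the first three octets of mac appear in Table 1,
// returning the product name when they do.
func MatchVMOUI(mac string) (string, bool) {
	n := NormalizeMAC(mac)
	if n == "" {
		return "", false
	}
	// "00:0C:29" is the first eight characters of the normalized form.
	product, ok := vmOUIs[n[:8]]
	return product, ok
}

func main() {
	// Constructed sample adapters: two would trip the check, one would not.
	for _, mac := range []string{"00-0C-29-1A-2B-3C", "08:00:27:aa:bb:cc", "3C:22:FB:44:55:66"} {
		if product, ok := MatchVMOUI(mac); ok {
			fmt.Printf("%s -> would be treated as a virtual machine (%s)\n", mac, product)
		} else {
			fmt.Printf("%s -> not in Table 1\n", mac)
		}
	}
}
```

A sandbox whose adapter matches can be given a locally administered MAC outside these ranges; the point of the check above is only to tell you in advance whether that is necessary for this family.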
After verifying that the victim machine is not running in a virtual machine, HavanaCrypt downloads a file named "2.txt" from 20[.]227[.]128[.]33, a Microsoft web hosting service IP address, and saves it as a batch (.bat) file with a file name containing between 20 and 25 random characters.

Figure 13. The details of the Microsoft web hosting service IP address

(Image source: AbuseIPDB)
It then proceeds to execute the batch file using cmd.exe with a "/c start" parameter. The batch file contains commands that are used to configure Windows Defender scan preferences to allow any detected threat in the "%Windows%" and "%User%" directories.

Figure 14. The function that contains the downloading and execution of the batch file

Figure 15. The Base64-encoded 2.txt file as seen on the Microsoft web hosting service IP address

Figure 16. The decoded batch file downloaded from the Microsoft web hosting service IP address

HavanaCrypt also terminates certain processes that are found running on the machine:

agntsvc
axlbridge
ccevtmgr
ccsetmgr
contoso1
culserver
culture
dbeng50
dbeng8
dbsnmp
dbsrv12
defwatch
encsvc
excel
fdlauncher
firefoxconfig
httpd
infopath
isqlplussvc
msaccess
msdtc
msdtsrvr
msftesql
msmdsrv
mspub
mssql
mssqlserver
mydesktopqos
mydesktopservice
mysqld
mysqld-nt
mysqld-opt
ocautoupds
ocomm
ocssd
onenote
oracle
outlook
powerpnt
qbcfmonitorservice
qbdbmgr
qbidpservice
qbupdate
qbw32
quickboooks.fcs
ragui
rtvscan
savroam
sqbcoreservice
sqladhlp
sqlagent
sqlbrowser
sqlserv
sqlserveragent
sqlservr
sqlwriter
steam
supervise
synctime
tbirdconfig
thebat
thebat64
thunderbird
tomcat6
vds
visio
vmware-converter
vmware-usbarbitator64
winword
word
wordpad
wrapper
wxserver
wxserverview
xfssvccon
zhudongfangyu
zhundongfangyu

Figure 17. The processes that HavanaCrypt terminates

It should be noted that this list includes processes that are part of database-related applications, such as Microsoft SQL Server and MySQL. Desktop apps such as Microsoft Office and Steam are also terminated.
After it terminates all related processes, HavanaCrypt queries all available disk drives and proceeds to delete the shadow copies and resize the maximum amount of storage space to 401 MB.

Figure 18. HavanaCrypt deleting shadow copies and resizing the maximum storage space of available drives to 401 MB

It also checks for system restore instances via Windows Management Instrumentation (WMI) and proceeds to delete them by using the SRRemoveRestorePoint function.

Figure 19. HavanaCrypt deleting system restore instances via WMI

It then drops copies of itself in the %ProgramData% and %StartUp% folders in the form of executable (.exe) files with different file names containing between 10 and 15 random characters. Their attributes are then set to "Hidden" and "System File."

Figure 20. HavanaCrypt dropping copies of itself in the %ProgramData% and %StartUp% folders

Figure 21. HavanaCrypt setting the dropped files as "Hidden" and "System File"

HavanaCrypt also drops a file named "vallo.bat" onto %User Startup%, which contains functions that can disable the Task Manager.

Figure 22. HavanaCrypt dropping vallo.bat onto %User Startup%

Figure 23. The contents of vallo.bat

HavanaCrypt uses the QueueUserWorkItem function to implement thread pooling for its other payloads and encryption threads. This function is used to execute a task when a thread pool thread becomes available.

Figure 24. The QueueUserWorkItem function as it is used by HavanaCrypt

It also uses the DebuggerStepThrough attribute, which causes the debugger to step through the code instead of stepping into it. This attribute must be removed before one can analyze the function inside.

Figure 25. The DebuggerStepThrough attribute as it is used by HavanaCrypt

Before it proceeds with its encryption routine, HavanaCrypt gathers certain pieces of information and sends them to its C&C server, 20[.]227[.]128[.]33/index.php. These are the unique identifier (UID) and the token and date.
UID
The UID contains the machine's system fingerprint. HavanaCrypt gathers pieces of machine information and combines them, by appending one to another, before converting the information into its SHA-256 hash in the format:
[{Number of Cores}{ProcessorID}{Name}{SocketDesignation}] BIOS Data [{Manufacturer}{BIOS Name}{Version}] Baseboard Data [{Name}]

Figure 26. The function used by HavanaCrypt to gather machine information

Figure 27. HavanaCrypt converting its gathered machine information into a SHA-256 hash

The pieces of machine information that HavanaCrypt gathers include:

The number of processor cores
The processor ID
The processor name
The socket designation
The motherboard manufacturer
The motherboard name
The BIOS version
The product number
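Because the UID is a plain SHA-256 over a fixed concatenation, an incident responder who can read a host's hardware details can recompute it and match it against the UID seen in captured POST requests to index.php, which is one way to attribute C&C traffic to a specific machine. The Go program below is an added example, not code from HavanaCrypt or from this post; the struct and field names are ours, the sample values are constructed, and the post does not say which WMI class each placeholder is read from or whether the digest is rendered in lower-case hex, so both are assumptions here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HostInfo groups the fields the post lists as inputs to the UID. The struct
// and field names are ours; the post does not say which WMI class each value
// is read from, so that part is not modelled.
type HostInfo struct {
	Cores             int
	ProcessorID       string
	ProcessorName     string
	SocketDesignation string
	Manufacturer      string
	BIOSName          string
	BIOSVersion       string
	BaseboardName     string
}

// SampleHost returns constructed values, not data from any real machine.
func SampleHost() HostInfo {
	return HostInfo{
		Cores:             8,
		ProcessorID:       "BFEBFBFF000906EA",
		ProcessorName:     "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
		SocketDesignation: "U3E1",
		Manufacturer:      "EXAMPLE-OEM",
		BIOSName:          "EXAMPLE BIOS",
		BIOSVersion:       "1.0.0",
		BaseboardName:     "Base Board",
	}
}

// FingerprintString concatenates the fields in the layout quoted in the post:
// [{Number of Cores}{ProcessorID}{Name}{SocketDesignation}] BIOS Data [{Manufacturer}{BIOS Name}{Version}] Baseboard Data [{Name}]
// Note that the values are appended with no separator between them.
func FingerprintString(h HostInfo) string {
	return fmt.Sprintf("[%d%s%s%s] BIOS Data [%s%s%s] Baseboard Data [%s]",
		h.Cores, h.ProcessorID, h.ProcessorName, h.SocketDesignation,
		h.Manufacturer, h.BIOSName, h.BIOSVersion, h.BaseboardName)
}

// UID hashes the fingerprint string with SHA-256. Lower-case hex output is an
// assumption; the post shows only that the value is a SHA-256 digest.
func UID(h HostInfo) string {
	sum := sha256.Sum256([]byte(FingerprintString(h)))
	return hex.EncodeToString(sum[:])
}

func main() {
	h := SampleHost()
	fmt.Println(FingerprintString(h))
	fmt.Println(UID(h))
}
```

Because the fields are concatenated without separators, two hosts whose field values differ only in where one value ends and the next begins would collide; that is a property of the malware's format, not something the responder needs to care about beyond reproducing it exactly.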

Token and date
HavanaCrypt replaces the string "index.php" with "ham.php" to send a GET request to its C&C server (hxxp[:]//20[.]227[.]128[.]33/ham.php) using "Havana/1.0" as the user agent.

Figure 28. The function used by HavanaCrypt to send a GET request to its C&C server

Figure 29. The response from 20[.]227[.]128[.]33/ham.php that we obtained via Fiddler, a web application debugging tool

HavanaCrypt decodes the response from ham.php from Base64 and decrypts it with the AES decryption algorithm using these parameters:

Aes.key: d8045c7174c2649e96e68a01a5d77f7dec4846ebebb7ed04fa8b1325c14d84b0 (SHA-256 of "HOLAKiiaa##~~@#!2100")
Aes.IV: 16 bytes of 0x00

HavanaCrypt then stores the output in two different arrays with "-" as their delimiter. The first array is used as the token, while the second is used as the date.

Figure 30. The initialization of the parameters used by HavanaCrypt in AES decryption

Figure 31. Decryption by HavanaCrypt via AES

Using CyberChef, a web app that provides operations such as encoding and encryption, we replicated HavanaCrypt's decryption routine using the response from 20[.]227[.]128[.]33/ham.php:

Output: d388ed2139d0703b7c2a810b09e513652eb9402c92304addd34679e21a826537-1655449622
Token: d388ed2139d0703b7c2a810b09e513652eb9402c92304addd34679e21a826537
Date: 1655449622

Figure 32. Our replication of HavanaCrypt's decryption routine using the CyberChef app
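The same replication can be scripted so that captured ham.php responses from a packet capture or proxy log can be decoded in bulk during an investigation. The Go program below is an added example written for this post, not HavanaCrypt's code: it derives the key as SHA-256 of the passphrase the post reports, uses the all-zero IV, Base64-decodes the body, decrypts it, and splits the plaintext on "-" into token and date. CBC mode with PKCS#7 padding is an assumption (it is the default for the .NET Aes class; the post names only the key and IV). The real server response is not reproduced; EncryptResponse exists only so that main can construct an offline sample with the same token-date layout as the Figure 32 output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Passphrase reported in the post; the AES key is its SHA-256 digest.
const havanaPassphrase = "HOLAKiiaa##~~@#!2100"

// zeroIV is the 16 bytes of 0x00 the post reports as the IV.
var zeroIV = make([]byte, aes.BlockSize)

// DeriveKey returns SHA-256(passphrase) as a 32-byte AES-256 key.
func DeriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// DecryptResponse reverses the routine described in the post. CBC/PKCS#7 is an
// assumption (the .NET default); the post specifies only the key and the IV.
func DecryptResponse(b64, passphrase string) (token, date string, err error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", "", errors.New("ciphertext length is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(DeriveKey(passphrase))
	if err != nil {
		return "", "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	if pt, err = unpadPKCS7(pt); err != nil {
		return "", "", err
	}
	// The post: first array is the token, the second is the date, "-" delimited.
	parts := strings.SplitN(string(pt), "-", 2)
	if len(parts) != 2 {
		return "", "", errors.New("plaintext does not contain the \"-\" delimiter")
	}
	return parts[0], parts[1], nil
}

// unpadPKCS7 strips and validates PKCS#7 padding.
func unpadPKCS7(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptResponse is the inverse transform, used only to construct an offline
// sample for demonstration; it does not reproduce the real server's output.
func EncryptResponse(plaintext, passphrase string) string {
	block, _ := aes.NewCipher(DeriveKey(passphrase))
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	// Printing the derived key lets you compare it with the Aes.key value in the post.
	fmt.Println("derived key:", hex.EncodeToString(DeriveKey(havanaPassphrase)))
	// Constructed sample in the same token-date layout as the Figure 32 output.
	sample := EncryptResponse("d388ed2139d0703b7c2a810b09e513652eb9402c92304addd34679e21a826537-1655449622", havanaPassphrase)
	token, date, err := DecryptResponse(sample, havanaPassphrase)
	fmt.Println("token:", token, "date:", date, "err:", err)
}
```

The padding and length checks matter in practice: a truncated capture or an HTML error page served in place of the real response will fail cleanly instead of producing a garbage token that looks plausible.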

After gathering all the required machine information, HavanaCrypt sends it via a POST request to hxxp://20[.]227[.]128[.]33/index.php using "Havana/1.0" as the user agent.

Figure 33. HavanaCrypt's POST request to hxxp[:]20[.]227[.]128[.]33/index[.]php that we obtained using Fiddler

If the request is successful, HavanaCrypt receives a response that contains the encryption key, the secret key, and other details.

Figure 34. The response from hxxp[:]20[.]227[.]128[.]33/index[.]php that we obtained using Fiddler

HavanaCrypt checks whether hava.data is already present in "%AppDataLocal%/Google/Google Software Update/1.0.0.0". If it does not find the file, it drops the hava.data file, which contains the RSA key generated by HavanaCrypt using the RSACryptoServiceProvider function.

Figure 35. The contents of hava.data that we obtained using HIEW, a console hex editor

Figure 36. HavanaCrypt's generation of an RSA key using the RSACryptoServiceProvider function

We have observed that HavanaCrypt uses KeePass Password Safe modules during its encryption routine. In particular, it uses the CryptoRandom function to generate the random keys needed for encryption. The similarity between the function used by HavanaCrypt and the KeePass Password Safe module from GitHub is evident.

Figure 37. The functions used by HavanaCrypt in generating random bytes

Figure 38. A snippet of KeePass Password Safe's code from GitHub

HavanaCrypt encrypts files and appends ".Havana" as a file name extension.

Figure 39. HavanaCrypt's encryption routine

It avoids encrypting files with certain extensions, including files that already have the appended ".Havana" extension.

Figure 40. The function used by HavanaCrypt to avoid certain file name extensions

Figure 41. The file name extensions of files that HavanaCrypt avoids encrypting

HavanaCrypt also avoids encrypting files found in certain directories.

Figure 42. The directories in which HavanaCrypt avoids encrypting files

Figure 43. The function used by HavanaCrypt to avoid certain directories

Figure 44. Some files encrypted by HavanaCrypt

During encryption, HavanaCrypt creates a text file called "foo.txt", which logs all the directories containing the encrypted files.

Figure 45. The foo.txt text file that contains logs of directories that contain encrypted files

The HavanaCrypt ransomware's disguising itself as a Google Software Update application is meant to trick potential victims into executing the malicious binary. The malware also implements many anti-virtualization techniques by checking for processes, files, and services related to virtual machine applications.
It is unusual for ransomware to use a C&C server that is part of Microsoft web hosting services, which is probably used as a web hosting service to avoid detection. Apart from its unusual C&C server, HavanaCrypt also uses KeePass Password Safe's legitimate modules during its encryption phase.
It is highly possible that the ransomware's author is planning to communicate via the Tor browser, because Tor's directory is among the directories in which it avoids encrypting files. It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase. However, it is important to detect and block it before it evolves further and does even more damage.
Organizations and users can benefit from having the following multilayered defense solutions that can detect ransomware threats before operators can launch their attacks:

Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

 
With additional insights by Nathaniel Gregory Ragasa

Files

SHA-256                                                            Detection name                    Description
b37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87   Ransom.MSIL.HAVANACRYPT.THFACBB   Obfuscated HAVANACRYPT ransomware
bf58fe4f2c96061b8b01e0f077e0e891871ff22cf2bc4972adfa51b098abb8e0   Ransom.MSIL.HAVANACRYPT.THFACBB   Deobfuscated HAVANACRYPT ransomware
aa75211344aa7f86d7d0fad87868e36b33db1c46958b5aa8f26abefbad30ba17   Ransom.MSIL.HAVANACRYPT.THFBABB   Deobfuscated HAVANACRYPT ransomware

URLs

http://20[.]227[.]128[.]33/2.txt
http://20[.]227[.]128[.]33/index.php
http://20[.]227[.]128[.]33/ham.php
