Saturday, 7 May 2016

Posted at 02:27 by admin
The Bucbi ransomware family, which dates back to early 2014, has received a significant update. In a recently observed attack, we also noted new tactics used to infect systems. The malware has historically been delivered via an HTTP download, most likely via an exploit kit or phishing email. However, in recent weeks, Palo Alto Networks researchers have observed attackers brute-forcing RDP accounts on Internet-facing Windows servers to deliver their malware. Additionally, the malware itself has been modified to no longer require an Internet connection.

Recent ransom notes left on infected systems identify the malware as belonging to the “Ukrainian Right Sector,” a far-right Ukrainian nationalist political party with paramilitary operations that opposes Russia but operates outside of the Ukrainian government’s authority. However, there are a number of Russian identifiers in the recent attacks. Consequently, it is unclear whether the claims of responsibility by the “Ukrainian Right Sector” are accurate and, if so, what the reason behind and the significance of the Russian identifiers are.

Unlike many other ransomware families, this particular variant of Bucbi was delivered via an RDP brute force attack. The following five IP addresses were observed attacking the victim machine starting in late March 2016:
Many common usernames were used in attempted logins in this brute force attack, including a number of point of sale (PoS) specific usernames. It is likely that this attack originally began with the attackers seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions. A truncated list of the usernames used in attempted logins can be found below.
Администратор [‘Administrator’ in Russian]
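The brute-force activity described above shows up on the target as a burst of failed RDP logons from one source across many account names. The following detection logic is an added example written for this write-up, not code from Palo Alto Networks or the original post; the log lines are constructed and simplified (Windows Security event 4625 with Logon Type 10, which is RemoteInteractive/RDP), and the addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Windows Security records (one per line). EventID 4625 is a
# failed logon; LogonType 10 is RemoteInteractive, i.e. RDP. Addresses are made up.
SAMPLE_LOG = """\
2016-03-28T01:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.5
2016-03-28T01:00:02 EventID=4625 LogonType=10 Account=pos Source=203.0.113.5
2016-03-28T01:00:03 EventID=4625 LogonType=10 Account=posuser Source=203.0.113.5
2016-03-28T01:00:04 EventID=4625 LogonType=10 Account=Администратор Source=203.0.113.5
2016-03-28T01:00:05 EventID=4625 LogonType=10 Account=admin Source=203.0.113.5
2016-03-28T01:00:06 EventID=4625 LogonType=10 Account=aloha Source=203.0.113.5
2016-03-28T09:15:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.7
2016-03-28T09:15:30 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.7
2016-03-28T09:16:00 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.7
2016-03-28T02:30:00 EventID=4625 LogonType=3 Account=backup Source=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed record; silently skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
            yield rec

def rdp_bruteforce_sources(log_text, window=timedelta(minutes=10),
                           min_failures=5, min_accounts=3):
    """Return {source_ip: sorted account names tried} for every source that produced at
    least min_failures failed RDP logons spanning at least min_accounts distinct
    accounts within any window-long span. A single user mistyping a password repeatedly
    (one account, few failures) is deliberately not flagged."""
    by_src = defaultdict(list)
    for rec in parse(log_text):
        if rec["eid"] == "4625" and rec["lt"] == "10":
            by_src[rec["src"]].append((rec["ts"], rec["acct"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            span = [acct for ts, acct in events[i:] if ts - start <= window]
            if len(span) >= min_failures and len(set(span)) >= min_accounts:
                hits[src] = sorted({acct for _, acct in events})
                break
    return hits
```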

Once the attackers successfully compromised this specific machine, they dropped an executable file that contains the following PDB string:

C:\inetpub\restartprm\Present\Перед запуском софта\dotNetFx45_Full_setup.exe
The Russian string above roughly translates to ‘Before running software’. Researching the filename above leads us to a number of Russian language forums that are discussing an RDP brute force utility named ‘RDP Brute (Coded by z668)’. While not confirmed, there is a possibility that this tool was used to gain access to the victim machine originally. A screenshot of this utility can be found below:

The following sample was discovered on an attempted breach in early April 2016:
MD5: 410E395600C291C59D8C9B93FA82A7F3
SHA1: 2E385E8B8CEB01C9E638F8A95889B571D31AEF41
SHA256: 26F2BF1FC3EE321D48DCE649FAE9951220F0F640C69D5433850B469115C144FE
Timestamp: 2016-04-02 16:40:13 UTC
This particular sample is configured to take one of the following two command-line (CLI) arguments. Should no argument be provided, it will attempt to start a service it expects to exist, named ‘FileService’.
When provided a CLI argument of ‘/install’, the malware will proceed to create a service with the following properties.
Service Name: FileService
Display Name: File Service
Startup: Auto
Path: [path of malware]
After the service has been successfully created, the malware outputs a printf statement of ‘Installation OK’.

When given a CLI argument of ‘/uninstall’, the malware will remove the previously created service and output a printf statement of ‘Uninstallation OK’.
When the service is run, the malware will generate a number of debugging statements that are written to a randomly named file with an extension of ‘.log’ in the %ALLUSERSPROFILE% directory. An example of this log file is below.

The malware begins by seeking out a file in the victim’s %ALLUSERSPROFILE% directory. The filename is generated by a unique algorithm that combines the victim’s volume serial number with two supplied 4-byte seeds to produce a unique 8-byte sequence. A search/replace is then performed on this sequence to convert it into an alphabetic string. This function is represented below.

The algorithm above makes use of the GOST block cipher to generate a unique filename. GOST is fairly obscure, as it was developed in the 1970s by the Soviet government. It was declassified to the public in 1994. This particular technique for generating a unique filename looks to be specific to Bucbi, as no other malware families have been discovered using it.

The algorithm is used to determine if a key file is present on the victim. If this particular file is not present, the malware proceeds to generate one. Two files are created—one 580 bytes in size, and one 1060 bytes in size. Both files begin with a DWORD of 0x60000, as shown in the screenshot below.

The cryptography used by Bucbi is still being researched by Palo Alto Networks. After the key files are generated, the malware will spawn a new thread that is responsible for encrypting network resources.

A call to WNetOpenEnum is made to enumerate all network disk resources available. Should a network disk be identified, the encryption routine will be run against this resource. The malware will ignore the following directories, but otherwise will encrypt every file it encounters.

The absence of any file type blacklist makes this particular malware very inefficient: encryption often takes several minutes to complete.

Files are overwritten, leaving them with the same filename that was originally present. Unlike other more popular ransomware families, Bucbi does not use a specific file extension for files that are encrypted.

It’s also important to note that the key files that were originally created are not removed. Additionally, the malware includes a decryption routine, which, while never called by the malware, exists and can be used with a simple binary modification to the sample. This would allow victims to recover their files without resorting to paying the ransom.
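Because the key files are left behind, a responder triaging an infected host wants to locate them before anything is cleaned up. The scanner below is an added example for this post, not code from Palo Alto Networks, that walks a directory (normally %ALLUSERSPROFILE%) for files matching the described artifacts: the 580- and 1060-byte key files whose first DWORD is 0x60000, plus the randomly named ‘.log’ debug file. It assumes the DWORD is stored little-endian, which the write-up does not state, and builds its own constructed sample directory.

```python
import os
import struct
import tempfile

# Sizes and leading DWORD of the two Bucbi key files as described in the write-up.
# Little-endian byte order for the DWORD is an assumption, not confirmed by the post.
KEY_FILE_SIZES = {580, 1060}
KEY_FILE_MAGIC = struct.pack("<I", 0x60000)

def classify(path):
    """Return 'keyfile', 'logfile' or None for a single file path."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    if size in KEY_FILE_SIZES and head == KEY_FILE_MAGIC:
        return "keyfile"
    if path.lower().endswith(".log"):
        return "logfile"
    return None

def scan_profile_dir(directory):
    """Return {'keyfile': [...], 'logfile': [...]} for the top level of `directory`.
    Nothing is deleted: the key files are exactly what a victim must preserve if the
    dormant decryption routine is ever to be used for recovery."""
    found = {"keyfile": [], "logfile": []}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            kind = classify(path)
            if kind:
                found[kind].append(path)
    for paths in found.values():
        paths.sort()
    return found

def make_constructed_sample_dir():
    """Build a temporary directory of constructed files mimicking the artifacts."""
    d = tempfile.mkdtemp(prefix="bucbi_demo_")
    with open(os.path.join(d, "a"), "wb") as fh:        # 580-byte key file
        fh.write(KEY_FILE_MAGIC + b"\x00" * 576)
    with open(os.path.join(d, "b"), "wb") as fh:        # 1060-byte key file
        fh.write(KEY_FILE_MAGIC + b"\x00" * 1056)
    with open(os.path.join(d, "c"), "wb") as fh:        # right size, wrong header
        fh.write(b"\xff" * 580)
    with open(os.path.join(d, "qzkx.log"), "w") as fh:  # randomly named debug log
        fh.write("constructed log line\n")
    return d
```

Run `scan_profile_dir(make_constructed_sample_dir())` to see the two key files and the log file reported while the decoy with the wrong header is ignored.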

