New Ransomware Installed using Fake Windows Update Screen Found in Korea (*.rezm Extension)

On March 2, 2020, ASEC analysis team discovered a new ransomware that gets installed using Windows update screen. This ransomware uses the same packer as ransomware goes by the name of Bluecrab, Nemty, or Paradise for distribution, and the extension .rezm is added to the encrypted file.

Fake Windows update screen

Upon running the file, Fake Windows update file is downloaded and run from the addresses below. Then, a screen that pretends as Windows update screen pops up. When this happens, a ransomware is run and it starts infecting the user’s PC files.

  • http[:]//mopg.top/files/penelop/updatewin1.exe
  • http[:]//mopg.top/Asjdi435784ihjk65pen2/get.php?pid=????생략????&first=true
  • http[:]//mopg.top/files/penelop/updatewin2.exe
  • http[:]//mopg.top/files/penelop/updatewin.exe
  • http[:]//mopg.top/files/penelop/3.exe
  • http[:]//mopg.top/files/penelop/4.exe
  • http[:]//mopg.top/files/penelop/5.exe
  • http[:]//paunsaugunt.com/517
  • http[:]//paunsaugunt.com/freebl3.dll
  • http[:]//paunsaugunt.com/mozglue.dll
  • http[:]//paunsaugunt.com/msvcp140.dll
  • http[:]//paunsaugunt.com/nss3.dll
  • http[:]//paunsaugunt.com/softokn3.dll
  • http[:]//paunsaugunt.com/vcruntime140.dll

The figure below shows a ransom note that is created under the name of _readme.txt.

 Ransom note

Upon running the malware, RAPIT, the analysis team’s automatic analysis system, shows the process execution flow as below:

Process execution flow

Externally downloaded files are created in the filepaths below, they perform features of granting the permission to the folder so that it does not get deleted. (Folder name is assumed to be variable for each user)

  • C:\Users\%UserAccount%\AppData\Local\0fee4dc7-4518-478c-8290-735cf669e86f\updatewin2.exe
  • C:\Users\%UserAccount%\AppData\Local\0fee4dc7-4518-478c-8290-735cf669e86f\updatewin1.exe
  • C:\Users\%UserAccount%\AppData\Local\0fee4dc7-4518-478c-8290-735cf669e86f\updatewin.exe

Granting access permission to malware creation folder

  • icacls “C:\Users\%UserAccount%\AppData\Local\5a62d912-778b-4591-873d-4c9826534ff8” /deny *S-1-1-0:(OI)(CI)(DE,DC)

For more information, see the article below.

Users must take extra caution when opening a suspicious email or an attachment file and refrain from accessing untrusted websites.

AhnLab’s V3 products detect the ransomware under the following aliases: 

[File Detection]

  • Malware/Win32.Generic (2020.03.02.01)

[Behavior Detection]

  • Malware/MDP.Ransom.M1171
0 0 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments