When the .js file is run, the process execution flow is as shown below; it indicates that the ransomware abuses a normal Windows system process as its host. The change from explorer.exe to notepad.exe was presumably made to bypass detection by AV products. A bypass technique targeting a specific AV program was also found within the script code.
(Past) wscript.exe -> powershell.exe -> explorer.exe (ransomware behavior)
(Present) wscript.exe -> powershell.exe -> notepad.exe (ransomware behavior) – After November 1
Figure 1. Phishing download page displayed on the top of Google search screen
Figure 2. .zip file downloaded from the link
Figure 6. Part of the malicious DLL code loaded into powershell.exe and executed
Figure 7. Code checking whether V3 Lite is installed, in order to bypass detection
Figure 8. Code that repeatedly creates the UAC notification pop-up, up to 100 times, to achieve privilege escalation
If privilege is escalated by the user clicking ‘Yes’ on the UAC notification pop-up, the malware injects and runs the BlueCrab ransomware by executing notepad.exe, as shown in Figure 9. It selects the notepad.exe path according to the OS, as shown in the code in Figure 10. Figure 11 shows the code that injects the BlueCrab ransomware into notepad.exe. Once the ransomware is injected, notepad.exe itself performs the ransomware behavior.
Figure 9. BlueCrab ransomware injected to notepad.exe
Figure 10. Code that finds path of notepad per OS
Figure 11. Code that injects BlueCrab to notepad.exe
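The parent/child chains listed above (wscript.exe -> powershell.exe -> explorer.exe in the older variant, wscript.exe -> powershell.exe -> notepad.exe after November 1) are the most reliable behavioral signal a defender has, because the final process is a legitimate signed binary that would not itself trigger a file-based signature. The following is an added example, not code from the original post or from AhnLab, that walks process-creation records and flags any process whose three-level ancestry matches script host -> PowerShell -> injection host. The records are constructed here in a Sysmon-style (pid, ppid, image) shape; the field names and the `SAMPLE_EVENTS` values are assumptions for the example.

```python
import ntpath
from collections import namedtuple

# Minimal process-creation record, modelled on Sysmon Event ID 1 fields (assumed shape).
ProcEvent = namedtuple("ProcEvent", "pid ppid image")

# Image names involved in the chain described in the post.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe"}
INJECTION_HOSTS = {"explorer.exe", "notepad.exe"}  # both the old and the new host process

# Constructed sample log (not captured from a real infection).
SAMPLE_EVENTS = [
    ProcEvent(4000, 800, r"C:\Windows\explorer.exe"),                                        # user shell
    ProcEvent(4100, 4000, r"C:\Windows\System32\wscript.exe"),                               # .js opened from the zip
    ProcEvent(4200, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),    # downloader stage
    ProcEvent(4300, 4200, r"C:\Windows\System32\notepad.exe"),                               # injected host (new variant)
    ProcEvent(5000, 4000, r"C:\Windows\System32\notepad.exe"),                               # benign: user-launched Notepad
    ProcEvent(5100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),    # benign: admin console
    ProcEvent(5200, 5100, r"C:\Windows\explorer.exe"),                                       # benign: explorer from a console
    ProcEvent(6100, 4000, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(6200, 6100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(6300, 6200, r"C:\Windows\explorer.exe"),                                       # injected host (old variant)
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def build_index(events):
    """Map pid -> event so ancestry can be walked without re-scanning the log."""
    return {e.pid: e for e in events}


def ancestry(index, pid, max_depth=8):
    """Return image basenames starting at pid and walking up through its parents.

    Stops at an unknown parent, at a pid cycle (possible after pid reuse), or at max_depth.
    """
    chain = []
    seen = set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ev = index[pid]
        chain.append(basename(ev.image))
        pid = ev.ppid
    return chain


def find_suspicious_chains(events):
    """Return (pid, 'grandparent -> parent -> child') for every process whose
    ancestry matches script host -> PowerShell -> injection host."""
    index = build_index(events)
    hits = []
    for ev in events:
        chain = ancestry(index, ev.pid)
        if (len(chain) >= 3
                and chain[0] in INJECTION_HOSTS
                and chain[1] in INTERPRETERS
                and chain[2] in SCRIPT_HOSTS):
            hits.append((ev.pid, " -> ".join(reversed(chain[:3]))))
    return hits


if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

The benign records are there on purpose: a user opening Notepad from the desktop, or an administrator launching explorer.exe from a PowerShell console, must not match, because the rule keys on the full three-level chain rather than on any single parent/child pair. In a real deployment the same logic maps directly onto a Sysmon or EDR query on ParentImage/Image, and a hit on notepad.exe under that chain should be treated as a probable injected host rather than a text editor.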
AhnLab V3 blocks the following malware through behavioral and generic detection at various stages of the infection.
– JS/BlueCrab.S12 (2019.11.05.00)