While monitoring the distribution process of GandCrab ransomware in Korea, AhnLab ASEC has detected the feature that prompts to uninstall V3 Lite from the distribution script; it only targets V3 Lite.
Figure 1 – Obfuscated script code
Figure 2 – Unobfuscated script code
|Execution Technique of GandCrab ransomware|
|1. Create and run internally encoded GandCrab executable in user system 2. Use powershell script to download and run GandCrab|
Also, the distribution script had an additional feature prompting the uninstall of V3 software. The script prompts deactivation of Windows Defender and removal of V3 via code before executing ransomware. It creates and runs ‘tmtvgcslpw.js’ with the described feature to trigger V3 removal.
Distribution script is being distributed with disguised name of a normal document or program as shown in Table 2. Therefore, users must take extra caution when running an attached document file.
|Filename of distribution script in disguise|
|윈도우_10_스토어_오류.js (translation: Windows_10_store_error.js) 무료_ppt_템플릿.js (translation: Free_ppt_template.js) 러브홀릭스_butterfly.js (translation: Loveholics_butterfly.js) 오토캐드_2014_키젠.js (translation: AutoCAD_2014_keygen.js) npdf_64_bit.js|
AhnLab V3 is detecting script file and ransomware under the following aliases: V3 can perform behavior-block on the operation of downloaded GandCrab ransomware as well as fileless malware using powershell.
|Distributed JS file||File Detection||JS/Gandcrab, JS/GandCrab.S1|
|Ransomware Executable||File Detection||Trojan/Win32.Gandcrab (2018.07.05.05)|
|Ransomware Executable||Behavior Detection||Malware/MDP.Ransom.M1171|
|Powershell Script||Behavior Detection||Malware/MDP.Ransom.M1947|
– Update (2018.08.30)
The “오토캐드_2014_키젠.js” (translation: AutoCAD_2014_keygen.js) file as of August 30 was discovered with download feature via powershell removed, as shown in the script code below. There is only a feature creating and running encoded GandCrab inside, and the V3 uninstall feature remains as is.
Figure 4. Variant as of August 30 with powershell removed