The ASEC analysis team has recently shared information about the distribution of Makop ransomware disguised as job applications. This week, the team confirmed that the ransomware is being distributed via e-mails that contain materials related to copyright violation. Unlike the last time, the compressed file is attached with the .dat extension instead of .zip and to avoid the e-mail attachment scan, the date the mail was distributed was used as a password.
Inside the attached file, there is a file compressed with Alzip which contains three files as shown below.
Among them, the image named original.jpg file is a normal executable file, and the other two are the same ransomware. The files have disguised themselves as CCleaner Installer as shown below.
When the ransomware file is run, it deletes the volume shadow copy and proceeds with the encryption using the commands shown below.
| vssadmin delete shadows /all /quiet wbadmin delete catalog -quiet wmic shadowcopy delete |
Also, to encrypt currently running files such as documents, the malware terminates processes that match names shown below among the running processes.
| msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsrvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe |
The folders, files, and extensions which are not encrypted are as follows. usagoo and pecunia extension were added to the existing ransomware list.
| boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini |
| Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc, KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, usagoo, pecunia, exe, dll |
For the encrypted files, the extension of .[random 8 characters].[pecunia0318@airmail.cc].pecunia is added, and a ransom note with the readme-warning.txt filename is created in the encrypted folder.
This ransomware has been continually distributed as fake job applications and materials related to copyright violation. As such, users must proceed with extreme caution when approaching related materials. Also, it is required to refrain from opening files attached to an e-mail sent by an unknown user.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the aliases below.
[File Detection]
Ransomware/Win.MakopRansom.C4439397
[Behavior Detection]
Malware/MDP.Behavior.M3635
[IOC Info]
237d76f961f8f550c4c4bbfab30153a6
Categories:Malware Information
[…] Makop Ransomware Distributed As Copyright Violation Related Materials […]
[…] characteristics to another campaign from February 2022 that also delivered LockBit ransomware. A Makop campaign also used the theme in May 2021. Common trends include the use of compressed files with […]