GlobeImposter Ransomware Being Distributed in Korea

The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed.

This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL,’ and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics.

This ransomware decodes the internal data through the logic of Figure 1 into the DLL file shown in Figure 2 which performs the actual ransomware behavior.

Figure 1. Decoding logic
Figure 2. Decoded DLL file

Afterward, the decoded DLL file's method is invoked through a delegate.

Figure 3. Calling decoded DLL file

This DLL file creates an aspnet_compiler.exe process and runs the ransomware inside it through process hollowing. As shown below, to prevent file recovery the ransomware deletes the volume shadow copies and stops the database services, as one would expect from a ransomware that targets vulnerable database servers.

  • C:\Windows\system32\cmd.exe /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
Figure 4. RAPIT process tree
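The command line in the process tree above is a compact detection opportunity: a single cmd.exe invocation that both deletes shadow copies and stops or disables every database service it can name. The following script is an added example (not code from ASEC or the malware) that scores process-creation command lines, such as those recorded by an EDR or Sysmon Event ID 1, against that pattern. The service list is taken from the process tree above; the sample command lines are constructed for the example.

```python
import re

# Database- and backup-related service names from the process tree above,
# lower-cased for comparison.
DB_SERVICES = {
    "mongodb", "sqlwriter", "mssqlserverolapservice", "mssqlserver",
    "mssql$sqlexpress", "reportserver", "oracleserviceorcl",
    "oracledbconsoleorcl", "oraclemtsrecoveryservice",
    "oraclevsswriterorcl", "mysql",
}

SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
# "sc config <svc> start= disabled" is the documented form; the sample has no
# space after "=", so the pattern accepts both.
SC_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.IGNORECASE)


def analyze_command_line(cmdline):
    """Return a verdict for one process command line."""
    stopped = {m.lower() for m in SC_STOP.findall(cmdline)}
    disabled = {m.lower() for m in SC_DISABLE.findall(cmdline)}
    shadow_deleted = bool(SHADOW_DELETE.search(cmdline))
    vss_tampered = shadow_deleted or "vss" in stopped or "vss" in disabled
    db_hits = sorted((stopped | disabled) & DB_SERVICES)

    reasons = []
    if shadow_deleted:
        reasons.append("volume shadow copies deleted")
    if "vss" in stopped or "vss" in disabled:
        reasons.append("VSS service stopped or disabled")
    if db_hits:
        reasons.append("database services stopped or disabled: " + ", ".join(db_hits))

    # Shadow-copy tampering combined with database shutdown in one command
    # line is the behaviour described above; either alone still merits review.
    if vss_tampered and db_hits:
        severity = "high"
    elif vss_tampered or db_hits:
        severity = "medium"
    else:
        severity = "none"

    return {
        "severity": severity,
        "shadow_deleted": shadow_deleted,
        "stopped": sorted(stopped),
        "disabled": sorted(disabled),
        "db_services": db_hits,
        "reasons": reasons,
    }


# Constructed sample command lines: the first mirrors the process tree above,
# the other two are ordinary administrative use.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\cmd.exe /c @echo off sc config browser sc config browser start=enabled "
    r"vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled "
    r"sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled "
    r"sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled "
    r"sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled "
    r"sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled "
    r"sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled "
    r"sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled "
    r"sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled",
    r"C:\Windows\system32\sc.exe query MSSQLSERVER",
    r"C:\Windows\system32\vssadmin.exe list shadows",
]


def analyze_all(cmdlines=SAMPLE_COMMAND_LINES):
    return [analyze_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for result in analyze_all():
        print(result["severity"], "|", "; ".join(result["reasons"]) or "no findings")
```

The service list can be extended with whatever database engines are actually deployed; a hit on any one of them in the same command line as shadow-copy deletion is a strong enough signal to page on.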

Afterward, it checks the drive (See Figure 5) and infects all except the following folders, file names, and extensions to expand the area of infection.

Folder / File
windows
bootmgr
boot
PerfLogs
pagefile.sys
ids.txt
NTUSER.DAT
.dll
.lnk
.ini
.sys
Table 1. List of folders and files excluded from encryption
Figure 5. Checking the drive

Each file is encrypted with the file extension of [Original file name].Globeimposter-Alpha666qqz and after encryption, a ransom note titled HOW TO BACK YOUR FILES.txt is created.

Figure 6. Ransom note
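For incident responders, the two file-system artifacts above (the appended .Globeimposter-Alpha666qqz extension and the HOW TO BACK YOUR FILES.txt note) are enough to scope an infection on a share or server. The script below is an added example, not ASEC's code: it walks a directory tree, lists the encrypted files with their recovered original names, counts ransom notes, and reports which files were left alone. The `build_sample_tree` helper constructs a small tree in a temporary directory so the example runs offline.

```python
import os
import tempfile
from pathlib import Path

# Artifacts described above.
ENCRYPTED_SUFFIX = ".Globeimposter-Alpha666qqz"
RANSOM_NOTE = "HOW TO BACK YOUR FILES.txt"


def scan_tree(root):
    """Inventory ransomware artifacts under root. Returns a summary dict."""
    root = Path(root)
    encrypted, notes, untouched = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                # Original name is the part before the appended extension,
                # which is what a restore-from-backup list needs.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append({"path": rel, "original_name": original})
            else:
                untouched.append(rel)
    return {
        "encrypted": sorted(encrypted, key=lambda e: e["path"]),
        "ransom_notes": sorted(notes),
        "untouched": sorted(untouched),
        "affected_dirs": sorted({str(Path(e["path"]).parent) for e in encrypted}),
    }


def build_sample_tree(root):
    """Constructed sample: a tiny post-infection tree for the example."""
    root = Path(root)
    files = {
        "Data/report.docx" + ENCRYPTED_SUFFIX: b"ciphertext",
        "Data/backup.bak" + ENCRYPTED_SUFFIX: b"ciphertext",
        "Data/" + RANSOM_NOTE: b"note",
        "Users/admin/photo.jpg" + ENCRYPTED_SUFFIX: b"ciphertext",
        "Users/admin/" + RANSOM_NOTE: b"note",
        # Entries the exclusion list in Table 1 leaves alone.
        "Windows/system32/kernel32.dll": b"pe",
        "pagefile.sys": b"raw",
        "Users/admin/NTUSER.DAT": b"hive",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def demo():
    """Build the sample tree and scan it; returns the scan summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    summary = demo()
    print(len(summary["encrypted"]), "encrypted files in", summary["affected_dirs"])
    print(len(summary["ransom_notes"]), "ransom notes")
    print("untouched:", summary["untouched"])
```

Run against the real volume, the `original_name` field gives the restore list, `affected_dirs` shows how far the encryption loop got, and anything unexpected in `untouched` (files that should have been encrypted but were not) helps bound the time at which the process was stopped.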

Typical attacks that target database servers (MS-SQL and MySQL servers) include brute force and dictionary attacks against systems whose account credentials are poorly managed, and vulnerability attacks against systems that have not had security patches applied.

Administrators of MS-SQL servers should use passwords that are difficult to guess and change them periodically to protect the database server from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability attacks.
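Strong passwords raise the cost of the brute force and dictionary attacks mentioned above, but administrators also want to see them happening. SQL Server records each failed login in its error log, so the following added example (not ASEC's code) parses such lines and raises an alert when one client address accumulates a threshold of failures inside a sliding time window. The log lines are constructed for the example in the layout SQL Server uses for error 18456 entries; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Login failed" lines from the SQL Server error log; the preceding
# "Error: 18456" line carries no client address and is ignored.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample log: six failures from one client in a few seconds,
# one isolated failure from another.
SAMPLE_LOG = """
2022-10-05 09:12:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-10-05 09:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:01.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:02.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:03.77 Logon       Login failed for user 'sql'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:04.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-10-05 09:12:10.00 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
""".strip().splitlines()


def parse_failures(lines):
    """Yield (timestamp, user, client) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {client: alert} for clients exceeding threshold failures in the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> deque of (timestamp, user)
    alerts = {}
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append((ts, user))
        # Drop failures older than the window before counting.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[client] = {
                "first": q[0][0],
                "last": ts,
                "attempts": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for client, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(client, alert["attempts"], "failures", alert["first"], "->", alert["last"], alert["users"])
```

The `users` field distinguishes a dictionary attack spread across many account names from repeated guesses against a single account such as sa, and the `first`/`last` pair gives the block-list or firewall ticket its time range.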

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Ransomware/Win.GlobeImposter.R523882

[Behavior Detection]
– Injection/MDP.Event.M4455

[IOC]
MD5
– f21f99e976394bfcbd8b86be2bedce6e

Download
– hxxp://103.93.130[.]45:8080/Yoqjtgzrr.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
