It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through the suspicious-ransomware-behavior block history of AhnLab’s ASD infrastructure, and in October it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing emails or as an email attachment, but because it is ransomware-as-a-service, the distribution route and targets can vary according to the threat actor.
The DAGON file is packed; the 64-bit EXE binary unpacked into process memory is the core code. This code is very similar to that of the MountLocker and Quantum ransomware, which have been active since 2020: DAGON shares features with them and parts of the code are identical, so it can be regarded as a variant of the same family. A ‘Ver 5.1 x64’ string indicating the version was identified in the DAGON code. The following shows the major characteristics of DAGON and the screen a user sees after infection.
- Can limit or expand the scope of ransomware encryption with execution arguments and designate execution options
- Encrypts all files except certain paths and file extensions before changing them to filenames in the format of ‘*.dagoned’
- Uses ChaCha20 for file encryption and RSA-2048 to encrypt the ChaCha20 key
- Checks the list of Windows services and processes of the system and terminates them if they meet the conditions
- Saves user system info and the ransomware’s encryption history in a ‘.log’ file
- Does not delete the volume shadow copies
The DAGON 64-bit EXE binary (md5: 81a757ac559ae73229992d4b533338c3) is stored with all of its strings encrypted; the strings it needs are produced at runtime by a decoding routine. Windows API functions are called by loading the library at runtime, and the same decoding routine is applied to the library and function names. Looking at the Import header, only the functions required in the initial execution stage are imported.
Can limit or expand the scope of ransomware encryption with execution arguments and designate execution options
The GetCommandLineW function is used to read the execution arguments. If a valid argument is present, the scope of encryption is limited or expanded accordingly.
For example, the ‘/LOGIN=’ and ‘/PASSWORD=’ arguments carry credentials for accessing user resources on the network; when these are valid, DAGON can also encrypt other user systems on the network. Besides the scope of operation, arguments can also set execution environment options: ‘/NOKILL’, for example, disables the termination of Windows services and processes. When no arguments are given, user file encryption proceeds normally with the default options. The recently detected DAGON sample had no identified execution arguments and is believed to be run on its own.
Encrypts all files except certain paths and file extensions before changing the filenames to ‘*.dagoned’
By default, all files on all drives are encrypted. If no execution arguments are given, it iterates over drive letters A to Z, using the GetDriveTypeW function to skip network drives (DRIVE_REMOTE). 46 paths and 15 file extensions are exempt from encryption. After encryption, the ‘.dagoned’ extension is appended to the original filename (‘<Original filename>.dagoned’), and a ransom note named ‘README_TO_DECRYPT.html’ is created in the same path as the encrypted files.
Excluded file extensions (15):
exe, dll, sys, msi, mui, inf, cat, bat, cmd, ps1, vbs, ttf, fon, lnk, .386
Excluded paths (46):
"\\windows\\" "\\System Volume Information\\" "\\$RECYCLE.BIN\\" "\\SYSTEM.SAV" "\\WINNT" "\\$WINDOWS.~BT\\" "\\Windows.old\\" "\\PerfLog\\" "\\PerfLogs\\" "\\Program Files\\" "\\Program Files (x86)\\" "\\Boot" "\\ProgramData\\Microsoft\\" "\\ProgramData\\Packages\\" "\\EFI" "\\WindowsApps\\" "\\Microsoft\\Windows\\" "\\Local\\Packages\\" "\\Windows Defender" "\\microsoft shared\\" "\\Google\\Chrome\\" "\\Mozilla Firefox\\" "\\Mozilla\\Firefox\\" "\\Internet Explorer\\" "\\MicrosoftEdge\\" "\\Tor Browser\\" "\\AppData\\Local\\Temp\\" "\\AppData" "\\All Users" "\\Boot" "\\Google" "\\Mozilla" "\\autorun.inf" "\\boot.ini" "\\bootfont.bin" "\\bootsect.bak" "\\bootmgr" "\\bootmgr.efi" "\\bootmgfw.efi" "\\iconcache.db" "\\desktop.ini" "\\ntldr" "\\ntuser.dat" "\\ntuser.dat.log" "\\ntuser.ini" "\\thumbs.db"
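During incident response it helps to turn the two exclusion lists above into a triage helper: given a file listing from an affected host, it separates already-encrypted files and ransom notes from files the ransomware would have skipped and files that were in scope. The following is an added example written for this article, not code from the sample or from AhnLab; the exclusion lists are copied from the page, while the matching rule (case-insensitive substring match of each path fragment against the full path, extension compared after the last dot) is an assumption, since the page does not state how the malware compares them.

```python
import ntpath

# Exclusion lists as reported on the page (46 path fragments, 15 extensions).
EXCLUDED_PATH_FRAGMENTS = [
    "\\windows\\", "\\System Volume Information\\", "\\$RECYCLE.BIN\\", "\\SYSTEM.SAV",
    "\\WINNT", "\\$WINDOWS.~BT\\", "\\Windows.old\\", "\\PerfLog\\", "\\PerfLogs\\",
    "\\Program Files\\", "\\Program Files (x86)\\", "\\Boot", "\\ProgramData\\Microsoft\\",
    "\\ProgramData\\Packages\\", "\\EFI", "\\WindowsApps\\", "\\Microsoft\\Windows\\",
    "\\Local\\Packages\\", "\\Windows Defender", "\\microsoft shared\\", "\\Google\\Chrome\\",
    "\\Mozilla Firefox\\", "\\Mozilla\\Firefox\\", "\\Internet Explorer\\", "\\MicrosoftEdge\\",
    "\\Tor Browser\\", "\\AppData\\Local\\Temp\\", "\\AppData", "\\All Users", "\\Boot",
    "\\Google", "\\Mozilla", "\\autorun.inf", "\\boot.ini", "\\bootfont.bin", "\\bootsect.bak",
    "\\bootmgr", "\\bootmgr.efi", "\\bootmgfw.efi", "\\iconcache.db", "\\desktop.ini",
    "\\ntldr", "\\ntuser.dat", "\\ntuser.dat.log", "\\ntuser.ini", "\\thumbs.db",
]
EXCLUDED_EXTENSIONS = {"exe", "dll", "sys", "msi", "mui", "inf", "cat", "bat", "cmd",
                       "ps1", "vbs", "ttf", "fon", "lnk", "386"}
ENCRYPTED_SUFFIX = ".dagoned"             # extension appended to encrypted files
RANSOM_NOTE = "readme_to_decrypt.html"    # ransom note name, compared lower-case


def is_excluded(path):
    """True if the file would be skipped according to the page's exclusion lists.
    Assumption (not stated on the page): case-insensitive substring matching of the
    path fragments against the full path; extension compared after the last dot."""
    lowered = path.lower()
    if any(fragment.lower() in lowered for fragment in EXCLUDED_PATH_FRAGMENTS):
        return True
    ext = ntpath.splitext(lowered)[1].lstrip(".")
    return ext in EXCLUDED_EXTENSIONS


def classify(path):
    """Classify one entry from a file listing taken off an affected host."""
    name = ntpath.basename(path).lower()
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if is_excluded(path):
        return "excluded"
    return "in_scope"


def triage(paths):
    """Count listing entries per category, e.g. to size the recovery effort."""
    counts = {"encrypted": 0, "ransom_note": 0, "excluded": 0, "in_scope": 0}
    for path in paths:
        counts[classify(path)] += 1
    return counts


# Constructed sample listing (not from a real incident).
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\settings.xml",
    "C:\\Users\\alice\\Desktop\\report.docx.dagoned",
    "C:\\Users\\alice\\Desktop\\README_TO_DECRYPT.html",
    "C:\\Users\\alice\\Desktop\\notes.txt",
    "D:\\shares\\finance\\q3.xlsx",
    "C:\\tools\\run.bat",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{classify(path):12} {path}")
    print(triage(SAMPLE_PATHS))
```

Note that short fragments such as "\\Boot" or "\\EFI" match anywhere in the path under the assumed substring rule, so a directory like "\\Bootstrap\\" would also be treated as excluded; if the real comparison turns out to be stricter, only `is_excluded` needs to change.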
Uses ChaCha20 to encrypt files and RSA-2048 to encrypt the ChaCha20 key
DAGON encrypts files with ChaCha20 and encrypts the ChaCha20 key with RSA, i.e. it uses hybrid encryption. The ChaCha20 encryption logic can be identified in the file by the ‘expand 32-byte k’ signature. The RSA-2048 key is loaded with the CryptImportKey function, and CryptEncrypt is then used with this key to encrypt the ChaCha20 key.
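Because the packed file stores its strings encrypted, the ‘expand 32-byte k’ signature and the ‘Ver 5.1 x64’ version string are most useful when scanning the unpacked binary or a memory dump. The following is an added example for this article (not code from the sample or from AhnLab) that searches a byte buffer for the ChaCha20 constant in both its contiguous form and the split form compilers commonly emit (four 32-bit immediates a few bytes apart), plus the version string in ASCII and UTF-16LE. The sample dump and its `mov` encodings are constructed for the example; the 64-byte search window and the UTF-16 form of the version string are assumptions.

```python
import struct

# ChaCha20 state constant "expand 32-byte k" as the four little-endian 32-bit
# words; compilers often emit them as separate immediates rather than one string.
CHACHA_WORDS = [struct.pack("<I", w) for w in (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)]
CHACHA_SIGMA = b"".join(CHACHA_WORDS)          # == b"expand 32-byte k"
VERSION_MARKER = "Ver 5.1 x64"                  # version string reported on the page


def find_all(buf, needle):
    """Offsets of every (possibly overlapping) occurrence of needle in buf."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def find_chacha_constants(buf, window=64):
    """Locate the ChaCha20 constant, contiguous or split across nearby immediates."""
    contiguous = find_all(buf, CHACHA_SIGMA)
    split = []
    for off in find_all(buf, CHACHA_WORDS[0]):
        if off in contiguous:
            continue
        region = buf[off:off + window]        # assumed: remaining words within 64 bytes
        if all(word in region for word in CHACHA_WORDS[1:]):
            split.append(off)
    return {"contiguous": contiguous, "split": split}


def find_version_marker(buf):
    """Locate the 'Ver 5.1 x64' string in ASCII and UTF-16LE form."""
    return {"ascii": find_all(buf, VERSION_MARKER.encode("ascii")),
            "utf16": find_all(buf, VERSION_MARKER.encode("utf-16-le"))}


def triage_dump(buf):
    """Summarise whether both indicators are present in the buffer."""
    chacha = find_chacha_constants(buf)
    version = find_version_marker(buf)
    return {"chacha20_constant": bool(chacha["contiguous"] or chacha["split"]),
            "version_marker": bool(version["ascii"] or version["utf16"])}


# Constructed sample "dump": x64 mov-immediate encodings of the four words,
# then the contiguous string, then the version string in UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"\xc7\x07\x65\x78\x70\x61"          # mov dword [rdi],    0x61707865
    + b"\xc7\x47\x04\x6e\x64\x20\x33"      # mov dword [rdi+4],  0x3320646e
    + b"\xc7\x47\x08\x32\x2d\x62\x79"      # mov dword [rdi+8],  0x79622d32
    + b"\xc7\x47\x0c\x74\x65\x20\x6b"      # mov dword [rdi+12], 0x6b206574
    + b"\x90" * 40
    + CHACHA_SIGMA
    + b"\x00" * 16
    + VERSION_MARKER.encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(find_chacha_constants(SAMPLE_DUMP))
    print(find_version_marker(SAMPLE_DUMP))
    print(triage_dump(SAMPLE_DUMP))
```

The ChaCha20 constant is present in every ChaCha20 implementation, including legitimate software, so a hit on it alone is a pivot for further analysis rather than a verdict; the version string and the CryptImportKey/CryptEncrypt usage described above are what tie a hit to this family.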
Checks Windows services and processes of the system and terminates them if they meet the conditions
DAGON enumerates the Windows services of type SERVICE_WIN32 that are in the SERVICE_ACTIVE state using the EnumServicesStatus function. If the service name contains one of three particular patterns, that service is stopped. Running processes are also checked, and any that match the malware’s list of 49 process names are terminated.
The processes to be terminated include malware behavior monitoring processes such as “agntsvc.exe” (Panda Security Agent), “dumpcap.exe”, and “procmon.exe”.
Service name patterns (3):
SQL, database, msexchange
Process termination list (49):
"msftesql.exe" "sqlbrowser.exe" "sqlwriter.exe" "oracle.exe" "ocssd.exe" "dbsnmp.exe" "synctime.exe" "agntsvc.exe" "isqlplussvc.exe" "xfssvccon.exe" "sqlservr.exe" "encsvc.exe" "ocautoupds.exe" "mydesktopservice.exe" "firefoxconfig.exe" "tbirdconfig.exe" "mydesktopqos.exe" "ocomm.exe" "mysqld.exe" "sqlagent.exe" "mysqld-nt.exe" "mysqld-opt.exe" "dbeng50.exe" "sqbcoreservice.exe" "excel.exe" "infopath.exe" "msaccess.exe" "mspub.exe" "onenote.exe" "outlook.exe" "powerpnt.exe" "sqlservr.exe" "thebat.exe" "steam.exe" "thebat64.exe" "thunderbird.exe" "visio.exe" "winword.exe" "wordpad.exe" "QBW32.exe" "QBW64.exe" "ipython.exe" "wpython.exe" "python.exe" "dumpcap.exe" "procmon.exe" "procmon64.exe" "procexp.exe" "procexp64.exe"
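The execution switches described earlier (‘/LOGIN=’, ‘/PASSWORD=’, ‘/NOKILL’, ‘/NOLOG’) and the service/process kill routine above both leave traces in ordinary endpoint telemetry: a process-creation event carrying one of the switches, and a burst of terminations of database, mail and analysis-tool processes within a short window. The following is an added example for this article (not AhnLab’s detection logic) that runs both checks over a few constructed telemetry lines. The line format (`<iso-time> <source> key=value ...`, with Sysmon/1 for process creation, Sysmon/5 for process termination and SCM/7036 for service state changes) is an assumed simplification of real Sysmon and Service Control Manager events; the 60-second window and threshold of three kill events are assumptions to tune per environment.

```python
import ntpath
import re
from datetime import datetime

# Service name patterns and process kill list reported on the page (the page's list
# has 49 entries, one of them a duplicate); all comparisons are case-insensitive.
SERVICE_PATTERNS = ("sql", "database", "msexchange")
KILL_LIST = {name.lower() for name in (
    "msftesql.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe",
    "synctime.exe", "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "sqlservr.exe", "encsvc.exe",
    "ocautoupds.exe", "mydesktopservice.exe", "firefoxconfig.exe", "tbirdconfig.exe",
    "mydesktopqos.exe", "ocomm.exe", "mysqld.exe", "sqlagent.exe", "mysqld-nt.exe", "mysqld-opt.exe",
    "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe",
    "onenote.exe", "outlook.exe", "powerpnt.exe", "thebat.exe", "steam.exe", "thebat64.exe",
    "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "QBW32.exe", "QBW64.exe",
    "ipython.exe", "wpython.exe", "python.exe", "dumpcap.exe", "procmon.exe", "procmon64.exe",
    "procexp.exe", "procexp64.exe",
)}
# Execution switches reported on the page.
DAGON_SWITCHES = ("/login=", "/password=", "/nokill", "/nolog")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed '<iso-time> <source> key=value ...' telemetry line."""
    ts, source, rest = line.split(" ", 2)
    fields = {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(rest)}
    return {"ts": datetime.fromisoformat(ts), "source": source, **fields}


def find_switches(events):
    """Process-creation events whose command line carries a DAGON switch."""
    hits = []
    for e in events:
        if e["source"] != "Sysmon/1":
            continue
        cmdline = e.get("CommandLine", "").lower()
        matched = [s for s in DAGON_SWITCHES if s in cmdline]
        if matched:
            hits.append((e["ts"], e.get("Image", ""), matched))
    return hits


def kill_event_times(events):
    """Timestamps of terminations/stops consistent with the kill routine."""
    times = []
    for e in events:
        if e["source"] == "Sysmon/5" and ntpath.basename(e.get("Image", "")).lower() in KILL_LIST:
            times.append(e["ts"])
        elif (e["source"] == "SCM/7036" and e.get("State") == "stopped"
              and any(p in e.get("Service", "").lower() for p in SERVICE_PATTERNS)):
            times.append(e["ts"])
    return sorted(times)


def detect_kill_burst(events, window_s=60, threshold=3):
    """First window of `window_s` seconds with at least `threshold` kill events, or None."""
    times = kill_event_times(events)
    for i, start in enumerate(times):
        inside = [t for t in times[i:] if (t - start).total_seconds() <= window_s]
        if len(inside) >= threshold:
            return {"start": start, "count": len(inside)}
    return None


# Constructed telemetry (not from a real incident).
SAMPLE_LOG = """\
2022-10-04T09:00:01 Sysmon/1 Image="C:\\Users\\alice\\Downloads\\invoice.exe" CommandLine="invoice.exe /NOLOG"
2022-10-04T09:00:03 SCM/7036 Service="SQL Server (MSSQLSERVER)" State=stopped
2022-10-04T09:00:04 Sysmon/5 Image="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"
2022-10-04T09:00:04 Sysmon/5 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
2022-10-04T09:00:05 Sysmon/5 Image="C:\\Program Files\\Wireshark\\dumpcap.exe"
2022-10-04T09:30:00 Sysmon/5 Image="C:\\Windows\\System32\\notepad.exe"
"""


def analyse(log_text):
    """Run both detections over a block of telemetry lines."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {"switches": find_switches(events), "burst": detect_kill_burst(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single Office process closing is routine, which is why the burst check counts several kill-list terminations and service stops inside one short window rather than alerting on any one of them; the recently detected sample ran without arguments, so the switch check only helps for samples launched with explicit options.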
Saves user system info and the ransomware’s encryption history into a ‘.log’ file
Unless the /NOLOG execution argument is given, the user system information, file operation progress, and the full encryption history are saved to a ‘.log’ file in the same path. When executed on its own, DAGON has no feature that transmits the ‘.log’ file to an external network address. If DAGON is executed alongside other malware capable of leaking information, the threat actor likely uses the ‘.log’ file to check the infected system. Along with the “Ver 5.1 x64” string that shows the ransomware’s version, the following information is saved in the ‘.log’ file.
- User system information: Number of processors, Windows version, username, PC name, group account, etc.
- List of terminated Windows services
- List of terminated processes
- Encryption history: Shows whether it has succeeded or failed
- Statistics: Encryption speed, encrypted file and path count, error count, etc.
Does not delete the volume shadow copies
DAGON was not found to delete volume shadow copies, a behavior commonly seen in ransomware.
[File Detection] Ransomware/Win.DagonLocker.C5272105 (2022.10.04.03)