It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and the team recently confirmed that a sample with a modified appearance and a modified embedded ransom note had been detected and blocked via the ASD infrastructure.
When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows.
- WANNA_RECOVER_KOXIC_FILEZ_[Random string].txt
The ransom note of the recently collected sample resembles those of BlueCrab (Sodinokibi, REvil) ransomware, which was once actively distributed in Korea.
BlueCrab operated its own website and instructed victims to access it via the Tor browser. Koxic ransomware, by contrast, instructs victims to make contact via email.
Among the Koxic ransomware samples collected in the past, some had completely different ransom notes and some had almost the same format as BlueCrab. Since there are no similarities in their code, there appears to be no direct connection between the two ransomware families.
The ransom note of this sample contains a threatening message claiming that the victim's important files have been downloaded and will be leaked if no agreement is reached; however, this does not actually happen.
Another feature to note is that the section names were deliberately changed to hide the UPX packing. This technique, dubbed the UPX Trick, is a common method in which a UPX-packed file is modified to hinder analysis or to bypass automatic unpacking by AV software.
When the ransomware is executed, the following range of tasks is carried out before the files are encrypted.
Two debugger-detection APIs are called, and if a debugger is detected, the current function calls itself recursively in an infinite loop, which ends in a stack overflow.
[Modifying System Registry]
A cmd command is used to modify the system registry. Values are modified to terminate Defender and turn off notifications, and there are entries that extend the remote session expiry time to the maximum.
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
- HKLM\SOFTWARE\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
- HKCU\Software\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
By executing the following commands, Koxic ransomware attempts to terminate certain processes and services. However, because the commands are separated by newlines instead of the “&” operator, only the first line is actually executed. This is presumed to be a mistake on the part of the threat actor.
cmd.exe /c taskkill /F /IM MSASCuiL.exe
taskkill /F /IM MSMpeng.exe
taskkill /F /IM msseces.exe
[Deleting VSC and Terminating Services]
A command that deletes volume shadow copies is executed, followed by commands that change the status of multiple services. As in the example above, only the first line is executed, so in effect only the volume shadow copies are deleted.
cmd.exe /c vssadmin delete shadows /all /quiet
sc config browser
sc config browser start=enabled
sc stop vss
sc config vss start=disabled
sc stop MongoDB
sc config MongoDB start=disabled
sc stop SQLWriter
sc config SQLWriter start=disabled
sc stop MSSQLServerOLAPService
sc config MSSQLServerOLAPService start=disabled
sc stop MSSQLSERVER
sc config MSSQLSERVER start=disabled
sc stop MSSQL$SQLEXPRESS
sc config MSSQL$SQLEXPRESS start=disabled
sc stop ReportServer
sc config ReportServer start=disabled
sc stop OracleServiceORCL
sc config OracleServiceORCL start=disabled
sc stop OracleDBConsoleorcl
sc config OracleDBConsoleorcl start=disabled
sc stop OracleMTSRecoveryService
sc config OracleMTSRecoveryService start=disabled
sc stop OracleVssWriterORCL
sc config OracleVssWriterORCL start=disabled
sc stop MySQL
sc config MySQL start=disabled
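The registry changes, Defender process termination and shadow copy deletion described above are the behaviours a defender would want to alert on before encryption begins. The following detection logic is an added example, not AhnLab's code; it runs over constructed Sysmon-style records (event 1 for process creation, event 13 for registry value set) written in a simple key=value format for this demonstration, and the values (paths, DWORD data) are hypothetical apart from the command lines and registry paths quoted in the analysis.

```python
"""Detection logic for Koxic's pre-encryption behaviour (added example)."""
import re

# Indicators taken from the command lines and registry paths in the analysis.
SHADOW_COPY_DELETION = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
DEFENDER_PROCESS_KILL = re.compile(r"taskkill\b.*\b(MSASCuiL|MSMpEng|msseces)\.exe", re.I)
DEFENDER_POLICY_KEY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
RDP_TIMEOUT_KEY = re.compile(r"\\Terminal Services\\Max(Disconnection|Idle)Time$", re.I)
# Sysmon renders DWORD data as "DWORD (0x00000001)"; accept a bare "1" too.
DWORD_ONE = re.compile(r"0x0*1\)?$|^1$")

# Constructed sample events (hypothetical log format: key=value pairs joined by "|").
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c taskkill /F /IM MSASCuiL.exe",
    "EventID=13|TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring|Details=DWORD (0x00000001)",
    "EventID=13|TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxDisconnectionTime|Details=DWORD (0xFFFFFFFF)",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir",
    "EventID=13|TargetObject=HKCU\\Software\\Example\\Unrelated|Details=DWORD (0x00000001)",
]


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify(event):
    """Return a label for the Koxic behaviour an event matches, or None."""
    eid = event.get("EventID")
    if eid == "1":
        cmd = event.get("CommandLine", "")
        if SHADOW_COPY_DELETION.search(cmd):
            return "shadow_copy_deletion"
        if DEFENDER_PROCESS_KILL.search(cmd):
            return "defender_process_kill"
    elif eid == "13":
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        # Only a value of 1 disables the Defender feature under the policy key.
        if DEFENDER_POLICY_KEY.search(target) and DWORD_ONE.search(details):
            return "defender_policy_disable"
        if RDP_TIMEOUT_KEY.search(target):
            return "rdp_timeout_extension"
    return None


def detect(lines):
    """Return [(line_index, label)] for every matching record."""
    hits = []
    for i, line in enumerate(lines):
        label = classify(parse_event(line))
        if label:
            hits.append((i, label))
    return hits


def correlate(hits):
    """Raise a single high-confidence alert when shadow copy deletion is seen
    together with any Defender or RDP tampering on the same host."""
    labels = {label for _, label in hits}
    tampering = {"defender_process_kill", "defender_policy_disable", "rdp_timeout_extension"}
    return "shadow_copy_deletion" in labels and bool(labels & tampering)


if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
    print("correlated alert:", correlate(detect(SAMPLE_EVENTS)))
```

Because only the first line of each command batch actually runs, a rule that waits for the taskkill of MSMpEng.exe or the `sc stop` commands would never fire against this sample; the correlation above keys on the commands that do execute (the vssadmin deletion) and on the registry writes, which are made independently of the broken batches.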
[Collecting System Info]
The ransomware collects system information and records it under a random filename in the %temp% directory, but no routine that exfiltrates this data was identified. The collected information includes the IP address, system account information, disk information, network adapter information, hardware information, and OS information.
[Changing Process Priority and Granting Privilege]
The ransomware raises its own process priority to “high” and checks its process token privileges, adding those it lacks. The privileges added are listed below.
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege
A thread that builds the list of encryption targets runs concurrently with multiple worker threads that perform the actual encryption, processing the files in the list one by one. The encryption process first renames the original file and then uses file mapping to overwrite its contents with the encrypted data. The function call flow is as follows.
MoveFileExW – CreateFileMappingW – MapViewOfFile – [Encryption] – UnmapViewOfFile
The encryption algorithm is AES in CBC mode with a 32-byte key and a 16-byte IV.
A notable point is that files are encrypted in 16-byte blocks without padding for the final block. The remainder left after dividing the file into 16-byte blocks is therefore not encrypted, and that trailing portion of the original data is preserved.
The open-source libtomcrypt library appears to have been used as-is for the encryption code.
The AES key used for file encryption is encrypted with RSA and saved at the end of the ransom note, and the IV value is appended in plaintext after the encrypted key.
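Because the final partial block is left unencrypted, an analyst can tell from the file size alone how many trailing bytes of each encrypted file are still original data. The following triage helper is an added example, not AhnLab's code: it walks a directory, lists ransom notes and files carrying the Koxic extension, reports the number of plaintext trailing bytes (file length modulo 16) and reads them back. The alphabet of the random string in the extension and note name is assumed to be alphanumeric, and the sample directory tree is constructed inside the script for the demonstration.

```python
"""Triage of Koxic-encrypted files based on the 16-byte block behaviour (added example)."""
import os
import re
import tempfile

BLOCK = 16
# Random-string alphabet assumed alphanumeric; the analysis does not state it.
ENCRYPTED_NAME = re.compile(r"\.KOXIC_[A-Za-z0-9]+$")
RANSOM_NOTE = re.compile(r"^WANNA_RECOVER_KOXIC_FILEZ_[A-Za-z0-9]+\.txt$")


def plaintext_tail_length(size):
    """Bytes left unencrypted: the remainder after splitting the file into 16-byte blocks."""
    return size % BLOCK


def read_plaintext_tail(path):
    """Return the trailing bytes of an encrypted file that are still original data."""
    size = os.path.getsize(path)
    n = plaintext_tail_length(size)
    if n == 0:
        return b""
    with open(path, "rb") as fh:
        fh.seek(size - n)
        return fh.read(n)


def triage(root):
    """Find ransom notes and encrypted files under root and summarise recoverable tails."""
    notes, encrypted = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if RANSOM_NOTE.match(name):
                notes.append(path)
            elif ENCRYPTED_NAME.search(name):
                size = os.path.getsize(path)
                encrypted.append({
                    "path": path,
                    "size": size,
                    "plaintext_tail": plaintext_tail_length(size),
                })
    return {"notes": notes, "encrypted": encrypted}


def build_sample_tree():
    """Constructed sample tree: one note, two 'encrypted' files with dummy contents."""
    root = tempfile.mkdtemp(prefix="koxic_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "WANNA_RECOVER_KOXIC_FILEZ_abc123.txt"), "w") as fh:
        fh.write("constructed placeholder note\n")
    # 37 bytes: two full blocks would be encrypted, the last 5 bytes stay in plaintext.
    with open(os.path.join(docs, "report.docx.KOXIC_abc123"), "wb") as fh:
        fh.write(b"X" * 32 + b"TAIL!")
    # 48 bytes: an exact multiple of 16, so nothing is preserved.
    with open(os.path.join(docs, "photo.jpg.KOXIC_abc123"), "wb") as fh:
        fh.write(b"Y" * 48)
    with open(os.path.join(docs, "untouched.txt"), "w") as fh:
        fh.write("not encrypted")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("ransom notes:", result["notes"])
    for entry in result["encrypted"]:
        print(entry["path"], "size", entry["size"], "plaintext tail bytes", entry["plaintext_tail"])
```

The preserved tail is small (at most 15 bytes), so it does not make files recoverable, but it is useful for confirming that a file was processed by this family and for matching an encrypted file against a known original when building a timeline.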
When file encryption is complete, the ransom note is created in the %TEMP% directory and opened with Notepad.
Extensions excluded from encryption (entries such as “.ps1.” and “rtp” seem like faults):
.386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll, .drv, .exe, .hlp, .hta, .icl, .icns, .ico, .ics, .idx, .key, .ldf, .lnk, .lock, .mod, .mpa, .msc, .msi, .msp, .msstyles, .msu, .nls, .nomedia, .ocx, .pdb, .prf, .ps1., .rom, rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .wpx
File and directory names excluded from encryption:
., .., windows, System Volume Information, $Recycle.Bin, $SysReset, Config.Msi, bootfont.bin, boot.ini, ntuser.dat, desktop.ini, $windows.~bt, intel, msocache, $recycle.bin, $windows.~ws, tor browser, boot, system volume information, perflogs, google, application data, windows, programdata, windows.old, appdata, mozilla, iconcache.db, ntldr, ntuser.dat.log, thumbs.db, bootsect.bak, ntuser.ini, autorun.inf, All Users, microsoft
AhnLab products detect and block Koxic ransomware using the following aliases.
- Ransomware/Win.KoxicCrypt.R533926 (2022.11.11.00)
- Trojan/Win.Wacatac.C5290617 (2022.11.04.00)
- Trojan/Win.Generic.C4963639 (2022.02.11.01)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.