Koxic Ransomware Being Distributed in Korea

It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure.

When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows.

  • WANNA_RECOVER_KOXIC_FILEZ_[Random string].txt
Figure 1. Examples of encrypted files and ransom note

The ransom note of the recently collected sample is similar to those of BlueCrab (Sodinokibi, REvil) ransomware, which was once actively distributed in Korea.

BlueCrab had its own website made and specified that the users should access it via the TOR browser. Contrary to BlueCrab, Koxic ransomware guides contact via email.

Out of the Koxic ransomware samples collected in the past, there were samples with completely different ransom notes and those that were almost in the same format as BlueCrab. It seems that there are no direct connections between the two ransomware, seeing that there are no similarities in their codes.

Figure 2. Comparing Koxic and BlueCrab ransom notes

In the ransom note of this sample, there is a threatening message that tells the reader that their important files have been downloaded, and if they do not come to an agreement, these data will be leaked, however, this has never happened.

Another feature to note is that the section names were deliberately changed to hide the UPX packing. This technique, dubbed the UPX Trick, is a commonly used method where files packed with UPX are modified to hinder analysis or to bypass automatic unpacking from AV software.

Figure 3. Modification of the section names (UPX Trick)

When the ransomware is executed, the following range of tasks is carried out before the files are encrypted.

[Debugging Check]

Using the two APIs that check for debugging, if a debugging process is running, the current function is run as an infinite loop (recursive call). If a debugging process is running, a stack overflow occurs.

Figure 4. Function that checks for debugging

[Modifying System Registry]

A cmd command is used to modify the system registry. Values are modified to terminate Defender and turn off notifications, and there are entries that extend the remote session expiry time to the maximum.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime  HKLM\SOFTWARE\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup    
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware        
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\AllowFastServiceStartup   
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection      HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth         HKCU\Software\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter     
Table 1. Modified registries

[Terminating Processes]

By executing the following commands, Koxic ransomware attempts to terminate certain processes and services. However, because the commands are separated with newlines instead of the “&” operator, only the first line is executed in actuality. This is deemed to be a mistake on the part of the threat actor.

cmd.exe /c taskkill /F /IM MSASCuiL.exe
taskkill /F /IM MSMpeng.exe
taskkill /F /IM msseces.exe
Table 2. Process termination commands

[Deleting VSC and Terminating Services]

A command that deletes volume shadow copies and other commands that modify the status of multiple services are executed. Like the example above, only the first line is executed, effectively only deleting the VSC.

cmd.exe /c vssadmin delete shadows /all /quiet
sc config browser
sc config browser start=enabled
sc stop vss
sc config vss start=disabled
sc stop MongoDB
sc config MongoDB start=disabled
sc stop SQLWriter
sc config SQLWriter start=disabled
sc stop MSSQLServerOLAPService
sc config MSSQLServerOLAPService start=disabled
sc config MSSQLSERVER start=disabled
sc config MSSQL$SQLEXPRESS start=disabled
sc stop ReportServer
sc config ReportServer start=disabled
sc stop OracleServiceORCL
sc config OracleServiceORCL start=disabled
sc stop OracleDBConsoleorcl
sc config OracleDBConsoleorcl start=disabled
sc stop OracleMTSRecoveryService
sc config OracleMTSRecoveryService start=disabled
sc stop OracleVssWriterORCL
sc config OracleVssWriterORCL start=disabled
sc stop MySQL
sc config MySQL start=disabled
Table 3. Commands to delete VSC and terminate services

[Collecting System Info]

The ransomware collects system information and records it under a random filename in the %temp% directory, but a routine that leaks this data was not identified. Collected information includes the IP address, system account information, disk information, network adapter information, hardware information, and OS information.

Figure 5. Example of collected system information

[Changing Process Priority and Granting Privilege]

The ransomware upgrades its own process priority to “high” and checks and modifies (adds) the process token privileges. The privileges added are shown in the table below.

Figure 6. Changing the process priority
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege
Table 4. Modified token privileges

[File Encryption]

A thread that draws up the list of targets for encryption and multiple threads that carry out the actual encryption process run simultaneously to encrypt the target files in the list one by one. The encryption process involves changing the name of the original file before using the file mapping function to overwrite the encrypted data. The function call flow used here is as follows.

MoveFileExW – CreateFileMappingW – MapViewOfFile – [Encryption] – UnmapViewOfFile
Table 5. File encryption flow

The encryption algorithm is the AES CBC mode, and it uses a 32 byte-long key and 16 byte IV.

A notable point is that when the files are encrypted, they are done so in 16 byte blocks, but padding is not used for the last block. Thus, the remainder at the end of the file after dividing the file into 16 bytes is not encrypted, and the original data is preserved.

It seems that the open source libtomcrypt was used as-is for the encryption code.

The AES key used for file encryption is encrypted with RSA and saved at the end of the ransom note. The IV value is added in plain text behind the encrypted key and ultimately becomes the following.

Figure 7. Example of the encrypted AES key and IV (underlined) saved in the ransom note

When file encryption is complete, the ransom note is created in the %TEMP% directory and opened with Notepad.

[Encryption Exceptions]

  • Extensions

Entries such as “.ps1.” and “rtp” seem like faults.

.386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll, .drv, .exe, .hlp, .hta, .icl, .icns, .ico, .ics, .idx, .key, .ldf, .lnk, .lock, .mod, .mpa, .msc, .msi, .msp, .msstyles, .msu, .nls, .nomedia, .ocx, .pdb, .prf, .ps1., .rom, rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .wpx,
Table 6. Extensions excluded from encryption
  • Paths
., .., windows, System Volume Information, $Recycle.Bin, $SysReset, Config.Msi, bootfont.bin, boot.ini, ntuser.dat, desktop.ini, $windows.~bt, intel, msocache, $recycle.bin, $windows.~ws, tor browser, boot, system volume information, perflogs, google, application data, windows, programdata, windows.old, appdata, mozilla, iconcache.db, ntldr, ntuser.dat.log, thumbs.db, bootsect.bak, ntuser.ini, autorun.inf, All Users, microsoft,
Table 7. Paths excluded from encryption

AhnLab products detect and block Koxic ransomware using the following aliases.

[File Detection]
– Ransomware/Win.KoxicCrypt.R533926 (2022.11.11.00)
– Trojan/Win.Wacatac.C5290617 (2022.11.04.00)
– Trojan/Win.Generic.C4963639 (2022.02.11.01)

[Behavior Detection]
– Ransom/MDP.Delete.M2117
– Malware/MDP.Behavior.M2771
– Ransom/MDP.Decoy.M4475

[IOC Info]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments