STOP Ransomware Being Distributed in Korea

The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at such a high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files currently being distributed are in the form of MalPe, just like SmokeLoader and Vidar, and the filenames consist of a random 4-byte string as shown below.

  • %SystemDrive%\users\[user]\appdata\local\temp\4316.exe
  • %SystemDrive%\users\[user]\appdata\local\temp\8c21.exe
  • %SystemDrive%\users\[user]\appdata\local\temp\a579.exe
  • %SystemDrive%\users\[user]\appdata\local\[uuid]\2399.exe
  • %SystemDrive%\users\[user]\appdata\local\[uuid]\1da9.exe

When the ransomware is executed, it first connects to hxxps://api.2ip.ua/geo.json and checks the country code. If the code corresponds to any of the countries below, encryption is not performed.

Country Code

If the identified code does not belong to the list above, a folder named [uuid] is created in the %LOCALAPPDATA% folder and the executable copies itself into it. Afterward, the copied file is registered, with the --AutoStart argument, as the SysHelper value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Created registry

Also, in order to prevent the copied file from being modified or deleted, the icacls command is used to add a deny ACE for Everyone (*S-1-1-0) on this folder that is inherited by its subfolders and files ((OI)(CI)) and blocks delete and delete-child operations ((DE,DC)).

  • Execution command: icacls "%LocalAppData%\[uuid]" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Modified folder permissions

Afterward, in order for the ransomware file to run continuously, a task named Time Trigger Task is added to Task Scheduler. The file registered in the Task Scheduler is then run every 5 minutes with --Task as the argument.

Task Scheduler

Additionally, for the ransomware to be executed with administrator privileges, it is executed through Runas with the arguments --Admin IsNotAutoStart IsNotTask.

The STOP ransomware connects to hxxp://fresherlights[.]com/test1/get.php?pid=[MD5 HASH value of the MAC address] and downloads the key data for file encryption. The downloaded data is saved in %LOCALAPPDATA%\bowsakkdestx.txt, and if the above URL is unavailable, the data within the ransomware is used.

bowsakkdestx.txt file

Files, folders, and extensions that are excluded from encryption are as follows.

C:\SystemID\, C:\Users\Default User\, C:\Users\Public\, C:\Users\All Users\, C:\Users\Default\, C:\Documents and Settings\, C:\ProgramData\, C:\Recovery\, C:\System Volume Information\, C:\Users\vmuser\AppData\Roaming\, C:\Users\vmuser\AppData\Local\, C:\Windows\, C:\PerfLogs\, C:\ProgramData\Microsoft\, C:\ProgramData\Package Cache\, C:\Users\Public\, C:\$Recycle.Bin\, C:\$WINDOWS.~BT\, C:\dell\, C:\Intel\, C:\MSOCache\, C:\Program Files\, C:\Program Files (x86)\, C:\Games\, C:\Windows.old\, D:\Users\[user]\AppData\Roaming\, D:\Users\[user]\AppData\Local\, D:\Windows\, D:\PerfLogs\, D:\dell\, D:\Intel\, D:\MSOCache\, D:\Games\, D:\ProgramData\Desktop\, D:\ProgramData\Microsoft\, D:\ProgramData\Package Cache\, D:\$Recycle.Bin\, D:\$WINDOWS.~BT\, D:\Program Files\, D:\Program Files (x86)\, E:\dell\, E:\Windows\, E:\PerfLogs\, E:\Users\Public\, E:\$Recycle.Bin\, E:\$WINDOWS.~BT\, E:\Program Files\, E:\Intel\, E:\MSOCache\, E:\Program Files (x86)\, E:\Games\, E:\ProgramData\Desktop\, E:\Users\vmuser\AppData\Roaming\, E:\Users\vmuser\AppData\Local\, E:\ProgramData\Microsoft\, E:\ProgramData\Package Cache\, F:\dell\, F:\Windows\, F:\PerfLogs\, F:\ProgramData\Desktop\, F:\Users\Public\, F:\$Recycle.Bin\, F:\$WINDOWS.~BT\, F:\Intel\, F:\Users\[user]\AppData\Roaming\, F:\Users\[user]\AppData\Local\, F:\ProgramData\Microsoft\

Folders excluded from encryption

ntuser.dat, ntuser.dat.LOG1, ntuser.dat.LOG2, ntuser.pol

Files excluded from encryption

.sys, .ini, .DLL, .dll, .blf, .bat, .lnk, .regtrans-ms

Extensions excluded from encryption

Upon infection, the filenames are changed to "[Original filename].bowd", and the following ransom note is generated.

Ransom note ( _readme.txt )

As this ransomware is currently being mass-distributed, a variety of extensions have been detected besides .bowd.

Date of Identification   File Extension
11/03                    .bowd
11/07                    .zate
11/16                    .fatp
11/24                    .tcvp
11/29                    .kcvp
12/01                    .uyit
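The following host-triage script is an added example, not code from the ASEC post. It checks a Windows host for the persistence artifacts described earlier (the Run\SysHelper value, the Time Trigger Task, the Everyone deny ACE on the [uuid] folder under %LOCALAPPDATA%, the bowsakkdestx.txt key file) and for the _readme.txt notes and the extensions listed in the table above. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-ScheduledTask) and an elevated session.

```powershell
# Added triage script (not from the ASEC post): report STOP ransomware artifacts on this host.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Run value HKCU\...\Run\SysHelper pointing at the copied executable with --AutoStart
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysHelper = (Get-ItemProperty -Path $runKey -Name SysHelper -ErrorAction SilentlyContinue).SysHelper
if ($sysHelper) { $findings.Add("Run\SysHelper = $sysHelper") }

# 2. Scheduled task 'Time Trigger Task' that relaunches the file every 5 minutes with --Task
$task = Get-ScheduledTask -TaskName 'Time Trigger Task' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) { $findings.Add("Task 'Time Trigger Task' runs: $($a.Execute) $($a.Arguments)") }
}

# 3. Folders directly under %LOCALAPPDATA% carrying the Everyone (S-1-1-0) deny ACE left by
#    icacls ... /deny *S-1-1-0:(OI)(CI)(DE,DC), plus the 4-hex-character .exe dropped inside
$deleteBits = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
foreach ($dir in Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Ask for rules keyed by SID so the check does not depend on the localized name of "Everyone"
    $denied = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' -and
                       ($_.FileSystemRights -band $deleteBits) -ne 0 }
    if (-not $denied) { continue }
    $findings.Add("Everyone delete-deny ACE on $($dir.FullName)")
    Get-ChildItem -Path $dir.FullName -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-f]{4}\.exe$' } |
        ForEach-Object { $findings.Add("Dropped executable: $($_.FullName)") }
}

# 4. Downloaded key file; preserve it, it may matter for later recovery attempts
$keyFile = Join-Path $env:LOCALAPPDATA 'bowsakkdestx.txt'
if (Test-Path $keyFile) { $findings.Add("Key file present: $keyFile") }

# 5. Ransom notes and files renamed to the extensions observed so far
$stopExt = '.bowd', '.zate', '.fatp', '.tcvp', '.kcvp', '.uyit'
$hits  = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq '_readme.txt' -or $stopExt -contains $_.Extension }
$notes = @($hits | Where-Object Name -eq '_readme.txt')
$enc   = @($hits | Where-Object Name -ne '_readme.txt')
if ($notes.Count) { $findings.Add("$($notes.Count) ransom note(s), e.g. $($notes[0].FullName)") }
if ($enc.Count)   { $findings.Add("$($enc.Count) encrypted file(s): $(($enc.Extension | Sort-Object -Unique) -join ', ')") }

if ($findings.Count -eq 0) { 'No STOP artifacts found' } else { $findings }
```

Run it on the suspect host before remediation; the deny ACE in step 3 must be removed (as an administrator) before the [uuid] folder can be deleted.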

The STOP ransomware is run with a variety of argument values, and each argument performs a distinct function. In addition to file encryption, some variants can download additional malware. The files downloaded through the STOP ransomware include banking malware among various other malware, so users are advised to exercise caution.

[File Detection]

  • Trojan/Win.SmokeLoader.R532839(2022.11.04.02)
  • Trojan/Win.Generic.R533564(2022.11.08.03)
  • Infostealer/Win.Raccoon.R534639(2022.11.16.02)
  • Trojan/Win.SmokeLoader.R536008(2022.11.25.01)
  • Ransomware/Win.Extensions.C5314354(2022.11.26.00)
  • Downloader/Win.BeamWinHTTP.R536869(2022.12.01.02)
  • Trojan/Win.SmokeLoader.R536926(2022.12.02.01)

[Behavior Detection]

  • Persistence/MDP.AutoRun.M203

[IOC Info]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
