Posted By ,

TZW Ransomware Being Distributed in Korea

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.

This ransomware is being propagated with the version info marked as “System Boot Info”, disguising itself as a normal program file related to boot information.

Figure 1. File version info

It was created in a .NET format and includes a loader and the actual ransomware data within it. It ultimately loads and executes the ransomware file through the loader. Among the data in the resources, it decodes and runs ‘dVvYsaL’ on the memory. This data holds the loader and ransomware data. Such a method has been covered in a previous ASEC blog post.

Types of Recent .NET Packers and Their Distribution Trends in Korea


The resource area also holds pornographic photos and the contents are shown in Figure 2 below.

Figure 2. Resources including the loader file
Figure 3. Execution logic
Figure 4. Loader file

The additionally executed loader file drops a copy under the name ‘GvsqHuTYODA.exe’ into the %AppData% directory and proceeds with task scheduler registration.

  • schtasks.exe /Create /TN “Updates\GvsqHuTYODA” /XML “%Temp%\tmpF6C.tmp”
Figure 5. Registering to the task scheduler

After registering to the task scheduler, the file recursively executes the PE file that performs the ransomware behavior along with the “{path}” parameter to encode files.

Figure 6. The ultimately executed ransomware

The executed process goes through a logic to check for a virtual environment before infecting the system.

Figure 7. Logic to check for virtual environment
Figure 8. Logic to check for virtual environment

Afterward, to expand the range of infection, it goes through a logic that checks the drive information before moving on to the file encryption routine.

Figure 9. Exploring the drive

The file encryption process is made up of the thread that encrypts shared folders and the thread that encrypts the local environment.

Figure 10. Infection thread
Figure 11. Part of the shared folder encryption code
Figure 12. File encryption logic

File encryption is conducted on all folders aside from the Windows folder, and after encryption, volume shadows are deleted to hinder system recovery.

Figure 13. Deleting the volume shadows

The following ‘ReadMe.txt’ ransom note can be found in the path where file encryption occurred. The string “CRYPTO LOCKER” is found at the end of infected files.

Figure 14. Ransom note
Figure 15. Infected file

AhnLab’s anti-malware software, V3, detects and responds to PE files used in TZW file extension ransomware with a variety of detection points, including file detection and behavior-based detection. To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.Generic.C5355494 (2023.01.11.02)
  • Trojan/Win.MSILKrypt.C5020026 (2022.03.21.01)
  • Trojan/Win32.RansomCrypt.R343432 (2020.07.08.05)

[Behavior Detection]

  • Malware/MDP.Inject.M218 (2019.10.30.02)

[IOC Info]

  • eae94abe9753634f79a91ecb4da7ff72
  • 10daa4697b861d3dc45a0a03222ba132
  • f1ab4f5cbf5fc72c4033699edadc4622

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 2 votes
Article Rating
guest

15 Comments
Inline Feedbacks
View all comments
trackback
The Week in Ransomware - February 3, 2023 -
1 month ago

[…] TZW Ransomware is distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February 3rd 2023 - Insta Bureau
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
Minggu dalam Ransomware - 3 Februari 2023 - Teknokrat Network
1 month ago

[…] Ransomware TZW Didistribusikan di Korea […]

0
Reply
trackback
The Week in Ransomware – February third 2023 – Anedejo
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware – February 3rd 2023 – Ending with a mess – Whats Current In
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February third 2023 - Techy Stufff
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February 3, 2023 - Transparent NEWS
1 month ago

[…] TZW Ransomware Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February third 2023 - 360tecnologico.com
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February third 2023 - playtime74.com
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February third 2023 - informacoesdiaria.com. All rights reserved.
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February 3rd 2023 - Ending with a mess - Můj Linux - #Debian, #xUbuntu, #Servery
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware – February 3rd 2023 – Ending with a mess | Cyber Review
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware – February 3rd 2023 – Ending with a mess - Shackle Media
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
The Week in Ransomware - February third 2023 - Post Open. All rights reserved.
1 month ago

[…] TZW Ransomware Being Distributed in Korea […]

0
Reply
trackback
Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family – MyITAssistant
1 month ago

[…] a February 2023 blog post, Ahnlab described a new ransomware campaign affecting South Korean organizations which deployed a malware […]

0
Reply