Makop Ransomware Identified in Attacks in South Korea
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. For several years, the Makop ransomware has been distributed to South Korean users disguised as resumes or as copyright-related emails. Recently, it has been reported that the threat actors are exploiting RDP as an attack vector.
1. Installing Malware Using RDP
Threat actors who exploit Remote Desktop Services over the Remote Desktop Protocol (RDP) as an attack vector generally scan for systems that are reachable from the internet and have RDP enabled. Against the identified systems, they perform brute force or dictionary attacks. If an account uses weak credentials, the threat actors can obtain them easily.
Once a threat actor logs into a system with the obtained credentials, they gain control over the system and can perform various malicious behaviors. Ransomware strains known to use RDP as an attack vector include Phobos [1], GlobeImposter, MedusaLocker [2], Hakuna matata [3], Venus, and Crysis [4].
Starting from 2024, there have been reported cases of threat actors attacking RDP to install the Makop ransomware [5]. Although direct logs have not been confirmed, the fact that the threat actors use a GUI-based ransomware, execute the malware through the explorer process, and use RDP as an attack vector suggests that they installed the ransomware through RDP, as in the earlier Makop report.
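The brute-force pattern described above leaves a trace in the Windows Security log: a burst of failed logons (event 4625) from one source followed by a successful logon (event 4624) with logon type 10 (RemoteInteractive, i.e. RDP). The following is an added example, not code from ASEC or the report; it runs over a constructed, simplified event feed in a pipe-separated form chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events (not taken from the report):
# "time|event_id|account|source_ip|logon_type", one event per line.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01|4625|administrator|203.0.113.7|10
2024-03-01T02:00:02|4625|administrator|203.0.113.7|10
2024-03-01T02:00:03|4625|admin|203.0.113.7|10
2024-03-01T02:00:04|4625|administrator|203.0.113.7|10
2024-03-01T02:00:05|4625|administrator|203.0.113.7|10
2024-03-01T02:00:09|4624|administrator|203.0.113.7|10
2024-03-01T09:15:00|4624|alice|192.0.2.20|10
2024-03-01T09:20:00|4625|alice|192.0.2.20|10
"""

FAIL, SUCCESS = "4625", "4624"
RDP_LOGON_TYPE = "10"   # RemoteInteractive: logons through Remote Desktop Services

def parse_events(text):
    """Turn the simplified feed into (timestamp, event_id, account, ip, logon_type)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, ip, ltype = line.split("|")
        events.append((datetime.fromisoformat(ts), eid, account, ip, ltype))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account) pairs for which at least `threshold` RDP logon
    failures from one source within `window` are followed by a successful RDP
    logon from that same source. Windows never labels a burst as "brute force";
    the pattern has to be inferred from 4625 runs that end in a 4624."""
    failures = defaultdict(list)   # source_ip -> timestamps of RDP logon failures
    alerts = []
    for ts, eid, account, ip, ltype in sorted(events):
        if ltype != RDP_LOGON_TYPE:
            continue
        if eid == FAIL:
            failures[ip].append(ts)
        elif eid == SUCCESS:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ip, account))
    return alerts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

A single user mistyping a password once (the second source in the sample) does not cross the threshold, while the first source's five failures followed by a success does.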
2. Installing Malware
The threat actor installed various malware on the infected system. The installed tools are used for scanning the network and stealing account credentials, and most of them are tools created by NirSoft. From this, it can be assumed that the network in which the infected system is located is also a target of the attack.
It is worth noting that the use of RDP in the initial access phase and the installation of various tools from NirSoft and Mimikatz with an installation path of “mimik” are the same as what the Crysis ransomware threat actor did when installing the Venus ransomware. This suggests the possibility that the same threat actor is behind the Crysis, Venus, and recent Makop ransomware attacks.
| Type | Path |
|---|---|
| Makop Ransomware | %USERPROFILE%\documents\air_visual.exe |
| NetworkShare | %USERPROFILE%\documents\networkshare v.2.exe |
| Web Browser Pass View | %USERPROFILE%\documents\mimik\pass\webbrowserpassview.exe |
| RouterPassView | %USERPROFILE%\documents\mimik\pass\routerpassview.exe |
| Remote Desktop PassView | %USERPROFILE%\documents\mimik\pass\rdpv.exe |
| MessenPass | %USERPROFILE%\documents\mimik\pass\mspass.exe |
| Mail PassView | %USERPROFILE%\documents\mimik\pass\mailpv.exe |
| Dialupass | %USERPROFILE%\documents\mimik\pass\dialupass.exe |
| VNCPassView | %USERPROFILE%\documents\mimik\pass\vncpassview.exe |
| Wireless Key View | %USERPROFILE%\documents\mimik\pass\wirelesskeyview64.exe |
| Network Password Recovery | %USERPROFILE%\documents\mimik\pass\netpass64.exe |
| BulletsPassView | %USERPROFILE%\documents\mimik\pass\bulletspassview64.exe |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x64\mimik.exe |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x64\mimidrv.sys |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x64\mimilib.dll |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x32\mimilove.exe |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x32\mimik.exe |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x32\mimilib.dll |
| Mimikatz | %USERPROFILE%\documents\mimik\mimik\x32\mimidrv.sys |
Table 1. Installed Malware
After the threat actor has taken control of the system via RDP, they use the above tools to scan the network and check whether the infected system belongs to an organization's network. If it does, they can proceed with internal reconnaissance, credential collection, and lateral movement to encrypt other systems on the network. The following is a log found in the AhnLab Smart Defense (ASD) infrastructure. It shows a Mimikatz command used by the threat actor to extract various credentials.

Figure 1. Mimikatz execution log
> .\Mimik\x64\mimik.exe “privilege::debug” “sekurlsa::bootkey” “token::elevate” “event::clear” “log .\!logs\Result.txt” “sekurlsa::logonPasswords” “vault::cred” “lsadump::secrets” “lsadump::cache” “lsadump::sam” exit
3. Makop Ransomware
| Overview | Description |
|---|---|
| Extension | .[Unique String].[xueyuanjie@onionmail.org].AIR |
| Ransom Note | +README-WARNING+.txt |
| Encryption Algorithm | AES-256, RSA-1024 |
| Files Excluded from Encryption | boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, +README-WARNING+.txt, desktop.ini |
| Paths Excluded from Encryption | windows, winnt, C:\Windows, C:\ProgramData\microsoft\windows\caches, C:\Users\All Users\Microsoft\Windows\Caches, C:\Users\Public |
| Extensions Excluded from Encryption | .exe, .dll, .AIR |
| Other | Processes terminated; volume shadow copies and backup catalog deleted. |
Table 2. Makop ransomware
Makop is GUI-based and encrypts the entire system by default, but users can also specify the encryption target path.

Figure 2. GUI screen of Makop ransomware
When encryption starts, the following commands are used to delete volume shadow copies and the backup catalog so that the system cannot be restored from them.
> vssadmin delete shadows /all /quiet
> wbadmin delete catalog -quiet
> wmic shadowcopy delete
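Both the Mimikatz command line shown in Figure 1 and the three shadow-copy deletion commands above are visible in process-creation telemetry (Sysmon Event ID 1 or Security event 4688). The following is an added example, not ASEC's detection logic: it matches the module names from the Mimikatz command, the three deletion commands, and the "documents\mimik" staging directory from Table 1 against constructed log lines in a simplified "parent > image : command line" form chosen for the example.

```python
import re

# Constructed process-creation records (not from the report), one per line:
# "<parent image> > <image path> : <command line>"
SAMPLE_PROCESS_LOG = r"""
explorer.exe > C:\Users\victim\Documents\mimik\mimik\x64\mimik.exe : .\Mimik\x64\mimik.exe "privilege::debug" "sekurlsa::logonPasswords" "lsadump::sam" exit
explorer.exe > C:\Users\victim\Documents\mimik\pass\webbrowserpassview.exe : webbrowserpassview.exe
air_visual.exe > C:\Windows\System32\vssadmin.exe : vssadmin delete shadows /all /quiet
air_visual.exe > C:\Windows\System32\wbadmin.exe : wbadmin delete catalog -quiet
air_visual.exe > C:\Windows\System32\wbem\WMIC.exe : wmic shadowcopy delete
services.exe > C:\Windows\System32\vssadmin.exe : vssadmin list shadows
"""

# Command-line rules: Mimikatz module::command tokens seen in Figure 1, and the
# exact shadow-copy / backup-catalog deletion commands listed above.
RULES = [
    ("mimikatz_modules",
     re.compile(r"\b(privilege|sekurlsa|token|event|vault|lsadump)::\w+", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog"
                r"|wmic\s+shadowcopy\s+delete", re.I)),
]
# Image-path rule: the credential-tool staging directory from Table 1.
TOOL_DIR = re.compile(r"\\documents\\mimik\\", re.I)

def parse_line(line):
    """Split one record into (parent, image, command line)."""
    parent, rest = line.split(" > ", 1)
    image, cmdline = rest.split(" : ", 1)
    return parent.strip(), image.strip(), cmdline.strip()

def scan(log_text):
    """Return (rule_name, image_path) for every record that matches a rule.
    A benign 'vssadmin list shadows' does not match, only the delete forms do."""
    hits = []
    for line in log_text.strip().splitlines():
        parent, image, cmdline = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, image))
        if TOOL_DIR.search(image):
            hits.append(("credential_tool_staging_dir", image))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESS_LOG):
        print(*hit)
```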
In addition, the following processes are terminated so that more files can be encrypted.
| List of processes |
|---|
| sqlbrowser.exe, sqlwriter.exe, sqlservr.exe, msmdsrv.exe, MsDtsSrvr.exe, sqlceip.exe, fdlauncher.exe, Ssms.exe, sqlagent.exe, fdhost.exe, ReportingServicesService.exe, msftesql.exe, pg_ctl.exe, postgres.exe, UniFi.exe, armsvc.exe, IntelCpHDCPSvc.exe, OfficeClickToRun.exe, DellOSDService.exe, DymoPnpService.exe, Agent.exe, FJTWMKSV.exe, IPROSetMonitor.exe, IRMTService.exe, MBCloudEA.exe, QBCFMonitorService.exe, QBIDPService.exe, RstMwService.exe, TeamViewer_Service.exe, dasHost.exe, IntelCpHeciSvc.exe, RAVBg64.exe, vds.exe, unsecapp.exe, TodoBackupService.exe, MediaButtons.exe, IAStorDataMgrSvc.exe, jhi_service.exe, LMS.exe, DDVDataCollector.exe, DDVCollectorSvcApi.exe, TeamViewer.exe, tv_w32.exe, tv_x64.exe, Microsoft.Photos.exe, MicrosoftEdge.exe, ApplicationFrameHost.exe, browser_broker.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe, RtkNGUI64.exe, WavesSvc64.exe, OneDrive.exe, DYMO.DLS.Printing.Host.exe, FtLnSOP.exe, FjtwMkup.exe, FTPWREVT.exe, FTErGuid.exe, qbupdate.exe, QBWebConnector.exe, ShellExperienceHost.exe, RuntimeBroker.exe, IAStorIcon.exe, PrivacyIconClient.exe, SupportAssistAgent.exe, SecurityHealthService.exe, taskhostw.exe, taskhosta.exe, wijca.exe, ktfwswe.exe, HeciServer.exe, mdm.exe, ULCDRSvr.exe, WLIDSVC.exe, WLIDSVCM.exe, GoogleCrashHandler.exe, GoogleCrashHandler64.exe, RAVCpl64.exe, igfxtray.exe, hkcmd.exe, igfxpers.exe, PsiService_2.exe, UNS.exe, taskeng.exe, AdobeARM.exe, LenovoReg.exe, dwm.exe, wuauclt.exe, avp.exe, FBService.exe, LBAEvent.exe, PDFProFiltSrvPP.exe, avpsus.exe, klnagent.exe, vapm.exe, ScanToPCActivationApp.exe, BrStMonW.exe, BrCtrlCntr.exe, concentr.exe, redirector.exe, BrccMCtl.exe, BrYNSvc.exe, Receiver.exe, BrCcUxSys.exe, LSCNotify.exe, SelfServicePlugin.exe, wfcrun32.exe, HPNETW~1.exe, HPScan.exe, taskhost.exe, Teams.exe, AuthManSvr.exe, WLXPhotoGallery.exe, outlook.exe, prevhost.exe, excel.exe, chrome.exe, AcroRd32.exe, RdrCEF.exe, vssadmin.exe, WmiPrvSE.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsrvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe |
Table 3. Processes that are terminated upon the completion of encryption
The extension appended to encrypted files has the format “.[unique string].[xueyuanjie@onionmail[.]org].AIR”. The unique string is an 8-character hexadecimal value derived from the system’s ProductId and Volume Serial Number. A ransom note named “+README-WARNING+.txt” is created in each encrypted folder. The ransom note contains the following email addresses.
- xueyuanjie@onionmail[.]org
- xueyuanjie@mail2tor[.]com
- xueyuanjie@exploit[.]im
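During incident response, the naming scheme above is enough to triage a file listing: recognize encrypted files, extract the per-system unique string and the contact address from their names, and locate the ransom notes. The following is an added example, not ASEC's code or the ransomware's own logic; the directory listing is constructed for the example and the helper names are my own.

```python
import re
from pathlib import PureWindowsPath

# Makop naming scheme from the report:
#   <original name>.[<8 hex chars>].[<contact email>].AIR
MAKOP_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<unique_id>[0-9A-Fa-f]{8})\]"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]\.AIR$")
RANSOM_NOTE = "+README-WARNING+.txt"

# Constructed directory listing (not from the report) for a triage run.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.[1A2B3C4D].[xueyuanjie@onionmail.org].AIR",
    r"C:\Users\victim\Documents\+README-WARNING+.txt",
    r"C:\Users\victim\Documents\setup.exe",
    r"C:\Users\victim\Pictures\photo.jpg.[1A2B3C4D].[xueyuanjie@onionmail.org].AIR",
    r"C:\Users\victim\Pictures\+README-WARNING+.txt",
    r"C:\Users\victim\Desktop\notes.txt",
]

def classify(path):
    """Return ("ransom_note" | "encrypted" | "untouched", parsed name parts or None)."""
    name = PureWindowsPath(path).name
    if name == RANSOM_NOTE:
        return ("ransom_note", None)
    m = MAKOP_NAME.match(name)
    if m:
        return ("encrypted", m.groupdict())
    return ("untouched", None)

def triage(listing):
    """Summarize a listing: counts per class, unique strings and emails seen in
    encrypted names, and the folders that received a ransom note."""
    summary = {"encrypted": 0, "ransom_note": 0, "untouched": 0,
               "unique_ids": set(), "emails": set(), "note_dirs": set()}
    for path in listing:
        kind, info = classify(path)
        summary[kind] += 1
        if kind == "encrypted":
            summary["unique_ids"].add(info["unique_id"])
            summary["emails"].add(info["email"])
        elif kind == "ransom_note":
            summary["note_dirs"].add(str(PureWindowsPath(path).parent))
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

More than one unique string across a single host's listing would indicate files copied in from another infected system, since the value is derived per system.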

Figure 3. Ransom note
Finally, the desktop background is changed so that the user notices the infection.

Figure 4. The changed desktop
4. Conclusion
Threat actors have been using RDP in both the initial access and lateral movement stages of their attacks. These attacks are usually launched through brute force and dictionary attacks against systems with weak account credentials. Beyond the Makop threat actor, many ransomware threat actors use RDP as their main initial access vector.
Users can reduce the number of attack attempts by disabling RDP when it is not in use. If the RDP service is needed, users must employ a strong password and change it regularly to withstand brute-force and dictionary attacks. Users must also update V3 to the latest version and take measures to prevent malware infection.