Dynamic Analysis on Bypass Method of GandCrab v5.2
Posted by jaemanshin, February 27, 2019

The widely distributed GandCrab ransomware contains code inserted to bypass dynamic analysis equipment. GandCrab can thus evade detection by terminating inside the dynamic analysis equipment without operating properly, or by delaying the analysis process. Below are the codes used to bypass dynamic analysis equipment:
- Anti-Sandbox via SetErrorMode function
- Delay of time using SetTimer function

1. Anti-Sandbox via SetErrorMode function
First, the packer that GandCrab mostly utilizes contains code that uses the SetErrorMode function to bypass Cuckoo Sandbox, as seen in Figure 1.
Figure 1. Anti-Sandbox via SetErrorMode
The SetErrorMode function sets ProcessDefaultHardErrorMode and returns the previously set ErrorMode. The ErrorMode determines how the system will cope with an error that has occurred. Below is the flow of operation in normal…
A New Attempt to Disable Korean Anti-malware Software (GandCrab v5.0.4)
Posted by jaemanshin, January 7, 2019

While monitoring the GandCrab distribution script, AhnLab ASEC recently spotted a new method to disable Korean anti-malware software. Whereas the previous version tried to delete the software by executing ‘Uninst.exe’ as shown in Figure 1 below, the recently discovered distribution script leverages a new method to terminate V3 software.
Figure 1. Code related to uninstalling V3 Lite (GandCrab v5.0.3)
There was also a change in its operation method. In the previous version, the GandCrab ransomware executable was created and executed by a JavaScript file (*.JS), but the recent one operates in fileless form via PowerShell, and the encryption is conducted by PowerShell.exe. Furthermore, it operates after a 15-minute delay (Sleep() function) if widely used Korean anti-malware software is running. A distributed *.js file is obfuscated as shown in…
Analysis of CVE-2018-8174 Vulnerability
Posted by jaemanshin, November 26, 2018

AhnLab ASEC performed an analysis of the IE vulnerability CVE-2018-8174, which is being widely used to distribute ransomware and Korean malware. This vulnerability is also used to distribute Magniber ransomware, and users must apply the security patch to prevent the damage it can cause.
MS security update page (CVE-2018-8174) – https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/CVE-2018-8174
01. Summary
1) CVE-2018-8174 overview
The CVE-2018-8174 vulnerability results from object reuse that occurs when a Use After Free vulnerability in the VBScript engine is triggered. This vulnerability allows remote code execution, and the affected versions are: Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, Internet Explorer 11 (1803 or older), Windows 10 (1803 or older), Windows 7, Windows 8, and Windows Server.
02. Background Knowledge
1) How VBScript engine runs a…
[Exclusive] How to Block Encryption of GandCrab v4.1.2 (Kill-Switch) – Update (v4.1.3)
Posted by jaemanshin, July 18, 2018

On July 13, AhnLab shared the method to block encryption by GandCrab v4.1.1; Fortinet had announced similar information on July 9. However, on July 17, GandCrab version 4.1.2 was newly found, as below. It contained an inserted message that seemingly ridicules both security vendors:
– “#fortinet & #ahnlab, mutex is also kill-switch not only lockfile ;)”
Figure 1. Twitter post on GandCrab v4.1.2 (Reference: https://twitter.com/MarceloRivero/status/1019259361259028480?s=09)
The added message was not the only change in version 4.1.2. It also complicated the algorithm for creating the *.lock filename, which is the key to preventing encryption, and extended the filename length from 8 bytes to 20 bytes. AhnLab ASEC confirmed that the changed filename creation algorithm is Custom Salsa20, a partially modified Salsa20, and developed…
GandCrab Ransomware Included in JavaScript Prompting to Remove V3
Posted by jaemanshin, April 29, 2018

While monitoring the distribution process of GandCrab ransomware in Korea, AhnLab ASEC detected a feature in the distribution script that prompts to uninstall V3 Lite; it targets only V3 Lite.
Figure 1 – Obfuscated script code
The distribution script contains obfuscated JavaScript as shown in Figure 1, and the main function of the JavaScript is found as in Figure 2 once deobfuscated.
Figure 2 – Deobfuscated script code
There are two techniques by which the deobfuscated JavaScript shown in Figure 2 runs GandCrab ransomware. The download path of GandCrab via the technique that uses PowerShell (no. 2) was confirmed to be http://pastebin.com/raw/****. The internal version of all GandCrab samples is v4.3.
Execution Technique of GandCrab ransomware
1. Create and run an internally encoded GandCrab executable in the user system
2….