Hacking Tool Ammyy Targets Corporate Users and Installs on Their PCs (CLOP Ransomware)

Recently there have been widespread phishing emails impersonating a particular national organization. The Excel document attached to the email (e.g. certificate.xls, inquiry.xls) contains a malicious macro. During routine malware monitoring, AhnLab ASEC detected a code change: the malware began targeting corporate environments. Because the Ammyy backdoor program and CLOP ransomware are distributed using the same certificate, AhnLab ASEC assesses that the Ammyy backdoor is being used to target corporate users and steal information from the AD server.

Figure 1. Infection flow of the malicious document

A malicious Excel file distributed via phishing email spreads as seen in Figure 1. Notably, the recently changed malware targets the corporate user environment by identifying the workgroup…

Dynamic Analysis Bypass Method of GandCrab v5.2

The widely distributed GandCrab ransomware contains code to evade dynamic analysis equipment (sandboxes): inside a sandbox, GandCrab either terminates without running its payload or delays execution long enough to outlast the analysis window, so the sandbox never observes the malicious behavior. The two techniques used are:

1. Anti-sandbox via the SetErrorMode function
2. Time delay via the SetTimer function

1. Anti-sandbox via the SetErrorMode function

First, the packer that GandCrab mostly uses contains code that calls SetErrorMode to evade Cuckoo Sandbox, as seen in Figure 1.

Figure 1. Anti-sandbox via SetErrorMode

SetErrorMode sets the process's ProcessDefaultHardErrorMode and returns the previously set error mode. The error mode controls how the system handles errors that occur (for example, whether an error dialog is shown). Below is the flow of operation in normal…
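The round-trip property described above (SetErrorMode returns the mode that was set by the previous call) is what makes the API usable as a sandbox check. The following is an added example, not code from GandCrab, its packer, or the ASEC analysis: it sets a known probe value, restores the original, and treats any mismatch in the returned value as a sign that an API-hooking monitor sits between the process and the kernel. The `faithful_set_error_mode` and `hooked_set_error_mode` functions are constructed models so the check runs on any platform; the hooked model, which discards the caller's value and reports a fixed "previous" mode, is an assumption about how such a hook misbehaves and is not Cuckoo's actual code. On Windows the same check is also run against the real `SetErrorMode`.

```c
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Same shape as Win32 SetErrorMode: set a new mode, get the previous one back. */
typedef uint32_t (*set_error_mode_fn)(uint32_t new_mode);

/* SEM_NOOPENFILEERRORBOX, a documented flag value, used here as the probe. */
#define PROBE_MODE 0x8000u

/*
 * The round-trip check. Set a known probe mode, then restore the original mode.
 * On an unhooked system the second call must return the probe value we just
 * set; if it does not, something between us and the kernel is rewriting or
 * discarding our values, which is what an API-hooking sandbox monitor looks like.
 * Returns 1 if a sandbox is suspected, 0 otherwise.
 */
int sandbox_suspected_via_error_mode(set_error_mode_fn set_error_mode)
{
    uint32_t original = set_error_mode(PROBE_MODE);   /* remember caller's mode */
    uint32_t readback = set_error_mode(original);     /* restore; expect PROBE_MODE */
    return readback != PROBE_MODE;
}

/* Constructed model of an unhooked OS: one per-process value, stored and
 * returned faithfully, exactly as the documented API contract describes. */
static uint32_t model_process_mode = 0;
uint32_t faithful_set_error_mode(uint32_t new_mode)
{
    uint32_t previous = model_process_mode;
    model_process_mode = new_mode;
    return previous;
}

/* Constructed model (an assumption, not Cuckoo's real hook) of a monitor that
 * forces its own error mode and reports a fixed "previous" value to the caller. */
uint32_t hooked_set_error_mode(uint32_t new_mode)
{
    (void)new_mode;   /* the caller's value is thrown away */
    return 0;         /* never equals the probe value the caller just set */
}

#ifdef _WIN32
/* Thin wrapper so the real API fits the function-pointer type above. */
uint32_t real_set_error_mode(uint32_t new_mode)
{
    return (uint32_t)SetErrorMode((UINT)new_mode);
}
#endif

int main(void)
{
    printf("unhooked model : %s\n",
           sandbox_suspected_via_error_mode(faithful_set_error_mode) ? "sandbox suspected" : "clean");
    printf("hooked model   : %s\n",
           sandbox_suspected_via_error_mode(hooked_set_error_mode) ? "sandbox suspected" : "clean");
#ifdef _WIN32
    printf("this process   : %s\n",
           sandbox_suspected_via_error_mode(real_set_error_mode) ? "sandbox suspected" : "clean");
#endif
    return 0;
}
```

For an analyst, the practical consequence is the mirror image: a sandbox hook on SetErrorMode has to preserve the exact previous value for the caller, or samples packed this way will silently exit before doing anything worth recording.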

A New Attempt to Disable Korean Anti-malware Software (GandCrab v5.0.4)

While monitoring GandCrab distribution scripts, AhnLab ASEC recently spotted a new method of disabling Korean anti-malware software. The previous version tried to remove the software by executing 'Uninst.exe', as in Figure 1 below; the recently discovered distribution script uses a new method to terminate V3.

Figure 1. Code related to uninstalling V3 Lite (GandCrab v5.0.3)

The method of operation also changed. In the previous version the GandCrab ransomware executable was dropped and executed by a JavaScript file (*.js); the recent one runs filelessly via PowerShell, and the encryption itself is performed by PowerShell.exe. Furthermore, if widely used Korean anti-malware software is running, it delays execution for 15 minutes (Sleep() function) before proceeding. The distributed *.js file is obfuscated as shown in…

Analysis of CVE-2018-8174 Vulnerability

AhnLab ASEC analyzed the Internet Explorer vulnerability CVE-2018-8174, which is being widely used to distribute ransomware and malware targeting Korea. This vulnerability is also used to distribute Magniber ransomware, and users must apply the security patch to prevent damage. MS security update page (CVE-2018-8174) – https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/CVE-2018-8174

01. Summary

1) CVE-2018-8174 overview

CVE-2018-8174 is a use-after-free vulnerability in the VBScript engine: a freed object is reused, which allows remote code execution. The affected versions are Internet Explorer 8, 9, 10 and 11; Windows 10 (version 1803 or older), Windows 7, Windows 8 and Windows Server.

02. Background Knowledge

1) How VBScript engine runs a…

[Exclusive] How to Block Encryption of GandCrab v4.1.2 (Kill-Switch) – Update (v4.1.3)

On July 13, AhnLab shared a method to block encryption by GandCrab v4.1.1; Fortinet had announced similar information on July 9. However, on July 17, GandCrab v4.1.2 was found, and it carries a message that seemingly ridicules both security vendors:

– "#fortinet & #ahnlab, mutex is also kill-switch not only lockfile ;)"

Figure 1. Twitter post on GandCrab v4.1.2 (Reference: https://twitter.com/MarceloRivero/status/1019259361259028480?s=09)

The message was not the only change in v4.1.2. The algorithm that generates the *.lock filename, which is the key to preventing encryption, was made more complex, and the filename length was extended from 8 bytes to 20 bytes. AhnLab ASEC confirmed that the changed filename-generation algorithm is a custom Salsa20, a partially modified Salsa20, and developed…