Published on March 2nd, 2019 📆 | 8427 Views ⚑0
Ransomware, Trojan and Miner together against “PIK-Group”
The script eventually drops and executes (Stage0 Execution phase follows) a fake image file (msg.jpg) which actually is an UPX packet windows PE acting as second stage. The second stage drops and executes three additional modules: a backdoor, a Miner and finally a quite known Ransomware. It actually weird to understand the attacker’s needs, at such point, why so many different actors in an unique attack ?
According to pcrisk, the first downloaded module (327B0EF4.exe) looks like a well-known Troldesh Ransomware. This particular ransomware renames files so that they comprise a line of characters and digits and adds the “.crypted000007” extension to each. For example, after encryption, the file “1.jpg” might have an appearance similar to this example: “hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007”. Furthermore, Crypted000007 creates ten ransom-demand messages (with identical content) called “README1.txt”, “README2.txt” … “README10.txt” and places them on the desktop. This virus also changes the desktop wallpaper. The following image shows the ransom note that I’ve got during the infection phase.
The second installed module (37ED0C97.exe) is well-known piece of software as well. It’s a Miner called nheqminer. Nheqminer is a great implementation of equihash mining, mainly used on NiceHas but forked many times and todays is getting used for several spare projects as well. Nheqminer is a specific miner for Zcash value based on common PCs. You might want to checkout more here. Exploring memory snapshots during its execution can be easy to figure out the miner runs over Zcash.Flypool server mining for the following wallet address.
According to zcashnetwork the attacker’s wallet received from mining activity 4.89 ZCash (lsat transaction on February 26th, 2019) so far. This amount suggests that the attacker activity is started (re-started) few days ago or its infected botnet is not so big at that time.
According to Virustotal the third installed module ( B56CE7B7.exe) is another well-known software called Trojan-Heur and (in)famous during 2017 to perform brute force attack on WordPress based websites.
A typical behaviour for Trojans like HEUR.Trojan.Win32.Generic is one or all of the following:
Download and install other malware.
Use your computer for click fraud.
Record your keystrokes and the sites you visit.
Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
Give a remote malicious hacker access to your PC.
Advertising banners are injected with the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software
Indeed it behaviour perfectly fits the Malware family behaviour. Once installed on victim PC it starts to brute force many websites looking for weak credentials. Once it finds weak credentials it installs itself into the WordPress website maintaining the original name: “pik.zip”. Thanks to this characteristic it would be possible to enumerate infected website through a combined searches on google engine (please see dropping urls).
The following image shows the main actor connections and their relationships. The analysed implant is quite interesting since rises many questions, for example: Why the attacker pretends to build a targeted attack to PIK-Group (using crafted strings) with refurbished malware ? Why the implant installs a “miner” and a “ransomware” as well ? While it might be understandable the usage of software for harvesting money, why the attacker introduced a brute force Trojan bot ?
On my personal point of view, it’s a quite weird behavior goes pretty far from classical state-sponsored attacks. We are facing an actor who apparently wants money (ransomware and miner), but also want credentials and want to be able to control the victim’s box in the future. But we are facing again an actor who is using the victim to brute force third-party random websites as well. This activity is quite heavy and it ‘s easy to be detected and to be blocked from security administrators or IT guys, which is clearly, in opposition to mining (which wants to remain stealth as more as possible) and to trojan as well (who wants to propagate itself silently). We might assume a malware building factory who is overselling a small botnet. In any case, I don’t think it would be a state sponsored-attack against PIK-Group but rather a nice way to maximize profits on a relatively small botnet.
Further details, including Indicator of Compromise (IoCs) are reported in the analysis published by Marco Ramilli.