Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed and malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It's an interesting one because it is a piece of malware that implements ransomware features developed in Node.js[1]! The first stage is not obfuscated and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrain (SHA256: 90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58[2].

The first stage is a VBScript that decodes the ransomware, sets up persistence and deploys a local Node.js instance running the generated files in %USERPROFILE%\AppData\Local:

    \GFp0JAk\lLT8PCI.js
    \GFp0JAk\node_modules\graceful-fs\fs.js
    \GFp0JAk\node_modules\graceful-fs\package.json
    \GFp0JAk\node_modules\graceful-fs\graceful-fs.js
    \GFp0JAk\node_modules\graceful-fs\legacy-streams.js
    \GFp0JAk\node_modules\graceful-fs\polyfills.js

Node.js is downloaded from hxxps://nodejs[.]org/download/release/latest-v8.x/win-x86/node.exe and saved as %USERPROFILE%\AppData\Local\GFp0JAk\GFp0JAk.exe

Persistence is added via Registry keys (three values under HKCU\...\Run):

```vbscript
' Relaunches the stage-one VBScript through wscript at every logon
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Office", "wscript " & strVbs, "REG_SZ"
' Starts the local node.exe copy (GFp0JAk.exe) on the ransomware entry point with the "decryptStatic" argument
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Startup", strExe & " " & outWorkingDir & "\" & strEntPoint & " decryptStatic", "REG_SZ"
' Opens the How-to-buy-bitcoins.html page in a minimized cmd window
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows", "cmd /c start /min " & outWorkingDir & "\How-to-buy-bitcoins.html", "REG_SZ"
```

The script's main loop performs the following tasks every 40 seconds:
Once done, an "initdone" file is created and the desktop layout (icons & positions) is reset by deleting the registry key:

    HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop

Now, let's have a look at the Node.js code, the ransomware itself. This code is obfuscated but easy to process with a JavaScript beautifier. Here is some interesting extracted information:

Ransom price: 0.4 BTC
Encryption is performed via a public/private key pair.
Files to encrypt are scanned via this function:

```javascript
// scan() builds the list of locations to encrypt: well-known folders under the
// user profile, plus every drive from B: to Z: whose root accepts an empty test
// file (the test file is removed right after the write succeeds).
// userprofile, testFile, fs and removeFile are defined elsewhere in the script.
scan = function() {
    var b = [];
    b.push(userprofile + "\\Desktop");
    b.push(userprofile + "\\Documents");
    b.push(userprofile + "\\Downloads");
    b.push(userprofile + "\\Contacts");
    b.push(userprofile + "\\Pictures");
    b.push(userprofile + "\\Music");
    b.push(userprofile + "\\Videos");
    b.push(userprofile + "\\AppData\\Local\\Microsoft\\Outlook");
    for (var a = 0; 25 > a; a++) {
        var c = String.fromCharCode(66 + a) + ":",   // "B:" .. "Z:"
            d = c + "\\" + testFile;
        if (fs.existsSync(c)) try {
            fs.writeFileSync(d, "", "utf-8"), b.push(c), removeFile(d)
        } catch (e) {}
    }
    return b
};
```

The ransom notification is also generated on the fly:

I did not find a contact email address for the victims, and the encrypted file extension is empty in the code. If you have more information about this sample, please share it!

[1] https://nodejs.org/en/

Xavier Mertens (@xme)
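As an added detection example (not code from the diary, nor from the malware), the following Node.js script triages the HKCU Run values written by the first stage described above. It parses text in the format produced by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the sample output is constructed, the stage-one VBScript name is a placeholder, the entry point is assumed to be lLT8PCI.js, and the OneDrive allow-list entry is a hypothetical example of a legitimate per-user install. A value is reported when it is launched through a script host or LOLBin, points into a user-writable directory, or passes a script or HTML file as argument, which covers all three values the VBScript writes.

```javascript
// Added example, not part of the diary: triage of HKCU Run values for the
// persistence pattern described above. Input is text in `reg query` format.
// Constructed sample: the stage-one VBScript name is a placeholder and the
// entry point is assumed to be lLT8PCI.js; OneDrive stands in for a benign entry.
const SAMPLE_REG_OUTPUT = `
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Microsoft Office    REG_SZ    wscript C:\\Users\\victim\\AppData\\Local\\STAGE1_PLACEHOLDER.vbs
    Startup    REG_SZ    C:\\Users\\victim\\AppData\\Local\\GFp0JAk\\GFp0JAk.exe C:\\Users\\victim\\AppData\\Local\\GFp0JAk\\lLT8PCI.js decryptStatic
    Windows    REG_SZ    cmd /c start /min C:\\Users\\victim\\AppData\\Local\\GFp0JAk\\How-to-buy-bitcoins.html
`;

// Script hosts and LOLBins commonly used to launch a dropped payload.
const SCRIPT_HOSTS = new Set(['wscript', 'cscript', 'cmd', 'mshta', 'powershell', 'rundll32', 'regsvr32']);
// Directories any user can write to; a Run value pointing here deserves a look.
const USER_WRITABLE = [/\\appdata\\local\\/i, /\\appdata\\roaming\\/i, /\\temp\\/i, /\\downloads\\/i];
// Hypothetical allow-list for per-user installs that legitimately live under AppData.
const KNOWN_GOOD = [/\\appdata\\local\\microsoft\\onedrive\\/i];

// Parse `reg query` output into { name, type, command } records.
function parseRunValues(regOutput) {
  const values = [];
  for (const line of regOutput.split(/\r?\n/)) {
    const m = line.match(/^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$/);
    if (m) values.push({ name: m[1], type: m[2], command: m[3].trim() });
  }
  return values;
}

// Base name (without .exe, lower-cased) of the program a command line starts with.
function leadingExecutable(command) {
  const quoted = command.match(/^"([^"]+)"/);
  const first = quoted ? quoted[1] : command.split(/\s+/)[0];
  return first.split(/[\\/]/).pop().replace(/\.exe$/i, '').toLowerCase();
}

// Collect the reasons a single Run value looks suspicious (empty array = nothing found).
function triageRunValue(value) {
  const reasons = [];
  const exe = leadingExecutable(value.command);
  if (SCRIPT_HOSTS.has(exe)) reasons.push('launched through ' + exe);
  const userWritable = USER_WRITABLE.some((re) => re.test(value.command));
  const knownGood = KNOWN_GOOD.some((re) => re.test(value.command));
  if (userWritable && !knownGood) reasons.push('payload under a user-writable path');
  if (/\.(js|vbs|hta|html?)\b/i.test(value.command)) reasons.push('script or HTML file as argument');
  return { name: value.name, command: value.command, reasons };
}

// Return only the values that triggered at least one reason.
function triageRunKey(regOutput) {
  return parseRunValues(regOutput).map(triageRunValue).filter((r) => r.reasons.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of triageRunKey(SAMPLE_REG_OUTPUT)) {
    console.log(`[suspect] ${hit.name}: ${hit.command}\n    ${hit.reasons.join('; ')}`);
  }
}
```

On a live host the input would come from `reg query` run by the analyst; the allow-list is the part to tune, since many legitimate per-user applications also start from AppData, so the "user-writable path" reason alone is a prompt to look rather than a verdict.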
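A second added example, again not code from the diary or the malware: a behavioural check for the drive probing done by the scan() function above, which writes an empty test file to the root of every drive from B: to Z: and deletes it immediately. The file events below are constructed (in a deployment they would come from Sysmon or EDR file-create/delete telemetry), the probe file name is a placeholder, and the function flags any process that creates and then deletes a file directly under the root of at least three distinct drives within a short window.

```javascript
// Added example, not part of the diary: behavioural detection for the drive
// probing performed by the ransomware's scan() function (empty file written to
// each drive root B:..Z:, then deleted). Events are constructed; the probe file
// name is a placeholder. t = milliseconds since the start of the capture.
const SAMPLE_EVENTS = [
  { t: 0,    pid: 4120, op: 'create', path: 'C:\\PROBE_PLACEHOLDER.tmp' },
  { t: 3,    pid: 4120, op: 'delete', path: 'C:\\PROBE_PLACEHOLDER.tmp' },
  { t: 10,   pid: 4120, op: 'create', path: 'D:\\PROBE_PLACEHOLDER.tmp' },
  { t: 12,   pid: 4120, op: 'delete', path: 'D:\\PROBE_PLACEHOLDER.tmp' },
  { t: 20,   pid: 4120, op: 'create', path: 'E:\\PROBE_PLACEHOLDER.tmp' },
  { t: 22,   pid: 4120, op: 'delete', path: 'E:\\PROBE_PLACEHOLDER.tmp' },
  { t: 30,   pid: 4120, op: 'create', path: 'F:\\PROBE_PLACEHOLDER.tmp' },
  { t: 31,   pid: 4120, op: 'delete', path: 'F:\\PROBE_PLACEHOLDER.tmp' },
  { t: 1000, pid: 900,  op: 'create', path: 'D:\\report.docx' },  // benign: file is kept
  { t: 1500, pid: 900,  op: 'create', path: 'D:\\tmp.txt' },      // benign: one drive only
  { t: 1600, pid: 900,  op: 'delete', path: 'D:\\tmp.txt' },
  { t: 2000, pid: 4120, op: 'create', path: 'C:\\Users\\victim\\Desktop\\x.txt' }, // not a drive root
];

// Matches a file directly under a drive root, e.g. "D:\probe.tmp"; captures the letter.
const DRIVE_ROOT_FILE = /^([A-Za-z]):\\[^\\]+$/;

// Return [{ pid, drives }] for every process that wrote and deleted a file at the
// root of at least minDrives distinct drives, each pair completed within windowMs.
function detectDriveProbes(events, { minDrives = 3, windowMs = 60000 } = {}) {
  const pending = new Map(); // "pid|path" -> creation time, awaiting a matching delete
  const probed = new Map();  // pid -> Set of drive letters where create+delete was seen
  const ordered = [...events].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    const m = DRIVE_ROOT_FILE.exec(ev.path);
    if (!m) continue; // only files directly under a drive root matter here
    const key = `${ev.pid}|${ev.path.toLowerCase()}`;
    if (ev.op === 'create') {
      pending.set(key, ev.t);
    } else if (ev.op === 'delete' && pending.has(key)) {
      if (ev.t - pending.get(key) <= windowMs) {
        if (!probed.has(ev.pid)) probed.set(ev.pid, new Set());
        probed.get(ev.pid).add(m[1].toUpperCase());
      }
      pending.delete(key);
    }
  }
  return [...probed.entries()]
    .filter(([, drives]) => drives.size >= minDrives)
    .map(([pid, drives]) => ({ pid, drives: [...drives].sort() }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const alert of detectDriveProbes(SAMPLE_EVENTS)) {
    console.log(`[drive probe] pid ${alert.pid} touched roots of ${alert.drives.join(', ')}`);
  }
}
```

The threshold of three drives keeps installers and backup tools that touch one or two roots out of the results; on a host with many mapped drives, the same probe shows up as a burst of create/delete pairs from a single process within a few milliseconds, which is the signal to alert on.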
ISC Handler, Jan 2nd 2020