{"id":14089,"date":"2018-12-17T10:03:07","date_gmt":"2018-12-17T18:03:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/17\/news-7856\/"},"modified":"2018-12-17T10:03:07","modified_gmt":"2018-12-17T18:03:07","slug":"news-7856","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/17\/news-7856\/","title":{"rendered":"Sophisticated Ransomware: \u201cKatyusha\u201d"},"content":{"rendered":"<p><strong>Credit to Author: Ghanshyam More | Date: Fri, 14 Dec 2018 10:59:58 +0000<\/strong><\/p>\n<p>Estimated reading time: 6 minutes<\/p>\n<p>For several months, Quick Heal Security Labs has been observing an increase in ransomware. We have found one more interesting family, which encrypts files, appends the extension \u201c.katyusha\u201d, demands 0.5 BTC within three days and threatens to publish the data for public download if the ransom is not paid. The malware is bundled with many components, including the \u201cEternalBlue\u201d SMBv1 exploit (MS17-010) and the \u201cDoublePulsar\u201d kernel implant, which it uses to spread over the network. It also uses the \u201cSquiblydoo\u201d technique (regsvr32.exe loading a COM scriptlet through scrobj.dll, which sidesteps application whitelisting) as part of that lateral movement. The initial infection vector is still not confirmed; based on the components observed, the ransomware may enter a system via spear phishing, malvertising, spam mail or the SMB exploit.<\/p>\n
<p><strong>Technical Analysis<\/strong><\/p>\n<p>The sample is packed with MPRESS (v2.19) and is present on the victim\u2019s system as \u201ckatyusha.exe\u201d in \u201c%temp%\u201d. It carries three embedded components; on execution it drops them into C:\\Windows\\Temp and starts them:<\/p>\n<ul>\n<li>svchost0.bat<\/li>\n<li>zkts.exe<\/li>\n<li>ktsi.exe<\/li>\n<\/ul>\n<p>Katyusha checks for the following files to determine whether the system is already infected:<\/p>\n<ul>\n<li>\u201cC:\\_how_to_decrypt_you_files.txt\u201d<\/li>\n<li>\u201cC:\\ProgramData\\_how_to_decrypt_you_files.txt\u201d<\/li>\n<\/ul>\n<p>If the system is already infected, Katyusha writes a batch file (svchost0.bat) containing the code shown in Fig. 1, which deletes the dropped copy and terminates the process. If the system is not infected, it drops zkts.exe and ktsi.exe and executes them.<\/p>\n<p>Fig 1: Content of svchost0.bat<\/p>\n
<p><strong>zkts.exe<\/strong>: This is a 7-Zip-compressed executable and the main component; it contains multiple sub-modules, such as the network-spreading module and the password-stealing module. On execution, zkts.exe extracts its contents into \u201cC:\\Windows\\Temp\u201d (Mimikatz, katyusha.dll, the EternalBlue exploit, and so on); Katyusha uses these later for its spreading activity.<\/p>\n<p>Fig 2: Files dropped by zkts.exe<\/p>\n
<p><strong>ktsi.exe (Encryptor)<\/strong>: This is the other main component, also MPRESS-packed. It performs the file encryption and drops the ransom note on the victim\u2019s system. The main payload (katyusha.exe) starts it as an independent process, as shown in Fig 3.<\/p>\n<p>Fig 3: Call to CreateProcess() for ktsi.exe<\/p>\n<p>On execution, ktsi.exe first kills the following processes so that files they hold open (database files, for example) are released and can be encrypted, as shown in Fig 4. The list is hard-coded in the malware and consists of database and web-server processes:<\/p>\n<ul>\n<li>mysqld.exe<\/li>\n<li>httpd.exe<\/li>\n<li>sqlsevr.exe<\/li>\n<li>sqlwriter.exe<\/li>\n<li>w3wp.exe<\/li>\n<li>sqlagent.exe<\/li>\n<li>fdhost.exe<\/li>\n<li>fdlauncher.exe<\/li>\n<li>reportingservicesservice.exe<\/li>\n<li>omtsreco.exe<\/li>\n<li>tnslsnr.exe<\/li>\n<li>oracle.exe<\/li>\n<li>emagent.exe<\/li>\n<li>mysqld-nt.exe<\/li>\n<\/ul>\n<p>Fig 4: taskkill command execution<\/p>\n<p>
After the taskkill step, the malware drops the ransom note in both HTML and TXT format into the all-users Startup folder, so that it is shown to every user at logon:<\/p>\n<p>\u201cC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\u201d<\/p>\n<ul>\n<li>_how_to_decrypt_you_files.txt<\/li>\n<li>_how_to_decrypt_you_files.html<\/li>\n<\/ul>\n<p>In \u201cC:\\ProgramData\u201d and at the root of the C: drive it drops only the text version, \u201c_how_to_decrypt_you_files.txt\u201d; these are the same two paths it checks on startup to decide whether the system is already infected.<\/p>\n<p>Fig 5: Ransom note<\/p>\n<p>ktsi.exe also deletes the Volume Shadow Copies, removing the simplest local recovery path, by executing the following command:<\/p>\n<p>\u201cvssadmin delete shadows \/all \/quiet\u201d<\/p>\n<p>Fig 6: Shadow copy deletion<\/p>\n<p>After these preparations, ktsi.exe starts encrypting files. The encryption is RSA-based and is built on the standard CRYPTOGAMS routines (Andy Polyakov\u2019s assembly implementations of cryptographic primitives, as bundled with OpenSSL); signature strings of that code are present in the file, as shown in Fig 7.<\/p>\n<p>Fig 7: CRYPTOGAMS strings<\/p>\n<p>It encrypts files of every extension except those listed in Fig 8.<\/p>\n<p>Fig 8: Extensions excluded from encryption<\/p>\n<p>It also carries an exclusion list of file and folder names (Fig 9); if any of these strings appears in an enumerated file path, that path is skipped. To keep the encryption running without interference, the list includes the directories of a few security products.<\/p>\n<p>Fig 9: Exclusion list of files and folders<\/p>\n
<p><strong>Spreading Mechanism<\/strong><\/p>\n<p>Network spreading is done with the files extracted by zkts.exe (see Fig 2 for the extracted components). m32.exe and m64.exe are the 32-bit and 64-bit builds of the Mimikatz tool, used to fetch credentials from the memory of the Windows lsass.exe process. katyusha.exe first determines whether it is running on a 64-bit system by calling IsWow64Process (the function\u2019s output parameter is set to TRUE when the 32-bit process is running under WOW64, i.e. on 64-bit Windows; the return value itself only signals success) and launches the Mimikatz build matching the system architecture. Mimikatz writes its output to the following files in \u201cC:\\Windows\\Temp\u201d:<\/p>\n<ul>\n<li>snamelog: the usernames it fetched<\/li>\n<li>spasslog: the passwords for the respective usernames<\/li>\n<\/ul>\n<p>Fig 10: Check to determine system type and start Mimikatz<\/p>\n<p>
After Mimikatz has run, katyusha.exe reads the usernames from snamelog and the passwords from spasslog and uses them to brute-force its way into the&hellip;<br \/><a href=\"https:\/\/blogs.quickheal.com\/sophisticated-ransomware-katyusha\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Ghanshyam More | Date: Fri, 14 Dec 2018 10:59:58 +0000<\/strong><\/p>\n<p>For several months, Quick Heal Security Labs has been observing an increase in ransomware. We have found one more interesting family, which encrypts files, appends the extension \u201c.katyusha\u201d, demands 0.5 BTC within three days and threatens to publish the data for public download if the ransom is not&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[10490,11796,20440,12319,11253,20441,3764,12165,11831,3924,3765,714,10596,10518,20442,10833,10467],"class_list":["post-14089","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-bitcoin","tag-cyber-crime","tag-double-pulsar","tag-eternalblue","tag-hacker","tag-katyusha","tag-malware","tag-mimikatz","tag-password","tag-phishing","tag-ransomware","tag-security","tag-security-patch","tag-spam","tag-squiblydoo","tag-trojan","tag-vulnerability"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14089"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14089\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14089"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
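The encryptor and spreading sections above describe a chain of host behaviours that are cheap to detect from ordinary endpoint telemetry: ktsi.exe killing database processes with taskkill, deleting shadow copies with vssadmin, dropping _how_to_decrypt_you_files.txt/.html into the all-users Startup folder, components executing from C:\Windows\Temp, Mimikatz leaving snamelog/spasslog there, and files gaining the .katyusha extension. The following is an added example of that detection logic written for this page; it is not Quick Heal's code and is not taken from the malware. The two event shapes (process creation, file creation), the host names and the sample events are constructed assumptions standing in for whatever EDR or Sysmon feed you actually have; only the indicators themselves come from the writeup.

```python
"""Katyusha-style ransomware behaviour detector over constructed endpoint telemetry.

Added example, not the original post's code. ProcessEvent/FileEvent are an assumed
event shape; the sample events below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Processes the encryptor (ktsi.exe) kills before encrypting, per the writeup.
DB_PROCESSES = {
    "mysqld.exe", "httpd.exe", "sqlsevr.exe", "sqlwriter.exe", "w3wp.exe",
    "sqlagent.exe", "fdhost.exe", "fdlauncher.exe", "reportingservicesservice.exe",
    "omtsreco.exe", "tnslsnr.exe", "oracle.exe", "emagent.exe", "mysqld-nt.exe",
}
RANSOM_NOTE = re.compile(r"_how_to_decrypt_you_files\.(txt|html)$", re.IGNORECASE)
TASKKILL_IM = re.compile(r"/im\s+(\S+)", re.IGNORECASE)        # taskkill /im <name>
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
WINDOWS_TEMP = "c:\\windows\\temp\\"
CRED_DUMP_FILES = {"snamelog", "spasslog"}                     # Mimikatz output names


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str      # full path of the created process
    cmdline: str
    parent: str     # parent image name


@dataclass(frozen=True)
class FileEvent:
    host: str
    path: str       # full path of the created/renamed file


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Yield Findings for one process-creation event."""
    image = _basename(ev.image)
    if image == "vssadmin.exe" and SHADOW_DELETE.search(ev.cmdline):
        yield Finding(ev.host, "shadow_copy_deletion", ev.cmdline)
    if image == "taskkill.exe":
        targets = {t.lower() for t in TASKKILL_IM.findall(ev.cmdline)}
        hit = sorted(targets & DB_PROCESSES)   # only the hard-coded DB/web list fires
        if hit:
            yield Finding(ev.host, "db_process_kill", ",".join(hit))
    if ev.image.lower().startswith(WINDOWS_TEMP):   # zkts.exe, ktsi.exe, m32/m64.exe
        yield Finding(ev.host, "exec_from_windows_temp", ev.image)


def check_file(ev):
    """Yield Findings for one file-creation event."""
    path = ev.path.lower().replace("/", "\\")
    name = _basename(path)
    if RANSOM_NOTE.search(name):
        yield Finding(ev.host, "ransom_note_drop", ev.path)
    if path.startswith(WINDOWS_TEMP) and name in CRED_DUMP_FILES:
        yield Finding(ev.host, "mimikatz_output", ev.path)
    if name.endswith(".katyusha"):
        yield Finding(ev.host, "katyusha_extension", ev.path)


def detect(process_events, file_events):
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for ev in file_events:
        findings.extend(check_file(ev))
    return findings


def hosts_to_isolate(findings, min_rules=2):
    """Hosts on which at least min_rules distinct behaviours fired; a lone taskkill
    or vssadmin call is noisy, the combination is not."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return sorted(h for h, r in rules.items() if len(r) >= min_rules)


# Constructed sample telemetry (assumption): one infected server and one clean workstation.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("srv01", "C:\\Windows\\Temp\\ktsi.exe", "ktsi.exe", "katyusha.exe"),
    ProcessEvent("srv01", "C:\\Windows\\System32\\taskkill.exe",
                 "taskkill /f /im mysqld.exe /im sqlwriter.exe", "ktsi.exe"),
    ProcessEvent("srv01", "C:\\Windows\\System32\\vssadmin.exe",
                 "vssadmin delete shadows /all /quiet", "ktsi.exe"),
    ProcessEvent("srv01", "C:\\Windows\\Temp\\m64.exe", "m64.exe", "katyusha.exe"),
    # Benign: an admin closing an editor, and a backup tool only listing shadows.
    ProcessEvent("ws07", "C:\\Windows\\System32\\taskkill.exe", "taskkill /im notepad.exe", "cmd.exe"),
    ProcessEvent("ws07", "C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows", "backup.exe"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("srv01", "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\_how_to_decrypt_you_files.html"),
    FileEvent("srv01", "C:\\_how_to_decrypt_you_files.txt"),
    FileEvent("srv01", "C:\\Windows\\Temp\\spasslog"),
    FileEvent("srv01", "D:\\data\\invoices.xlsx.katyusha"),
    FileEvent("ws07", "C:\\Users\\bob\\Documents\\notes.txt"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("isolate:", hosts_to_isolate(detect(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)))
```

The rules are deliberately behavioural rather than hash-based: a repacked sample changes its MPRESS stub but still has to kill the same database processes, run the same vssadmin command and write a ransom note where every user sees it. The `hosts_to_isolate` threshold is what keeps this usable in a SOC, since taskkill and vssadmin appear in legitimate admin and backup activity; on the constructed sample only srv01 trips two or more rules, while the workstation's taskkill of notepad and `vssadmin list shadows` produce nothing.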