{"id":11317,"date":"2018-01-30T16:10:03","date_gmt":"2018-01-31T00:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5088\/"},"modified":"2018-01-30T16:10:03","modified_gmt":"2018-01-31T00:10:03","slug":"news-5088","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5088\/","title":{"rendered":"GandCrab ransomware distributed by RIG and GrandSoft exploit kits"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Tue, 30 Jan 2018 23:43:52 +0000<\/strong><\/p>\n

This post was authored by Vasilios Hioueras and J\u00e9r\u00f4me Segura<\/em><\/p>\n

Late last week saw the appearance of a new ransomware called GandCrab. Surprisingly, it is distributed via two exploit kits: RIG EK and GrandSoft EK.<\/p>\n

Why is this surprising? Other than Magnitude EK, which is known to consistently push the Magniber ransomware<\/a>, other exploit kits have this year mostly\u00a0dropped other payloads, such as Ramnit or SmokeLoader, typically followed by RATs and coin miners.<\/p>\n

Despite a bit of a slowdown in ransomware growth towards the last quarter of 2017, it remains a tried and tested business that guarantees threat actors a substantial source of revenue.<\/p>\n

Distribution<\/h3>\n

GandCrab was first spotted<\/a> on Jan 26 and later identified in exploit kit campaigns.<\/p>\n

RIG exploit kit<\/strong><\/p>\n

The well-documented Seamless gate appears to have diversified itself as of late with distinct threads pushing a specific payload. While Seamless is notorious for having switched to International Domain Names<\/a> (IDNs) containing characters from the Russian alphabet, we have also discovered a standard domain name in a different malvertising chain. (Side note: that same chain is also used to redirect to the Magnitude exploit kit.)<\/p>\n

We observed the same filtering done upstream, which will filter out known IPs, while the gav[0-9].php<\/em> step is a more surefire way to get the redirection to RIG EK.<\/p>\n

\"\"<\/a><\/p>\n

At the moment, only the gav4.php<\/em><\/a>\u00a0flow is used to spread this ransomware.<\/p>\n

GrandSoft exploit kit<\/strong><\/p>\n

This exploit kit is an oldie, far less common, and thought to have disappeared<\/a>. Yet it was discovered<\/a> that it too was used to redistribute GandCrab.<\/p>\n

\"\"<\/a><\/p>\n

GrandSoft EK’s landing page is not obfuscated and appears to be using similar functions found in other exploit kits.<\/p>\n

Ransom note<\/h3>\n

Interestingly, GandCrab is not demanding payment in the popular Bitcoin currency, but rather a lesser-known cryptocurrency called Dash. this is another sign that threat actors are going for currencies that offer more anonymity and may have lower transaction fees than BTC.<\/p>\n

\"\"<\/a><\/p>\n

Technical analysis<\/h3>\n

After unpacking, the binary is pretty straight forward as far as analysis is concerned. There were no attempts to obfuscate data or code beyond just the first layer of the packer. Everything from the exclusion file types to web request variables, URLs, list of AVs\u2014even the whole ransom message\u2014is in plain text within the data section. On initial look-through, you can deduce what some of the functionality might be just by simply looking at the strings of the binary.<\/p>\n

The code flow stays relatively inline, so as far as reverse engineering is concerned, it allows you to quite accurately analyze it even just statically in a disassembler. The code is divided up into three main segments: initialization, network, <\/strong>and\u00a0encryption.<\/strong><\/p>\n

Initialization<\/strong><\/p>\n

After unpacking, GranCrab starts out with a few functions whose tasks are to set up some information to be used later in the code. It queries information about the user such as:<\/p>\n