{"id":18703,"date":"2022-04-07T07:40:09","date_gmt":"2022-04-07T15:40:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/07\/news-12436\/"},"modified":"2022-04-07T07:40:09","modified_gmt":"2022-04-07T15:40:09","slug":"news-12436","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/07\/news-12436\/","title":{"rendered":"Looking Inside Pandora\u2019s Box"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/h2>\n<p><b>Affected Platforms:<\/b> Windows<br \/> <b>Impacted Users:<\/b> Windows users<br \/> <b>Impact:<\/b> Most files on the compromised machines are encrypted<br \/> <b>Severity Level: <\/b>Medium <\/p>\n<p>In Greek mythology, the opening of the infamous Pandora\u2019s box (jar) introduced terrible things to the world. That can also be said about today\u2019s ransomware. The newly emerged Pandora ransomware that has taken the name is no exception. It steals data from the victim\u2019s network, encrypts the victim\u2019s files, and releases the stolen data if the victim opts not to pay. The Greek myth says hope was left in the box. Does that hold true for Pandora ransomware, an emerging malware that shows all the techniques used by modern ransomware? In this blog we are taking a hammer and crowbar to look inside today\u2019s Pandora\u2019s box to find out what mysteries it holds. 
We will discuss:<\/p>\n<ul>\n<li>How this ransomware tries to evade detection<\/li>\n<li>The numerous obfuscation and anti-analysis techniques that are used to hinder analysts<\/li>\n<li>How multi-threading is used to speed up processing<\/li>\n<li>How the filesystem is processed<\/li>\n<li>How and which files are encrypted.<\/li>\n<\/ul>\n<h2>Pandora Group<\/h2>\n<p>The Pandora ransomware group emerged into the already crowded ransomware field as early as mid-February 2022 and targets corporate networks for financial gain. The group got recent publicity after they announced that they had acquired data from an international supplier in the automotive industry. The incident came as a surprise, as the attack came two weeks after another automotive supplier was reportedly hit with unknown ransomware, which resulted in one of the world\u2019s biggest car manufacturers suspending factory operations. The threat group uses the double extortion method to increase pressure on the victim. This means that they not only encrypt the victim\u2019s files, but also exfiltrate them and threaten to release the data if the victim does not pay.<\/p>\n<p>The Pandora Group has a leak site on the Dark Web (TOR network), where they publicly announce their victims and threaten them with the data leak. There are currently three victims listed on the leak site (see Figure 1): a U.S.-based real estate agency, a Japanese technology company, and a U.S. 
law firm.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649205824909\/fig1.png\" alt=\"Figure 1: Pandora&#39;s leak site\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1 &#8211; Pandora&#39;s leak site<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Malware Analysis<\/h2>\n<p>We analyzed the sample with the SHA-256 hash <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b<\/span><\/span>,\u00a0which is a 64-bit Windows PE file. It is the ransomware itself, so by the time this file is executed during an attack, the attackers probably already had extensive access to the victim\u2019s network, and they had already exfiltrated the data they will use for the extortion. This sample does not have the capability to communicate with the threat actors. Its sole purpose is to find and encrypt files. However, it does this in an interesting and complex manner.<\/p>\n<p>In the following sections these interesting aspects of the malware will be discussed.<\/p>\n<h3>Execution Flow<\/h3>\n<p>The sample goes through the following steps:<\/p>\n<p>Note that \u201cT\u201d followed by numbers within brackets refers to MITRE ATT&amp;CK technique ID, which are summarized at the end of the post.<\/p>\n<p>\u00a01)\u00a0<b>Unpacking<\/b>: The sample is packed with a modified UPX packer (T1027.002), so the first step is to unpack the real content to memory and jump to it. 
This will be discussed later.<\/p>\n<p>\u00a02)\u00a0<b>Mutex<\/b><span>: It creates a <\/span><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">mutex <\/span><\/span><span>called <\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">ThisIsMutexa<\/span><\/span>.<\/p>\n<p>\u00a03)\u00a0<b>Disable Security Features<\/b>: It can delete Windows shadow copies (T1490), bypass AMSI (T1562.001), and disable Event Logging (T1562.002). More on these features later.<\/p>\n<p>\u00a04)\u00a0<b>Collects system information:\u00a0<\/b><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">GetSystemInfo()<\/span><\/span> is used to collect information about the local system.<\/p>\n<p>\u00a05)\u00a0<b>Loads Hardcoded Public Key<\/b>: A public key is hardcoded in the malware sample. This is used to set up the cryptography for encryption.<\/p>\n<p>\u00a06)\u00a0<b>Store Private and Public Keys in Registry<\/b>: A private key is generated, and both the hardcoded public key and the newly generated private key are stored in the registry (T1112).<\/p>\n<p>\u00a07)\u00a0<b>Search Drives<\/b>: It searches for unmounted drives on the system and mounts them to encrypt them as well (T1005).<\/p>\n<p>\u00a08)\u00a0<b>Setup Multi-Threading<\/b>: The sample uses worker threads to distribute the encryption process. More on this later.<\/p>\n<p>\u00a09)\u00a0<b>Enumerate Filesystem<\/b>: The worker threads start to enumerate the filesystems of the identified drives (T1083).<\/p>\n<p>10)\u00a0<b>Drop Ransom Note<\/b><span>: The ransom note is dropped in every folder as <\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">Restore_My_Files.txt<\/span><\/span>.<\/p>\n<p>11)\u00a0<b>Check File Name Blacklist<\/b>: For every file and folder a blacklist of file\/folder names is checked. 
If the file\/folder is on the blacklist it will not be encrypted. More on this later.<\/p>\n<p>12)\u00a0<b>Check File Extension Blacklist<\/b>: Each file is checked against a file extension blacklist. If the extension is on the list, it will not be encrypted.<\/p>\n<p>13)\u00a0<b>Unlock File<\/b>: If the file is locked by a running process, the sample will try to unlock it using the Windows Restart Manager (T1489).<\/p>\n<p>14)\u00a0<b>Encrypt File<\/b>: The worker threads will encrypt (T1486) the file and write it back to the original file.<\/p>\n<p>15)\u00a0<b>Rename File<\/b><span>: Once the encryption is finished the file is renamed to <\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">[original_filename].pandora<\/span><\/span><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">.<\/span><\/span><\/p>\n<h2>Anti-Reverse Engineering Techniques<\/h2>\n<p>One of the most significant aspects of the Pandora ransomware is the extensive use of anti-reverse-engineering techniques. This is not new for malware, but Pandora lies on the extreme side in terms of how much effort is invested in slowing analysis down. 
In this section we will go through the different techniques that were identified.<\/p>\n<h3>Packed<\/h3>\n<p>The sample is packed with a modified UPX packer, which can be easily detected with Detect It Easy (see Figure 2).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_852600251.img.png\/1649205977789\/figure2.png\" alt=\"Figure 2 - Detect It Easy can identify UPX\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Detect It Easy can identify UPX<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>However, the standard UPX unpacker does not work, which indicates that the packer was modified to make sure that off-the-shelf tools cannot be used to unpack it.<\/p>\n<p>Unpacking is still relatively easy: scroll down from the entry point to the end of the code in a debugger. The code ends with a jump (Figure 3). 
This is typical of packers: after unpacking the original code somewhere in memory, they jump there instead of returning from the main function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1462800240.img.png\/1649205988469\/fig3.png\" alt=\"Figure 3 - Tail jump at the end of the unpacking\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Tail jump at the end of the unpacking<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>By putting a breakpoint on the tail jump we can dump the PE file from memory, including the unpacked code. With the dumped file we can analyze the ransomware statically as well.<\/p>\n<h3>Control-Flow Flattening<\/h3>\n<p>Control-Flow Flattening is an obfuscation technique that hides the structure of the program by modifying the control flow. In the simplest case, it replaces the normal control flow of each function with a state machine, making it harder for an analyst to quickly understand how each function works. 
Pandora uses a more complex control-flow flattening combined with opaque predicates, to complicate the control flow even further.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_406694705.img.png\/1649206017213\/fig4.png\" alt=\"Figure 4 - Graph view of main()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Graph view of main()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 4 shows the graph view of the main function in the unpacked code. We can see that it does not resemble a normal function\u2019s control flow. It looks like a huge switch-case statement, which is the result of the control-flow flattening that implements a state machine. However, in Pandora\u2019s case most of the basic blocks are not connected at all. This is the result of the opaque predicates. 
Most of the jumps between basic blocks are calculated at runtime, as shown in Figure 5.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_816690912.img.png\/1649206022874\/fig5.png\" alt=\"Figure 5 - Calculating the address for the jmp in runtime\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Calculating the address for the jmp in runtime<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The first <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">cmp<\/span><\/span> instruction checks the current state of the state machine and, depending on that, calculates the value of the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">rdx<\/span><\/span> register for the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">jmp<\/span><\/span> at the end of the basic block. Because of this, static analysis tools such as IDA Pro cannot determine where the control flow will continue, and thus cannot connect the basic blocks in Figure 4.<\/p>\n<p>Emulation can be used to understand the control flow to a limited degree, but extensive debugging was needed to be sure how the execution flows.<\/p>\n<h3>String Encoding<\/h3>\n<p>Some strings can be found in the unpacked binary, but most of them are from the statically linked libraries. However, the strings that would help us understand what is happening in the code are encoded. 
Figure 6 shows how one of the string decryption functions is called.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_411497326.img.png\/1649206047088\/fig6.png\" alt=\"Figure 6 - Calling one of the string decryption functions\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Calling one of the string decryption functions<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Both the address of the decryption function, which is called through <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">rax<\/span><\/span>, and the address of the encoded string, are calculated at runtime. This way, when looking at this code statically, there is no way to know what is happening here. The comment on the right side is the result of an IDAPython script that uses the\u00a0<a href=\"https:\/\/github.com\/mandiant\/flare-emu\">flare-emu<\/a>\u00a0project to emulate the code and calculate the addresses of the function call, as well as emulate the decryption function. This solution was very effective in recovering the encoded strings in the binary. The decryption function implements an XOR decoding. The decryption keys are stored together with each encoded string. As a bonus, the malware uses multiple decryption functions. We identified 14 separate functions that are used for string decoding.<\/p>\n<h3>Function Call Obfuscation<\/h3>\n<p>It was already mentioned in the previous section that most function calls are not calling a direct address, but a register. 
Its value is calculated at runtime.<\/p>\n<p>If we use Figure 6 as an example, the address in <span style=\"font-family: &quot;Courier New&quot;;\">rax<\/span> is calculated like this:<\/p>\n<p style=\"margin-left: 40.0px;\"><span style=\"font-size: 10.0pt;\"><span style=\"font-family: &quot;Courier New&quot;;\">rax = *(*address_table_base + 638300900) &#8211; 1426601284)<\/span><\/span><\/p>\n<p>As mentioned, this was solved using emulation. By emulating the execution of a function, we could calculate the register values at CALL instructions. This allowed us to resolve function calls at scale.<\/p>\n<h3>Windows API Call Obfuscation<\/h3>\n<p>Unlike in other malware, the Windows API function names are not encoded, but another obfuscation technique is used to hide their usage. As shown in Figure 7, the Windows API functions are organized in a jump table. At each address there is a <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">jmp<\/span><\/span> instruction that redirects to the library function.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1696480002.img.png\/1649206227081\/fig7.png\" alt=\"Figure 7 - Windows API function jump table\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Windows API function jump table<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Resolving the API functions was implemented in the same\u00a0<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">flare-emu<\/span><\/span> IDAPython script that resolves the 
function calls. Whenever a <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">CALL [register]<\/span><\/span> points to a jmp instruction (see Figure 8) instead of the beginning of a function, we assumed that it points to the API function jump table. We then took the name of the operand of the jump and used that to generate the comments for the function call (see Figure 9).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1769040435.img.png\/1649206238192\/fig8.png\" alt=\"Figure 8 - Recovering API function name in the emulation script\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Recovering API function name in the emulation script<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_614609724.img.png\/1649206247703\/fig9.png\" alt=\"Figure 9 - The script recovered that this is a function call to OpenMutexA\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: The script recovered that this is a function call to OpenMutexA<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<h2>Multi-Threading<\/h2>\n<p>Pandora uses multiple threads to speed up the encryption process. For that it uses Windows\u2019s\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/fileio\/i-o-completion-ports\">IO Completion Ports<\/a>\u00a0concept. This allows threads to wait for a file\/network handle to appear in the IO Completion Port queue and process them. Pandora uses unassociated IO Completion Ports and sends any data through it using the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">OVERLAPPED<\/span><\/span> structure. In this case drives and file paths will be passed to threads to process (enumerate or encrypt) them. The IO Completion Port is set up using the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">CreateIOCompletionPort()<\/span><\/span> API function as shown in Figure 10. By passing <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">INVALID_HANDLE_VALUE<\/span><\/span> as the first parameter <span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">(<\/span><\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">rcx = 0xFFFFFFFFFFFFFFFF<\/span><\/span><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">)<\/span><\/span> and <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">NULL<\/span><\/span> as the second <span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">(<\/span><\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">rdx = 0x0<\/span><\/span><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">)<\/span><\/span> an unassociated IO Completion Port is created. 
The fourth parameter, <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">NumberOfConcurrentThreads<\/span><\/span>, is set to 4 (<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">r9 = 0x4<\/span><\/span>), which means that at most 4 threads are allowed to work with this IO Completion Port concurrently.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1277599633.img.png\/1649206279028\/fig10.png\" alt=\"Figure 10 - Initializing an IO Completion Port\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Initializing an IO Completion Port<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After this, the main function will start the new threads. The communication between the threads is done using the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">GetQueuedCompletionStatus()<\/span><\/span> and <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">PostQueuedCompletionStatus()<\/span><\/span> API functions. Figure 11 shows how a discovered file (<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">pydisas.py<\/span><\/span>) is put in the queue with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">PostQueuedCompletionStatus()<\/span><\/span>. 
Another thread will pick up this task with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">GetQueuedCompletionStatus()<\/span><\/span>, and, since it receives the full path to a file, it will encrypt and rename that file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1806067397.img.png\/1649206283847\/fig11.png\" alt=\"Figure 11 - Posting the file path to the IO Completion Port&#39;s queue\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Posting the file path to the IO Completion Port&#39;s queue<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Restart Manager<\/h2>\n<p>The Restart Manager is a Windows feature that reduces the number of restarts needed during installation and updates. A restart is usually needed because a file that has to be updated is locked by a running process. The Restart Manager can save the state of the locking process and stop it to unlock the target file. Once the update is finished, it can restore the locking process again. Pandora uses the Restart Manager to make sure that even files that are currently locked will be encrypted. 
For each file the following process is executed:<\/p>\n<p style=\"margin-left: 40.0px;\">1)\u00a0\u00a0\u00a0\u00a0\u00a0 Create Restart Manager session with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">RmStartSession()<\/span><\/span><\/p>\n<p style=\"margin-left: 40.0px;\">2)\u00a0\u00a0\u00a0\u00a0\u00a0 Register the target file as a resource with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">RmRegisterResource()<\/span><\/span><\/p>\n<p style=\"margin-left: 40.0px;\">3)\u00a0\u00a0\u00a0\u00a0\u00a0 Check if the target file is locked by any process with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">RmGetList()<\/span><\/span><\/p>\n<p style=\"margin-left: 40.0px;\">4)\u00a0\u00a0\u00a0\u00a0\u00a0 If so, terminate locking processes<\/p>\n<p style=\"margin-left: 40.0px;\">5)\u00a0\u00a0\u00a0\u00a0\u00a0 End Restart Manager session with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">RmEndSession()<\/span><\/span><\/p>\n<h2>Encryption<\/h2>\n<ul>\n<li>Before a file is encrypted, Pandora does the following checks to make sure that it does not render the machine inoperable. Each target file is checked against the following blacklist of file and folder names. If the target file is on the list, Pandora will not encrypt it.<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--2\">      <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>Each target file is compared to the following list of file extensions. 
If the file\u2019s extension is on the list, the file will not be encrypted:<\/li>\n<\/ul>\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-size: 10.0pt;\"><span style=\"font-family: &quot;Courier New&quot;;\">.hta .exe .dll .cpl .ini .cab .cur .drv .hlp .icl .icns .ico .idx .sys .spl .ocx<\/span><\/span><\/span><\/span><\/p>\n<p>The ransom note, shown in Figure 12, promises RSA-2048 encryption. The fact that the malware ships with a hardcoded RSA-2048 public key (Figure 13) supports this claim.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_484295586.img.png\/1649206292413\/fig12.png\" alt=\"Figure 12 - Ransom note\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Ransom note<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1379223705.img.png\/1649206299638\/fig13.png\" alt=\"Figure 13 - Hardcoded RSA public key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Hardcoded RSA public key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<p>A private key is also generated, and both keys are stored in the registry under <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">HKCUSOFTWARE[Private,Public]\u00a0<\/span><\/span>(see Figure 14).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1800057009.img.png\/1649206306172\/fig14.png\" alt=\"Figure 14 - Cryptographic keys are stored in the Registry\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Cryptographic keys are stored in the Registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The unpacked binary contains the\u00a0<a href=\"https:\/\/github.com\/ARMmbed\/mbedtls\">Mbed TLS<\/a>\u00a0cryptographic library, statically linked.<\/p>\n<p>Once a file is encrypted in memory, it is written to disk. After that the file is renamed to have the\u00a0<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">.pandora<\/span><\/span> extension.<\/p>\n<h2>Disabling Security Features<\/h2>\n<p>The Pandora ransomware has the capability to disable some of the security measures on the target machine.<\/p>\n<h3>Deleting Shadow Copies<br \/> <\/h3>\n<p>Like a lot of other ransomware, Pandora deletes the Windows Shadow Copies, which could otherwise help the operator restore the machine to a state before the infection. Figure 15 shows the call to <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">ShellExecuteW()<\/span><\/span> with the parameters resolved at runtime (T1059). 
We can see that it uses <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">vssadmin.exe<\/span><\/span>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1532547293.img.png\/1649206311842\/fig15.png\" alt=\"Figure 15 - Deleting shadow copies with ShellExecuteW\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: Deleting shadow copies with ShellExecuteW<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>AMSI Bypass<\/h3>\n<p>The Antimalware Scan Interface (AMSI) allows security products to integrate better with Windows so that they can scan all kinds of different objects, such as PowerShell scripts, JavaScript, VBScript, etc. By bypassing AMSI, the malware takes away significant capabilities from the security products running on the machine. 
Pandora bypasses AMSI by patching the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">AmsiScanBuffer()<\/span><\/span> function in <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">amsi.dll<\/span><\/span>\u00a0in memory.<\/p>\n<h3>Disabling Event Logging<\/h3>\n<p>Similar to the AMSI bypass, Pandora disables the Event Tracing for Windows (ETW) feature by patching the\u00a0<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">EtwEventWrite()<\/span><\/span> function in the Windows kernel <span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">(<\/span><\/span><span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">ntdll.dll<\/span><\/span>). Figure 16 shows that the first byte of the function is replaced with\u00a0<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">0xC3<\/span><\/span>, which is the <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">ret<\/span><\/span> instruction. 
This renders the\u00a0<span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">EtwEventWrite()<\/span><\/span> function useless, because every call to it returns immediately without logging the event.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image_1581367095.img.png\/1649206317144\/fig16.png\" alt=\"Figure 16 - Patching the EtwEventWrite function to return immediately\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: Patching the EtwEventWrite function to return immediately<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>The Pandora ransomware contains all of the most important features that state-of-the-art ransomware samples usually have. Its level of obfuscation, intended to slow down analysis, is more advanced than that of average malware. The threat actor also took care to unlock files in order to maximize encryption coverage while still keeping the machine running. We can already see features aimed at defeating security products, and we can expect the threat actor to develop these capabilities further. There is currently no proof that Pandora operates as Ransomware-as-a-Service (RaaS), but the time invested in the complexity of the malware might indicate that the group is moving in that direction in the long term. The current attacks and leaks might be a way to make their name in the ransomware field, which they could capitalize on if they adopt the RaaS model later. 
It is worth tracking the threat actor to monitor how their malware changes.<\/p>\n<h2>Fortinet Protection<\/h2>\n<p>The analyzed Pandora ransomware sample is detected by the following antivirus (AV) signature:<\/p>\n<p>W64\/Filecoder.EGYTYFD!tr.ransom<\/p>\n<h2>IOCs<\/h2>\n<p>Mutex: <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">ThisIsMutexa<\/span><\/span><br \/> Ransom note: <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">Restore_My_Files.txt<\/span><\/span><br \/> SHA256 hash of hardcoded public key: <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">7b2c21eea03a370737d2fe7c108a3ed822be848cce07da2ddc66a30bc558af6b<\/span><\/span><br \/> SHA256 hash of sample: <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b<\/span><\/span><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>ATT&amp;CK TTPs<\/h2>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td style=\"vertical-align: top;\">\n<p><b>TTP Name<\/b><\/p>\n<\/td>\n<td style=\"vertical-align: top;\">\n<p><b>TTP ID<\/b><\/p>\n<\/td>\n<td style=\"vertical-align: top;\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Obfuscated Files or Information: Software Packing<\/p>\n<\/td>\n<td>\n<p>T1027.002<\/p>\n<\/td>\n<td>\n<p>Modified UPX packer<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Impair Defenses: Disable Windows Event Logging<\/p>\n<\/td>\n<td>\n<p>T1562.002<\/p>\n<\/td>\n<td>\n<p>Disables event logging<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Impair Defenses: Disable or Modify Tools<\/p>\n<\/td>\n<td>\n<p>T1562.001<\/p>\n<\/td>\n<td>\n<p>Bypasses AMSI<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Data from Local System<\/p>\n<\/td>\n<td>\n<p>T1005<\/p>\n<\/td>\n<td>\n<p>Searches unmounted drives and 
partitions<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Modify Registry<\/p>\n<\/td>\n<td>\n<p>T1112<\/p>\n<\/td>\n<td>\n<p>Cryptographic keys are stored in the registry<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Data Encrypted for Impact<\/p>\n<\/td>\n<td>\n<p>T1486<\/p>\n<\/td>\n<td>\n<p>As a ransomware it encrypts files<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Command and Scripting Interpreter<\/p>\n<\/td>\n<td>\n<p>T1059<\/p>\n<\/td>\n<td>\n<p>Uses <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">cmd.exe<\/span><\/span> to remove the shadow copies<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>System Information Discovery<\/p>\n<\/td>\n<td>\n<p>T1082<\/p>\n<\/td>\n<td>\n<p>Collects system information with <span style=\"font-family: &quot;Courier New&quot;;\"><span style=\"font-size: 9.0pt;\">GetSystemInfo()<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>File and Directory Discovery<\/p>\n<\/td>\n<td>\n<p>T1083<\/p>\n<\/td>\n<td>\n<p>Discovers drives and enumerates filesystems<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Inhibit System Recovery<\/p>\n<\/td>\n<td>\n<p>T1490<\/p>\n<\/td>\n<td>\n<p>Deletes shadow copies<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Service Stop<\/p>\n<\/td>\n<td>\n<p>T1489<\/p>\n<\/td>\n<td>\n<p>Terminates processes if they lock a file<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Learn more about Fortinet\u2019s\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div 
id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/looking-inside-pandoras-box\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/looking-inside-pandoras-box\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649205824909\/fig1.png\"\/><br \/>FortiGuard Labs analyzes the emerging state-of-the-art Pandora ransomware targeting corporate networks for financial gain. Read our blog to see how it evades detection, anti-analysis, and more. Read to learn more about this ransomware.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18703","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18703"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18703\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-js
on\/wp\/v2\/categories?post=18703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}