MuddyWater Back with DarkBit

 Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload.

Initial Access Method

The initial lure was delivered as an ISO file.
Figure 1 – ISOFile
The payload included a shortcut file (with a .doc extension) and a zip file.
Figure 2 – Contents Inside ISO File
The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool.
Figure 3 – Shortcut File
cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe

Figure 4 – HR-Update.exe Running
HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ransomware payload is downloaded with the help of Cobalt Strike.
At the time of writing the blog, we were unable to get the exact DarkBit ransomware payload. So we are using another available sample that belonged to the same campaign.

Analysis of Ransomware

This DarkBit ransomware sample is written in GoLang. It contains command line arguments.
Figure 5 – Ransomware Features
It also contains an inbuilt configuration file as shown in Figure 6.
Figure 6 – InBuilt Config
Further analysis revealed that they had obfuscated some dll names like advapi32.dll and functions like SystemFunction036.
Figure 7- Obfuscation
Its dynamically resolving API at this address. Malware authors tend to dynamically resolve API to avoid static detections.
Figure 8 – Dynamically Resolving API
CreateMutexW API is being used to check if an instance of the malware is already running. As can be seen in Figure 5 previously, they are also using multithreading.
As the customary prelude to file encryption, they are using vssadmin.exe to delete all the shadow copies.
Figure 9 – Delete Shadow all
Here they are using SystemFunction036 (documented in MSDN as RtlGenRandom) to generate a random key as shown in Figure 10.
Figure 10 – SystemFunction036
SystemFunction036 is accessed multiple times in the code with varying buffer sizes passed to it.
Figure 11 – Call To Dynamically Resolve API and Then SystemFunction036
Here we can see that the buffer size of 80 is made available for SystemFunction036.
Figure 12 – Encrypting Key
Later-on, the key used for encrypting the files is itself encrypted and attached to the encrypted files.
Figure 13 – EncryptionAlgorithm
From Figure 13, we can see that It’s encrypting. It is likely using AES to encrypt the files, as strings related to the same functions can be found elsewhere in this same sample.
FindFirstFileW, FindNextFileW are used to iterate through the file system, to find the appropriate file and then encrypt it.
At that point it was observed that its writing file in chunks and not as a whole. For doing the same it’s using SetFilePointerEx API to move the file pointer to a specific address.
Figure 14 – SetFilePointerEx
It’s then using the WriteFile API.
Figure 15 – WriteFile
All these functions are called one after another, till all the files are encrypted.
After encrypting the file, the key is stored at the end of the file.
Figure 16 – Ransomware key
The encrypted files are given ‘.darkbit’ extension and also a ransom note is dropped in the respective folders.
Figure 17 – Ransomware Note
Tweet from a self-identifying DarkBit twitter handle, associating itself with MuddyWater
Figure 18 – Tweet on DarkBit
MuddyWaters uses different types of attacks for initial access like phishing email campaigns, using tools like MimiKatz to break into the system, etc. In this case, MuddyWaters made use of Cobalt Strike to get initial access into the system. From the ransomware note, we figured out that it was a politically motivated attack.
We at K7 Labs provide detection for DarkBit ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

Indicators of Compromise (IOCs)

File NameHashDetection NameDarkBit.exe9880FAE6551D1E9EE921F39751A6F3C0Trojan (0058e3dd1)hr-update.iso1219A8880DEBDD10D081195E27A2A016Trojan (0001140e1)

References

https://attack.mitre.org/groups/G0069/

Comments

Post a Comment

Popular posts from this blog

AMOS (MacOS Stealer)

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...
Read more

Ransomed by Warlock Dark Army “OFFICIALS”

  Recently we came across a tweet shared by petikvx . The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes. The sample under consideration was compiled using C/C++, in case of Chaos ransomware it is usually .Net. Statically looking at the file we noticed a resource entry under Bitmap with an identifier “14”, while analyzing the file code we noticed that this resource was read and loaded on to the memory. Hence we decided to dump that resource entry. Figure 1: Encrypted blob in resource section Figure 2 : Loading blob into the memory During our code analysis we found this blob was XOR encrypted. The first 16 bytes of this blob acts as the key for XOR decryption and the rest is the data which plays a key role in this ransomware’s in...
Read more