Everis-Ransomware-Attack

Tactical report of ransomware Bitpaymer _

Identification

Vendor	Detection
Kaspersky	Trojan.Win32.DelShad.bnq
Malwarebytes	Ransom.Bitpaymer
TrendMicro	Ransom.Win32.FRIEDEX.E

Prevalence:-

Ransomware Attacks Hit Everis and Spain's Largest Radio Network, Everis​, an NTT DATA company and one of Spain's largest managed service providers (MSP), had its computer systems encrypted today in a ransomware attack, just as it happened to Spain's largest radio station Cadena SER (Sociedad Española de Radiodifusión).

While the ransomware attacks were not yet publicly acknowledged by the company, the ransom note left on Everis' encrypted computers has already leaked and Bleeping Computer can confirm that the MSP's data was infected using the BitPaymer ransomware.

1.Indicators of compromise

The threat phases are:

1. An everis user access to a compromised website where the source code was modified to show a fake browser update and download a file.

2. The file is a JavaScript code (JS) which infects the device with a C2C malware categorized as “EMOTET”. This JavaScript creates additional exe files.

3. Once the attackers controls the infected device, install a PowerShell post explotation framework called Empire1. With Empire Framework in the infected device, the attacker enumerates the network and get credentials form the infected device cache. With this, different Empire installations is seen in different hosts and servers.

4. Attackers distribute a ransomware family called “BitPaymer/IEncrypt” to everis devices through compromised hosts and servers.

1.1.1 Compromised website

A compromised website with a modification of the source code to simulate a fake browser update.

URL: hxxps://esancendoc[.]esan[.]edu[.]pe/ - Compromised website.

1.1.2 Malicious file

Compromised website downloads a JS file “Chrome.Update.3f61f4.js”. JS script is a Dropper which downloads “crhome.update.3f61f4.exe” categorized as EMOTET. An additional exe “d0409052256c6efc85b155f58cc03f70.exe” file is created and executed.

Indicators of Compromise

Chrome.Update.3f61f4.js

MD5: a9db3444e9c50da5ce6845ccc116255c.

MD5: c1a5725f45e6a35bd82852210e29f941.

URL to download the malware

hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3

EMOTET - crhome.update.3f61f4.exe

SHA256: 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c

IP: 195[.]123[.]213[.]19

Port: 443

EMOTET - d0409052256c6efc85b155f58cc03f70.exe

SHA256: 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05.

1.1.3 Lateral movement

Lateral movement is performed by the attacker through the PowerShell post-explotation framework called Empire. Lateral movement was performed through sysinternals tool “psexesvc.exe”.

Indicators of Compromise.

Empire Framework

IP: 185[.]92[.]74[.]215.

Port: 443.

1.1.4 Infection

Malware is distributed from compromised assets to affected endpoints.

Indicators of Compromise.

BitPaymer/IEncrypt

SHA256: bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f - evrs.exe.

The following table contains a list of artifacts that had been analyzed within this document.

PE timestamp	MD5	Size in bytes	File name	Description
1994-05-18 19:56:20	e19d2c46521767f3b836e9861eecea9c	148 KB (151,552 bytes)	N/A	Dropper

This ransomware packed with new custom packing as shown in figure (1).

Figure (1)

Let’s see how to unpack it.

Unpacking

• Set breakpoint at virtualalloc api then run as shown in figure (2).

Figure (2)

• Continue stepping till see loop that resolves section .txt and other sections as shown in figure (3).

Figure (3)

• Continue stepping till find function as shown in figure (4) then go inside it.

Figure (4)

• Continue stepping till find jmp near eax as shown in figure (5).

Figure (5)

After jumping, we reach to correct malicious code then dumps code as shown in figure (6).

Figure (6)

PE timestamp	MD5	Size in bytes	File name	Description
2019/03/12 Tue 07:20:45 UTC	F46C341753E7DC50C345B0B21D9CC93F	156 KB (159,744 bytes)	N/A	Encryption + Payload

Simple trick to stop ransomware

Kill Switch File

Bitpaymer try to open file called C:\\aaa_TouchMeNot_.txt as shown in figure (7) with the following parameters as shown in table.

Figure (7)

FileName	C:\\aaa_TouchMeNot_.txt
dwDesiredAccess	GENERIC_READ
dwShareMode	FILE_SHARE_READ|FILE_SHARE_WRITE
dwCreationDisposition	OPEN_EXISTING

Case (1)

So if the file exists, it will terminate without any encryption to files.

Case (2)

If the file is not exist, it will encrypt files.

So for simplification if you create file in c directory with same name and contains any data, then ransomware will not infect you.

Obfuscation

Ransomare is fully obfuscation, it creates strings during runtime, it resolves apis based on 2 value pushed to specific algorithm and executes in random address in memory.

Technical analysis

It handles to current filename of ransomware , it gets operating system version as shown in figure (8).

Figure (8)

It determines if operating system is 64 or 32 bit as shown in figure (9) with the following parameters as shown in table.

Figure (9)

hProcess	0013FC18
InfoClass	1A
Buffer	0013FC08
Bufsize	0x4

It enumerates path of software as shown in figure (10) with the following parameters as shown in table below.

Figure (10)

Access	KEY_ENUMERATE_SUB_KEYS|13FB80
Subkey	Null
hKey	0x586300

It repeats operation of enumeration to resolve full path of registry key and close handle registry as shown in figure (11).

Figure (11)

Full path

• "SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System".

It enumerates registry key as shown in figure (12) with the following parameters as shown in table to resolve important strings.

Figure (12)

hKey	0x0
Value	0013FA90
Index	13FA94

Resolved values

• "EnableVirtualization”
• "EnableInstallerDetection"
• “PromptOnSecureDesktop"
• "EnableLUA"
• "EnableSecureUIAPaths"
• "ConsentPromptBehaviorAdmin"
• "ValidateAdminCodeSignatures"
• "EnableCursorSuppression"
• "EnableUIADesktopToggle"
• "ConsentPromptBehaviorUser"
• “dontdisplaylastusername"
• "legalnoticecaption"
• "legalnoticetext"
• "scforceoption"
• "shutdownwithoutlogon"
• "undockwithoutlogon"
• "FilterAdministratorToken"
• "ConsentPromptBehaviorUser".

It resolves api called RegQueryValue and gets the data and type of value EnableLUA as shown in figure (13) with the following api parameters as shown in table.

Figure (13)

hKey	0x586D50
ValueName	NULL
Reserved	0013FBA0

It retrieves information about the current system as shown in figure (14).

Figure (14)

It resolves api called CreateEvent and create new event as shown in figure (15) with the following parameters as shown in table.

Figure (15)

EventName	"P2. @"
InitiallySignaled	TRUE
ManualReset	FALSE
pSecurity	00000001

It disables file system redirection as shown in figure (16).

Figure (16)

Expands environment-variable strings

[“%ProgramData%”,”%windir%”,”%temp%”,”%AppData%”] and replaces them with the values defined for the current user as shown in figure (17).

Figure (17)

The reason of that is preventing ransomware from encrypting files in these folders.

It resolves ransomware message as shown in figure (18), once encryption finished it will create it at each folders.

Figure (18)

It decodes string called .3v3r1s as shown in figure (19), this string will be an extension of readme file at each directory that ransomare will encrypt its files.

Figure (19)

It resolves key used for encryption data as shown in figure (20).

Key

• "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAslY99/86gD/dS9kosI+Am20UDt//ms4TQmVQtmiwLf5oFArtmbbPEikgu0JHMmMhHIe7F8GoSLYQWUBiqs679xN5T6i0Mjp5N4Dc5WSVAtzxOCjDfXdORgzL/sGc8Yp4QS9OMmyrXyUYjmrvO05vjxU7r+m2BdKizo6F4TmzkgYNRPMZXJI+rJjJrRP".

It resolves api called ExitProcess so once the encryption ends it will exit process immediately as shown in figure (21).

Figure (21)

It attempt to start specific service if it couldn’t start it then it will repeat steps and creates new process as shown in figure (22).

Figure (22)

It retrieves the short path form of the path of ransomware as shown in figure (23).

Figure (23)

So the short path will be:

• "C:\Users\MAHMOU~1\Desktop\EVERIS~1".

It generates new random key using windows api cryptographic as shown in figure (24).

Figure (24)

It resolves another random string with 9 mixed characters and numbers as shown in figure (25).

Figure (25)

The file “N88O21Cry” created in path called C:\Users\UserName\AppData\Roaming.

And assign time and date to it.

Figure (26)

It Gets short of file “N88O21Cry” as shown in figure (27).

Figure (27)

Short path:

• "C:\Users\MAHMOU~1\AppData\Roaming\N88O21~1"

It resolves api called CreateProcessW as shown in figure (27) and create new process with the following parameters as shown in table.

Figure (27)

ModuleFileName	"C:\Users\MAHMOU~1\AppData\Roaming\N88O21~1:bin C:\Users\MAHMOU~1\Desktop\EVERIS~1"
CommandLine	Null
pProcessSecurity	NuLL
pThreadSecurity	00000001
InheritHandles	TRUE

The reason of this process is deleting shadow copy and start encrypting files as shown in figure (28), (29), (30).

Figure (28)

Figure (29)

Figure (30)

It iterates logical drivers, including network drivers, by mapping the network using the commands ‘arp.exe -a’ and respectively ‘nslookup.exe <IP>’. After gathering all applicable drivers, it recursively iterates each file in each driver and encrypt it.

At the end it adds extension called .3v3r1s to each encrypted file and adds readme file to each files that had been encrypted as shown in figure (31).

Figure (31)

Ransom note

Figure (32)

Email address

• Hxxp\\SYDNEY[.]WILEY@PROTONMAIL[.]COM.
• HXXP\\EVANGELINA[.]MATHEWS@TUTANOTA[.]COM.

Yara Rule

/*

  Yara Rule Set

  Author: Mahmoud Elmenshawy

  Date:2019-11-17

  Identifier:  BitPaymer Ransomware

*/

private rule IsPE

{condition:

     // MZ signature at offset 0 and ...

     uint16(0) == 0x5A4D and

     // ... PE signature at offset stored in MZ header at 0x3C

     uint32(uint32(0x3C)) == 0x00004550}

rule NotPetya{

     meta:

                                Author = "Mahmoud Elmenshawy"

                                  Description = "  BitPaymer Rule for detecting Installer  "

                                  MD5 = "e19d2c46521767f3b836e9861eecea9c" 

                strings:

                                $x1 =".C:\\aaa_TouchMeNot_.txt".

                                  $x2 ="30 34 51 75 55 52 58 2E 70 64 62".

                                  $x3 ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+".

                               

                condition:

                All of them  and  IsPE

Referances:

• https://www.mcafee.com/blogs/other-blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/.
• https://www.cbronline.com/news/everis-hacked-ransomware.
• https://howtoremove.guide/everis-ransomware-attack/.

If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  

YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

Malware analyst : Mahmoud El Menshawy.
Contact Me : mahmoudmorsy372@gmail.com.
linkedin profile : https://www.linkedin.com/in/mahmoudmorsy1/.