Fortinet Inc.

07/12/2018 | Press release | Distributed by Public on 07/12/2018 21:42

GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader

Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.

With this new version, GandCrab has added a network communication tactic that was not observed in the previous version. In addition, we will be sharing our analysis of currently circulating reports concerning an alleged 'SMB exploit spreader' threat.

Network Communication

Figure 1 Malware sends Info to list of compromised websites

This new version of the GandCrab malware contains an unusually long hard-coded list of compromised websites that it connects to. In one binary, the number of these websites can go up to almost a thousand unique hosts.

To generate the full URL for each host, a pseudo-random algorithm is used to choose from sets of pre-defined words. The final URL is in the following format (e.g. www.{host}.com/data/tmp/sokakeme.jpg):

Figure 2 Format of URLs connected to by GandCrab v4.1

After successfully connecting to a URL, this malware sends encrypted (and base64-encoded) victim data, which contains the following infected system and GandCrab information:

· IP Address

· User name

· Computer name

· Network DOMAIN

· List of Installed AVs (if any exists)

· Default System Locale

· Keyboard Russian Layout Flag (0=Yes/1=No)

· Operating System

· Processor Architecture

· Ransom ID ({crc of volume serial number} {volume serial number})

· Network and Local Drives

· GandCrab Internal Info:

o id

o sub_id

o version

o action

However, we found no definitive evidence that the hard-coded websites included in the malware had ever actually been compromised to act as servers or download sites for GandCrab. Even more curious, sending victim information to every live host in the list makes little practical sense, since a single successful transmission would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental or simply there to divert analysis, and that the URLs included in the list are just the victims of a bad joke.
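The behaviour described above (one infected host contacting hundreds of distinct external hosts with the same URI path, whether or not they answer) is something a proxy or egress log can surface. The following detector is an added example written for this write-up, not Fortinet's code: the log format, the sample lines and the threshold are constructed, and the only value taken from the analysis is the example path /data/tmp/sokakeme.jpg. It groups requests by (source, path) and alerts when a sliding time window contains at least `min_hosts` distinct destination hosts.

```python
"""Fan-out beacon detection over proxy logs.

Added example, not Fortinet's code. It looks for the traffic pattern described
above: one internal host contacting many distinct external hosts with the same
URI path in a short window. The log format and the sample lines are constructed;
the path /data/tmp/sokakeme.jpg is the example URL given in the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from urllib.parse import urlparse

# Constructed log format: "<ISO-8601 timestamp> <src_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample: 10.1.2.3 hits six distinct hosts with one path in six seconds
# (the suspicious case); 10.1.2.4 browses normally; 10.1.2.5 posts the same path
# repeatedly, but always to a single host, which must not trigger an alert.
SAMPLE_LOG = """\
2018-07-12T10:00:01 10.1.2.3 POST http://www.host-a.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:02 10.1.2.3 POST http://www.host-b.example/data/tmp/sokakeme.jpg 404
2018-07-12T10:00:03 10.1.2.3 POST http://www.host-c.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:04 10.1.2.3 POST http://www.host-d.example/data/tmp/sokakeme.jpg 500
2018-07-12T10:00:05 10.1.2.3 POST http://www.host-e.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:06 10.1.2.3 POST http://www.host-f.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:07 10.1.2.4 GET http://intranet.example/index.html 200
2018-07-12T10:00:08 10.1.2.4 GET http://news.example/index.html 200
2018-07-12T10:00:09 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:10 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:11 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:12 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:13 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
2018-07-12T10:00:14 10.1.2.5 POST http://api.example/data/tmp/sokakeme.jpg 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, method, url, status = match.groups()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "method": method,
        "host": parsed.hostname,
        "path": parsed.path,
        "status": int(status),
    }


def detect_fan_out(lines, window=timedelta(seconds=60), min_hosts=5):
    """Return one alert per (source, path) pair whose requests reach at least
    min_hosts distinct destination hosts inside any window-sized time span.

    Status codes are deliberately ignored: the malware contacts every host in
    its list regardless of whether the host answers, so failed requests count.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    by_key = defaultdict(list)
    for event in events:
        by_key[(event["src"], event["path"])].append(event)

    alerts = []
    for (src, path), evs in by_key.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {
                    "src": src,
                    "path": path,
                    "distinct_hosts": len(hosts),
                    "first_seen": evs[start]["ts"],
                    "last_seen": evs[end]["ts"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


def scan_sample():
    """Run the detector over the constructed sample log."""
    return detect_fan_out(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"{alert['src']} -> {alert['distinct_hosts']} hosts, path {alert['path']} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

With real logs the threshold should be set well above what legitimate software does (CDN fan-out, update checkers); given the near-thousand-host list described above, a `min_hosts` in the dozens is still far below what an infection produces while staying clear of normal browsing.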

Killing Processes to Ensure Encryption

Our analysis also uncovered that to ensure the full encryption of targeted files, GandCrab may kill the following processes:

- msftesql.exe

- sqlagent.exe

- sqlbrowser.exe

- sqlwriter.exe

- oracle.exe

- ocssd.exe

- dbsnmp.exe

- synctime.exe

- agntsvc.exeisqlplussvc.exe

- xfssvccon.exe

- sqlservr.exe

- mydesktopservice.exe

- ocautoupds.exe

- agntsvc.exeagntsvc.exe

- agntsvc.exeencsvc.exe

- firefoxconfig.exe

- tbirdconfig.exe

- mydesktopqos.exe

- ocomm.exe

- mysqld.exe

- mysqld-nt.exe

- mysqld-opt.exe

- dbeng50.exe

- sqbcoreservice.exe

- excel.exe

- infopath.exe

- msaccess.exe

- mspub.exe

- onenote.exe

- outlook.exe

- powerpnt.exe

- steam.exe

- thebat.exe

- thebat64.exe

- thunderbird.exe

- visio.exe

- winword.exe

- wordpad.exe

Killing these processes allows the encryption routine to complete its goal without undesirable interruptions, such as a running application holding a file open and blocking access to it. Additionally, the files used by these applications often contain data that is valuable to the victim, which increases the likelihood that the victim will consider making a payment to get their files back.
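The kill list above is also usable for static triage: a file that carries most of these names as embedded strings, and in particular the fused entries such as agntsvc.exeisqlplussvc.exe, deserves a closer look. The scanner below is an added example, not Fortinet's code. KILL_LIST is copied verbatim from the list above (fused entries included); the encodings searched, the `min_hits` threshold and the sample blob returned by build_sample_blob() are constructed for the example and the blob is not a real GandCrab binary.

```python
"""Static triage: count process-kill-list strings in a file.

Added example, not Fortinet's code. KILL_LIST is copied from the write-up above,
including the fused entries (e.g. agntsvc.exeisqlplussvc.exe) exactly as listed;
their unusual form makes them a useful indicator on their own. The sample blob
built by build_sample_blob() is constructed test data, not a real GandCrab binary.
"""
import sys

KILL_LIST = [
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe",
    "ocssd.exe", "dbsnmp.exe", "synctime.exe", "agntsvc.exeisqlplussvc.exe",
    "xfssvccon.exe", "sqlservr.exe", "mydesktopservice.exe", "ocautoupds.exe",
    "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "firefoxconfig.exe",
    "tbirdconfig.exe", "mydesktopqos.exe", "ocomm.exe", "mysqld.exe", "mysqld-nt.exe",
    "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe",
    "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe",
    "steam.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "visio.exe",
    "winword.exe", "wordpad.exe",
]

# Entries where two names were run together in the list: distinctive on their own.
FUSED_ENTRIES = [name for name in KILL_LIST if name.count(".exe") > 1]


def scan_kill_list(data: bytes):
    """Return {name: [encodings]} for every kill-list name found in data.

    Names are searched case-insensitively as ASCII and as UTF-16LE (the form a
    Windows binary commonly uses for wide strings). bytes.lower() only touches
    ASCII letters, so it is safe on the interleaved NUL bytes of UTF-16LE.
    """
    blob = data.lower()
    found = {}
    for name in KILL_LIST:
        encodings = []
        if name.encode("ascii") in blob:
            encodings.append("ascii")
        if name.encode("utf-16-le") in blob:
            encodings.append("utf-16le")
        if encodings:
            found[name] = encodings
    return found


def triage(data: bytes, min_hits: int = 10):
    """Flag data as suspicious if many kill-list names, or any fused entry, appear."""
    found = scan_kill_list(data)
    fused = [name for name in found if name in FUSED_ENTRIES]
    return {
        "hits": len(found),
        "fused": fused,
        "suspicious": len(found) >= min_hits or bool(fused),
    }


def build_sample_blob() -> bytes:
    """Constructed test data: a few wide strings plus one fused ASCII entry."""
    parts = [b"\x00" * 64, b"MZ", b"\x90" * 32]
    for name in KILL_LIST[:12]:
        parts.append(name.encode("utf-16-le") + b"\x00\x00")
    parts.append(b"AGNTSVC.EXEisqlplussvc.exe\x00")  # fused entry, mixed case, ASCII
    parts.append(b"\xff" * 100)
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument the constructed blob is scanned.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_blob()
    print(triage(data))
```

A hit count alone is a weak signal (backup tools and database installers legitimately reference several of these names), which is why the fused entries are weighted separately: they exist only because of how the list was assembled and have no legitimate reason to appear in an unrelated program.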

GandCrab SMB Exploit Spreader Speculation

Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an 'SMB exploit' - a phrase that has become the dread (as it should be) of the cybersecurity industry following the global WannaCry and Petya/NotPetya ransomware attacks in the second quarter of last year. So it is no surprise that news of another ransomware using this method of spreading would cause quite a stir.

Since we had not seen any technical report supporting the claim, and this functionality was not observed during our previous analysis, we decided to investigate and try to confirm the rumour. However, this was to no avail.

According to reports, a module that is now being called 'network f**ker' is supposed to be responsible for performing the said exploit. This is apparently made evident by the following debug string found in the malware's binary:

Figure 3 Debug strings in GandCrab v4.0 binary

However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.

Conclusion

We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab's SMB exploit propagation as only being speculative.

If the function does exist (we honestly hope not), we'll be sure to provide updates. However, with GandCrab's rapid development over the past week, and the public speculation about this exploit propagation functionality, it would not be a surprise if the threat actors decided to add it in a future update.

In any case, this vulnerability has long been patched by Microsoft's MS17-010 update. So make sure your systems have been appropriately updated. In the meantime, FortiGuard Labs will keep an eye out for any further developments.

Note: Thanks to David Maciejak, Jasper Manuel, Artem Semenchenko, Val Saengphaibul, and Fred Gutierrez for additional insights.

-= FortiGuard Lion Team =-

Solution

Fortinet customers are protected by the following:

· Samples are detected by W32/Gandcrab.IV!tr and W32/GandCrypt.CHT!tr signatures

· FortiSandbox rates GandCrab's behaviour as high risk

IOCs

Sha256

37e660ada1ea7c65de2499f5093416b3db59dfb360fc99c74820c355bf19ec52 (4.1) - W32/Gandcrab.IV!tr

222ac1b64977c9e24bdaf521a36788b068353c65869469a90b0af8d6c4060f8a (4.1) - W32/Gandcrab.IV!tr

cf104f2ad205baee6d9d80e256201ef6758b850576686611c355808a681bec60 (4.1) - W32/Gandcrab.IV!tr

8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 (4.1) - W32/Filecoder_GandCrab.D!tr

6c1ed5eb1267d95d8a0dc8e1975923ebefd809c2027427b4ead867fb72703f82 (4.0) - W32/GandCrypt.CHT!tr
