04/15/2021 | News release | Distributed by Public on 04/15/2021 05:13
The Phoenix Cryptolocker ransomware variant first appeared in early 2021 and made the headlines due to its involvement in an attack on the American insurance provider CNA Financial.
Using an as yet unknown infection vector, the malware arrives signed with a digital certificate in an attempt to pass as a legitimate utility.
Upon execution, Phoenix Cryptolocker copies itself under a different name to a location on the host, launches that copy, and enumerates the victim host for targeted file extensions, which it encrypts, appending a '.phoenix' extension to each affected file and dropping a ransom note in each affected directory.
The ransom note contains instructions on how to contact the attacker via a web address link and/or email address.
Once encryption is complete, the malware deletes all traces of itself, including its binaries and the folder it created, leaving the user with only their encrypted files and instructions on how to pay to have them decrypted should they wish.
The following describes the level of impact along with the likelihood of risk this threat currently presents:
Table 1: Threat Impact
Phoenix Cryptolocker comes with several built-in mechanisms designed to make it appear to be a legitimate utility and trick an unwitting user into executing it. The first is that it uses the 7-Zip icon in an attempt to masquerade as a 7-Zip file:
Figure 1: Phoenix Cryptolocker Icon
The second is that it is signed with a digital certificate, issued to a company called 'SATURDAY CITY LIMITED', with a signing date of March 20th 2021:
Figure 2: Phoenix Cryptolocker Digital Cert
An examination of the file's compilation timestamp shows the same date, March 20th 2021:
Figure 3: Compiler Timestamp
Upon execution, Phoenix Cryptolocker first creates a new directory under 'C:/%Username%/AppData/Roaming/', where it installs a copy of itself under a random name without a typical Windows executable extension such as '.exe'.
This copy has the same SHA256 hash as the initial binary.
The names of both the created installation folder and the copied binary typically follow a legitimate-sounding and nondescript format, as in the example below, where the created folder was named 'MessagingApp' and the copied binary 'Nt'.
This is likely an attempt to remain inconspicuous to a potentially suspicious user or to security software:
Figure 4: Copied Binary
The copied binary is then executed with a '/go' switch:
Figure 6: Execution Path
It can be seen running as a sub-process of the initial binary:
Figure 7: Phoenix Cryptolocker Process Tree
It then enumerates all directories and files on the victim host and begins its encryption routine, appending a '.phoenix' extension to each affected file:
Figure 9: Encrypted Files
In tandem with the file encryption, a ransom note titled 'PHOENIX-HELP' is dropped to each directory. Its contents include the malware name, an image of a phoenix, and instructions on how to contact the attacker via an email address ('phcontactme[at]c*ck[dot]li') or a web link ('hxxps://t[dot]me/phdecrypt'):
Figure 10: PHOENIX-HELP Ransom Note
Should a user navigate to the URL provided in the ransom note, it takes them to a page titled 'phoenix helpdesk', which prompts the user to download the messaging app 'Telegram' in order to make contact with the attacker:
Figure 11: Phoenix Helpdesk
Upon completion of its encryption routine, the malware invokes the built-in Windows® binaries 'waitfor.exe' and 'attrib.exe' via 'cmd.exe' to remove the original binary, the created folder and the copied binary, thereby removing all evidence of itself and leaving the victim with only their encrypted files and the dropped ransom note:
Figure 12: Phoenix Post-Encryption Cleanup
Below is a partial list of file types targeted by this ransomware:
.html, .zip, .chm, .inc, .diz, .c, .ss, .rar, .xml, .pdb, .dd64, .h, .qm, .lib, .a, .asm, .txt, .doc, .pl, .1, .vim, .sample, .GPLV2, .GPLV3, .RUNTIME, .pm, .bash, .ico, .tcsh, .zsh, .png, .sh, .cgi, .css, .js, .ioc, .its, .def, .rst, .cmderver, .map, .reg, .lua, .fml, .conf, .bmp, .farconfig, .pyd, .lng, .properties, .api, .au3, .spc, .cspec, .pspec, .sla, .spaspec, .exports, .global, .fs, .fsc, .xpm, .csc, .xbm, .tab, .gz, .mo, .docbook, .svgz, .theme, .tmac, .mount, .page, .gr, .db, .bz2, .README, .awk, .7z, .lic
Table 2: Targeted File Extensions
Exempted File Types / Exempted Folders (table contents not preserved in this copy)
The BlackBerry® model assessment shows the behavior of current and previous BlackBerry® Protect machine learning (ML) models when analyzing this sample:
The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document (the numeric values for the size limit, import hash, Rich signature hash and certificate details did not survive in this copy and are left as placeholders; the 64-bit check uses the Yara 'pe' module):
    import "pe"

    rule Mal_Ransom_Phoenix_Cryptolocker
    {
        strings:
            $f0 = {48 8D 0D D0 2F 1D 00}
        condition:
            // Must be a 64-bit executable
            // Must be less than [file-size limit not preserved]
            // Must have exact import hash [value not preserved]
            // Must have the below Rich sig hash [value not preserved]
            // Must be signed with the below digital Certificate [details not preserved]
            // Must have Strings
            uint16(0) == 0x5A4D and pe.machine == pe.MACHINE_AMD64 and $f0
    }
Indicators of compromise: File System (Created, Deleted) and Mutex (table contents not preserved in this copy)
The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.