VSSDestroy is a variant of the Matrix ransomware which targets Windows workstations. Matrix ransomware was spread via Rig EK as recently as 2017. This paper details the observations made by the Cylance Threat Research team during their analysis of VSSDestroy.
Technical Analysis
Our analysis begins with the execution of the malware payload. Upon execution, the ransomware drops a copy of the malware file to the same directory of the original with the following filename:
- NW[0-9a-zA-Z]{6}.exe
The copy of the malicious file then executes with the"-n" option: (NW[0-9a-zA-Z]{6}.exe -n )
Encryption:
VSSDestroy encrypts files and renames them with the .newrar extension:
Figure 1: File types encrypted by VSSDestroy
The ransomware creates a README document for victims to read after encryption (Figure 2):
Figure 2: Encrypted file and the README document
The document instructs victims to email newrar(at)tuta[.]io or newrar(at)cock[.]lu to acquire a decryption key. A second avenue for communication, via bitmsg (hxxps://bitmsg[.]me/), is provided in case targets cannot communicate via email (Figure 3):
Figure 3: Contents of #NEWRAR_README#.rtf
VSSDestroy changes the background image of the affected system. The ransomware drops an image file named 0-9a-zA-Z]{8}.bmp and sets it as the wallpaper (Figure 4). The malware modifies wallpaper settings in the following system registry locations:
- HKCU\Control Panel\Desktop\Wallpaper
- HKCU\Control Panel\Desktop\WallpaperStyle
- HKCU\Control Panel\Desktop\TileWallpaper
Figure 4: Ransom wallpaper image
Victims will see the wallpaper after Windows reboot.
The Trojan drops a modified version of the Sysinternals tool called “Handle Viewer v4.11”. The tool closes handles grabbed by running processes, allowing the ransomware to encrypt them as well (Figure 5):
Figure 5: Handle Viewer [gLxNMqwr.exe]
The modified version is packed with UPX whereas original HashViewer 4.11 is not packed.
If you unpack the modified version, there is only a slight difference between the original HashViewer 4.11 and the modified unpacked version (Figure 6):
Figure 6: HashViewer 4.11
During file encryption, the Trojan sends the infected computer name and any captured usernames to the C2 server (Figure 7):
- hxxp://no7654324wesdfghgfds[.]000webhostapp[.]com/addrecord[.]php
Figure 7: HTTP traffic
VSSDestroy searches for remote workstations by running an IP-incremental ARP scan of a range of networks using NetShareEnum API. If anything is discovered, the malware will proceed to encrypt the files located on the remote resources:
Figure 8: ARP scan
Removing VSS/Disabling Start-Up Repair
VSSDestroy is designed to schedule a task named DSHCA which runs a bat file (FcHN8mhB.bat) every five minutes. This process is designed to let the ransomware delete shadow copies and disable start-up repair after a system reboot
Figure 9: Creating a scheduled task to run FcHN8mhB.bat every five minutes
Figure 10: A script to remove shadow copies and disable start-up repair
Summary
In testing, CylancePROTECT® detects and blocks both the ransomware file and malicious scripts.
Indicators of Compromise (IOCs)
Hashes
- 075f86e2db93138f3f3291bc8f362e5f54dfdeeb98b63026697b266fbebddb00
- 193697be39290126d24363482627ff49ad7ff76ad12bbac43f53c0a3a614db5d
- d0c7b512610a1a206dbf4b4d8c352a26a26978abe8b5d0d3255f0b02196482a1
- 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
- 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
(dropped executable file)
Filenames
Malware Execution Directory
- NW[0-9a-zA-Z]{6}.exe
- [0-9a-zA-Z]{8}.bat
- [0-9a-zA-Z]{8}.txt
- bad_[0-9a-zA-Z]{16}.txt
- elog_[0-9a-zA-Z]{16}.txt
- LFIN_[0-9a-zA-Z]{16}.txt
- [YOUR_GLOBAL_IPADDRESS]_log.txt
- [0-9a-zA-Z]{8}.exe
- PROCEXP152.SYS
%AppData%
- [0-9a-zA-Z]{8}.bmp
- [0-9a-zA-Z]{8}.vbs
- [0-9a-zA-Z]{8}.bat
Every Directory
- #NEWRAR_README#.rtf
- [newrar@tuta.io].[0-9a-z]{8}-[0-9a-z]{8}.newrar
C2s/IPs
- hxxp://no7654324wesdfghgfds[.]000webhostapp[.]com/addrecord[.]php
o 145.14.144.16
o 145.14.144.143
o 145.14.145.178
o 145.14.144.182
-Assigned IP address is dynamically changed in the segment.
- hxxp://myexternalip[.]com/raw
o 78.47.139.102
- Mutexes
o MutexNEWRAR
o MutexNEWRARDONW
- Interesting strings/Commands
o NW[0-9a-zA-Z]{6}.exe -n
o powershell "$webClient = New-Object -TypeName System.Net.WebClient;$webClient.DownloadString('hxxp://myexternalip[.]com/raw')" >"[same directory of itself]\[0-9a-zA-Z]{8}.txt"
o reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "%AppData%\[0-9a-zA-Z]{8}.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
o "UseBackQ Tokens=3,6 delims=: "
