DLL Fixer leads to Cyrat Ransomware
#1
Bug 
Quote:
[Image: cryrat_die.png]

A new ransomware uses an unusual symmetric encryption method named "Fernet". It is Python based and appends .CYRAT to encrypted files.

Discovery & Initial Analysis


While hunting for new malware we often use Yara rules to find suspicious samples. One of my generic ransomware hunt rules found this new ransomware sample. At the time it had only 2 detections on Virustotal. The first submission date is 25. August 2020.

DiE and PortexAnalyzer note that there is a zlib archive in the overlay of the file. Further inspection shows references to the python37.dll and the archive's name PYZ-00.pyz which is typical for PyInstaller executables.

It means Cyrat ransomware was compiled with Python 3.7 and converted to a Windows PE file using PyInstaller.

Unpacking and decompiling this file requires PyInstxtractor, Python 3.7 and, e.g., uncompyle6. The Python version needs to be the same as the malware executable's while extracting the .pyc files. Otherwise PyInstxtractor has issues properly constructing the files.

Disguise as DLL fixer

When I first tried to run the malware it crashed because of missing fonts for pyfiglet. To see it in action, I had to install pyfiglet and replicate the code that displays the ransomware's output.

The malware disguises itself as DLL fixer 2.5 (see image below). Upon execution it will display a randomly created number of corrupted DLLs it pretends to have found on the system. After the system has been encrypted, a success message for fixing the DLLs is shown.

Encryption

Cyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. While Fernet is not unusual in itself, it is not common for ransomware and in this case even problematic. This ransomware encrypts whole files regardless of how big they are, whereas Fernet is unsuitable for big files.

A public RSA key is used to encrypt the Fernet key. This public key is downloaded from Mediafire instead of shipping it with the ransomware. This adds another dependency. The encrypted Fernet key is saved in Desktop\EMAIL_US.txt. A user with an infected system is required to send this file to the criminals.

Cyrat appends .CYRAT to encrypted files. It has a list of folders that it checks for target files. Those folders are 'Desktop', 'Downloads', 'Pictures', 'Music', 'Videos', and 'Documents'.

It targets files with the following extensions: 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'boop', 'pst', 'ost', 'msg', 'eml', 'vsd', 'vsdx', 'txt', 'csv', 'rtf', '123', 'wks',  'wk1', 'pdf', 'dwg', 'onetoc2', 'snt', 'jpeg', 'jpg', 'docb', 'docm', 'dot', 'dotm', 'dotx', 'xlsm', 'xlsb', 'xlw', 'xlt', 'xlm', 'xlc', 'xltx', 'xltm', 'pptm', 'pot', 'pps', 'ppsm', 'ppsx', 'ppam', 'potx', 'potm', 'edb', 'hwp', '602', 'sxi', 'sti', 'sldx', 'sldm', 'sldm', 'vdi', 'vmdk', 'vmx', 'gpg', 'aes', 'PAQ', 'bz2', 'tbk', 'bak', 'tar', 'tgz', 'gz', '7z', 'rar', 'zip', 'backup', 'iso', 'vcd', 'bmp', 'png', 'gif', 'raw', 'tif', 'tiff', 'nef', 'psd', 'ai', 'svg', 'djvu', 'm4u', 'm3u', 'mid', 'wma', 'flv', '3g2', 'asf', 'mpeg', 'vob', 'mpg', 'swf', 'wav', 'mp3', 'sh', 'class', 'jar', 'java', 'rb', 'asp', 'php', 'jsp', 'brd', 'dch', 'dip', 'pl', 'vb', 'vbs', 'ps1', 'bat', 'cmd', 'asm', 'h', 'pas', 'c', 'cs', 'suo', 'sln', 'ldf', 'mdf', 'ibd', 'myi', 'myd', 'frm', 'odb', 'dbf', 'db', 'mdb', 'accdb', 'sql', 'sqlitedb', 'sqlite3', 'lay6', 'lay', 'mml', 'sxm', 'otg', 'odg', 'uop', 'std', 'sxd', 'otp', 'odp', 'wb2', 'slk', 'dif', 'stc', 'sxc', 'ots', 'ods', '3dm', 'max', '3ds', 'uot', 'stw', 'sxw', 'ott', 'odt', 'p12', 'csr', 'key', 'pfx', 'der', 'deb', 'mpeg', 'WEBM', 'MPG', 'MP2', 'MPEG', 'MPE', 'MPV', 'OGG', '3gp', 'mp3', 'json', 'css', 'html', 'py', 'exe', 'MP2', 'MPEG', 'MPE', 'MPV', 'OGG', '3gp', 'mp3'

The ransomware lists a few more extensions with a dot in them, which is a bug: '.ARC', '.cpp', '.cgm', '.js', '.fla', '.asc', '.crt', '.sch'. These extensions will never be found by Cyrat because the file path is stripped of dots before it is compared with the target extension.

A ransom note named RANSOME_NOTE.txt is placed in every target folder. Furthermore, a ransomware stock photo is downloaded from images.idgesg.net to Documents\background_img.png and set as wallpaper. The wallpaper does not contain any ransom message. In this state the stock photo's only purpose is to draw the user's attention.
...
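Two triage checks follow from the quoted write-up: recognising the PyInstaller-packed dropper (python37.dll and PYZ-00.pyz in the overlay) and confirming that a .CYRAT file is a Fernet token, which also recovers the creation timestamp Fernet embeds in every token. The script below is an added example written for this thread; it is not code from the write-up or from the malware. The PYZ and DLL strings come from the write-up, the "MEI" cookie is PyInstaller's own archive magic known independently of it, and the token layout is the public Fernet specification (version byte 0x80, 64-bit timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC). Both sample inputs are constructed, not real malware bytes.

```python
import base64
import binascii
import datetime
from typing import Dict, Optional

# Markers the write-up ties to this sample's PyInstaller build (python37.dll,
# PYZ-00.pyz). The "MEI" cookie is PyInstaller's own CArchive magic and is
# added here from general knowledge of PyInstaller, not from the write-up.
PYINSTALLER_MARKERS = {
    "pyinstaller_cookie": b"MEI\x0c\x0b\x0a\x0b\x0e",
    "pyz_archive": b"PYZ-00.pyz",
    "python37_dll": b"python37.dll",
}

# Fernet token layout (cryptography.io spec, public structure, no key needed):
# 1 byte version 0x80 | 8 byte big-endian creation timestamp | 16 byte IV |
# AES-128-CBC ciphertext (multiple of 16 bytes) | 32 byte HMAC-SHA256
FERNET_VERSION = 0x80
FERNET_MIN_LEN = 1 + 8 + 16 + 16 + 32


def pyinstaller_markers(data: bytes) -> Dict[str, bool]:
    """Report which PyInstaller / Python 3.7 markers occur anywhere in a file image."""
    return {name: pattern in data for name, pattern in PYINSTALLER_MARKERS.items()}


def looks_like_pyinstaller(data: bytes) -> bool:
    """The cookie alone is decisive; otherwise require both the PYZ name and the DLL name."""
    hits = pyinstaller_markers(data)
    return hits["pyinstaller_cookie"] or (hits["pyz_archive"] and hits["python37_dll"])


def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Parse the public fields of a Fernet token; None if the blob is not one.

    On a .CYRAT file this confirms the format and recovers the creation
    timestamp Fernet embeds, which dates the encryption for the incident timeline.
    """
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < FERNET_MIN_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        return None
    ts = int.from_bytes(raw[1:9], "big")
    return {
        "timestamp": ts,
        "timestamp_utc": datetime.datetime.fromtimestamp(
            ts, tz=datetime.timezone.utc).isoformat(),
        "iv": raw[9:25].hex(),
        "ciphertext_len": len(ciphertext),
        # PKCS7 padding always adds at least one byte
        "max_plaintext_len": len(ciphertext) - 1,
        "hmac": raw[-32:].hex(),
    }


def triage_blob(data: bytes) -> str:
    """Classify a file image as the packed dropper, an encrypted file, or unknown."""
    if looks_like_pyinstaller(data):
        return "pyinstaller-executable"
    if parse_fernet_token(data) is not None:
        return "fernet-token"
    return "unknown"


# Constructed samples (not real malware bytes): a PE-like stub carrying the
# three markers, and a structurally valid Fernet token with dummy IV,
# ciphertext and HMAC, dated 25 August 2020 00:00 UTC.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 64 + b"python37.dll\x00"
             + b"MEI\x0c\x0b\x0a\x0b\x0e" + b"PYZ-00.pyz\x00")


def make_sample_token(ts: int = 1598313600) -> bytes:
    iv = bytes(range(16))
    ciphertext = b"\x11" * 32
    mac = b"\x22" * 32
    body = bytes([FERNET_VERSION]) + ts.to_bytes(8, "big") + iv + ciphertext + mac
    return base64.urlsafe_b64encode(body)


if __name__ == "__main__":
    print(triage_blob(SAMPLE_PE), pyinstaller_markers(SAMPLE_PE))
    print(triage_blob(make_sample_token()), parse_fernet_token(make_sample_token()))
```

Because Cyrat writes each file as a single Fernet token, the ciphertext length reported for a .CYRAT file is essentially the original file size, which is the practical face of the write-up's point that Fernet holds the whole plaintext in RAM. The timestamp is plaintext in the token, so it can be read without the Fernet key or the RSA private key.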