Jack O'Sullivan
March 22 2021
Mole02, alleged to be a variant of the CryptoMix Ransomware family, first emerged in June 2017. It was distributed via a malvertising campaign which redirected its victims to the Astrum Exploit Kit (also known as Stegano EK) [1], exploiting several vulnerabilities in Flash and Internet Explorer to spread [3, 4, 5].
The malware, which appends the .MOLE02 extension, to encrypt records utilises RSA and AES encryption ciphers to encrypt files. It then demands 0.5 or 1.0 Bitcoin to decrypt the data.
While the malware does not leverage any specific exploits following infection and does not contain worm-like behaviour, it consists of several distinct components, including:
- File system activity - creating new files on the system and encrypting data
- Network based activity - communicating with a remote C&C server
- Persistence - attempting to remain after resets
- Stealth - attempting to prevent security warnings
Described below is the analysis of the binary, our thought process, and clues which led us to create a universal decryption tool. Additionally, the profile also provides actionable blue team intelligence to assist organisations in reacting to current and future infections.
The scope of this article is limited to the sample received by the Secarma Threat Intelligence Team with the following characteristics [2]:
Filename | SHA256 Hash | Size (bytes) | Compile Time | Description | File Type |
CarrollPLC Soft (6.2.1.7) | 846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e | 225280 | 2017-06-13 15:11:08 | Main payload + Encryptor | Win32 EXE |
Table 1 - Mole02 Sample File Characteristics
It is not the intention of this article to examine the behaviour of the Exploit Kit and associated campaigns, which we will be discussing in future articles.
START UP AND CONTROL FLOW OVERVIEW
This section provides a high-level overview of the malware's behaviour when executed within our lab. Additional details of the relevant functions can be found within the next few sections.
One of the first actions taken by the malware that we noticed was checking the current Windows charset. The following figure shows this check being performed.
The following high-level source code is provided for simplicity to represent the above.
if ((v2 = GetDC(0), GetTextCharset(v2) == 204)) // IF RUSSIAN CHARSET
|
As highlighted in the figure above, the “204” value is the character set being checked following the executing of the “GetTextCharset” [6] function. If this is matched, the malware exits. The function relies on the “WinGDI.h” library. A quick check shows the 204 character set is the value for the Russian charset, which can be seen in the below snippet.
#define ANSI_CHARSET 0
|
In other words, if the host's charset is Russian then it will exit the process and will not proceed to encrypt files.
When the malware executes successfully, runtime analysis discovered the sample disabled multiple services which could interfere with its execution, including: Windows Security Centre, Windows Defender, and the Windows Auto Update Service. Moreover, to prevent system recovery, the sample also deleted the host's shadow files. A more detailed view of each service's behaviour is shown in the figure below.
For a listed output of the above commands please refer to Appendix A.
The next stage of the malware revealed its networking capabilities, with a POST request sent to an external address. Although currently offline the external host responded with a public key.
Following the HTTP activity, the sample copies itself within the “%APPDATA%” directory, includes a Zone Identifier Alternate Data Stream (ADS), and then executes itself from there. For persistence, new registry entries are also created, shortly before starting the encryption routine, which encrypts, renames, and replaces file extensions with “.MOLE02”.
When User Access Control (UAC) is enabled the victim is shown an additional window to entice to allow the malware to execute, as shown below.
Once clicked the user is prompted with the following UAC window, which loops a couple times unless permitted.
The next few sections provide a deeper level of details for each stage of the malware analysed. For a summarised list of all indicators, please refer to the end of this article.
NETWORKING
Shortly after starting-up, but before establishing persistence or encrypting the files, the malware attempts to communicate with an external host. A POST request is sent to hxxp://137.74.163[.]43/css/styless.php, containing data about the version of the sample (in this case “6”), as well as a unique identification number (“GUID”), which we have redacted. The following figure illustrates this.
Although the remote host is no longer responding to requests the full HTTP request and response was as follows:
Request | Response |
POST /css/styless.php HTTP/1.1
|
HTTP/1.1 200 OK -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJujltYLvSczUBHnV04R1DiwI/ SoRpb3CgXPa6i4Gqw51f41OoXv2tgy5NLOMPvbIM6kWuSmgp7lSFiBb8U+aJPYjU KgXT6ccnEZBfpLXL15YAm6eMifC8GGz3eNPrSeNRx0ojTrVgEhWhMjRY0E6VRK+b d8/VGGzdJIO/e/rbxwIDAQAB -----END PUBLIC KEY----- |
Table 2 - Full Request/Response
Although the host responded with a public key, it was not required for operation. This was confirmed through further analysis which showed the same hard coded key, as evidenced below:
Initially our thoughts were that the GUID's linked to their respective public keys. However, since the same key is hard coded, it seems likely that all victims of this particular variant could benefit if the private key were recovered.
This was the only network request attempted, and our first clue which meant that the ransomware authors used a static public key for encrypting files of all infected users.
Networking - Indicators of Compromise Summary
Indicator | Comments |
137.74.163[.]43
|
C&C IP address |
/css/styless.php
|
C&C resource |
POST /css/styless.php HTTP/1.1 guid=<GUID>&ver=6 |
Full C&C request |
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJujltYLvSczUBHnV04R1DiwI/
|
Public key |
FILE SYSTEM
Following the malware start-up routine discussed previously and the initial network request initiated, a file is created on the system. The filename was identical on different hosts we tested, hence could be used as an early indicator of compromise prior to the encryption process being started. This is possibly a remnant of a previous variant, which would contain the fetched public key previously mentioned. The file name and full path is as follows, which may also contain a prefix:
%APPDATA%<prefix>_26E14BA00B70A5D0AE4EBAD33D3416B0.MOLE
|
Further into the infection, the malware then copies itself into the same directory ("%APPDATA%") under a different name associated with the infected user’s GUID, and creates a Zone Identifier Alternate Data Stream (ADS) containing a ZoneTransfer ZoneId value of “0” ("Local machine"). A Windows ADS Zone Identifier stores information about a file on whether it was downloaded from the Internet, and whether it should be trusted. The reason behind this action is so that once the sample establishes persistence within the Windows registry, as we will see in the next section, the malware is executed without the user being presented a security warning. By way of example, the following figures demonstrate what would happen if this ZoneId was either set to "3" ("Internet"), or "4"("Restricted sites").
Figure 7 - Zone Identifier: ZoneTransfer ZoneId = 3
|
Figure 8 - Zone Identifier: ZoneTransfer ZoneId = 4
|
As can be seen above, a ZoneId of “3” or “4” would display security warnings, whereas a ZoneId of “0” would successfully execute with no warnings. Alternate Data Streams (ADS) are often used by malware authors to either hide data or in this scenario, disable security warnings.
After these actions new registry entries are added. This is discussed in the next section. The new PE file is then executed, and once the encryption routine starts, the malware identifies user paths and file extensions to process and starts encrypting files. Encrypted files are renamed with a 128-bit hexadecimal uppercase value, and their extensions replaced with “.MOLE02”.
The malware then writes several notes containing instructions laid out by the developers on how to pay the ransom and decrypt the files, including the Tor service, address unique “DECRYPT-ID” (which we refer to as “GUID”), to the “_HELP_INSTRUCTION.TXT” files, which reads as follows:
!!!IMPORTANT INFORMATION!!! All of your files are encrypted with RSA 2048 and AES-128 ciphers. More information about the RSA and AES can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
Follow these steps: 1. Download and install Tor Browser: http://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://supportjy2xvvdmx.onion/ 4. Follow the instructions on the site. !!! Your DECRYPT-ID: <GUID> !!! |
Table 3 - Redacted Ransom Note ("_HELP_INSTRUCTION.TXT")
File System - Indicators of Compromise Summary
Files created (including Alternate Data Streams):
%APPDATA%\<prefix>_26E14BA00B70A5D0AE4EBAD33D3416B0.MOLE
|
REGISTRY
Before executing its encryption routine, the malware creates registry entries to persist on the host system. Each entry points to the executable within the "%APPDATA% folder, as seen in the previous section. The following figures are examples of registry entries created by this sample:
Registry entries created:
Registry - Indicators of Compromise Summary
Registry Key | Value |
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun<long_name>
|
%APPDATA%<name>.exe
|
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun<name>
|
%APPDATA%<name>.exe
|
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce<name>
|
%APPDATA%<name>.exe
|
ANTI DISASSEMBLY & DEBUGGING
In this instance the sample was found to be using two native Windows API functions for the purposes of anti-debugging.
IsDebuggerPresent
This is the simplest API function for determining whether the calling process is being debugged by a user-mode debugger. It searches the Process Environment Block (PEB) structure for the field 'IsDebugged' and returns a zero or non-zero value whether a debugger is attached.
OutputDebugStringA and OutputDebugStringW
These functions can be used to detect the presence of a debugger by sending a string to a debugger for display. If called and a debugger is attached the call would succeed and display the predetermined string value.
No Anti-VM techniques were found, the sample ran without issue within a Virtualbox environment.
POST INFECTION ANALYSIS
Following the analysis of the malware, we decided to investigate further the process a victim would go through to recover their files. Navigating to the Tor hidden service, as instructed within the “_HELP_INSTRUCTION.TXT” files, we are presented with the following interface.
As seen above, 1.0 BTC is required to be sent a decryption software and the associated private key, which would be used to decrypt the infected victim’s files. Earlier reports regarding the Mole02 ransomware showed only 0.5 BTC were needed at the time.
After submitting our "DECRYPT-ID", we received the following message, just hours later:
As seen above, a payment of 1.0 BTC must be made to the given address to receive a private key that will decrypt the infected user’s files. This address differs from other reports we came across. We identified at least two Bitcoin addresses during our analysis:
As the figures above show, based on these two Bitcoin addresses, the ransomware authors gathered an amount of around £25,000 at the time of writing. It is likely however that other addresses were used, which would result in a higher sum.
Post Infection Analysis - Indicators of Compromise Summary
Indicator | Comments |
supportjy2xvvdmx[.]onion
|
Tor hidden service (payment website) |
defiles@post[.]com
|
Ransom return sender |
1CzoVXuzrKAe6ancEdMsfSkyzWffzyakUe
|
Ransom Bitcoin address 1 |
1Lt5w9Yow8Q6ZX3SxxAebc3Qp4oouwBUH7
|
Ransom Bitcoin address 2 |
CONCLUSION
This sample and campaign are surely related to the CryptoMix family, as examining the code within already well written research papers proves it. It doesn’t contain particularly advanced features such as those seen in more notable malware. However, this also means a relatively quick and easier creation process, as has already happened since the release of Mole02’s decryption tool [7].
Stay tuned for future analysis and more in depth security related research. In part two we will examine the decryption and how we successfully exploited the poor encryption process.
We hope this article has given valuable insight into typical ransomware actions and resulting observables and thus assisted in developing better and more robust blue team tactics.
REFERENCES
[3] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
[4] http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
[5] http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html
[6] https://msdn.microsoft.com/en-us/library/windows/desktop/dd318125(v=vs.85).aspx
APPENDIX A
mole02.exe (1596) "C:\Users\infected\AppData\Local\Temp\mole02.exe"
|
INDICATORS OF COMPROMISE SUMMARY
Indicator | Comments |
137.74.163[.]43
|
C&C IP address |
/css/styless.php
|
C&C resource |
POST /css/styless.php HTTP/1.1 guid=<GUID>&ver=6 |
Full C&C request |
%APPDATA%\<prefix>_26E14BA00B70A5D0AE4EBAD33D3416B0.MOLE
|
Dropped files (including ADS) |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<long_name> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<name> ("%APPDATA%\<name>.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\<name> ("%APPDATA%\<name>.exe") |
Registry entries created (with values) |
supportjy2xvvdmx[.]onion
|
Tor hidden service (payment website) |
defiles@post[.]com
|
Ransom email return sender |
1CzoVXuzrKAe6ancEdMsfSkyzWffzyakUe
|
Ransom Bitcoin address 1 |
1Lt5w9Yow8Q6ZX3SxxAebc3Qp4oouwBUH7
|
Ransom Bitcoin address 2 |