Thursday 30 March 2017

New Shade cryptolocker confuses analysis tools with 'MS-DOS EXE' file type

A new build of Shade (Troldesh) ransomware comes with a broken PE header making PE analysis tools recognize it as a nonexecutable 'MS-DOS EXE' file. As a result, the detection rate on VirusTotal is 1/59.

Similar to the previous version, it is delivered as a fake letter from the State Fiscal Service of Ukraine.

The PE header is not recognized due to the following alteration in the MS-DOS stub:
New version:

Previous version:

File identification on VirusTotal:

The payload is the same. The Java script from the zip archive downloads and executes the cryptolocker through cmd. The process name is 'rad<RANDOM>.tmp'.

The cryptolocker adds its reference to the autorun key in the Windows System Registry to start on system boot up:

"Client Server Runtime Subsystem"="C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"
The encrypted files get '.no_more_ransom' extension.

Network IoCs

Yara rule

rule ShadeCryptolocker_nomoreransom
        author = "NioGuard Security Lab"
        info = "Detecting the Shade (Troldesh) cryptolocker process"
        reference = ""

        $a1 = "Client Server Runtime Subsystem"
        $a2 = "a4ad4ip2xzclh6fd.onion"
        $a3 = "reg.php"
        $a4 = "prog.php"
        $a5 = "err.php"
        $a6 = "cmd.php"
        $a7 = "sys.php"
        $a8 = "shd.php"
        $a9 = ".no_more_ransom"
      all of ($a*)


No comments:

Post a Comment