Security Market Segment LS
Wednesday, 05 August 2020 11:51

Sophos says WastedLocker has many similarities to Bitpaymer and Dridex


The new kid on the Windows ransomware block, WastedLocker, may be causing foreheads to wrinkle over at companies that fear attacks from this genre of malware, but it has given security firms, like global operator Sophos and Russian company Kaspersky, plenty of meat for their researchers to sink their teeth into.

On Wednesday, Sophos announced it had carried out a multi-part series on ransomware, with the first in the series concentrating on techniques that WastedLocker uses to avoid detection.

As iTWire has reported, Kaspersky researcher Fedor Sinitsyn issued a detailed report on WastedLocker last week, concentrating on its method of attacking a system and its command-line interface that allowed it to accept different arguments that controlled the way it operated.

Sinitsyn pointed out that WastedLocker had been increasingly used in the first six months of the year, with the most recent, and possibly the most attention-garnering, attack against wearable technology specialist Garmin.

Sophos researchers Mark Loman and Anand Ajjan wrote that the author of WastedLocker had cunningly crafted a sequence of manoeuvres meant to confuse and evade anti-ransomware software.

They said some of the techniques mimicked those used by other ransomware known as Bitpaymer and the Dridex trojan, with hints that WastedLocker might be a derivative work or have common authors.


Anand Ajjan and Mark Loman. Courtesy Sophos

"Ransomware defences based on behaviour monitoring typically implement a mini-filter driver," the pair said. "These are kernel drivers that attach to the file system stack. Mini-filters filter I/O operations in order to keep an eye on everything that happens to files.

"For example, the well-known Process Monitor utility from Sysinternals uses a mini-filter driver to create a real-time log of file system activity. Most anti-ransomware solutions use a similar approach to keep an eye on what happens to files."

They said WastedLocker utilised a trick to make it harder for behaviour-based anti-ransomware solutions to keep track of what was going on: using memory-mapped I/O to encrypt a file.

"Although it is unnecessary for ransomware to access documents as a memory-mapped file, the method is more common nowadays, as Maze and Clop (two common Windows ransomware packages) also employ the same tactic," Loman and Ajjan said.

"This technique allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. For behaviour monitoring, this may be a problem. Tools used to monitor disk writes may not notice that ransomware is accessing a cached document, because the data is served from memory instead of disk.

"But the kicker here is that WastedLocker is closing the file once it has mapped a file in memory. You’d think this would result in an error, but the trick actually works because the Windows Cache Manager also opens a handle to the file once a file is mapped into memory."

The two researchers said anti-ransomware solutions that correlated activity based on CreateFile and CloseFile operations would miss all the disk I/O performed by the Cache Manager in response to mapped memory operations.

"Ultimately, the Cache Manager will release its internal handle to the memory-mapped file. This may happen after a few minutes, but we have observed that the Cache Manager closes the handle only after several hours," they said.
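To make the monitoring gap concrete, here is an added example (not code from Sophos or the article) of a toy behaviour-monitor correlator run over a constructed, Procmon-style event trace; the process names, PIDs and paths are invented. The naive version credits writes to whichever process holds the file open between CreateFile and CloseFile, so the Cache Manager's paging writes on an already-closed file end up attributed to System; the second version also remembers who created the file mapping.

```python
"""Toy correlator showing why CreateFile/CloseFile pairing misses writes that
the Cache Manager performs on a memory-mapped file after the mapping process
has closed its own handle. Example code, not part of the original article."""
from collections import defaultdict

SYSTEM_PID = 4  # Windows kernel/Cache Manager I/O shows up under the System process

# Constructed trace: (pid, process, operation, path, detail). Operation names
# follow Procmon conventions; the sequence mirrors the article's description
# and is not a real capture.
TRACE = [
    (4321, "ransom.exe", "CreateFile", r"C:\docs\q3.xlsx", ""),
    (4321, "ransom.exe", "CreateFileMapping", r"C:\docs\q3.xlsx", ""),
    (4321, "ransom.exe", "CloseFile", r"C:\docs\q3.xlsx", ""),
    (SYSTEM_PID, "System", "WriteFile", r"C:\docs\q3.xlsx", "Paging I/O"),
    (SYSTEM_PID, "System", "WriteFile", r"C:\docs\q3.xlsx", "Paging I/O"),
    (1122, "winword.exe", "CreateFile", r"C:\docs\memo.docx", ""),
    (1122, "winword.exe", "WriteFile", r"C:\docs\memo.docx", ""),
    (1122, "winword.exe", "CloseFile", r"C:\docs\memo.docx", ""),
]


def naive_attribution(trace):
    """Credit each write to the process holding the file open (CreateFile..CloseFile).
    Returns {path: {pid: write_count}}. Writes after CloseFile fall back to the writer."""
    open_by = {}  # path -> pid currently holding a handle
    writes = defaultdict(lambda: defaultdict(int))
    for pid, _, op, path, _ in trace:
        if op == "CreateFile":
            open_by[path] = pid
        elif op == "CloseFile":
            open_by.pop(path, None)
        elif op == "WriteFile":
            writes[path][open_by.get(path, pid)] += 1
    return {p: dict(c) for p, c in writes.items()}


def mapping_aware_attribution(trace):
    """Same as above, but also track who created a section for the file, so
    System paging writes on a closed-but-mapped file are credited to the mapper."""
    open_by, mapped_by = {}, {}
    writes = defaultdict(lambda: defaultdict(int))
    for pid, _, op, path, detail in trace:
        if op == "CreateFile":
            open_by[path] = pid
        elif op == "CreateFileMapping":
            mapped_by[path] = pid
        elif op == "CloseFile":
            open_by.pop(path, None)
        elif op == "WriteFile":
            owner = open_by.get(path)
            if owner is None and pid == SYSTEM_PID and "Paging I/O" in detail:
                owner = mapped_by.get(path, pid)  # attribute Cache Manager flush to mapper
            writes[path][pid if owner is None else owner] += 1
    return {p: dict(c) for p, c in writes.items()}
```

On this trace the naive correlator sees System, not ransom.exe, writing q3.xlsx; the mapping-aware one credits both writes to PID 4321.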

Regarding the similarities observed between WastedLocker and Bitpaymer and the Dridex trojan, the pair said both Bitpaymer and WastedLocker abused alternate data streams in the same way. The malware found a clean system file, copied itself to the clean file’s ADS, and then executed itself as a service component of the clean file. This makes it appear that the clean file was the source of the ransomware behaviour.

And both accomplished this using the same technique: they reset the privileges of the targeted system file using icacls.exe in order to add the ADS component, and then copied the clean system file to the %APPDATA% folder.

Loman and Ajjan said Bitpaymer used custom API-resolving functions to call Windows APIs by a hash value rather than by the API function’s name. The same code was also used by Dridex malware, and was consistently seen in many earlier Bitpaymer variants. WastedLocker marked a major upgrade by removing these functions.

Instead, it calls the Windows API directly in memory. This change improved execution efficiency, since no time is spent computing the hash and resolving the API dynamically.

Both ransomware packages — WastedLocker and BitPaymer — used a similar User Account Control bypass technique to elevate the clean, hijacked process to run the ransomware code (using the ADS technique mentioned). Bitpaymer added a .cmd file to the registry key (“HKCU\Software\Classes\mscfile\shell\open\command”), so that, when an elevated eventvwr.exe file was executed, it checked the registry key (by default). That, in turn, executed the .cmd file that ran the ransomware binary. WastedLocker used winsat.exe and winmm.dll to run the ransomware binary (ADS component) by patching the winmm.dll.

Over time, Bitpaymer had slowly improved its encryption method. Early variants used an RC4 key for encrypting the file content, and it further encrypted the RC4 key using a 1024-bit RSA public key. But later variants — as well as current versions of WastedLocker — made some improvements by using AES 256 bit CBC mode for encrypting the files, along with a 4096-bit RSA public key.

Both ransomware packages also encoded the key information with Base64, and stored the encoded key in the ransom note.

Loman and Ajjan said both malware packages customised the ransom note for each victim by adding the name of the organisation. WastedLocker also added the name of the organisation to the ransom note file name as a prefix.

Finally, the two researchers said, WastedLocker could perform certain operations when its main executable was launched with specific arguments, as could some earlier versions of BitPaymer. Both used numbers as arguments, and the numbers they used to indicate the operation the malware was supposed to perform were the same (e.g., -1 indicates the main/initial execution, -2 issues a command to copy the malware and run it using ADS, and -3 indicates that it will begin the file encryption process).

"While none of these alone, or even in combination, is enough to definitively say that, for instance, the same creator was responsible for both ransomware packages, the similarities are so striking as to raise questions about whether the malware author(s) of Bitpaymer and WastedLocker are connected in some collaborative way," Loman and Ajjan noted.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
