A newly discovered piece of ransomware written in PureBasic has been linked to a Malware-as-a-Service (MaaS) provider that has been used by Cobalt Gang, FIN6, and other threat groups.
Dubbed PureLocker, the malware comes with evasion methods and features that have allowed it to remain undetected for months. The use of PureBasic, a rather uncommon programming language, also makes porting between Windows, Linux, and macOS easy.
The analyzed Windows sample was masquerading as the C++ cryptography library called Crypto++, and managed to remain undetected by VirusTotal antivirus engines for several weeks. The file would not exhibit malicious or suspicious behavior when executed in a sandbox, Intezer reveals.
Digging deeper, security researchers discovered that the file was not related to Crypto++, but that it did include code copied from multiple malware families, mainly from the Cobalt Gang. Most of the malicious code, however, was found to be unique.
The threat is executed as a COM server DLL by regsvr32.exe, with its code residing in the DllRegisterServer export. The code includes various other exports as well, but they are meant for deception and have no functionality.
At first, the malware checks whether it is executed as intended or whether it is being analyzed or debugged, and exits immediately if a check fails. The threat doesn’t delete itself in such an instance, but does so after a successful execution.
Intezer’s security researchers believe the malware is part of a targeted and multi-stage attack, given that it checks whether the “/s /i” arguments are used at execution, to ensure no dialogues are displayed to the user.
It also checks whether it is executed by regsvr32.exe and whether its file extension is either “.dll” or “.ocx,” in addition to verifying that the current year on the machine is 2019 and whether it has admin privileges or not.
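The execution constraints described above (a COM server DLL loaded by regsvr32.exe with the “/s /i” arguments, a “.dll” or “.ocx” extension, and elevated privileges) are also what a defender can key on in process-creation telemetry. The following is an added detection example, written for this article and not code from Intezer or from the malware; it runs over constructed Sysmon-style events whose field names (Image, CommandLine, ParentImage, IntegrityLevel), paths and parent-process list are assumptions, and scores each regsvr32 silent install by how many suspicious traits it carries.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i C:\Users\alice\AppData\Local\Temp\cryptopp.dll",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:install C:\Users\alice\Downloads\update.ocx",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /s /i notes.dll",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

# Assumed lists of interactive/script parents and user-writable path fragments.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_regsvr32(cmdline):
    """Split a regsvr32 command line into its switch set and the module path.

    Quoted paths with spaces are kept intact; '/i:cmdline' collapses to 'i'.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    flags, module = set(), None
    for tok in tokens[1:]:  # tokens[0] is the image name itself
        if tok.startswith("/"):
            flags.add(tok[1:].split(":", 1)[0].lower())
        else:
            module = tok.strip('"')
    return flags, module


def assess(event):
    """Return a finding dict for a suspicious regsvr32 silent install, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return None
    flags, module = parse_regsvr32(event["CommandLine"])
    # The article's sample only runs under /s /i, so both switches are required.
    if not module or not {"s", "i"} <= flags:
        return None
    ext = module.lower().rsplit(".", 1)[-1] if "." in module else ""
    if ext not in ("dll", "ocx"):
        return None
    reasons = ["regsvr32 silent install (/s /i) of ." + ext]
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append("parent is script host " + parent)
    if any(frag in module.lower() for frag in USER_WRITABLE):
        reasons.append("module lives in a user-writable path")
    if event.get("IntegrityLevel", "").lower() == "high":
        reasons.append("running with high integrity (admin)")
    return {"module": module, "score": len(reasons), "reasons": reasons}


def scan(events):
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["score"], finding["module"], "; ".join(finding["reasons"]))
```

The score is deliberately additive rather than a hard verdict: a vendor installer registering an OCX silently from Program Files under msiexec.exe is normal, while a script host silently registering a DLL out of Temp with a high-integrity token is the shape the article describes.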
“This type of behavior is not common in ransomware, which typically prefer to infect as many victims as possible in the hopes of gaining as much profit as possible. Additionally, being a DLL file designed to be executed in a very specific manner reveals this ransomware is a later-stage component of a multi-stage attack,” the researchers note.
PureLocker manually loads another copy of “ntdll.dll” and resolves API addresses manually from there, an anti-hooking technique that allows it to evade user-mode hooking of ntdll functions. The ransomware also uses the resolve-by-hash method to obtain the function addresses.
Low-level Windows API functions in ntdll.dll are employed for most functionality, with some exceptions. The Windows Crypto API functions are not used; the compiled-in PureBasic crypto library is leveraged instead for encryption.
The threat uses the standard AES+RSA combination for file encryption, with a hard-coded RSA key, and adds the “.CR1” extension to affected files. After encryption, the original files are securely deleted to prevent recovery.
A ransom note dubbed YOUR_FILES.txt is then dropped onto the desktop, instructing victims to contact the attackers via email for payment type and ransom amount. The attackers use a different Proton email address for each attack, which allows them to track victims and decryption keys.
The CR1 string appears not only in the encrypted file extension, but also in the ransom note and attacker email addresses, suggesting this is the identifier of the group operating the samples.
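The file-system side of the behaviour described above (a burst of files receiving the “.CR1” extension, followed by YOUR_FILES.txt being dropped on the desktop) gives a second, process-independent detection point. This is an added example written for this article, not code from Intezer or from the malware: it walks constructed file-activity events, raises one alert when a single process renames several files to “.CR1” inside a short window, and another when the ransom note appears on a desktop. The event tuple layout, the assumption that the original name is kept with “.CR1” appended, and the burst threshold (3 renames in 30 seconds) are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".cr1"          # extension the article reports on affected files
RANSOM_NOTE = "your_files.txt"  # ransom note name the article reports
BURST_COUNT = 3                 # assumed threshold: renames per process per window
BURST_WINDOW = timedelta(seconds=30)

# Constructed file-activity events: (timestamp, process, action, source, target).
SAMPLE_FILE_EVENTS = [
    ("2019-11-12T10:00:01", "regsvr32.exe", "rename",
     r"C:\Users\alice\Documents\q3.xlsx", r"C:\Users\alice\Documents\q3.xlsx.CR1"),
    ("2019-11-12T10:00:02", "regsvr32.exe", "rename",
     r"C:\Users\alice\Documents\plan.docx", r"C:\Users\alice\Documents\plan.docx.CR1"),
    ("2019-11-12T10:00:03", "backup.exe", "rename",
     r"C:\Users\alice\Documents\notes.txt", r"C:\Users\alice\Documents\notes.txt.bak"),
    ("2019-11-12T10:00:04", "regsvr32.exe", "rename",
     r"C:\Users\alice\Pictures\img1.jpg", r"C:\Users\alice\Pictures\img1.jpg.CR1"),
    ("2019-11-12T10:00:05", "regsvr32.exe", "rename",
     r"C:\Users\alice\Pictures\img2.jpg", r"C:\Users\alice\Pictures\img2.jpg.CR1"),
    ("2019-11-12T10:00:09", "regsvr32.exe", "create",
     None, r"C:\Users\alice\Desktop\YOUR_FILES.txt"),
    ("2019-11-12T10:05:00", "notepad.exe", "create",
     None, r"C:\Users\alice\Documents\YOUR_FILES.txt"),
]


def is_encrypted_name(path):
    """True when the target name carries the reported encrypted-file extension."""
    return path.lower().endswith(ENCRYPTED_EXT)


def is_ransom_note(path):
    """True for the reported note name, only when dropped into a Desktop folder."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] == RANSOM_NOTE and "\\desktop\\" in p


def analyze(events):
    """Sliding-window mass-rename detection plus ransom-note drop detection."""
    recent = defaultdict(list)   # process -> timestamps of recent .CR1 renames
    burst_alerted = set()        # processes already reported, to avoid repeats
    alerts = []
    for ts, proc, action, src, dst in events:
        t = datetime.fromisoformat(ts)
        if action == "rename" and is_encrypted_name(dst):
            window = [x for x in recent[proc] if t - x <= BURST_WINDOW] + [t]
            recent[proc] = window
            if len(window) >= BURST_COUNT and proc not in burst_alerted:
                burst_alerted.add(proc)
                alerts.append({"kind": "mass_rename", "process": proc,
                               "count": len(window), "at": ts})
        elif action == "create" and is_ransom_note(dst):
            alerts.append({"kind": "ransom_note", "process": proc,
                           "path": dst, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FILE_EVENTS):
        print(alert)
```

Because the article notes that the originals are securely deleted after encryption, the rename burst is the earliest of these signals and the one worth acting on; the ransom note confirms the stage but arrives after the damage is done.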
The investigation also revealed a connection with the loader part of the “more_eggs” JScript backdoor, also known as “SpicyOmelette,” which is associated with a MaaS provider on underground forums that threat groups such as the Cobalt Gang and FIN6 have bought malware kits from.
PureLocker and the more_eggs loader were likely designed by the same author, given that both have COM server DLL components written in PureBasic, employ the same evasion and anti-analysis methods, use identical string encoding and decoding methods, and have nearly identical pre-payload stages.
“While we have a good sense regarding the malware’s origin, it’s unclear at this time whether the “CR1” group that’s using this ransomware for targeted attacks is a previous customer of the MaaS provider, such as Cobalt Gang and FIN6, or a new one,” the security researchers note.