Whenever we come across news like this, Russia always comes to mind. Russian hackers are believed to be the most dreaded hackers in the world; the number of ransomware families they launch and the techniques they use set them apart from any other group. Following this pattern, researchers from NCC Group have come across a new malware variant developed by the well-known criminal group “Evil Corp”, previously associated with the Dridex malware and the BitPaymer ransomware. The malware analyzed is named “WastedLocker” ransomware, which they began investigating in early May 2020. The name WastedLocker comes from two joined words:
- The first, “Locker”, refers to the file the ransomware creates on the victim's computer.
- The second, “waste”, indicates that the files the ransomware attacks can no longer be used.
ANATOMY AND ANALYSIS OF THE RANSOMWARE
This ransomware relies on another trojan to deliver it to the victim's system. In the first stage, the attackers deliver a trojan named SocGholish to the victim's system. SocGholish is a RAT and banking trojan that lures the user with fake browser and Flash update prompts, which convince the victim to “upgrade” their software. As soon as the update button is clicked, JavaScript code executes that sends system information to the SocGholish server, which in return launches a payload on the victim's system. The server returns two PowerShell scripts containing Cobalt Strike payloads. The payloads are obfuscated with a well-known crypter, CrypterOne. First, the crypter allocates a memory buffer by calling the VirtualAlloc API; the buffer is then decrypted using an XOR-based algorithm. After decryption, the crypter jumps into the data blob, which turns out to be shellcode (the PowerShell scripts) responsible for decrypting the actual payload. The first PowerShell script decodes the Cobalt Strike payload, which is base64-encoded twice, then decrypts the PowerShell script, converts the payload into bytes and finds space in memory to execute it. The second PowerShell script is used to decode the other two payloads.
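A defender-side triage helper for the nested-base64 PowerShell staging described above, added here as an example and not code from the NCC Group or ethicaldebuggers write-up; the log lines, stage contents and indicator strings are constructed for the demo, and the UTF-16LE check is a heuristic for `-EncodedCommand` bodies.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample of the kind of process-creation log line a fake-update
# loader leaves behind: powershell launched with a base64 -EncodedCommand whose
# body holds a second base64 layer (hypothetical data built here for the demo).
INNER = b"[Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, $buf.Length)"
STAGE2 = b"$buf=[Convert]::FromBase64String('" + base64.b64encode(INNER) + b"');"
ENCODED_CMD = base64.b64encode(STAGE2.decode().encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "CommandLine: powershell.exe -nop -w hidden -EncodedCommand " + ENCODED_CMD,
    "CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64-looking run
INDICATORS = (b"FromBase64String", b"VirtualAlloc", b"Marshal]::Copy")

def decode_layer(blob: str) -> Optional[bytes]:
    """Decode one base64 run; -EncodedCommand bodies are UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if raw[1:2] == b"\x00":                      # ASCII text encoded as UTF-16LE
        return raw.decode("utf-16-le", errors="ignore").encode()
    return raw

def unwrap_layers(data: bytes, max_depth: int = 5) -> List[bytes]:
    """Peel nested base64 layers; returns every layer, outermost first."""
    layers = [data]
    while len(layers) <= max_depth:
        match = B64_RUN.search(layers[-1].decode("latin-1"))
        if not match:
            break
        decoded = decode_layer(match.group(0))
        if decoded is None:
            break
        layers.append(decoded)
    return layers

def triage_line(line: str) -> dict:
    """Report base64 depth and loader-style strings seen in any layer."""
    layers = unwrap_layers(line.encode())
    depth = len(layers) - 1
    hits = sorted({i.decode() for layer in layers for i in INDICATORS if i in layer})
    return {"layers": depth, "indicators": hits, "suspicious": depth >= 2 or bool(hits)}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage_line(entry))
```

Two or more decoded layers, or any of the indicator strings in a decoded layer, is the signal worth alerting on; a single base64 argument alone is common in legitimate administration scripts.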
Source: https://ethicaldebuggers.com/evil-corps-give-birth-to-a-new-ransomware-wastedlocker/