Ransomware Uses Multi-Faceted Data Cleaning Tactics to Avoid Recovery
Threat Actors (TAs) have shown increasing interest in the Go programming language, attributable to its cross-platform build support and the extra effort it imposes on reverse engineering. Consequently, a growing number of malware families, including ransomware, have been observed implemented in Go.
Cyble Research and Intelligence Labs (CRIL) has been closely observing the emergence of various types of malicious threats, including Ransomware, Backdoors, RATs, and others. Recently, CRIL discovered a new strain of ransomware called CrossLock, which was created using the programming language “Go”.
CrossLock ransomware employs double extortion to increase the likelihood of payment: it encrypts the victim's data and also exfiltrates it, then threatens to leak or sell the stolen data on the dark web if the ransom for the decryptor is not paid within the stated deadline. Victims therefore face both loss of access to their data and exposure of it, which puts significant pressure on them to pay.
So far, CrossLock ransomware has targeted and added one organization to its victim list, which has been publicly mentioned on the leak site.
Technical Analysis
The sample analyzed below is a 64-bit Go binary with SHA256 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.
The unique build ID of the GoLang-compiled CrossLock ransomware file is shown below.
CrossLock ransomware accepts several command-line parameters. The table below lists the available options and what each one does:

Parameter | Description
--- | ---
--path, -P | Encrypt the specified path
--host, -H | Remote IP address or DNS name (for example 192[.]168[.]1[.]2 or dcServer) of a host on the victim's network to connect to
--domain, -d | Domain name used when authenticating to the remote host; defaults to "."
--user, -u | Username used to authenticate to the remote host before encrypting it
--pwd, -p | Password used for that authentication
--uac, -ub | Attempt a User Account Control (UAC) bypass; defaults to false
An example command line is hardcoded in the executable:

- `rware.exe --host dcServer --domain icme[.]com --user administrator -p 123456@passwd -P C$`

Note the target path: C$ is the administrative share of the remote host, so with valid domain credentials the binary encrypts another machine's system drive over SMB rather than the local one.
If no input parameters are provided, the ransomware will attempt to infect the machine it is currently running on.
Upon execution, the ransomware checks whether it is running under Wine by calling GetProcAddress() to look up wine_get_version(), an export that exists only in Wine's build of ntdll.dll. If the lookup succeeds, the ransomware concludes it is running inside Wine, a common sign of an analysis environment rather than a real victim.
Next, the ransomware patches four Event Tracing for Windows (ETW) exports, EtwNotificationRegister(), EtwEventRegister(), EtwEventWriteFull() and EtwEventWrite(), by overwriting their first bytes with 48 33 C0 C3. Those bytes disassemble to xor rax, rax; ret, so every call returns 0 (STATUS_SUCCESS) immediately without emitting an event.
Event Tracing Bypass
Event Tracing for Windows (ETW) is a logging mechanism integrated into Windows operating systems that enables developers to capture and analyze system and application events in a standardized method across all system components, such as the kernel, device drivers, and applications. ETW is a useful tool for troubleshooting performance issues, diagnosing problems, and monitoring system activities.
TAs, including ransomware authors, abuse this by tampering with ETW from inside their own process so that the telemetry is never produced. This is not an exploit of a vulnerability in ETW: the relevant functions live in ntdll.dll, which is mapped into every process, and a process can overwrite its own private copy of those code pages. Security tools that rely on user-mode ETW providers firing from within the malicious process therefore lose visibility into it.
The figure below displays how the CrossLock ransomware modifies the initial bytes of the EtwEventWrite() function with ’48 33 C0 C3′ to evade event tracing.
The patch is written to the .text section of the ransomware's own mapping of ntdll.dll; the page is copy-on-write, so other processes keep the original code. Within the ransomware's process, however, every ETW write returns immediately with a success status and no event reaches any consumer, which is how it evades detections built on that telemetry. Kernel-side telemetry (process creation, file system and registry events) is not affected by this user-mode patch, so the commands in the next section still appear in process-creation logs.
The CrossLock ransomware is patching the Event Tracing for Windows (ETW) function by using the steps shown in the figure below.
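As an added example (not CrossLock's code, and not code from this page), the following Go program shows the defender's side of this patch: it compares the first bytes of each ETW export as mapped in a process with the same bytes from the on-disk ntdll.dll image and, when they differ, names the stub if it recognises one. The `clean` prologue bytes are constructed placeholders, not real ntdll.dll code; a real scanner would read the live bytes with ReadProcessMemory at the address GetProcAddress returns for the export, and the reference bytes from the mapped file. Only the first stub in the table is the CrossLock patch; the others are common variants added here for completeness.

```go
package main

import (
	"bytes"
	"fmt"
)

// ETW exports that CrossLock patches, per the analysis above.
var etwExports = []string{"EtwNotificationRegister", "EtwEventRegister", "EtwEventWriteFull", "EtwEventWrite"}

// knownStubs are short "return immediately" sequences seen written over ETW/AMSI
// exports. The first is the CrossLock patch from this page; the rest are common
// variants added here for completeness.
var knownStubs = []struct {
	code []byte
	asm  string
}{
	{[]byte{0x48, 0x33, 0xC0, 0xC3}, "xor rax, rax ; ret"},
	{[]byte{0x33, 0xC0, 0xC3}, "xor eax, eax ; ret"},
	{[]byte{0x31, 0xC0, 0xC3}, "xor eax, eax ; ret"},
	{[]byte{0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3}, "mov eax, 0 ; ret"},
	{[]byte{0xC3}, "ret"},
}

// Verdict describes the state of one export's entry point in a live process.
type Verdict struct {
	Export  string
	Patched bool
	Reason  string
}

// inspectPrologue compares the first bytes of an export as mapped in a process
// (live) with the same bytes from the on-disk ntdll.dll image (disk). The disk
// comparison is the authoritative check; the stub table only names the patch.
// A real scanner reads `live` with ReadProcessMemory at the export's address;
// here both slices are supplied by the caller.
func inspectPrologue(export string, live, disk []byte) Verdict {
	n := len(live)
	if len(disk) < n {
		n = len(disk)
	}
	if n == 0 {
		return Verdict{export, false, "no bytes to compare"}
	}
	if bytes.Equal(live[:n], disk[:n]) {
		return Verdict{export, false, "prologue matches on-disk image"}
	}
	for _, s := range knownStubs {
		if bytes.HasPrefix(live, s.code) {
			return Verdict{export, true, fmt.Sprintf("known stub % X (%s)", s.code, s.asm)}
		}
	}
	return Verdict{export, true, fmt.Sprintf("unrecognised patch: live % X, disk % X", live[:n], disk[:n])}
}

// scanProcess inspects every ETW export and returns those that were tampered with.
func scanProcess(live, disk map[string][]byte) []Verdict {
	var patched []Verdict
	for _, e := range etwExports {
		if v := inspectPrologue(e, live[e], disk[e]); v.Patched {
			patched = append(patched, v)
		}
	}
	return patched
}

func main() {
	// Constructed sample: placeholder "clean" bytes for every export, and a process
	// in which EtwEventWrite carries the CrossLock stub. These are not real ntdll
	// prologues; a scanner would read them from the file and from the process.
	clean := []byte{0x4C, 0x8B, 0xDC, 0x48, 0x83, 0xEC, 0x58}
	disk, live := map[string][]byte{}, map[string][]byte{}
	for _, e := range etwExports {
		disk[e], live[e] = clean, clean
	}
	live["EtwEventWrite"] = []byte{0x48, 0x33, 0xC0, 0xC3, 0x83, 0xEC, 0x58}
	for _, v := range scanProcess(live, disk) {
		fmt.Printf("%s: PATCHED, %s\n", v.Export, v.Reason)
	}
}
```

Comparing against the on-disk image rather than only against a stub list matters: a legitimate function may begin with `ret`, and a patch may be a `jmp` to attacker code instead of a known stub, so the byte comparison decides and the stub table only explains.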
Cleaning
After patching ETW, the ransomware runs a series of commands through cmd.exe to hinder recovery and cover its tracks. These delete all shadow copies, clear the Application, Security and System event logs, delete the backup catalog, disable automatic startup repair, delete system state backups, and more:
- cmd.exe /c “vssadmin delete shadows /all /quiet”: This command deletes all the shadow copies of the files and folders on the system. Shadow copies are a backup mechanism used in Windows that can be used to recover files if they get lost or damaged.
- cmd.exe /c “wevtutil cl application”: This command clears the application event logs in the Windows Event Viewer. Event logs are logs created by the system and applications to record specific events and actions that have occurred on the system.
- cmd.exe /c “wbadmin delete catalog -quiet”: This command deletes the backup catalog of the system. The backup catalog contains information about backups that have been taken on the system.
- cmd.exe /c “bcdedit /set {default} recoveryenabled No”: This command disables the automatic startup repair feature on the system. Automatic startup repair is a feature in Windows that can automatically fix startup problems.
- cmd.exe /c “wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest”: This command deletes the oldest system state backup on the system. A system state backup is a backup of the system’s critical files, including the registry, boot files, and system files.
- cmd.exe /c “wevtutil cl security”: This command clears the security event logs in the Windows Event Viewer. Security event logs are logs created by the system and applications to record security-related events and actions that have occurred on the system.
- cmd.exe /c “bcdedit /set {default} bootstatuspolicy ignoreallfailures”: This command sets the boot status policy to ignore all failures. The boot status policy is a feature in Windows that determines what actions the system takes if it fails to start up properly.
- cmd.exe /c “wbadmin DELETE SYSTEMSTATEBACKUP”: This command deletes the system state backup on the system.
- cmd.exe /c “wevtutil cl system”: This command clears the system event logs in the Windows Event Viewer. System event logs are logs created by the system and applications to record system-related events and actions that have occurred on the system.
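An added example, not from the page: a small detector in Go over constructed process-creation records that flags the burst of recovery-inhibition and log-clearing commands listed above when several distinct ones come from one parent process within a short window. That correlation separates the ransomware pattern from an administrator or backup agent running vssadmin once. The record format, host names and PIDs are made up for the example; the ATT&CK IDs are the ones in the table at the end of the page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

type Rule struct {
	Name, Technique string
	Pattern         *regexp.Regexp
}

// rules cover the recovery-inhibition (T1490) and log-clearing (T1070.001) commands listed above.
var rules = []Rule{
	{"vssadmin delete shadows", "T1490", regexp.MustCompile(`\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"wbadmin delete backups", "T1490", regexp.MustCompile(`\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b`)},
	{"bcdedit disable recovery", "T1490", regexp.MustCompile(`\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b`)},
	{"wevtutil clear log", "T1070.001", regexp.MustCompile(`\bwevtutil(\.exe)?\s+cl\s+(application|security|system)\b`)},
}

// matchRules lower-cases and collapses whitespace first, so case and spacing
// tricks ("VSSADMIN   Delete  Shadows") do not slip past the patterns.
func matchRules(cmd string) []Rule {
	norm := strings.Join(strings.Fields(strings.ToLower(cmd)), " ")
	var hits []Rule
	for _, r := range rules {
		if r.Pattern.MatchString(norm) {
			hits = append(hits, r)
		}
	}
	return hits
}

// Alert fires when one parent process on one host issues at least `threshold`
// distinct matching commands within `window`.
type Alert struct {
	Host, PPID string
	Distinct   int
	Techniques []string
}

// Correlate consumes process-creation records in this example's constructed
// format: "<RFC3339 time> <host> <parent pid> <command line, to end of line>".
func Correlate(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	type hit struct{ t time.Time; r Rule }
	byParent := map[[2]string][]hit{}
	for _, ln := range lines {
		f := strings.SplitN(ln, " ", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", ln)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		for _, r := range matchRules(f[3]) {
			k := [2]string{f[1], f[2]}
			byParent[k] = append(byParent[k], hit{ts, r})
		}
	}
	var alerts []Alert
	for k, hs := range byParent {
		sort.Slice(hs, func(i, j int) bool { return hs[i].t.Before(hs[j].t) })
		for i := range hs { // window anchored at each hit, in time order
			names, techs := map[string]bool{}, map[string]bool{}
			for j := i; j < len(hs) && hs[j].t.Sub(hs[i].t) <= window; j++ {
				names[hs[j].r.Name], techs[hs[j].r.Technique] = true, true
			}
			if len(names) < threshold {
				continue
			}
			var list []string
			for t := range techs {
				list = append(list, t)
			}
			sort.Strings(list)
			alerts = append(alerts, Alert{k[0], k[1], len(names), list})
			break // one alert per parent process
		}
	}
	return alerts, nil
}

// sampleLog is constructed for this example: a backup agent's single vssadmin call
// on FS01, then the CrossLock-style burst spawned by parent pid 4120 on WS07.
var sampleLog = []string{
	`2023-04-18T10:00:01Z FS01 1200 vssadmin delete shadows /for=D: /oldest`,
	`2023-04-18T10:02:11Z WS07 4120 cmd.exe /c "vssadmin delete shadows /all /quiet"`,
	`2023-04-18T10:02:11Z WS07 4120 cmd.exe /c "wevtutil cl application"`,
	`2023-04-18T10:02:12Z WS07 4120 cmd.exe /c "wbadmin delete catalog -quiet"`,
	`2023-04-18T10:02:12Z WS07 4120 cmd.exe /c "bcdedit /set {default} recoveryenabled No"`,
}

func main() { fmt.Println(Correlate(sampleLog, time.Minute, 3)) }
```

With the constructed log, FS01's lone vssadmin call produces no alert, while the four distinct commands from parent PID 4120 on WS07 within two seconds do. Because these commands run via cmd.exe, the process-creation records come from kernel telemetry that the ETW patch described earlier does not suppress.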
Stop Services
Additionally, CrossLock ransomware is designed to stop over 500 services that could be running on the victim’s machine before proceeding with the encryption of files. The figure below displays some of the service names that the ransomware is programmed to target.
Once the services are stopped, the malware identifies the system drives and drops a ransom note named “—CrossLock_readme_To_Decrypt—.txt” into multiple folders.
The content of the ransom note is shown below.
After dropping the ransom note, the malware uses the FindFirstFileW() and FindNextFileW() API functions to enumerate the files and directories and search files for encryption.
During encryption, CrossLock skips the folder names, file names, and file extensions listed in the table below. Its own .crlk extension is on the list so that already-encrypted files are not processed twice, and excluding system folders and executable extensions is the usual ransomware practice that keeps the machine bootable.

Type | Excluded values
--- | ---
File extensions | .exe, .dll, .sys, .msi, .lnk, .html, .bak, .dat, .bat, .cmd, .crlk
File names | Bootmgr, BOOTNXT, DumpStack.log.tmp, pagefile.sys, swapfile.sys, desktop.ini, ntuser.dat, thumbs.db
Folder names | Windows, System Volume Information, $Recycle.Bin, perflogs, Program Files, Programdata, Recovery
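Added example (not from the page): applying the exclusion table in Go as a triage aid. Given a file listing from an affected host, it classifies each path as encrypted, ransom note, excluded by the rules above, or in scope but untouched; the last category is the signal that a run was interrupted or that files were created afterwards. The listing is constructed. Matching folder names against every path component, and matching the note name with its leading and trailing dashes in either plain or em-dash form, are this example's assumptions, not details the page documents.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Exclusion lists from the table above, lower-cased because NTFS names are
// case-insensitive. Assumption: folder names are matched against every path component.
var (
	skipExt  = set(".exe", ".dll", ".sys", ".msi", ".lnk", ".html", ".bak", ".dat", ".bat", ".cmd", ".crlk")
	skipName = set("bootmgr", "bootnxt", "dumpstack.log.tmp", "pagefile.sys", "swapfile.sys", "desktop.ini", "ntuser.dat", "thumbs.db")
	skipDir  = set("windows", "system volume information", "$recycle.bin", "perflogs", "program files", "programdata", "recovery")
)

func set(items ...string) map[string]bool {
	m := make(map[string]bool, len(items))
	for _, s := range items {
		m[s] = true
	}
	return m
}

// noteStem is the note file name without its surrounding dashes or extension; the
// page renders the dashes as em-dashes, so Classify tolerates either form (assumption).
const noteStem = "crosslock_readme_to_decrypt"

type Class int

const (
	Encrypted  Class = iota // renamed with .crlk
	RansomNote              // the dropped note
	Excluded                // skipped by the ransomware's own rules
	Untouched               // in scope yet not encrypted: interrupted run, or created afterwards
)

func (c Class) String() string {
	return [...]string{"encrypted", "ransom-note", "excluded", "untouched"}[c]
}

// Classify applies CrossLock's exclusion rules to one Windows path.
func Classify(p string) Class {
	p = strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
	dir, base := path.Split(p)
	ext := path.Ext(base)
	if ext == ".txt" && strings.Trim(strings.TrimSuffix(base, ext), "-\u2014") == noteStem {
		return RansomNote
	}
	if ext == ".crlk" {
		return Encrypted
	}
	if skipName[base] || skipExt[ext] {
		return Excluded
	}
	for _, d := range strings.Split(strings.Trim(dir, "/"), "/") {
		if skipDir[d] {
			return Excluded
		}
	}
	return Untouched
}

// Triage summarises a file listing and returns the in-scope files that were
// not encrypted, the first thing to look at when judging how far a run got.
func Triage(paths []string) (counts map[Class]int, untouched []string) {
	counts = map[Class]int{}
	for _, p := range paths {
		c := Classify(p)
		counts[c]++
		if c == Untouched {
			untouched = append(untouched, p)
		}
	}
	return counts, untouched
}

func main() {
	// Constructed listing for the example, not data from a real victim.
	listing := []string{
		`C:\Users\bob\Documents\report.docx.crlk`,
		`C:\Users\bob\Documents\---CrossLock_readme_To_Decrypt---.txt`,
		`C:\Windows\System32\ntdll.dll`,
		`C:\Users\bob\Desktop\tool.lnk`,
		`C:\pagefile.sys`,
		`C:\ProgramData\App\config.json`,
		`D:\Shares\finance\budget.xlsx`,
	}
	counts, untouched := Triage(listing)
	fmt.Println(counts, untouched)
}
```

Run over a full directory listing of an affected volume, a large "untouched" count outside the excluded folders means the encryptor did not finish, which changes both the recovery plan and the scope of the data-exfiltration question.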
Encryption
CrossLock's encryption routine combines the Curve25519 key agreement with the ChaCha20 stream cipher to encrypt the files on the victim's machine, using the Go packages shown below.
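As an added illustration (not CrossLock's code, and not from the page), the following Go program shows why that pairing leaves victims dependent on the operator: each file is encrypted with a ChaCha20 key derived from an X25519 agreement between a fresh ephemeral key and the operator's public key, and the ephemeral private key is discarded, so only the operator's private key can recompute the file key. The output layout (ephemeral public key, nonce, ciphertext), the SHA-256 derivation of the ChaCha20 key and the keystream counter starting at 1 are this example's choices, not details the page documents. ChaCha20 is written out inline per RFC 8439 so the example needs only the standard library; crypto/ecdh requires Go 1.20 or later.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// quarterRound is the ChaCha20 quarter round (RFC 8439, section 2.1).
func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 16)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 12)
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 8)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 7)
}

// chachaBlock returns one 64-byte keystream block (RFC 8439, section 2.3).
func chachaBlock(key *[32]byte, counter uint32, nonce *[12]byte) [64]byte {
	le := binary.LittleEndian.Uint32
	s := [16]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574, 12: counter}
	for i := 0; i < 8; i++ {
		s[4+i] = le(key[4*i:])
	}
	s[13], s[14], s[15] = le(nonce[0:]), le(nonce[4:]), le(nonce[8:])
	w := s
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		quarterRound(&w, 0, 4, 8, 12); quarterRound(&w, 1, 5, 9, 13)
		quarterRound(&w, 2, 6, 10, 14); quarterRound(&w, 3, 7, 11, 15)
		quarterRound(&w, 0, 5, 10, 15); quarterRound(&w, 1, 6, 11, 12)
		quarterRound(&w, 2, 7, 8, 13); quarterRound(&w, 3, 4, 9, 14)
	}
	var out [64]byte
	for i := range s {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// chachaXOR applies the keystream to data in place; the same call encrypts and decrypts.
func chachaXOR(key *[32]byte, nonce *[12]byte, data []byte) {
	for off, ctr := 0, uint32(1); off < len(data); off, ctr = off+64, ctr+1 {
		ks := chachaBlock(key, ctr, nonce)
		for j := 0; j < 64 && off+j < len(data); j++ {
			data[off+j] ^= ks[j]
		}
	}
}

// Seal encrypts one file to the operator's embedded public key. Output layout
// (assumed here): ephemeralPub(32) || nonce(12) || ciphertext.
func Seal(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub) // eph's private half is never stored
	if err != nil {
		return nil, err
	}
	var nonce [12]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // example KDF; the page does not document CrossLock's
	ct := append([]byte(nil), plaintext...)
	chachaXOR(&key, &nonce, ct)
	return append(append(eph.PublicKey().Bytes(), nonce[:]...), ct...), nil
}

// Open is the decryptor the victim is asked to buy: only the operator's private
// key can recompute the shared secret, and with it the file key.
func Open(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("blob shorter than header")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	var nonce [12]byte
	copy(nonce[:], blob[32:44])
	key := sha256.Sum256(shared)
	pt := append([]byte(nil), blob[44:]...)
	chachaXOR(&key, &nonce, pt)
	return pt, nil
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // never leaves the attacker
	blob, _ := Seal(operator.PublicKey(), []byte("constructed sample file contents"))
	pt, _ := Open(operator, blob)
	fmt.Printf("%d-byte blob, recovered %q\n", len(blob), pt)
}
```

The practical consequence for responders: the binary only ever contains the operator's public key, so neither memory forensics of the encryptor nor the ephemeral public key stored in each file yields anything that decrypts without the operator's private key.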
The malware then calls MoveFileExW() to replace each original file with its encrypted version, renamed with the .crlk extension, as illustrated in the figure below.
The below figure shows the CrossLock ransomware encrypted files and ransom note text files after the successful infection of a victim’s machine.
The ransom note left behind by the ransomware provides victims with guidance on how to reach out to the TAs to obtain their encrypted data.
The TAs issue a warning to their victims, claiming that their network has been compromised and that highly sensitive information, including documents, databases, and customer data, has been encrypted and transferred to their own servers. In order to restore their encrypted data and avoid the release of this sensitive information, victims are required to purchase the decryption application.
The ransom note additionally includes the ID for TOX Messenger, which is utilized for negotiating the ransom, as well as the Onion URL for the leak site page, as shown in the figure below.
The image below illustrates the information regarding the infection that the ransomware displays after the encryption process has been completed.
The figure below shows the details of the CrossLock ransomware Onion leak home page and the affected company.
Figure 13 – CrossLock Leak site home page
Conclusion
CrossLock is a newly discovered ransomware group targeting businesses and demanding a significant ransom. Besides encrypting the victim's files, the attackers use double-extortion tactics, stealing sensitive data and threatening to release it on their onion leak site unless the ransom is paid.
The TAs wrote the ransomware in Go, which lets a single codebase be compiled for several operating systems. The Event Tracing for Windows (ETW) patching by CrossLock is particularly notable: it blinds any detection that depends on user-mode ETW events emitted from the ransomware's own process, although kernel-level telemetry and the process-creation records of the commands it spawns remain available. CrossLock also takes several steps to reduce the chances of data recovery, which increases the attack's effectiveness.
Cyble Research & Intelligence Labs (CRIL) constantly monitors new ransomware campaigns and promptly shares our latest findings with our readers to keep them up-to-date.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Isolate infected devices from the rest of the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact of CrossLock Ransomware
- Loss of Valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Execution | T1059 | Command and Scripting Interpreter
Execution | T1204 | User Execution
Execution | T1047 | Windows Management Instrumentation
Defense Evasion | T1564 | Hide Artifacts: Hidden Window
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1070 | Indicator Removal (clears Windows event logs, deletes shadow copies)
Discovery | T1082 | System Information Discovery
Discovery | T1135 | Network Share Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1057 | Process Discovery
Impact | T1486 | Data Encrypted for Impact
Impact | T1490 | Inhibit System Recovery
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description
--- | --- | ---
9756b1c7d0001100fdde3efefb7e086f | MD5 | CrossLock ransomware executable
55de88118fe8abefb29dec765df7f78785908621 | SHA1 | CrossLock ransomware executable
495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72 | SHA256 | CrossLock ransomware executable