It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently the team found that a sample with a modified appearance and a modified internal ransom note had been detected and blocked via the ASD infrastructure.
Upon infection, the “.KOXIC_[random string]” extension is appended to the names of the encrypted files, and a TXT ransom note is generated in each directory. The filename of the ransom note is as follows.
- WANNA_RECOVER_KOXIC_FILEZ_[Random string].txt

The ransom note of the recently collected sample is similar to those of BlueCrab (Sodinokibi, REvil) ransomware, which was once actively distributed in Korea.
BlueCrab operated its own website and instructed victims to access it via the Tor browser. By contrast, Koxic ransomware directs victims to make contact via email.
Among the Koxic ransomware samples collected in the past, some had completely different ransom notes while others were almost identical in format to BlueCrab's. There appears to be no direct connection between the two ransomware families, since their code shows no similarities.

The ransom note of this sample contains a threatening message telling the reader that their important files have been downloaded and that, if no agreement is reached, the data will be leaked; however, no such leak has ever happened.
Another notable feature is that the section names were deliberately changed to hide the UPX packing. This technique, dubbed the UPX Trick, is a commonly used method in which UPX-packed files are modified to hinder analysis or to bypass automatic unpacking by AV software.

When the ransomware is executed, the following tasks are carried out before the files are encrypted.
[Debugging Check]
Two APIs that check for the presence of a debugger are used. If a debugger is detected, the current function calls itself recursively in an infinite loop, which eventually causes a stack overflow.

[Modifying System Registry]
A cmd command is used to modify the system registry. Values are modified to terminate Defender and turn off notifications, and there are entries that extend the remote session expiry time to the maximum.
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
- HKLM\SOFTWARE\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\AllowFastServiceStartup
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
- HKCU\Software\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
[Terminating Processes]
By executing the following commands, Koxic ransomware attempts to terminate certain processes and services. However, because the commands are separated by newlines instead of the “&” operator, only the first line is actually executed. This is deemed to be a mistake on the part of the threat actor.
cmd.exe /c taskkill /F /IM MSASCuiL.exe
taskkill /F /IM MSMpeng.exe
taskkill /F /IM msseces.exe
[Deleting VSC and Terminating Services]
A command that deletes volume shadow copies and other commands that modify the status of multiple services are executed. Like the example above, only the first line is executed, effectively only deleting the VSC.
cmd.exe /c vssadmin delete shadows /all /quiet
sc config browser
sc config browser start=enabled
sc stop vss
sc config vss start=disabled
sc stop MongoDB
sc config MongoDB start=disabled
sc stop SQLWriter
sc config SQLWriter start=disabled
sc stop MSSQLServerOLAPService
sc config MSSQLServerOLAPService start=disabled
sc stop MSSQLSERVER
sc config MSSQLSERVER start=disabled
sc stop MSSQL$SQLEXPRESS
sc config MSSQL$SQLEXPRESS start=disabled
sc stop ReportServer
sc config ReportServer start=disabled
sc stop OracleServiceORCL
sc config OracleServiceORCL start=disabled
sc stop OracleDBConsoleorcl
sc config OracleDBConsoleorcl start=disabled
sc stop OracleMTSRecoveryService
sc config OracleMTSRecoveryService start=disabled
sc stop OracleVssWriterORCL
sc config OracleVssWriterORCL start=disabled
sc stop MySQL
sc config MySQL start=disabled
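As an added example (not from the report or AhnLab), the following Python detector applies the indicators described in the three sections above to constructed process-creation records; the record fields, rule names and the reg add command line are assumptions. It splits each cmd.exe /c argument on the same newline separators the report mentions, so the commands that never ran are still matched as indicators of intent.

```python
import re

# Constructed process-creation records (not from the report). The command text mirrors
# the cmd.exe command lines quoted in the analysis, including the newline separation
# that makes cmd.exe execute only the first command.
SAMPLE_EVENTS = [
    "pid=4120 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c vssadmin delete shadows /all /quiet\n"
    "sc stop vss\nsc config vss start=disabled\nsc stop MSSQLSERVER\nsc config MSSQLSERVER start=disabled",
    "pid=4131 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c taskkill /F /IM MSASCuiL.exe\n"
    "taskkill /F /IM MSMpeng.exe\ntaskkill /F /IM msseces.exe",
    "pid=4140 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c reg add "
    '"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
    "/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    "pid=5002 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c dir C:\\Users",  # benign
]

# One rule per behaviour described in the report.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
    "defender_process_kill": re.compile(r"taskkill\b.*/IM\s+(MSASCuiL|MSMpEng|msseces)\.exe", re.I),
    "service_stop_or_disable": re.compile(
        r"\bsc\s+(stop|config)\s+(vss|MongoDB|SQLWriter|MSSQL\S*|ReportServer|Oracle\S*|MySQL)\b", re.I),
    "defender_policy_tamper": re.compile(r"Policies\\Microsoft\\Windows Defender.*Disable\w+", re.I),
    "rdp_timeout_extension": re.compile(r"Terminal Services\\Max(Disconnection|Idle)Time", re.I),
}

def split_cmd_chain(cmdline: str) -> tuple[list[str], bool]:
    """Split a 'cmd.exe /c ...' argument into its individual commands.

    Also reports whether only the first command would actually run: that is the case
    when the parts are separated by newlines with no '&' or '|' operator, which is the
    flaw in Koxic's command strings. Later commands still reveal intent, so the scanner
    matches every part rather than only the one that executed."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    parts = [p.strip() for p in re.split(r"\r?\n|&&?|\|\|?", body) if p.strip()]
    only_first_runs = "\n" in body and not re.search(r"[&|]", body)
    return parts, only_first_runs

def scan_event(event: str) -> dict:
    """Evaluate one process-creation record against RULES."""
    cmdline = event.split("cmdline=", 1)[1] if "cmdline=" in event else event
    commands, only_first_runs = split_cmd_chain(cmdline)
    hits = {name for cmd in commands for name, rx in RULES.items() if rx.search(cmd)}
    return {"commands": commands, "only_first_runs": only_first_runs, "hits": sorted(hits)}

def scan_events(events: list[str]) -> list[dict]:
    """Return only the records that trip at least one rule."""
    return [r for r in (scan_event(e) for e in events) if r["hits"]]
```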
[Collecting System Info]
The ransomware collects system information and records it under a random filename in the %temp% directory, but a routine that leaks this data was not identified. Collected information includes the IP address, system account information, disk information, network adapter information, hardware information, and OS information.

[Changing Process Priority and Granting Privilege]
The ransomware raises its own process priority to “high” and checks and adds privileges to its process token. The privileges added are listed below.

- SeBackupPrivilege
- SeRestorePrivilege
- SeManageVolumePrivilege
- SeTakeOwnershipPrivilege
[File Encryption]
One thread draws up the list of encryption targets while multiple worker threads carry out the actual encryption, processing the target files in the list one by one. The encryption process first renames the original file and then uses file mapping to overwrite its contents with the encrypted data. The function call flow is as follows.
MoveFileExW – CreateFileMappingW – MapViewOfFile – [Encryption] – UnmapViewOfFile
The encryption algorithm is AES in CBC mode with a 32-byte key and a 16-byte IV.
A notable point is that files are encrypted in 16-byte blocks but no padding is applied to the last block. Thus, the trailing bytes left over after dividing the file into 16-byte blocks are not encrypted, and the original data is preserved there.
The encryption code appears to be the open-source libtomcrypt library used as-is.
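An added Python example (not Koxic's code and not libtomcrypt) that reproduces the padding-less AES-CBC behaviour described above using the cryptography library; the key, IV and sample file are constructed. It shows that the trailing len(file) % 16 bytes remain in plaintext and that a file shorter than one block is not modified at all, which is useful when triaging encrypted files against known originals.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size: Koxic encrypts whole blocks only and applies no padding

# Constructed key and IV for this demonstration only (not values used by Koxic).
KEY = bytes(range(32))  # 32-byte key -> AES-256
IV = bytes(range(16))   # 16-byte IV
# Constructed 41-byte "document": two full blocks get encrypted, 41 % 16 = 9 bytes do not.
SAMPLE = b"Confidential: the last sentence survives."


def koxic_style_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC over the 16-byte-aligned prefix; the remainder is copied through unchanged,
    reproducing the padding-less loop described in the report."""
    aligned = len(data) - len(data) % BLOCK
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(data[:aligned]) + enc.finalize() + data[aligned:]


def koxic_style_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Inverse of koxic_style_encrypt, for files whose AES key and IV have been recovered."""
    aligned = len(data) - len(data) % BLOCK
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(data[:aligned]) + dec.finalize() + data[aligned:]


def exposed_tail(encrypted: bytes) -> bytes:
    """Plaintext bytes left at the end of an encrypted file: len(file) % 16 of them.
    For a file shorter than one block this is the entire file."""
    n = len(encrypted) % BLOCK
    return encrypted[len(encrypted) - n:] if n else b""
```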
The AES key used for file encryption is encrypted with RSA and saved at the end of the ransom note. The IV value is appended in plaintext after the encrypted key, resulting in the following layout.

When file encryption is complete, the ransom note is created in the %TEMP% directory and opened with Notepad.
[Encryption Exceptions]
- Extensions
Entries such as “.ps1.” and “rtp” appear to be mistakes.
.386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll, .drv, .exe, .hlp, .hta, .icl, .icns, .ico, .ics, .idx, .key, .ldf, .lnk, .lock, .mod, .mpa, .msc, .msi, .msp, .msstyles, .msu, .nls, .nomedia, .ocx, .pdb, .prf, .ps1., .rom, rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .wpx
- Folders and files
., .., windows, System Volume Information, $Recycle.Bin, $SysReset, Config.Msi, bootfont.bin, boot.ini, ntuser.dat, desktop.ini, $windows.~bt, intel, msocache, $recycle.bin, $windows.~ws, tor browser, boot, system volume information, perflogs, google, application data, windows, programdata, windows.old, appdata, mozilla, iconcache.db, ntldr, ntuser.dat.log, thumbs.db, bootsect.bak, ntuser.ini, autorun.inf, All Users, microsoft
AhnLab products detect and block Koxic ransomware using the following aliases.
[File Detection]
– Ransomware/Win.KoxicCrypt.R533926 (2022.11.11.00)
– Trojan/Win.Wacatac.C5290617 (2022.11.04.00)
– Trojan/Win.Generic.C4963639 (2022.02.11.01)
[Behavior Detection]
– Ransom/MDP.Delete.M2117
– Malware/MDP.Behavior.M2771
– Ransom/MDP.Decoy.M4475
[IOC Info]
MD5
e9fdad2df8f8b95398f3c8f27e940f5d
3c4fa896e819cb8fada88a6fdd7b2cc7
01a4208ab9d4b2cfa87ffbdef2f8ab78
Source: https://asec.ahnlab.com/en/42343/