Hakuna Matata Ransomware Targeting Korean Companies – ASEC Blog
Recently, AhnLab Security Emergency response Center (ASEC) has identified that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a relatively new ransomware family. The first report related to Hakuna Matata appeared on Twitter on July 6th, 2023. [1] On July 14th, 2023, a dark web post by a threat actor promoting Hakuna Matata was shared on Twitter as well. [2] Also, among the ransomware samples uploaded to VirusTotal, a file uploaded on July 2nd, 2023 is confirmed to be the earliest case.

Figure 1. Hakuna Matata’s default ransom note

Hakuna Matata differs from typical ransomware in that it includes a ClipBanker feature. Even after encryption, it stays resident on the system and replaces Bitcoin wallet addresses in the clipboard with the threat actor’s address. Therefore, if the user sends Bitcoins from the same system after it has been encrypted, there is a risk of sending them to the threat actor’s wallet address instead of the intended one.

1. Analysis of Attack

After encrypting the system, the threat actor deletes the event logs and the malware used in the attack, so exact information is difficult to recover. However, based on the surrounding circumstances, it is speculated that Remote Desktop Protocol (RDP) was used as the initial attack vector.

Threat actors usually scan externally accessible systems for ones with RDP enabled, then perform brute force or dictionary attacks against the systems they find. If an account uses weak credentials, threat actors can easily obtain them.

The systems that were actually targeted were exposed externally and had RDP enabled. Even after the ransomware infection, brute force attacks that leave failed logon logs (Windows Security Event ID 4625) continue to be observed. If a brute force attack succeeds, the threat actor can log in to the system via RDP with the obtained credentials, which means the threat actor has gained control of the system.

Figure 2. Event log on the brute force attack
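One way to surface the brute force activity described above from exported Event ID 4625 records, as an added example that is not part of the ASEC post: failed RDP logons (logon type 10) are grouped by source address and flagged when enough of them fall inside a short window. The event records below are constructed for illustration; in practice they would come from Get-WinEvent or a SIEM export.

```python
# Added example (not from the ASEC post): flag RDP brute-force attempts from
# Windows Security Event ID 4625 (failed logon) records, grouped by source IP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported 4625 events:
# (time, source IP, target user name, logon type).
# Logon type 10 is RemoteInteractive, i.e. an RDP logon attempt.
SAMPLE_4625 = [
    ("2023-07-20 03:14:01", "203.0.113.7", "administrator", 10),
    ("2023-07-20 03:14:03", "203.0.113.7", "admin", 10),
    ("2023-07-20 03:14:05", "203.0.113.7", "user", 10),
    ("2023-07-20 03:14:06", "203.0.113.7", "test", 10),
    ("2023-07-20 03:14:08", "203.0.113.7", "backup", 10),
    ("2023-07-20 03:14:09", "203.0.113.7", "sql", 10),
    ("2023-07-20 09:30:00", "192.0.2.10", "jkim", 10),  # one typo by a real user
    ("2023-07-20 09:31:00", "192.0.2.10", "jkim", 3),   # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, usernames_tried)} for every
    source that produced >= threshold failed RDP logons within `window`.
    The username list shows whether one account or many were attacked."""
    by_source = defaultdict(list)
    for ts, src, user, logon_type in events:
        if logon_type == 10:  # keep only RemoteInteractive (RDP) failures
            stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_source[src].append((stamp, user))

    hits = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in fails[start:end + 1]})
                hits[src] = (count, users)  # keeps the largest burst seen
    return hits


if __name__ == "__main__":
    for src, (count, users) in detect_rdp_bruteforce(SAMPLE_4625).items():
        print(f"{src}: {count} failed RDP logons in 1 min, users tried: {users}")
```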

This log alone is not enough to determine the attack vector with certainty. However, the tools the threat actor additionally installed are consistent with other ransomware attack cases where RDP was used as the attack vector.

Figure 3. Additional tools installed by the threat actor

2. Malware Strains Used in Attack

The threat actor installed malware in various directories such as “C:\Temp”. The installed tools are mostly NirSoft utilities used to extract account credentials, and they were placed in the “MPass” directory. The threat actor is believed to use these tools to collect account credentials and save them as a text file in the “M!logs” directory. The threat actor also created Process Hacker, RCH.exe, and ver7.exe. RCH.exe could not be identified, but ver7.exe is speculated to be the Hakuna Matata ransomware.

| File Name (Path Name) | Type |
| --- | --- |
| MPass\BulletsPassView64.exe | BulletsPassView – NirSoft |
| MPass\Dialupass.exe | dialup / RAS / VPN passwords Viewer – NirSoft |
| MPass\mailpv.exe | Mail PassView – NirSoft |
| MPass\mspass.exe | MessenPass (IM Password Recovery) – NirSoft |
| MPass\netpass64.exe | Network Password Recovery – NirSoft |
| MPass\NetRouteView.exe | Network Route Utility – NirSoft |
| MPass\rdpv.exe | Remote Desktop PassView – NirSoft |
| MPass\RouterPassView.exe | RouterPassView – NirSoft |
| MPass\VNCPassView.exe | VNCPassView – NirSoft |
| MPass\WebBrowserPassView.exe | Web Browser Password Viewer – NirSoft |
| MPass\WirelessKeyView64.exe | Wireless Key View – NirSoft |
| Process Hacker 2\ProcessHacker.exe | Process Hacker |
| RCH.exe | Unconfirmed |
| ver7.exe | Hakuna Matata Ransomware (speculated) |

Table 1. Tools used for the attack

Typically, if the target system is part of a company’s internal network, ransomware threat actors use tools like those listed above to scan the internal network and collect account credentials. They then use the obtained information for lateral movement, so as to encrypt as many systems in the network as possible.

3. Analysis of Hakuna Matata Used in Attack

| Overview | Description |
| --- | --- |
| Encryption algorithm | AES-256 (CBC) / RSA-2048 |
| Extension | .[Random 5 letters] |
| Ransom note name | “[Computer name]-ID-Readme.txt” |
| Folders excluded from encryption | “windows.old”, “windows.old.old”, “amd”, “nvidia”, “programfiles”, “programfiles(x86)”, “windows”, “$recycle.bin”, “documentsandsettings”, “intel”, “perflogs”, “programdata”, “boot”, “games”, “msocache” |
| Files excluded from encryption | “iconcache.db”, “autorun.inf”, “thumbs.db”, “boot.ini”, “bootfont.bin”, “ntuser.ini”, “bootmgr”, “bootmgr.efi”, “bootmgfw.efi”, “desktop.ini”, “ntuser.dat”, “-ID-Readme.txt” |
| Extensions targeted for encryption | See the Reference section at the end |
| Terminated processes | See the Reference section at the end |
| Terminated services | See the Reference section at the end |
| Others | Registers Run Key; deletes volume shadow copies |

Table 2. Hakuna Matata Ransomware Overview

The ransomware used in the attack had the file name ver7.exe, and the same name appears in the file creation log. Investigating the related files confirmed that the malware is actually the Hakuna Matata ransomware. When first executed, the ransomware copies itself to the “%LOCALAPPDATA%\rundll32.exe” path to disguise itself as a normal process.

Figure 4. Hakuna Matata created with the name ver7.exe

There are 869 extensions targeted for encryption. All matching files are encrypted except those located in whitelisted paths, those with whitelisted file names, and the ransom note files. Each file is encrypted with AES-256 (CBC) using a randomly generated key and IV. The AES-256 key and IV are then encrypted with RSA-2048, and the resulting 0x100 bytes are appended to the end of the encrypted file. For files larger than 0x80000 bytes, only part of the file is encrypted.

Figure 5. File encryption routine

Hakuna Matata then forcibly terminates running database and MS Office related processes and resumes file encryption. It also registers itself in the Run key so that it is executed again after the system is rebooted, and changes the desktop background so that the user notices the system has been encrypted.

Figure 6. Changed desktop

It also checks whether it is running with administrator privileges. If so, the ransomware stops services related to databases and backups. Afterward, it deletes volume shadow copies and disables Windows recovery options using the following commands.

> vssadmin delete shadows /all /quiet & wmic shadowcopy delete
> bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
> wbadmin delete catalog -quiet
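The three command lines above are a reliable detection opportunity because they are rarely run by legitimate software in that combination. As an added example that is not part of the ASEC post, the following matches them against process-creation command lines (the CommandLine field of Security Event ID 4688 or Sysmon Event ID 1); the sample command lines are constructed, and the pattern names are my own labels.

```python
# Added example (not from the ASEC post): find shadow copy / recovery
# tampering in process-creation command lines. Sample lines are constructed.
import re

SAMPLE_CMDLINES = """\
C:\\Windows\\System32\\svchost.exe -k netsvcs
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
cmd.exe /c wbadmin delete catalog -quiet
vssadmin list shadows
"""

# One pattern per tampering action seen in the Hakuna Matata commands.
# Optional ".exe" and case-insensitive matching tolerate small variations.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_delete_vssadmin":
        re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmic":
        re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot_status_ignore_failures":
        re.compile(r"bcdedit(?:\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "recovery_disabled":
        re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
    "backup_catalog_delete":
        re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}


def find_recovery_tampering(text):
    """Return [(line_number, [pattern_name, ...]), ...] for every command line
    that matches at least one pattern. Commands chained with '&' arrive as a
    single process-creation event, so one line can match several patterns."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rx in RECOVERY_TAMPER_PATTERNS.items()
                if rx.search(line)]
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in find_recovery_tampering(SAMPLE_CMDLINES):
        print(f"line {n}: {', '.join(hits)}")
```

The read-only `vssadmin list shadows` on the last sample line is deliberately not flagged, which keeps the rule from firing on routine backup administration.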

Like the notes of other typical ransomware strains, the ransom note instructs the victim to make contact within 72 hours and warns that information will be leaked if the threat actor is not contacted.

Figure 7. Hakuna Matata’s ransom note
  • Threat Actor’s Email Address: keylan@techmail[.]info, gerb666@proton[.]me

Hakuna Matata differs from other ransomware in that it includes a ClipBanker feature. It keeps running after encrypting the infected system’s files and monitors the clipboard. If the user copies a Bitcoin wallet address to the clipboard, it is replaced with the threat actor’s wallet address. The threat actor’s wallet address is built from the “RANDOM_VALUE” string in the order given by “SALT_ALL”.

Figure 8. Ransomware’s ClipBanker routine

Normally, a cryptocurrency wallet address is a long string of random-looking characters, so it is hard to notice that it has been changed. If the user makes a Bitcoin transaction on the same system that was infected with the ransomware, there is a risk of sending Bitcoins to the threat actor’s wallet address.

  • Threat actor’s Bitcoin wallet address – 1: bc1qpkgejqerp74g23m7zhjkuj6e9c3656tsppqlku
  • Threat actor’s Bitcoin wallet address – 2: 16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75
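The practical defence against this clipboard swap is to compare the address actually present in the clipboard with the one that was copied before pasting it into a transaction. As an added example that is not part of the ASEC post, the check below does that comparison, recognises both legacy (Base58) and Bech32 Bitcoin address formats by pattern only (no checksum validation), and additionally matches the two actor wallet addresses listed above; the "legitimate" addresses used in the test are well-known documentation sample addresses, not real payees.

```python
# Added example (not from the ASEC post): detect a ClipBanker-style
# replacement of a Bitcoin address between copy and paste.
import re

# Format check only (no checksum): legacy P2PKH/P2SH (starts with 1 or 3,
# Base58 alphabet) or Bech32 (bc1 followed by the Bech32 alphabet).
BTC_ADDRESS_RX = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"
)

# Threat actor wallet addresses as reported in the ASEC post.
KNOWN_ACTOR_WALLETS = {
    "bc1qpkgejqerp74g23m7zhjkuj6e9c3656tsppqlku",
    "16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75",
}


def looks_like_btc_address(text):
    """True if `text` has the shape of a Bitcoin address."""
    return bool(BTC_ADDRESS_RX.match(text.strip()))


def check_clipboard_swap(copied, clipboard_now):
    """Compare the address the user copied with the clipboard's current
    content, as read back just before pasting into a transaction.
    Returns 'not_an_address', 'ok', 'swapped_known_actor', 'swapped'
    or 'changed' (clipboard no longer holds an address at all)."""
    copied, now = copied.strip(), clipboard_now.strip()
    if not looks_like_btc_address(copied):
        return "not_an_address"
    if now == copied:
        return "ok"
    if now in KNOWN_ACTOR_WALLETS:
        return "swapped_known_actor"  # matches an address from this campaign
    if looks_like_btc_address(now):
        return "swapped"  # an address, but not the one the user copied
    return "changed"


if __name__ == "__main__":
    # Sample address from Bitcoin documentation, used here as the intended payee.
    intended = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    print(check_clipboard_swap(intended, intended))
    print(check_clipboard_swap(intended, "16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75"))
```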

4. Conclusion

A system that is exposed to external threats will be continually targeted. The main attack methods against Windows systems are brute force and dictionary attacks against RDP services protected by weak account credentials. In particular, most threat actors deploying ransomware such as Crysis, Venus, GlobeImposter, and MedusaLocker use RDP as the initial attack vector.

Users can disable RDP when it is not in use to reduce the number of attack attempts. If RDP must be used, it is advised to set a complex account password and change it periodically to prevent brute force and dictionary attacks. Also, V3 should be updated to the latest version so that malware infections can be prevented.

File Detection
– Ransomware/Win.Generic.C5463415 (2023.08.01.00)

Behavior Detection
Execution/MDP.Decoy.M1171

IOC
MD5
– 1a5dd79047766bd09c27f0336dd22142

Reference

  • Extensions targeted for encryption: “.myd”, “.ndf”, “.qry”, “.sdb”, “.sdf”, “.lzo”, “.dat”, “.settings”, “.doc”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.odt”, “.jpg”, “.mka”, “.mhtml”, “.oqy”, “.png”, “.csv”, “.py”, “.sql”, “.indd”, “.cs”, “.mp3”, “.mp4”, “.dwg”, “.zip”, “.rar”, “.mov”, “.rtf”, “.bmp”, “.mkv”, “.avi”, “.apk”, “.lnk”, “.dib”, “.dic”, “.dif”, “.mdb”, “.php”, “.asp”, “.aspx”, “.html”, “.htm”, “.xml”, “.psd”, “.pdf”, “.xla”, “.cub”, “.dae”, “.divx”, “.iso”, “.7zip”, “.pdb”, “.ico”, “.pas”, “.db”, “.wmv”, “.swf”, “.cer”, “.bak”, “.backup”, “.accdb”, “.bay”, “.p7c”, “.exif”, “.vss”, “.raw”, “.m4a”, “.wma”, “.ace”, “.arj”, “.bz2”, “.cab”, “.gzip”, “.lzh”, “.tar”, “.jpeg”, “.xz”, “.mpeg”, “.torrent”, “.mpg”, “.core”, “.flv”, “.js”, “.ini”, “.m1v”, “.inc”, “.cvs”, “.tbi”, “.amv”, “.bk”, “.onepkg”, “.json”, “.uxdc”, “.udl”, “.accda”, “.accdc”, “.accdw”, “.ai3”, “.ai4”, “.ai5”, “.ai6”, “.ai7”, “.ai8”, “.ascx”, “.asmx”, “.avs”, “.cfm”, “.dcm”, “.pict”, “.rgbe”, “.dwt”, “.f4v”, “.exr”, “.mda”, “.mde”, “.mdw”, “.mht”, “.mpv”, “.geo”, “.swift”, “.oft”, “.pls”, “.tab”, “.svgz”, “.tar.gz”, “.dmg”, “.psb”, “.rss”, “.key”, “.epsp”, “.dc3”, “.iff”, “.xsd”, “.xsf”, “.xsl”, “.kmz”, “.dacpac”, “.zipx”, “.z”, “.tar.xz”, “.pam”, “.ova”, “.c”, “.xhtml”, “.ckp”, “.dbt”, “.dbv”, “.mwb”, “.txz”, “.wmf”, “.wim”, “.xtp2”, “.xsn”, “.avchd”, “.webm”, “.yuv”, “.rmvb”, “.viv”, “.mp2”, “.mpe”, “.svi”, “.mxf”, “.roq”, “.nsv”, “0.123”, “.1c”, “.1cd”, “.3dm”, “.3ds”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “0.602”, “.7z”, “._ms”, “.aac”, “.ab4”, “.abd”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.adi”, “.adp”, “.adr”, “.ads”, “.aes”, “.afi”, “.agdl”, “.ai”, “.aiff”, “.aii”, “.air”, “.ais”, “.ait”, “.aiv”, “.al”, “.alg”, “.allet”, “.ams”, “.aocla”, “.aoi”, “.apj”, “.arc”, “.arch00”, “.arm”, “.art”, “.arw”, “.arz”, “.asc”, “.asf”, “.asm”, “.asset”, “.asx”, “.avhdx”, “.awg”, “.backupdb”, “.bank”, “.bar”, “.bat”, “.bc6”, “.bc7”, “.bck”, “.bco”, “.bdb”, “.bgt”, “.big”, “.bik”, 
“.bin”, “.bkf”, “.bkp”, “.bkup”, “.blend”, “.blob”, “.bpn”, “.bpw”, “.brd”, “.bsa”, “.bsm”, “.bxl”, “.c”, “.cad”, “.cam”, “.cas”, “.cbk”, “.cbu”, “.cdf”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cel”, “.cert”, “.cf”, “.cfg”, “.cfr”, “.cgi”, “.cgm”, “.chg”, “.cib”, “.ckt”, “.class”, “.classpath”, “.cls”, “.cmd”, “.cmt”, “.cnf”, “.con”, “.config”, “.contact”, “.cpa”, “.cpi”, “.cpp”, “.cpr”, “.cr2”, “.craw”, “.crt”, “.crw”, “.cs”, “.csa”, “.csh”, “.cshtml”, “.csl”, “.csr”, “.css”, “.ctl”, “.cwz”, “.d”, “.d3dbsp”, “.dac”, “.das”, “.data”, “.dazip”, “.db0”, “.db3”, “.db5”, “.db_journal”, “.dba”, “.dbc”, “.dbf”, “.dbs”, “.dbx”, “.dc2”, “.dch”, “.dcr”, “.dcs”, “.ddb”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.der”, “.des”, “.desc”, “.design”, “.dft”, “.dgc”, “.dip”, “.dit”, “.djvu”, “.dmp”, “.dng”, “.doc”, “.docb”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.dra”, “.drf”, “.drl”, “.dru”, “.drw”, “.dsn”, “.dsnwrk”, “.dt”, “.dtd”, “.dxb”, “.dxf”, “.dxg”, “.e”, “.ecf”, “.edb”, “.edf”, “.elt”, “.eml”, “.emz”, “.epk”, “.eps”, “.erbsql”, “.erf”, “.esm”, “.ewprj”, “.exf”, “.fdb”, “.ff”, “.ffd”, “.fff”, “.fh”, “.fhd”, “.fla”, “.flac”, “.flf”, “.flp”, “.flvv”, “.fods”, “.fodt”, “.forge”, “.fos”, “.fp7”, “.fpd”, “.fpk”, “.fpx”, “.frm”, “.fsh”, “.fxg”, “.g1”, “.g2”, “.g3”, “.g4”, “.gbk”, “.gbl”, “.gbo”, “.gbp”, “.gbr”, “.gbs”, “.gbx”, “.gdb”, “.gho”, “.gif”, “.gko”, “.gml”, “.gp”, “.gp1”, “.gp2”, “.gp3”, “.gp4”, “.gpb”, “.gpg”, “.gpt”, “.gray”, “.grb”, “.grey”, “.groups”, “.gry”, “.gtl”, “.gto”, “.gtp”, “.gts”, “.gwk”, “.gz”, “.h”, “.hbk”, “.hdd”, “.hkdb”, “.hkx”, “.hplg”, “.hpp”, “.hvpl”, “.hwp”, “.ibank”, “.ibd”, “.ibz”, “.icxs”, “.idb”, “.idc”, “.iif”, “.iiq”, “.incpas”, “.info”, “.ip”, “.ink”, “.ipc”, “.ism”, “.itdb”, “.itl”, “.itm”, “.iwd”, “.iwi”, “.ix”, “.jar”, “.java”, “.jnt”, “.jpe”, “.jrl”, “.js”, “.jsp”, “.kc2”, “.kdb”, “.kdbx”, “.kdc”, “.kf”, “.kicad”, “.kpdx”, “.kwm”, “.laccdb”, “.lay”, “.lay6”, “.layout”, “.lbf”, “.lbr”, “.lc”, “.lck”, 
“.ldb”, “.ldf”, “.lg”, “.lgc”, “.lia”, “.lib”, “.libprj”, “.license”, “.licz”, “.lit”, “.litemod”, “.llx”, “.lmc”, “.log”, “.lrf”, “.ltx”, “.lua”, “.lvl”, “.lyt”, “.lzma”, “.m”, “.m2”, “.m2ts”, “.m3u”, “.m4p”, “.m4u”, “.m4v”, “.map”, “.mapimail”, “.max”, “.mbx”, “.mcmeta”, “.md”, “.mdbackup”, “.mdc”, “.mddata”, “.mdf”, “.mef”, “.menu”, “.mfw”, “.mid”, “.mlb”, “.mlx”, “.mml”, “.mmw”, “.mny”, “.moneywell”, “.mos”, “.mpeg”, “.mpqge”, “.mrg”, “.mrw”, “.mrwref”, “.msg”, “.mst”, “.mts”, “.myi”, “.mysql”, “.mysqli”, “.nbd”, “.nc”, “.ncf”, “.nd”, “.ndd”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.ntl”, “.nvram”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.obk”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.oeb”, “.ogg”, “.oil”, “.olb”, “.one”, “.onetoc2”, “.opj”, “.opt”, “.ora”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p”, “.p12”, “.p7b”, “.pab”, “.pad”, “.pages”, “.pak”, “.paq”, “.par”, “.pat”, “.pbd”, “.pc”, “.pcb”, “.pcbdoc”, “.pcd”, “.pct”, “.pdblib”, “.pdd”, “.pef”, “.pem”, “.pfx”, “.phj”, “.phl”, “.pho”, “.pif”, “.pkpass”, “.pl”, “.plc”, “.plus_muhd”, “.pot”, “.potm”, “.potx”, “.ppam”, “.ppc”, “.pps”, “.ppsm”, “.ppsx”, “.pptm”, “.prj”, “.prjcor”, “.prjemb”, “.prjpcb”, “.pro”, “.project”, “.prt”, “.ps”, “.ps1”, “.psafe3”, “.psc”, “.psk”, “.psm”, “.pspimage”, “.pst”, “.pt”, “.ptx”, “.pwm”, “.py”, “.q99”, “.qb1”, “.qba”, “.qbb”, “.qbk”, “.qbm”, “.qbmb”, “.qbmd”, “.qbquery”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.qcow”, “.qcow2”, “.qdf”, “.qed”, “.qfd”, “.qfx”, “.qic”, “.qif”, “.qmd”, “.quicken”, “.quicken2015backup”, “.quicken2016backup”, “.quicken2017backup”, “.qw5”, “.r3d”, “.raf”, “.rat”, “.rb”, “.rdb”, “.re4”, “.reu”, “.rgss3a”, “.rim”, “.rm”, “.rofl”, “.rou”, “.rul”, “.rvt”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.safe”, “.sal”, “.sas7bdat”, “.sav”, “.save”, “.say”, “.sb”, “.sbn”, “.sbx”, “.sch”, “.schdoc”, “.schlib”, “.sd0”, “.sda”, “.sh”, “.shp”, “.shx”, “.sid”, “.sidd”, “.sidn”, “.sie”, 
“.sis”, “.sl2”, “.sl3”, “.sldm”, “.sldx”, “.slk”, “.slm”, “.sln”, “.snt”, “.snx”, “.spp”, “.sqb”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.sqr”, “.sr2”, “.srf”, “.srt”, “.srw”, “.ssq”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.stc”, “.std”, “.sti”, “.stm”, “.stp”, “.stw”, “.stx”, “.sum”, “.suo”, “.svg”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxm”, “.sxw”, “.syncdb”, “.t12”, “.t13”, “.tax”, “.tbk”, “.tcf”, “.tex”, “.tga”, “.tgz”, “.thm”, “.tib”, “.tif”, “.tiff”, “.tlg”, “.tmd”, “.tmp”, “.tor”, “.trn”, “.ub”, “.uop”, “.uot”, “.upk”, “.vb”, “.vbk”, “.vbm”, “.vbox”, “.vbs”, “.vcd”, “.vcf”, “.vdf”, “.vdi”, “.vfs0”, “.vhd”, “.vhdx”, “.vib”, “.vlb”, “.vmdk”, “.vmem”, “.vmsd”, “.vmx”, “.vmxf”, “.vob”, “.vom”, “.vpk”, “.vpp_pc”, “.vsd”, “.vsdx”, “.vtf”, “.w3x”, “.wab”, “.wad”, “.wallet”, “.wav”, “.wb2”, “.wbk”, “.wdb”, “.wk1”, “.wks”, “.wmo”, “.wotreplay”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xf”, “.xg3”, “.xgo”, “.xis”, “.xlam”, “.xlc”, “.xlk”, “.xlm”, “.xlr”, “.xls”, “.xlsb”, “.xlsm”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.xps”, “.xslt”, “.xxx”, “.yb2”, “.ycbcra”, “.ydk”, “.zpd”, “.ztmp”, “.webp”, “.jrxml”, “.jasper”, “.xmlx”, “.vsvnbak”, “.tmpl”, “.mat”, “.mxd”, “.ccm”, “.3mxb”, “.asv”, “.pth”, “.fig”, “.prx”, “.ezx”, “.ezd”, “.alr”, “.rdx”, “.seg”, “.v00”, “.v01”, “.v02”, “.dta”, “.pcap”, “.uassct”, “.sc”, “.mscz”, “.tsv”, “.yaml”, “.gitignore”, “.npy”, “.h5”, “.hdf5”
  • Terminated processes: “sqlwriter”, “sqbcoreservice”, “VirtualBoxVM”, “sqlagent”, “sqlbrowser”, “sqlservr”, “code”, “steam”, “zoolz”, “agntsvc”, “firefoxconfig”, “infopath”, “synctime”, “VBoxSVC”, “tbirdconfig”, “thebat”, “thebat64”, “isqlplussvc”, “mydesktopservice”, “mysqld”, “ocssd”, “onenote”, “mspub”, “mydesktopqos”, “CNTAoSMgr”, “Ntrtscan”, “vmplayer”, “oracle”, “outlook”, “powerpnt”, “wps”, “xfssvccon”, “ProcessHacker”, “dbeng50”, “dbsnmp”, “encsvc”, “excel”, “tmlisten”, “PccNTMon”, “mysqld-nt”, “mysqld-opt”, “ocautoupds”, “ocomm”, “msaccess”, “msftesql”, “thunderbird”, “visio”, “winword”, “wordpad”, “mbamtray”
  • Terminated Services: “BackupExecAgentBrowser”, “veeam”, “VeeamDeploymentSvc”, “PDVFSService”, “BackupExecVSSProvider”, “BackupExecAgentAccelerator”, “vss”, “sql”, “svc$”, “AcrSch2Svc”, “AcronisAgent”, “Veeam.EndPoint.Service”, “CASAD2DWebSvc”, “CAARCUpdateSvc”, “YooIT”, “memtas”, “sophos”, “veeam”, “DefWatch”, “ccEvtMgr”, “SavRoam”, “RTVscan”, “QBFCService”, “Intuit.QuickBooks.FCS”, “YooBackup”, “BackupExecAgentBrowser”, “BackupExecRPCService”, “MSSQLSERVER”, “backup”, “GxVss”, “GxBlr”, “GxFWD”, “GxCVD”, “GxCIMgr”, “VeeamNFSSvc”, “BackupExecDiveciMediaService”, “SQLBrowser”, “SQLAgent$VEEAMSQL2008R2”, “SQLAgent$VEEAMSQL2012”, “VeeamDeploymentService”, “BackupExecJobEngine”, “Veeam.EndPoint.Tray”, “BackupExecManagementService”, “SQLAgent$SQL_2008”, “BackupExecRPCService”, “zhudongfangyu”, “sophos”, “stc_raw_agent”, “VSNAPVSS”, “QBCFMonitorService”, “VeeamTransportSvc”


Source: https://asec.ahnlab.com/en/56010/