StorageCrypt ransomware, a coinminer and more

Lawrence over at Bleeping Computer posted an interesting blog yesterday:
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out quite some users had issues with a new ransomware, dubbed StorageCrypt, and possibly spread via a worm.

There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.


Windows artifacts

美女与野兽.exe is the Windows component, and as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'.

This executable is packed with ASPack, and appears to to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

1.vbpSMSS.EXEhttp://www.freewebs.com/kelly6666/sm.txthttp://www.freewebs.com/kelly6666/lo.txtDBST32NT.LOG.bak.exeV1.8Start Success.logyyyymmddmmssTxt Open ,Repair the application! is running, Repair the application from backup. is running, Repair the application from MySelf. running is running, update the application !Get V Data!Read Tname to memory.icoKill icoExtractIcons...Write to Tname...ip addr addedGetFolderFileDate...Replace all attrib.I m here!-->Insert Error : for .dll.dll  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShellexplorer.exe UserinitHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows9xPacksHKEY_CLASSES_ROOT\txtfile\shell\open\command NOTEPAD.EXE %1HKEY_HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAErrorC:\boot_net.datC:\dosnal.exeFind all exe file from Local host*.exeDownload files is accomplish!Run files of download is success![autorun]Download files1 is accomplish!Run files1 of download is success!This program cannot be run in DOS mode.This program must be run under Win32Autorun.infsuccess.txtcmd.exe /C net view command.exe /C net view  to find to Create file.exeopen=.exeGet Local host IP: Rnd IP:DiskC:\dntboot.binip packet too_bigip unload

Whatever was hosted at www.freewebs[.]com, cannot be retrieved as it no longer exists.

In any case, binaries similar as to this one, appear to have been floating the web for quite a while, as can be observed in this analysis result from 2013 by Team Cymru's TotalHash.

I've uploaded the unpacked sample on Hybrid Analysis.


Linux artifacts

The Linux component appears to exist out of a Samba vulnerability, dubbed SambaCry, and assigned CVE-2017-7494 from earlier this year.

There are several components, which are listed in the table below.

Filename	Hash	Purpose
kJn8LUAZ.so	6b5b4fce04f36101c04c0c5b3f7935ea	Downloads ‘sambacry’
ZbdofxPY.so	053bb22c2cedf5aa5a089bfd2acd31f6	Downloads ‘sambacry’
sambacry	ffe17e314f7b1306b8badec03c36ccb4	Fetch other payloads
httpd1	a5e8cb2e7b84081f5b1f2867f2d26e81	Miner config
minerd32	a016b34ade18626f91d14e46588d6483	Coinminer
watchcat32	ac9ad6bc8cd8118eaeb204c2ebf95441	Watchdog

The 'sambacry' binary will, after one of the .so files has downloaded it, download a set of other files from the C2 server, which is 45.76.102[.]45.

These files are to support the coin mining and, alongside installed, is also what appears to be a watchdog, which monitors the miner process. Additionally, it runs the following in a loop:

while true do  

 ps -ef|grep -E "wget|curl"|grep -v $$|grep -v 45.76.102.45|awk '{print $2}'|xargs kill -9 

done

Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:

{
        "url" : "stratum+tcp://xmr.pool.minergate.com:45560",
        "user" : "madhatterss@protonmail.com",
        "pass" : "x",
        "algo" : "cryptonight"
}

While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.

If you run a Samba server, patch immediately, as this vulnerability has already been reported in April.

Indicators

Rick and Morty episode? Nope, another CoinMiner

Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in filesize) is of our interest and, what you'll notice first is of course the file extension - it's an executable Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'.

Inside the other file however, another executable, is another self-extracting and password-protected archive, sometimes referred to as 'SFX' with inside ... More archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:

Figure 3 - Passwords, and cryptominer pool (click to enlarge)

The line of interest is as follows, in where the IP points to a US server:

START "{1}" /B /WAIT /LOW "%ALLUSERSPROFILE%\{1}\{1}.exe" -o 173.44.42.189:8080 -u off.x -p off.x -k --nicehash -o us-east.cryptonight-hub.miningpoolhub.com:17024 -u off.y -p off.y -k -v 0 --donate-level 1 -B

Basically, this is yet another cryptominer or coinminer. This one is rather interesting, for several reasons. If you'd like to know more, feel free to have a play around with the files, they are included as IOCs at the end of this post.



Disinfection

If you've been hit by this, then...:

• Navigate to C:\ProgramData or %ALLUSERSPROFILE%
• Search for a folder with random names. If you don't see any, you may want to follow the instructions here. Delete said folder, if possible. If not possible:
• Open Task Manager, and search for any process with a random name. End the process and repeat step 1 to 2.
• Perform a scan with your installed antivirus product.
• Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.

You may also leave a comment should any difficulties arise.

Prevention

• Install an antivirus (free or not).
• Enable showing file extensions. This is hidden by default by Windows, and will enable you to see if that 'video' is indeed a video, or not. Guide here.
• Do not download any torrents or at least try to avoid those that are either suspicious-looking, or too good to be true.

Conclusion

Coinminers have been on the rise for a while now, and illegitimately use a person's machine for mining, which may additionally lead to an increased (and undesired) CPU usage.

While coinminers for now are relatively less dangerous than what's usually out there, for example banking trojans, it should not be underestimated - and the sample analysed in this post proves the point, as it employed some rather unique, or at least varied, techniques.

It is likely safe to assume that not only the malicious use of coinminers will increase, but also that other malware may jump aboard - attempting to maximize profits (or vice versa, a coinminer with added persistence or other malware on board). The latter has already been observed, for example, in AdylKuzz.

IOCs