The Matrix sequel! Not the movie, but a ransomware
Here we go again: 2017 has truly introduced itself with ransomware attacks. Security researchers from Malwarebytes have found that Matrix Ransomware has risen again and is now being distributed through the RIG exploit kit.
The Matrix Ransomware was first spotted in 2016 by Palo Alto Networks researchers; since then the malware had slowly faded from view until now.
The Matrix Ransomware exploits vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651). To become infected, a user only has to visit a website that serves malvertisements from a vulnerable machine; no further interaction is needed before the ransomware runs.
When a machine is infected with the latest
version of the Matrix Ransomware, the malware will encrypt all the files on the
user’s computer, change the file names, and add the .pyongyan001@yahoo.com
extension to the file name.
The ransomware then leaves ransom notes named “#_#WhatWrongWithMyFiles#_#.rtf” alongside the encrypted files. Finally, it presents a ransom screen that explains what has happened to the files.
Matrix Ransomware Uses Malicious Shortcuts to Spread to Other Computers
Matrix Ransomware also includes a worm feature that allows it to spread to and infect other machines through folder shortcuts. It hides a folder, places a shortcut carrying the folder's name where the folder used to be, and saves a copy of the ransomware executable as desktop.ini inside the original, now hidden, folder.
Notice how the Documents and Downloads folders now show a shortcut symbol. If you open the properties of one of these shortcuts, you will see that it attempts to launch a program.
The full command of this infected shortcut is: %SystemRoot%\system32\cmd.exe /C explorer.exe "Documents" & type "Documents\desktop.ini" > "%TEMP%\OSw4Ptym.exe" && "%TEMP%\OSw4Ptym.exe"
Using the above example, when a user tries to open the Documents folder, the following steps are executed:
- Use explorer.exe to launch the hidden Documents folder so that
the user can see their files as normal and everything appears to be
working correctly.
- Copy the Documents folder's desktop.ini file, which is
actually the ransomware executable, to %Temp%\OSw4Ptym.exe.
- Execute the %Temp%\OSw4Ptym.exe file.
- Matrix will now infect the new computer, or if it’s running on
an already infected computer, check for new files to encrypt.
This method allows Matrix to spread to new computers via both network shares and removable drives.
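The shortcut trick above leaves three artifacts a defender can hunt for on a share or removable drive: a desktop.ini that is really a PE executable, a .lnk whose command references both cmd.exe and desktop.ini, and a .lnk sitting beside a folder of the same name. The script below is an added example, not code from the original post or from Malwarebytes. Its .lnk check is a byte-level heuristic (ASCII and UTF-16LE string search), not a parser for the Shell Link format, and the sample tree it builds is constructed, not a real infection.

```python
"""Hunt for the folder-shortcut worm artifacts described above.

Added example, not from the original post. It walks a directory tree and flags:
  1. a desktop.ini that starts with an MZ header (a PE executable, not an INI file)
  2. a .lnk whose embedded command names both cmd.exe and desktop.ini
  3. a .lnk whose name matches a sibling folder (the folder replaced by a shortcut)
"""
import os
import tempfile
from pathlib import Path

# Strings the page's shortcut command contains; both must appear for check 2.
SUSPICIOUS_TOKENS = (b"cmd.exe", b"desktop.ini")
# The command line quoted on the page, used here only to build the constructed sample .lnk.
SHORTCUT_CMD = r'%SystemRoot%\system32\cmd.exe /C explorer.exe "Documents" & type "Documents\desktop.ini" > "%TEMP%\OSw4Ptym.exe" && "%TEMP%\OSw4Ptym.exe"'


def _has_token(data: bytes, token: bytes) -> bool:
    """Case-insensitive search for token as ASCII or as UTF-16LE (LNK strings use either)."""
    low = data.lower()
    return token in low or token.decode("ascii").encode("utf-16-le") in low


def scan_tree(root: str) -> list:
    """Return one finding dict per suspicious artifact found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames)
        for name in filenames:
            path = Path(dirpath) / name
            data = path.read_bytes()[:65536]  # headers and link strings sit near the start
            lname = name.lower()
            if lname == "desktop.ini" and data[:2] == b"MZ":
                findings.append({"path": str(path), "reason": "desktop.ini is a PE executable"})
            if lname.endswith(".lnk"):
                if all(_has_token(data, t) for t in SUSPICIOUS_TOKENS):
                    findings.append({"path": str(path), "reason": "shortcut runs cmd.exe against desktop.ini"})
                if path.stem in siblings:
                    findings.append({"path": str(path), "reason": "shortcut shadows a folder of the same name"})
    return findings


def build_sample_tree() -> str:
    """Constructed tree: one infected-looking folder, one clean folder, one clean shortcut."""
    root = tempfile.mkdtemp(prefix="matrix_hunt_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Constructed stand-in for the dropped executable: MZ header followed by filler.
    (docs / "desktop.ini").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    # Constructed stand-in for the malicious shortcut: the page's command as UTF-16LE.
    (Path(root) / "Documents.lnk").write_bytes(SHORTCUT_CMD.encode("utf-16-le"))
    dl = Path(root) / "Downloads"
    dl.mkdir()
    (dl / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,4\n")
    (Path(root) / "Notes.lnk").write_bytes(r"C:\Windows\System32\notepad.exe".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["reason"], "->", f["path"])
```

Run it against the root of a share or a mounted USB drive instead of the sample tree; a clean tree produces no findings, while the constructed one reports the Documents folder on all three checks and leaves Downloads and the notepad shortcut alone.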
Matrix Ransomware Being Updated Frequently
We are also seeing that the Matrix Ransomware is being updated frequently. The first version was discovered around December 2016, followed by a new version on April 3rd, and then another on April 6th. Each of these versions has different characteristics, encrypted file extensions, email addresses, and ransom note filenames.
Version | Ransom note               | Encrypted file extension | Email address                                      | Worm functionality
------- | ------------------------- | ------------------------ | -------------------------------------------------- | ------------------
Ver 1   | matrix-readme.rtf         | .matrix                  | matrix9643@yahoo.com, redtablet9643@yahoo.com      | no
Ver 2   | Bl0cked-ReadMe.rtf        | .b10cked                 | bluetablet9643@yahoo.com, decodedecode@yandex.ru   | yes
Ver 3   | WhatHappenedWithFiles.rtf | None                     | redtablet9643@yahoo.com, decodedecode@tutanota.com | no
Additional Behavior and Decryption
While Matrix is running, it is very chatty with its Command & Control servers. At each stage of the encryption process, Matrix connects back to the C2 server and reports how far along it is. Like Spora, Matrix also uploads a list of file extensions and the number of files per extension that were encrypted. It is not known whether Matrix changes its ransom demand based on the types of files reported.
Last but not least, Matrix performs the following behavior on the infected computer:
- Deletes Shadow Volume Copies so that the victim cannot use them to recover files.
- Executes bcdedit.exe /set {default} recoveryenabled no in order to prevent the victim from booting into recovery mode.
- Executes bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures to further prevent access to recovery options.
- Uses both an RTF ransom note and an HTA file ransom note.
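The shadow-copy deletion and the two bcdedit commands listed above are the classic pre-encryption tampering sequence, and they are cheap to alert on from process-creation telemetry. The detector below is an added example, not code from the original post or from Malwarebytes. It runs over a constructed, simplified process-creation log; the vssadmin and wmic forms of shadow-copy deletion are an assumption, since the post does not say which command Matrix uses for that step. Two or more distinct rules fired by the same parent process inside a short window is treated as the high-severity pattern, so a lone administrator running one bcdedit command is reported but not escalated.

```python
"""Detect the recovery-tampering commands Matrix runs before encrypting.

Added example, not from the original post. The page names bcdedit
"recoveryenabled no", bcdedit "bootstatuspolicy ignoreallfailures" and the
deletion of Shadow Volume Copies; the vssadmin/wmic forms of that deletion
are an assumption. Log lines are a constructed, simplified process-creation format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failure_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Constructed sample log: '<ts> host=<name> ppid=<parent pid> cmd="<command line>"'
SAMPLE_LOG = r'''
2017-04-06T10:14:50Z host=WS01 ppid=500 cmd="bcdedit.exe /enum"
2017-04-06T10:15:02Z host=WS01 ppid=3988 cmd="vssadmin.exe Delete Shadows /All /Quiet"
2017-04-06T10:15:03Z host=WS01 ppid=3988 cmd="bcdedit.exe /set {default} recoveryenabled no"
2017-04-06T10:15:03Z host=WS01 ppid=3988 cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2017-04-06T10:15:09Z host=WS01 ppid=3988 cmd="notepad.exe C:\Users\alice\notes.txt"
2017-04-06T11:02:41Z host=WS02 ppid=1200 cmd="bcdedit.exe /set {default} recoveryenabled no"
'''.strip().splitlines()

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) cmd="(?P<cmd>.*)"$')


def match_rules(cmd: str) -> list:
    """Return the distinct rule names whose pattern matches the command line."""
    cmd = " ".join(cmd.split())  # collapse whitespace so padded spacing cannot dodge \s+
    return sorted({name for name, pat in RULES if pat.search(cmd)})


def parse_line(line: str):
    """Parse one constructed log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "ppid": int(m["ppid"]), "cmd": m["cmd"]}


def detect(lines, window: timedelta = timedelta(minutes=5)) -> list:
    """Group rule hits by (host, parent pid). Two or more distinct rules from the
    same parent inside `window` is the pre-encryption pattern: severity high."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmd"]):
            hits[(rec["host"], rec["ppid"])].append((rec["ts"], rule))
    alerts = []
    for (host, ppid), events in sorted(hits.items()):
        events.sort()
        rules = sorted({r for _, r in events})
        span = events[-1][0] - events[0][0]
        severity = "high" if len(rules) >= 2 and span <= window else "low"
        alerts.append({"host": host, "ppid": ppid, "rules": rules, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying on the parent process rather than the host is what separates the ransomware pattern from routine administration: Matrix spawns all three commands from one process in seconds, whereas an administrator's single bcdedit change from a console shows up as a low-severity hit worth a glance but not an incident.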
The RTF version for the latest variant can be seen below.
Files associated with the Matrix Ransomware:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
%UserProfile%\AppData\Roaming\[victim_id].pek
%UserProfile%\AppData\Roaming\[victim_id].sek
%UserProfile%\AppData\Roaming\errlog.txt
%UserProfile%\AppData\Roaming\[random].cmd
%UserProfile%\AppData\Roaming\[random].afn
%UserProfile%\AppData\Roaming\[random].ast
%UserProfile%\AppData\Roaming\[random].hta
matrix-readme.rtf
Bl0cked-ReadMe.rtf
WhatHappenedWithFiles.rtf
Hashes:
SHA256: 467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
Network Communication:
stat3.s76.r53.com.ua/addrecord.php
stat3.s76.r53.com.ua/uploadextlist.php