RaaS, or Ransomware as a Service, gives threat actors who lack the skills to write their own malware the ability to infect victims' computers with ransomware through a service, holding the victims' files hostage for Bitcoin payments. One of the latest RaaS offerings is Satan, a ransomware variant that is easily accessible on a hidden website when browsing with the Tor Browser. The website allows anyone to create a ransomware sample; in return, the service takes a cut of the ransom proceeds from the victims' payments.
Builder
The Tor hidden service allows anyone to create a Satan loader sample after registering for a free account. The front page encourages visitors to register an account, create a new virus and download it. Although the site handles building the initial ransomware loader, it is up to the RaaS user to distribute the malware. Bitcoin payments made by victims are credited to the RaaS user's account, and the service takes a thirty percent cut for facilitating the crime. The website requires the user to solve a CAPTCHA for every form submission as a precaution against automated web vulnerability scanners. Below is a screenshot of the front page that explains how the service functions:
Dropper
Although the RaaS requires its users to distribute the malware themselves, it also provides a dropper service to assist with the initial infection. By using a dropper, malware actors can bypass antivirus email scanners: they send malicious CHM (Compiled HTML Help) or Office documents that download the ransomware loader once they are opened by a victim who takes the attachment to be legitimate. The dropper service includes helper scripts, pictured below, that encrypt the ransomware loader with a static XOR key, which further evades detection if the system is only looking for executables in network traffic. The RaaS user enters a URL where they host the encrypted loader; the generated droppers then download the file from that URL, decrypt it and execute the loader.
Once this information is entered, the user can copy and paste either a CHM dropper or a malicious DOC macro. Although these scripts are not obfuscated, they still have relatively low AV detection. Per the instructions provided by the dropper service, the CHM generator produces an HTML file which is then compiled to a CHM file using the chmProcessor application, pictured below. The generated HTML spawns a command shell and runs PowerShell to download, decrypt and execute the ransomware payload. When we tested this dropper method in the lab, the compiled CHM file was detected by only one of the fifty-four scanning engines on VirusTotal. It would appear that script obfuscation is not required for these initial droppers to bypass antivirus defenses.
Loader Analysis
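A static XOR key is a weak protection for an analyst who has captured the encrypted loader off the wire: the first bytes of any PE are predictable, so the key can be derived as known plaintext. The script below is an added example, not code from the original post or from the Satan service. The post only states that the helper scripts apply a static XOR key; the repeating-key layout, the MSVC-style DOS stub used as known plaintext, the `build_sample_pe` stand-in and the demo key are all assumptions made for this example.

```python
# Added example, not code from the original post or from the Satan service:
# recover a static, repeating XOR key from a captured second-stage blob by
# treating the PE header as known plaintext. The key length, the MSVC-style
# DOS stub and the sample loader bytes below are assumptions of this example.
from itertools import cycle
from typing import List, Optional

# Known plaintext 1: the first 16 bytes of a typical MSVC-linked PE
# (e_magic "MZ" followed by the standard e_cblp..e_maxalloc DOS header values).
PE_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")
# Known plaintext 2: the DOS stub message the Microsoft linker places at 0x4E.
DOS_STUB_OFFSET = 0x4E
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def _merge_known(blob: bytes, known: bytes, offset: int, key: List[Optional[int]]) -> bool:
    """Fill key positions from a known-plaintext run; False if it contradicts earlier bytes."""
    key_len = len(key)
    for i, plain in enumerate(known):
        pos = (offset + i) % key_len
        k = blob[offset + i] ^ plain
        if key[pos] is None:
            key[pos] = k
        elif key[pos] != k:
            return False
    return True


def recover_xor_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Return the shortest repeating key consistent with both known-plaintext runs."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_TEXT):
        return None
    for key_len in range(1, max_key_len + 1):
        key: List[Optional[int]] = [None] * key_len
        if not _merge_known(blob, PE_DOS_HEADER, 0, key):
            continue
        if not _merge_known(blob, DOS_STUB_TEXT, DOS_STUB_OFFSET, key):
            continue
        if all(k is not None for k in key):
            return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decryption: MZ magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed stand-in for a loader executable (not a real Satan sample)."""
    pe = bytearray(PE_DOS_HEADER)
    pe += b"\xb8\x00\x00\x00" + b"\x00" * 40             # rest of the DOS header, zeroed
    pe += (0x80).to_bytes(4, "little")                    # e_lfanew at 0x3C -> PE header at 0x80
    pe += bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")   # 14-byte DOS stub code at 0x40
    pe += DOS_STUB_TEXT + b"\r\r\n$"                      # stub message at 0x4E
    pe += b"\x00" * (0x80 - len(pe))                      # pad up to the PE header
    pe += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58      # signature, i386 machine type, filler
    return bytes(pe)


def recover_and_decrypt(blob: bytes) -> Optional[bytes]:
    """Full pipeline: recover the key, decrypt, and return the PE only if it validates."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    # Constructed scenario: the dropper author encrypted the loader with this static key.
    demo_key = b"\x5c\xa3\x17\xf0\x09\x6e"
    captured = xor_bytes(build_sample_pe(), demo_key)
    print("recovered key:", recover_xor_key(captured).hex())
    print("valid PE after decrypt:", recover_and_decrypt(captured) is not None)
```

Two known-plaintext runs are used rather than one because a single 16-byte run can only pin down keys of up to 16 bytes; the 39-byte stub message at 0x4E covers longer keys and also cross-checks the candidate length, so a key that is a multiple of a shorter period is rejected. The same approach applies to any static single-layer XOR wrapper, not just the one the dropper service ships.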
The Satan RaaS malware employs a number of anti-analysis techniques to prevent automated or manual analysis of a sample. A review of the malware (MD5: b70622bf5192b5a254932451814cc4a1, version 1.0.0.13) shows roughly twenty different checks that must pass before the malware continues running and unpacks its payload. Cylance has already published a good analysis that covers the majority of these techniques, so this report does not review all of them in detail.
- Calls BlockInput to block user interaction with the system
- Checks for known AVG modules
- Checks for known debugger windows using FindWindow
- Checks for a kernel debugger
- Checks for an attached debugger by calling IsDebuggerPresent and CheckRemoteDebuggerPresent
- Checks for blacklisted analysis modules by calling GetModuleHandle
- Checks for blacklisted analysis processes by calling FindWindow
- Checks whether kernel32.dll exports wine_get_unix_file_name to detect Wine
- Calls NtClose and CloseHandle with invalid handles as an anti-debugging method (under a debugger, closing an invalid handle raises an exception)
- Registers a vectored exception handler (VEH) and executes int 3 as an anti-debugging method (an attached debugger consumes the breakpoint, so the handler never runs)
- Hooking check
- Debugger check using a handle to csrss.exe
- Installs a top-level exception handler and triggers it with a divide-by-zero exception as an anti-debugging technique
- Checks the OS version to determine whether the sample should run (no XP support)
- Calls NtQueryInformationProcess
- Checks for hardware breakpoints (debug registers)
- Checks that the filename does not include a blacklisted term
- Checks that the username does not contain a blacklisted term
- Checks that the path does not contain a blacklisted term
See also the following open-source tools, which implement the same classes of checks:
- al-khaser – "PoC malware with good intentions that aims to stress your anti-malware system."
- Pafish – "A demonstration tool that employs several techniques to detect sandboxes and virtualization environments."
Payload
After the anti-analysis checks are passed, the sample spawns a child process of itself and uses process hollowing to write the unpacked executable into the spawned process. This follows the standard process hollowing technique:
- Open a suspended process by calling CreateProcess() with the CREATE_SUSPENDED flag
- Call NtUnmapViewOfSection to unmap the virtual address space
- Call VirtualAllocEx (the cross-process form of VirtualAlloc) to re-allocate memory in the launched process
- Call NtWriteVirtualMemory to write the embedded data
- Call SetThreadContext and ResumeThread to execute the injected code
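The five-step sequence above is also what a detection needs to look for: a parent that creates a child suspended and then writes memory, sets the thread context and resumes it. The following is an added example, not the post's own code, showing that logic run over a constructed API-trace excerpt. The trace line format (a timestamp followed by key=value fields), the pids and the `detect_hollowing` function name are assumptions of this example and do not describe any particular sandbox's output.

```python
# Added example, not the post's own code: detection logic for the process
# hollowing sequence described above, run over a constructed API-trace excerpt.
# The trace line format (timestamp plus key=value fields) is an assumption of
# this example, not the output of any particular sandbox, and the pids are made up.
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004

# Map the APIs (Win32 and native forms) onto the abstract steps of the technique.
STEP_OF = {
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "VirtualAllocEx": "alloc", "NtAllocateVirtualMemory": "alloc",
    "NtWriteVirtualMemory": "write", "WriteProcessMemory": "write",
    "SetThreadContext": "set_context", "NtSetContextThread": "set_context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
# Steps that must all be present, in this order, before we call it hollowing.
# unmap and alloc corroborate but are optional: a loader can overwrite the
# original image in place without unmapping it first.
REQUIRED = ["create_suspended", "write", "set_context", "resume"]


def parse_line(line: str) -> Dict[str, str]:
    """'12:00:01.001 pid=1000 api=CreateProcessW flags=0x4 child=2468' -> dict."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for tok in fields[1:]:
        k, _, v = tok.partition("=")
        rec[k] = v
    return rec


def detect_hollowing(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (parent, child) pair that completes the sequence."""
    # (parent pid, child pid) -> ordered list of abstract steps seen so far
    pending: Dict[Tuple[int, int], List[str]] = {}
    findings: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        pid, api = int(rec["pid"]), rec["api"]
        if api.startswith("CreateProcess") and "child" in rec:
            flags = int(rec.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED:
                pending[(pid, int(rec["child"]))] = ["create_suspended"]
            continue
        step = STEP_OF.get(api)
        if step is None or "target" not in rec:
            continue
        key = (pid, int(rec["target"]))
        if key not in pending:
            continue  # writes to a process this pid did not create suspended: not hollowing
        steps = pending[key]
        steps.append(step)
        if step == "resume":
            # every required step must be present, and their first occurrences in order
            idx = [steps.index(s) for s in REQUIRED if s in steps]
            if len(idx) == len(REQUIRED) and idx == sorted(idx):
                findings.append({"ts": rec["ts"], "parent": pid,
                                 "child": key[1], "steps": list(steps)})
            del pending[key]  # once resumed, the child cannot be hollowed this way again
    return findings


# Constructed trace: pid 1000 hollows its child 2468; pid 3000 merely creates a
# child suspended and resumes it; pid 4000 writes to 2468 but did not create it.
SAMPLE_TRACE = """\
12:00:01.001 pid=1000 api=CreateProcessW flags=0x00000004 child=2468
12:00:01.002 pid=3000 api=CreateProcessW flags=0x00000004 child=3100
12:00:01.003 pid=1000 api=NtUnmapViewOfSection target=2468
12:00:01.004 pid=1000 api=VirtualAllocEx target=2468
12:00:01.005 pid=1000 api=NtWriteVirtualMemory target=2468
12:00:01.006 pid=1000 api=NtWriteVirtualMemory target=2468
12:00:01.007 pid=3000 api=ResumeThread target=3100
12:00:01.008 pid=1000 api=SetThreadContext target=2468
12:00:01.009 pid=1000 api=ResumeThread target=2468
12:00:01.010 pid=4000 api=WriteProcessMemory target=2468
"""

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE.splitlines()):
        print(finding)
```

The state is keyed on the (parent, child) pair and only opened by a CREATE_SUSPENDED launch, which keeps debuggers and installers that create suspended children and simply resume them out of the results, and keeps a third process writing into the child from being mistaken for the hollowing parent. A write plus SetThreadContext without the suspended create is a different injection pattern and deliberately does not match here.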
Conclusion
We can see that the custom loader used by the ransomware continues to evolve as the author(s) add and remove functionality. Because the ransomware uses a custom loader, the loader itself can be used to identify and cluster samples. This is uncommon for most malware, so we would expect actors using this service to add another stage in front of the execution chain:
- Stage 1 (generic packer) -> Stage 2 (custom loader) -> Stage 3 (payload)
- The infection vectors observed use obfuscated versions of the provided .chm and macro droppers, or custom scripts written for the infection.
- The service is being used in low-volume campaigns targeting primarily home users.
- Prospective operators must share profits (30%) with the original author(s) and trust that they will receive their cut of the ransom from their targets.
- Prospective operators also need to trust the site operators.
Reference
AVG Modules
- avghookx.dll
- avghooka.dll
Debugger Windows
- OLLYDBG
- WinDbgFrameClass
- Zeta Debugger
- Rock Debugger
- ObsidianGUI
Blacklisted Modules
- SbieDll.dll
- dbghelp.dll
- snxhk.dll
- api_log.dll
- dir_watch.dll
- vmcheck.dll
- wpespy.dll
- pstorec.dll
Blacklisted Processes
- ollydbg.exe
- ProcessHacker.exe
- tcpview.exe
- autoruns.exe
- autorunsc.exe
- filemon.exe
- Procmon.exe
- Procexp.exe
- idaq.exe
- idaq64.exe
- ImmunityDebugger.exe
- WireShark.exe
- dumpcap.exe
- HookExplorer.exe
- ImportRec.exe
- PeTools.exe
- LordPE.exe
- SysInspector.exe
- Proc_analyzer.exe
- sysAnalyzer.exe
- sniff_hit.exe
- windbg.exe
- joeboxcontrol.exe
- joeboxserver.exe
- sample.exe
- c:\InsideTM
Username Blacklist
- SANDBOX
- VIRUS
- MALWARE
- MALTEST
- TEQUILABOOMBOOM
Directory Blacklist
- SAMPLE
- VIRUS
- SANDBOX