Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the war in Ukraine. Source: Security Affairs.
Overview
BlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (RaaS) family, and tracked its lineage to its likely beta stage release. Like so many other strains of ransomware, LokiLocker encrypts your files and will render your machine unusable if you don't pay up in time. However, like its namesake god Loki, this threat appears to have a few subtle tricks up its sleeve, not least a possible "false flag" tactic that points the finger at Iranian threat actors.
In Norse mythology, Loki was the consummate trickster who had the ability to shapeshift at will. One of many hot-headed fire gods, Loki was an enemy to the other gods themselves, often entering their banquets uninvited and demanding their food and drink. LokiLocker is similarly insistent on acquiring that to which it has no legitimate claim.
LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows® PCs; the threat was first seen in the wild in mid-August 2021. It should not be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. It shares some similarities with the LockBit ransomware (registry values, ransom note filename), but it doesn't seem to be its direct descendant.
Like the god it's named after, LokiLocker enters the victim's life uninvited and starts looking for assets to purloin. The threat then encrypts their files, and demands they pay a monetary ransom to restore access. The malware is written in .NET and protected with NETGuard (modified ConfuserEX) using an additional virtualization plugin called KoiVM. KoiVM used to be a licensed commercial protector for .NET applications, but around 2018, its code was open-sourced (or possibly leaked), and it's now publicly available on GitHub. Although Koi seems to be popular with hacking tools and cracks, we haven't seen a lot of other malware using it so far.
Loki the Destroyer
LokiLocker encrypts the victim's files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection. It then asks the victim to email the attackers to obtain instructions on how to pay the ransom.
LokiLocker also boasts an optional wiper functionality: if the victim doesn't pay up within the timeframe specified by the attacker, all non-system files will be deleted and the MBR overwritten, wiping all the victim's files and rendering the system unusable. With a single stroke, everyone loses.
LokiLocker works as a limited-access Ransomware-as-a-Service scheme that appears to be sold to a relatively small number of carefully vetted affiliates behind closed doors. Each affiliate is identified by a specific username and is assigned a unique chat-ID number. There are currently about 30 different "VIP" affiliates across the LokiLocker samples that BlackBerry researchers have found in the wild.
One of the earliest samples of this ransomware was initially distributed inside Trojanized brute-checker hacking tools such as:
- PayPal BruteChecker
- Spotify BruteChecker
- PiaVPN Brute Checker By ACTEAM
- FPSN Checker by Angeal (Cracked by MR_Liosion)
Brute-checkers are tools used to automate validation of stolen accounts, and gain access to other accounts, via a technique called credential stuffing. It's possible that the LokiLocker version distributed with these hacking tools constituted some sort of beta testing phase before the malware was offered to a wider range of affiliates.
The victims we've observed seem to be scattered around the world (which isn't surprising, given that different affiliates might have different targeting patterns), with the main concentration in Eastern Europe and Asia.
Although we've been unable to reliably assess exactly where the LokiLocker RaaS originates, it's worth mentioning that all the embedded debugging strings are in English, and, unlike the majority of malware originating from Russia and China, the language is largely free of errors and misspellings.
Also, perhaps more interestingly, some of the cracking tools used to distribute the very first samples of LokiLocker seem to be developed by an Iranian cracking team called AccountCrack. Moreover, at least three of the known LokiLocker affiliates use unique usernames that can be found on Iranian hacking channels. It's not entirely clear whether this means they truly originate from Iran, or that the real threat actors are trying to cast the blame on Iranian attackers.
Diving into LokiLocker
To inspect the C# code, we must first open the binary in dnSpy to decompile it. We can see the original filename of "svchost.exe," and a reference to NETGuard/KoiVM v0.2.0-custom, as seen in Figure 1.
Figure 1 – KoiVM obfuscator version
When we inspect the namespace, we're immediately confronted with two labelled classes, "Koi" and "NETGuard," as well as numerous classes with obfuscated function names. These function names are all prefixed with multiples of the letter "Z," as seen in Figure 2. This holds true for the other namespaces as well.
Figure 2 – Koi, NETGuard and obfuscated class names
KoiVM, as the name suggests, is a virtual machine (VM) designed to work on ConfuserEx, a C# obfuscator. The virtualization works as a more difficult form of obfuscation. As described in the documentation for KoiVM, this is done by "turning the .NET opcodes into new ones that only are understood by our machine."
Typically, vanilla implementations of KoiVM can be devirtualized using a tool named OldRod, which was developed specifically to defeat KoiVM virtualization and make the decompiled code more comprehensible to the human eye. However, it's trivial to modify KoiVM so that OldRod cannot find specific signatures or required data. And unless you modify the tool itself to handle these modifications, the result is an unsuccessful attempt at devirtualization.
With the sample analyzed by BlackBerry researchers, OldRod fails, as there is no #Koi stream listed in the stream headers of the .NET metadata root (reached via the COR20 header), which brings us back to square one.
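The quickest way to confirm that a protected binary has had its #Koi stream stripped, before spending time on OldRod, is to read the stream headers of the .NET metadata root directly. The following Python script is an added example (not code from the BlackBerry write-up or from OldRod) that parses the ECMA-335 metadata root layout from raw bytes, so it works on a file or a memory dump without a PE library. The two blobs at the bottom are constructed for the example, not taken from a LokiLocker sample, and the "BSJB" scan is a heuristic stand-in for walking IMAGE_COR20_HEADER.MetaData, which is exactly the header a protector may have wiped.

```python
"""Enumerate the streams of a .NET metadata root ("BSJB" blob) from raw bytes.

Added example, not BlackBerry's or OldRod's code. Layout per ECMA-335 II.24.2.
The sample blobs at the bottom are constructed here, not from a real sample.
"""
import struct

METADATA_SIGNATURE = 0x424A5342  # bytes "BSJB" when packed little-endian


def find_metadata_root(data: bytes) -> int:
    """Offset of the first BSJB signature, or -1 (heuristic scan, see above)."""
    return data.find(b"BSJB")


def parse_stream_headers(data: bytes, root: int) -> dict:
    """Return {stream_name: (offset, size)} for the metadata root at `root`.

    Offsets are relative to the root, as stored in the file format.
    """
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", data, root)
    if sig != METADATA_SIGNATURE:
        raise ValueError("no BSJB signature at offset %d" % root)
    pos = root + 16 + ver_len  # ver_len already includes the NUL and 4-byte padding
    _flags, n_streams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", data, pos)
        pos += 8
        end = data.index(b"\x00", pos)
        streams[data[pos:end].decode("ascii")] = (offset, size)
        # NUL-terminated name, padded to the next 4-byte boundary relative to the root
        pos = root + (((end + 1 - root) + 3) & ~3)
    return streams


def has_koi_stream(data: bytes) -> bool:
    """True when a '#Koi' stream is listed, i.e. the stock KoiVM layout OldRod expects."""
    root = find_metadata_root(data)
    return root >= 0 and "#Koi" in parse_stream_headers(data, root)


def build_metadata_root(stream_names, version=b"v4.0.30319") -> bytes:
    """Construct a minimal metadata root (dummy offsets/sizes) for testing."""
    ver = version + b"\x00"
    ver += b"\x00" * ((4 - len(ver) % 4) % 4)
    out = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    out += struct.pack("<HH", 0, len(stream_names))
    offset = 0x100
    for name in stream_names:
        out += struct.pack("<II", offset, 0x40)
        encoded = name.encode("ascii") + b"\x00"
        out += encoded + b"\x00" * ((4 - len(encoded) % 4) % 4)
        offset += 0x40
    return out


# Constructed samples: 32 bytes of stand-in PE data followed by a metadata root.
STOCK_KOI = b"MZ" + b"\x00" * 30 + build_metadata_root(
    ["#~", "#Strings", "#US", "#GUID", "#Blob", "#Koi"])
STRIPPED = b"MZ" + b"\x00" * 30 + build_metadata_root(
    ["#~", "#Strings", "#US", "#GUID", "#Blob"])

if __name__ == "__main__":
    for label, blob in (("stock KoiVM", STOCK_KOI), ("LokiLocker-style", STRIPPED)):
        root = find_metadata_root(blob)
        print(label, sorted(parse_stream_headers(blob, root)), "#Koi:", has_koi_stream(blob))
```

Run it against the real sample's bytes instead of the constructed blobs; an absent #Koi entry means the VM data lives somewhere OldRod's stock signatures will not find it, and the manual route below is the way forward.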
It's important to note the presence of several namespaces of interest, particularly those beginning with "Loki," such as those pictured in Figure 3. If we inspect the code contained within the classes, we can see that there's a problem (for now!): they're either empty, or dnSpy threw an error when decompiling them.
Figure 3 – Loki functions – empty or unable to be decompiled
Loki.Pinvoke contains the class ZZZZX (as seen in Figure 4), which itself contains wrappers to various Windows APIs. Calling one of these wrappers will import the DLL and the required function. This has the added benefit of removing any direct calls to the Windows API. For example, any call to Kernel32.dll's FindNextFile need only call the C# function ZZZZZf.
Figure 4 – WinAPI wrappers
Also of note is the "affiliate config," which contains several configuration options that we'll explore in greater detail further on.
Figure 5 – Loki config
Now that we've looked at some key features of the binary, it's time to get our hands dirty and dig deeper into this ransomware.
Unpacking
While OldRod couldn't devirtualize the binary for us, all is not yet lost. With a bit of elbow grease and debugging magic, we can still work our way through the binary the old-fashioned way. We found that dnSpy fails to place a breakpoint on the entry point or process creation, and that by navigating to the main namespace's constructor (.cctor) we could breakpoint the initial call to the Koi() function and step in, leading us to Figure 6 below.
Figure 6 – KoiVM virtualized functions
There are 324 calls to functions within the Koi() class. However, many are repeated and are presumably setting up the VM environment. Of the calls we're interested in, only three are important: the first, the penultimate, and the last.
First Unpacking Function
The first function fetches the module base address and proceeds to decode a section of itself in-memory, through a series of convoluted XORs and variable assignments. Once this is done, VirtualProtect is called with PAGE_EXECUTE_READWRITE permissions.
A final loop then decodes more data into the same location that had its permissions changed. The overall purpose of this first function appears to be to decode some additional decoding functions for later use.
Second (Last) Unpacking Function
Initially, a large byte array is defined within a global variable, as seen in Figure 7, where each byte is XOR'd against its position in the byte array. Once this operation has completed, the resulting data is decompressed using GZIP.
Figure 7 – ByteArray definition, XOR decoding, GZip decompression
This data is then used to populate the functions that were previously empty or unable to be decompiled, which we saw initially within the "Loki.*" classes shown in Figure 3.
This Isn't Even My Final Form Function!
While the important functions have now been decoded and resolved, there's one final step to be taken before execution is handed into Loki's core. This function destroys the executable, to evade scanning solutions through several distinct means.
Similar to the first function, the address of the module in-memory is retrieved. From there, several operations take place, such as the overwriting of two strings in the Import Descriptor Table, _CorExeMain and mscoree.dll, with NtContinue and ntdll.dll respectively. Once this has been completed, the function changes the permissions of the PE Section Table Header and the COR20 MetaData Table Headers. It does this so it can overwrite these headers with null bytes. Figure 8 below shows a snippet of this function for reference.
Figure 8 – IDT manipulation & overwriting of headers
Once this function completes, the binary then jumps to the beginning of the main function of the LokiLocker core, as shown in Figure 9, below.
Now that we've finished unpacking the sample, let's look at the core functionality of LokiLocker.
Functionality
Debug Logging
LokiLocker can be executed with a –log parameter, which will save a detailed, verbose log of the infection in "<malware_execution_path>\logs.txt."
Figure 9 – Relabelled "main" function with "–log" execution parameter
While the core sample is still obfuscated to a certain extent, the presence of these highly descriptive debugging strings makes this laborious analysis a little bit easier.
Persistence
Upon execution, the malware copies itself to "%ProgramData%\winlogon.exe," sets its attributes to hidden and system, and creates a mutex called "LokiLocker."
It achieves persistence in several ways:
- By creating a scheduled task to execute the malware binary on each logon:
schtasks /CREATE /SC ONLOGON /TN Loki /TR %ProgramData%\winlogon.exe /RU SYSTEM /RL HIGHEST /F
- By adding the following value to the Software\Microsoft\Windows\CurrentVersion\Run key under both HKCU and HKLM:
"Michael Gillespie" = %ProgramData%\winlogon.exe
- By copying the malware executable to the Common Startup folder
Michael Gillespie, cited in the example above, is the name of a well-known anti-ransomware researcher, who is very active on Twitter and the Bleeping Computer forums. It's not the first time malware writers have given a "shout-out" to security researchers like this, but it's a rare occurrence. Another similar example was Maze ransomware, which used the name of another well-known anti-ransomware researcher as its "killswitch" file name.
Preparation
Before the encryption process begins, the malware performs the following actions:
- Reads its configuration; default config options are hard-coded in the binary's Config class, but they can be overridden by values read from the config file
- If a config file called loki.txt exists, it copies it to %ProgramData%\config.Loki and reads the config values from there
- Displays a fake Windows Update screen, if configured to do so
- Kills specified processes
- Stops specified services
- Disables Windows Task Manager, if configured to do so, and drops a wvtymcow.bat file with the following contents to the Startup folder:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Deletes system backup and shadow copies
- Disables Windows Error Recovery
- Disables the built-in firewall
- Removes system restore points
- Empties the Recycle Bin
- Disables Windows Defender
- Changes the user login note (as seen in Figures 10 and 11)
Figure 10 – Code to change the user login note
Figure 11 – LokiLocker's user login note
- Changes the original equipment manufacturer (OEM) information in the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation (as seen in Figure 12)
Figure 12 – Code that changes OEM information
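The persistence and preparation artifacts in the two sections above are concrete enough to check for directly. The Python script below is an added triage example (ours, not BlackBerry's tooling or the malware's code): it looks for the %ProgramData%\winlogon.exe copy, config.Loki, the "Loki" logon task, the "Michael Gillespie" Run value, wvtymcow.bat in a Startup folder, the DisableTaskMgr policy and the LokiLocker mutex. The checks run over a plain snapshot dict so they can be tested offline; snapshot_live() is our assumption about where to collect those values on a live Windows host. The legalnoticecaption/legalnoticetext policy values used to spot the changed login note are the standard Windows mechanism and are assumed here, since the write-up does not name the registry value it modifies. Both sample snapshots are constructed.

```python
"""Triage a Windows host for the LokiLocker persistence and preparation artifacts
listed above. Added example, not BlackBerry's tooling. The login-note value names
(legalnoticecaption/legalnoticetext) are an assumption; the snapshots are constructed.
"""
import os
import subprocess
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
OEM_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation"
PD = os.environ.get("ProgramData", r"C:\ProgramData")


def triage(snap: dict) -> list:
    """(severity, description) findings. Snapshot keys: files (lower-case paths),
    tasks {name: command}, run_values {"HKCU"/"HKLM": {name: data}}, policies
    {name: data} (HKCU+HKLM Policies\\System merged), oem {name: data}, mutexes."""
    f, files, pd = [], set(snap.get("files", ())), PD.lower()
    if pd + r"\winlogon.exe" in files:
        f.append(("high", "winlogon.exe copy in %ProgramData% (the real one is in System32)"))
    if pd + r"\config.loki" in files:
        f.append(("high", "config.Loki runtime config dropped in %ProgramData%"))
    f += [("high", "DisableTaskMgr dropper in Startup: " + p) for p in sorted(files) if p.endswith(r"\wvtymcow.bat")]
    for name, cmd in snap.get("tasks", {}).items():
        if name.lower() == "loki" or ("winlogon.exe" in cmd.lower() and "system32" not in cmd.lower()):
            f.append(("high", "logon task %s -> %s" % (name, cmd)))
    for hive, values in snap.get("run_values", {}).items():
        for vname, data in values.items():
            if vname == "Michael Gillespie" or r"programdata\winlogon.exe" in str(data).lower():
                f.append(("high", r"%s\%s value %r = %r" % (hive, RUN_KEY, vname, data)))
    pol = snap.get("policies", {})
    if pol.get("DisableTaskMgr") == 1:
        f.append(("medium", "Task Manager disabled via DisableTaskMgr policy"))
    f += [("medium", "login note set: %s=%r" % (k, pol[k])) for k in ("legalnoticecaption", "legalnoticetext") if pol.get(k)]
    if snap.get("oem"):
        f.append(("info", "OEMInformation values present, compare with the build image: %r" % snap["oem"]))
    if "LokiLocker" in snap.get("mutexes", ()):
        f.append(("high", "LokiLocker mutex present (malware running)"))
    return f


def _reg_values(hive, subkey) -> dict:
    """All values under hive\\subkey as {name: data}; {} if absent (Windows only)."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(key, i)
                out[name] = data
    except OSError:
        pass
    return out


def snapshot_live() -> dict:
    """Collect the snapshot from this host (Windows only; collection points are assumed)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import ctypes, winreg
    startup = [os.path.join(PD, r"Microsoft\Windows\Start Menu\Programs\StartUp"),
               os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup")]
    paths = [os.path.join(PD, "winlogon.exe"), os.path.join(PD, "config.Loki")] + [os.path.join(d, "wvtymcow.bat") for d in startup]
    snap = {"files": {p.lower() for p in paths if os.path.exists(p)}, "tasks": {}, "run_values": {}, "policies": {}, "mutexes": set()}
    q = subprocess.run(["schtasks", "/Query", "/TN", "Loki", "/XML"], capture_output=True, text=True)
    if q.returncode == 0:
        snap["tasks"]["Loki"] = q.stdout
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        snap["run_values"][name] = _reg_values(hive, RUN_KEY)
        snap["policies"].update(_reg_values(hive, POLICY_KEY))
    snap["oem"] = _reg_values(winreg.HKEY_LOCAL_MACHINE, OEM_KEY)
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, "LokiLocker")  # SYNCHRONIZE is enough to probe
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        snap["mutexes"].add("LokiLocker")
    return snap


INFECTED = {  # constructed
    "files": {PD.lower() + r"\winlogon.exe", PD.lower() + r"\config.loki",
              PD.lower() + r"\microsoft\windows\start menu\programs\startup\wvtymcow.bat"},
    "tasks": {"Loki": r"%ProgramData%\winlogon.exe"},
    "run_values": {"HKCU": {"Michael Gillespie": r"C:\ProgramData\winlogon.exe"},
                   "HKLM": {"Michael Gillespie": r"C:\ProgramData\winlogon.exe", "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"}},
    "policies": {"DisableTaskMgr": 1, "legalnoticecaption": "(made-up caption)"},
    "oem": {"Manufacturer": "(made-up)"}, "mutexes": {"LokiLocker"},
}
CLEAN = {  # constructed
    "files": {PD.lower() + r"\microsoft\windows\start menu\programs\startup\desktop.ini"},
    "tasks": {"OneDrive Reporting Task": r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    "run_values": {"HKCU": {"OneDrive": r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}, "HKLM": {}},
    "policies": {}, "oem": {"Manufacturer": "Contoso"}, "mutexes": set(),
}

if __name__ == "__main__":
    for sev, what in triage(INFECTED):
        print(sev.upper(), what)
```

On a live host, run triage(snapshot_live()) from an elevated prompt; the HKLM Run value and the SYSTEM-level task are not visible to a standard user.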
Network Communication
The malware sends a beacon containing the following information in a POST request to the index.php script hosted on the command-and-control (C2) server, as seen in Figure 13. The C2's URL is hard-coded in the binary's config and is set to loki-locker[.]one. The "user" and "chat-id" fields are hard-coded, while the other information is generated based on the victim's system properties:
- unique-id=<volume_serial_number>
- disk-size=<size_of_main_drive>
- user=<hardcoded_affiliate_username>
- cpu-name=<cpu>
- ram-size=<physical_memory>
- os-name=<name_of_operating_system>
- chat-id=<hardcoded_number>
Figure 13 – Part of network communication code (POST to index.php)
The URL resolves to 91[.]223[.]82[.]6. The user-agent used in all communication is Loki/1.0.
As a response from the C2, the malware expects an obfuscated public key in the form of a JSON object. The response buffer can have a maximum size of 0x100000 (1048576 bytes).
“message_id” : [int]
}
The malware also communicates with the "tg.php" script on the same server, as seen in Figure 15, which seems to be the API endpoint for status updates from the bot. It's mainly used to inform the C2 about the progress of the encryption process. The following parameters can be passed to the script:
- unique_id
- action
- msg-id
- chat-id
- status
- elapsed-time
The resulting request looks like this:
Figure 14 – LokiLocker's POST request
Figure 15 – Part of network communication code (POST to tg.php)
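The beacon and status-update shapes above are specific enough to detect even when an affiliate moves to a new domain. The following Python script is an added example (ours, not BlackBerry's code) of that detection logic run over proxy log lines: it fires on the Loki/1.0 user-agent, the known host and IP, the seven-field registration POST to index.php, and the status POST to tg.php. The log line format, and the four sample lines, are constructed for this example; LINE_RE is the part to adapt to a real proxy's format.

```python
"""Flag LokiLocker C2 traffic in HTTP proxy logs.

Added example, not BlackBerry's code. The log line format and the sample lines
are constructed for this example; adapt LINE_RE to your proxy's format.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"loki-locker.one"}
C2_IPS = {"91.223.82.6"}
BEACON_FIELDS = {"unique-id", "disk-size", "user", "cpu-name", "ram-size", "os-name", "chat-id"}
STATUS_FIELDS = {"unique_id", "action", "chat-id"}  # msg-id, status, elapsed-time treated as optional

# Constructed format: <ts> <src_ip> <dst_ip> <METHOD> <url> ua="..." body="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$')


def classify(line: str) -> list:
    """Reasons a line looks like LokiLocker C2 traffic ([] when clean or unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if m["ua"] == "Loki/1.0":
        reasons.append("user-agent Loki/1.0")
    if host in C2_HOSTS:
        reasons.append("known C2 host " + host)
    if m["dst"] in C2_IPS:
        reasons.append("known C2 IP " + m["dst"])
    params = {k: v[0] for k, v in parse_qs(m["body"], keep_blank_values=True).items()}
    if m["method"] == "POST" and url.path.endswith("/index.php") and BEACON_FIELDS.issubset(params):
        reasons.append("registration beacon affiliate=%s chat-id=%s" % (params["user"], params["chat-id"]))
    if m["method"] == "POST" and url.path.endswith("/tg.php") and STATUS_FIELDS.issubset(params):
        reasons.append("status update action=%s status=%s" % (params["action"], params.get("status", "?")))
    return reasons


def scan(lines) -> list:
    """(line, reasons) for every line that triggers at least one indicator."""
    return [(ln, r) for ln in lines if (r := classify(ln))]


# Constructed sample lines: a benign request, a registration beacon, a status
# update to a new host that only the body shape catches, and a UA-only hit.
SAMPLE_LOG = [
    '2022-03-08T09:12:01Z 10.1.2.3 142.250.74.46 GET https://www.google.com/ ua="Mozilla/5.0" body=""',
    '2022-03-08T09:15:44Z 10.1.2.3 91.223.82.6 POST http://loki-locker.one/index.php ua="Loki/1.0" '
    'body="unique-id=1A2B3C4D&disk-size=512105932800&user=darkwave&cpu-name=Intel+Core+i5'
    '&ram-size=17179869184&os-name=Windows+10+Pro&chat-id=1234"',
    '2022-03-08T09:31:09Z 10.1.2.3 203.0.113.10 POST http://example.invalid/tg.php ua="Mozilla/5.0" '
    'body="unique_id=1A2B3C4D&action=encrypt&msg-id=7&chat-id=1234&status=done&elapsed-time=931"',
    '2022-03-08T09:40:00Z 10.1.2.3 203.0.113.10 GET http://example.invalid/x.gif ua="Loki/1.0" body=""',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line.split(" ", 1)[0], "->", "; ".join(reasons))
```

The affiliate name and chat-id pulled out of a registration beacon are worth recording: they tie the infection to one of the roughly 30 affiliates described earlier, which matters when the same affiliate shows up in a second environment.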
Encryption
The malware creates an RSA-2048 key pair for the victim, encrypts it with the attacker's public RSA key, and then saves it to the registry.
The malware creates the key HKCU\Software\Loki and the following values:
- Public – contains the victim's public RSA key in XML format, which is then obfuscated with XOR 0x11.
<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>
- Full – contains the victim's full key pair, encrypted with the attacker's public key. A base64-encoded copy is also saved to the file "cpriv.Loki" in each drive's root directory and in the user's special directories.
<RSAKeyValue><Modulus>modulus</Modulus><Exponent>public_exponent</Exponent><P>prime_1</P><Q>prime_2</Q><DP>exponent_1</DP><DQ>exponent_2</DQ><InverseQ>coefficient</InverseQ><D>private_exponent</D></RSAKeyValue>
- Timer – a date-time value, which is the ransom expiration date in the format yyyy,MM,dd,HH,mm,ss, encoded with XOR 0x54. This is the exact time after which the malware will wipe the drives by deleting all non-system files and overwriting the MBR. The default date is 30 days after the initial malware execution date, but this can be modified via the config file.
Similar registry entries are used by versions of LockBit ransomware.
There are five different RSA public keys stored in the malware binary, though the attackers can supply another public key via the C2. Since the C2 server is the same for all affiliates, this suggests that the RaaS owners left themselves the option to send in their own public key to secure the victim's private key, meaning they would be able to decrypt files from all their affiliates' victims.
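For an incident responder the HKCU\Software\Loki values above are the first thing to pull, because the Timer value says how long the host has before the wiper fires. The Python script below is an added example (ours, not BlackBerry's code) that decodes the Public value (XOR 0x11, then .NET RSAKeyValue XML) and the Timer value (XOR 0x54, then yyyy,MM,dd,HH,mm,ss) and reports the time remaining. It assumes both values are read back as the raw bytes of the obfuscated string, since the write-up does not state the registry value type; the sample values are constructed by applying the same XOR to made-up content, and the modulus is a stand-in number, not a real RSA modulus.

```python
"""Decode the HKCU\\Software\\Loki registry values left by LokiLocker.

Added example, not BlackBerry's code. Assumptions: values are the raw bytes of
the obfuscated strings; the samples are constructed (the modulus is not a real key).
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

PUBLIC_XOR = 0x11
TIMER_XOR = 0x54


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_public(value: bytes) -> dict:
    """Modulus, exponent and key size from the obfuscated RSAKeyValue XML."""
    root = ET.fromstring(xor_bytes(value, PUBLIC_XOR).decode("utf-8"))
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue blob; wrong XOR key?")
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return {"modulus": n, "exponent": e, "bits": n.bit_length()}


def decode_timer(value: bytes) -> datetime:
    """Wipe deadline as a naive datetime (local time of the infected host)."""
    parts = xor_bytes(value, TIMER_XOR).decode("ascii").split(",")
    if len(parts) != 6:
        raise ValueError("expected yyyy,MM,dd,HH,mm,ss")
    return datetime(*map(int, parts))


def seconds_until_wipe(timer_value: bytes, now_iso: str) -> float:
    """Seconds left before the wiper fires; negative means the deadline has passed."""
    return (decode_timer(timer_value) - datetime.fromisoformat(now_iso)).total_seconds()


def make_timer_value(first_run_iso: str, days: int = 30) -> bytes:
    """Forward transform used to build test data; 30 days is the default timeout."""
    deadline = datetime.fromisoformat(first_run_iso) + timedelta(days=days)
    return xor_bytes(deadline.strftime("%Y,%m,%d,%H,%M,%S").encode("ascii"), TIMER_XOR)


# Constructed samples.
FAKE_N = (1 << 2047) | 0x10001  # a 2048-bit number standing in for a modulus
FAKE_XML = "<RSAKeyValue><Modulus>%s</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>" % (
    base64.b64encode(FAKE_N.to_bytes(256, "big")).decode("ascii"))
SAMPLE_PUBLIC = xor_bytes(FAKE_XML.encode("ascii"), PUBLIC_XOR)
SAMPLE_TIMER = make_timer_value("2021-08-15T09:30:00")

if __name__ == "__main__":
    key = decode_public(SAMPLE_PUBLIC)
    print("victim key: %d bits, e=%d" % (key["bits"], key["exponent"]))
    print("wipe deadline:", decode_timer(SAMPLE_TIMER))
    print("seconds left:", seconds_until_wipe(SAMPLE_TIMER, "2021-09-01T12:00:00"))
```

Keep the Full value and every cpriv.Loki copy as well: the victim's private key is in there, wrapped with the attacker's public key, and it is the only thing a future decryptor could use.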
If configured to do so, the malware will scan the network for any available network shares. It will then begin the encryption process, starting with the following special folders in the local user's directory:
- Favorites
- Recent
- Desktop
- Personal
- MyPictures
- MyVideos
- MyMusic
LokiLocker then proceeds to create a separate thread for encrypting each of the local drives and/or network shares, depending on its configuration.
Each file is encrypted with AES-256 in GCM mode, using a randomly generated key; the key is then encrypted using the victim's public RSA key.
The encryption thread also performs the following actions:
- Changes the labels of all encrypted volumes to "Locked by Loki"
- Drops ransom notes into each encrypted folder
- Drops an HTA file called "info.Loki"
- Drops and executes a launcher for the HTA file using a random name in the %ProgramData% directory
- Changes the desktop wallpaper as shown in Figure 16
- Creates a thread that will instantly kill cmd.exe, taskmgr.exe and regedit.exe processes, if launched
- If configured to do so, shuts down the system after encryption
Figure 16 – LokiLocker desktop wallpaper
Wiper Functionality
If configured to do so, the malware will attempt to wipe the system if the ransom isn't paid within the specified time frame. As shown in Figure 18, it will delete files on all the victim's drives, except for the system files, and it will also try to overwrite the Master Boot Record (MBR) of the system drive to render the system unusable. It will then display the following message from the attackers after a reboot:
Figure 17 – LokiLocker's message shown after rebooting the wiped system
After overwriting the MBR, LokiLocker will try to crash the system by forcing a Blue Screen of Death (BSOD).
Figure 18 – LokiLocker's wiper code
Config
LokiLocker features several configurable sections. Most of the configurable information is hard-coded into the client binary during the building process, while some settings can be modified at runtime using a simple text file.
Besides the affiliate-related information and execution options, other fields that might be configurable during the building process are a list of commands to be executed through cmd.exe, and a list of processes and services the malware will attempt to kill. Across the samples we've seen, these fields have been consistent so far.
Affiliate Config
The main "affiliate" config section contains information such as the name of the affiliate, email addresses, C2 URL, readme file name and content, and the extension to be added to the encrypted files. It also has a chat ID number – presumably used to identify the victim when they reach out to the attackers – and a timeout value (in days) after which the malware will attempt to wipe the system.
The affiliate config is stored in the Loki.Config class and presumably embedded by the ransomware builder during the generation of a client binary.
- Email 1: "d4rkw4ve[at]tutanota[.]com"
- Email 2: "dark4wave[at]yandex[.]com"
- Campaign or Affiliate name: "darkwave"
- Chat ID: <redacted>
- Extension: ".Loki"
- Readme file name: "Restore-My-Files.txt"
- Ransom note: See Figure 21
- Wiper timeout: 30
- C2 URL: "loki-locker.one"
Execution Options
The Config class also stores the default values for additional execution options. These options can be modified through a simple text file that must be placed in the same folder as the ransomware binary.
Config option: description (default setting)
- update: Display fake Windows update screen (default: false)
- nostartup: Don't copy ransomware executable to startup (default: true)
- nons: Don't scan for / encrypt network shares (default: false)
- nocdrive: Don't encrypt the C drive (default: true)
- justns: Scan for / encrypt only network shares (default: false)
- nofuck: Don't wipe the system and the MBR (default: true)
- disabletask: Disable the Task Manager (default: false)
- clast: Encrypt the C drive last (default: false)
- full: Full encryption (default: false)
- norun: Exit the process (default: false)
- shutdown: Shut down the system after displaying the ransom note (default: false)
- Custom config file name: "loki.txt"
- Destination of config file: "config.Loki"
Executed Commands
netsh firewall set opmode mode=disable
netsh advfirewall set currentprofile state off
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin delete catalog -quiet
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
schtasks /CREATE /SC ONLOGON /TN Loki /TR %APPDATA%\winlogon.exe /RU SYSTEM /RL HIGHEST /F
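Each command in the list above turns up in legitimate administration now and then; the tell is several of them being spawned by one parent within seconds, before any encryption has started. The Python script below is an added example (ours, not BlackBerry's code) of that correlation over process-creation telemetry. Input is a list of events as plain dicts (timestamp in seconds, pid, ppid, command line), the shape you would project out of Sysmon Event ID 1 or Security 4688 records; the events themselves are constructed, with the ransomware modelled as running each command via cmd.exe /c as the write-up describes.

```python
"""Correlate the pre-encryption commands LokiLocker runs through cmd.exe.

Added example, not BlackBerry's code. Events are plain dicts (ts, pid, ppid,
cmdline) as you would project from Sysmon event 1 or Security 4688; the sample
events below are constructed.
"""
import re
from collections import defaultdict

RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+(firewall\s+set\s+opmode\s+mode=disable|advfirewall\s+set\s+\w+\s+state\s+off)\b", re.I)),
    ("system_logon_task",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+onlogon\b.*\s/ru\s+system\b", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def correlate(events, window_s: float = 120.0, min_categories: int = 2) -> list:
    """[(ppid, sorted categories, first_ts, last_ts)] for parents that spawn at
    least min_categories distinct rule hits within window_s seconds."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for cat in match_rules(ev["cmdline"]):
            hits[ev["ppid"]].append((ev["ts"], cat))
    alerts = []
    for ppid, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            in_window = [(t, c) for t, c in seq[i:] if t - t0 <= window_s]
            cats = {c for _, c in in_window}
            if len(cats) >= min_categories:
                alerts.append((ppid, sorted(cats), t0, max(t for t, _ in in_window)))
                break  # one alert per parent is enough
    return alerts


# Constructed events: pid 4242 is the ransomware (cmd.exe /c per command);
# pid 900 is an admin who legitimately pruned shadow copies once.
SAMPLE_EVENTS = [
    {"ts": 1000.0, "pid": 5001, "ppid": 4242, "cmdline": "cmd.exe /c netsh firewall set opmode mode=disable"},
    {"ts": 1000.5, "pid": 5002, "ppid": 4242, "cmdline": "cmd.exe /c netsh advfirewall set currentprofile state off"},
    {"ts": 1001.2, "pid": 5003, "ppid": 4242, "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": 1001.8, "pid": 5004, "ppid": 4242, "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"ts": 1002.3, "pid": 5005, "ppid": 4242, "cmdline": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"ts": 1002.9, "pid": 5006, "ppid": 4242, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": 1003.4, "pid": 5007, "ppid": 4242, "cmdline": "cmd.exe /c wmic shadowcopy delete"},
    {"ts": 1004.0, "pid": 5008, "ppid": 4242,
     "cmdline": r"cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Loki /TR %APPDATA%\winlogon.exe /RU SYSTEM /RL HIGHEST /F"},
    {"ts": 3600.0, "pid": 6001, "ppid": 900, "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"ts": 3601.0, "pid": 6002, "ppid": 900, "cmdline": "ping -n 1 backup01"},
]

if __name__ == "__main__":
    for ppid, cats, t0, t1 in correlate(SAMPLE_EVENTS):
        print("ALERT ppid=%d over %.1fs: %s" % (ppid, t1 - t0, ", ".join(cats)))
```

Two distinct categories inside two minutes is a deliberately low bar; in practice the shadow-copy and recovery-disable pair alone is worth an alert, since the encryption threads start right after.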
Processes and Services to Kill
Processes:
wxserver
wxserverview
sqlservr
ragui
supervise
culture
rtvscan
defwatch
winword
qbw32
qbdbmgr
qbupdate
qbcfmonitorservice
axlbridge
qbidpservice
httpd
fdlauncher
msdtsrvr
tomcat6
zhudongfangyu
vmware-usbarbitator64
vmware-converter
dbsrv12
msftesql
sqlagent
sqlbrowser
sqlwriter
oracle
ocssd
dbsnmp
synctime
agntsvc
mydesktopqos
isqlplussvc
xfssvccon
mydesktopservice
ocautoupds
agntsvc
agntsvc
agntsvc
encsvc
firefoxconfig
tbirdconfig
ocomm
mysqld
mysqld-nt
mysqld-opt
dbeng50
sqbcoreservice
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thebat64
thunderbird
visio
winword
wordpad
Services:
defwatch
ccevtmgr
ccsetmgr
savroam
sqlserv
sqlagent
sqladhlp
culserver
rtvscan
sqlbrowser
sqladhlp
qbidpservice
quickboooks.fcs
qbcfmonitorservice
sqlwriter
msmdsrv
tomcat6
zhundongfangyu
vmware-usbarbitator64
vmware-converter
dbsrv12
dbeng8
wrapper
mssqlserver
mssql$contoso1
msdtc
sqlserveragent
vds
List of Countries (to Skip?)
The malware defines an array of strings, which presumably contains a list of countries to exclude from encryption. In all the samples we've seen so far, this list contains only one entry – "Iran" – as seen in Figure 19. It seems that this functionality is not yet implemented, as there are no references to this array in the code. However, just like the references to Iranian attackers and hacking tools, it could just as well be a false flag meant to misdirect our attention.
Figure 19 – "Iran" string
Dropped Files
HTA file
Besides the plain text readme file, the malware also drops an HTA file similar to the one pictured in Figure 20, which displays an HTML formatted ransom note on the victim's desktop.
Figure 20 – Message displayed by the HTA file
All your files have been encrypted by Loki locker!
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, please send an email {EMAIL_1}
You have to pay for decryption in Bitcoin. The price depends on how fast you contact us.
After payment we will send you the decryption tool.
You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double.
In case of no answer in 24 hours (1 Day) write to this e-mail {EMAIL_2}
Your unique ID is : {UNIQUE_ID}
You only have LIMITED time to get back your files!
If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.
You will lose some of your data on day 2 in the timer.
You can buy more time for pay. Just email us.
THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files 🙂
What is our decryption guarantee?
Before paying you can send us up to 3 test files for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
Attention!
DO NOT pay any money before decrypting the test files.
DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps.
DO NOT reply to other emails. ONLY this two emails can help you.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Figure 21: Ransom text
The HTA code also displays a fake Windows Update box as shown in Figure 22, then executes a new ransomware process from "C:\ProgramData\winlogon.exe," and tries to access https[:]//picc[.]io/X8GRzsw.gif. The URL resolves to 3[.]64[.]163[.]50, but the content was no longer available at the time of writing.
Figure 22 – Part of HTA code
The HTA code creates a Google Tag Manager (gtag) data layer, as shown in Figure 23, to store some metadata:
Figure 23 – Use of gtag by the HTA code
HTA Launcher
LokiLocker drops a small binary that is used to display the message included in Figure 24, and to launch the "info.Loki" HTA file with the use of mshta.exe. The binary is compiled on the fly from embedded C# code using a C# compiler.
Figure 24 – HTA launcher code
This file and all other files in your computer are encrypted by Loki locker.
If you want to restore this file and rest of your files, Please send us message to this e-mail : <attackers_email>
Write this ID in the title of your message : <victim_id>
We will help you, in any steps.
In case of no answer in 24 hours, write us to this e-mail : <attackers_email_2>
Figure 25: MessageBox text
Network Scanner
We noted two forms of network scanning used in conjunction with LokiLocker. The first was a built-in network scanner, which can identify network shares in order to mount and encrypt them.
The threat actors distributing LokiLocker have also been observed using a network scanner utility called "NS" that they dropped into the victim's environment. The tool is a simple command line scanner that lists mounted and unmounted local drives and network shares, as shown in Figure 26.
Figure 26: NS.exe tool
NS.exe has been on VirusTotal since 2018, and it has been seen across several different ransomware campaigns: Dharma, Phobos, LockBit, REvil – to name just a few. There's not much intel around this tool, but it seems to be distributed on the dark web as part of or alongside many RaaS-based threats.
Conclusions
LokiLocker ransomware is adept at causing mayhem on the user's endpoints, and, like its namesake Norse god, can prove to be vengeful and destructive if not appeased with a (monetary) offering. LokiLocker's use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis. We haven't seen a lot of other threat actors using it yet, so this may be the start of a new trend.
The inclusion of the "Iran" code is also intriguing, as it's not entirely clear if or how that snippet was intended to be used. Typically, country lists are meant to exclude "friendly territories" from potential harm. But as this code doesn't seem to be used, it could be a ruse, included in hopes that researchers will pin the blame for LokiLocker's creation on Iran. There's also the fact that some of the earliest known LokiLocker affiliates go under usernames that can be found exclusively on Iranian hacking channels. Moreover, Iranian cracking tools were used to distribute the initial samples of this ransomware. These details further muddy the waters. With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag – and one can never be sure just how far down the rabbit hole the deception goes.
To protect against infections by LokiLocker and similar RaaS offerings, the best rule is to always have a backup copy of your data (or your company's data). This should be stored offline and unplugged, ideally, in case your backup drives get hit by LokiLocker and encrypted, too.
When downloading files, including new programs and software, take care to only download from trusted, official sites, rather than third-party or peer-to-peer (pirate) sites, which often harbor malicious files inside seemingly innocuous or "cracked" software. The same goes for email attachments – even attachments from trusted contacts should be treated with a healthy dose of caution (and ideally, scanned with an up-to-date antivirus program before opening).
At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker. If you're already infected with LokiLocker ransomware, the recommendation by most official security authorities – such as the FBI – is not to pay the ransom. Quite apart from the fact that every victim who pays the ransom perpetuates the global growth of ransomware, remember that you're dealing with criminals here, and there's no guarantee that you'll regain access to your data, even if you pay up. Finally, even if your data is restored, there's no way to know whether the threat actor planted a backdoor somewhere on your machine, for easy future access. After all, people who pay one ransom can often be persuaded to pay another.
When it comes to ransomware of all kinds, often the best thing we can do as defenders is to make every effort to stay one step ahead of the threat actors, even when the journey proves complex and arduous.
If you are a victim of ransomware:
Appendix
IOCs
Indicator | Type
--- | ---
Software\Loki\public | Reg value
Software\Loki\full | Reg value
Software\Loki\timer | Reg value
Software\Microsoft\CurrentVersion\Run\Michael Gillespie | Reg value
%ProgramData%\winlogon.exe | Executable
%ProgramData%\config.Loki | Config file
<malware_path>\loki.txt | Config file
<malware_path>\logs.txt | Log file
Restore-My-Files.txt | Readme file
Info.Loki | HTA file
Cpriv.Loki | Data file
Loki/1.0 | User Agent
.Loki | File extension
.Adair | File extension
.Boresh | File extension
.Rainman | File extension
.Spyro | File extension
|
Known Affiliate Names
Known Email Addresses