Meet ransomware Nemty from a fake PayPal site

A new Nemty ransomware has appeared on the network, which is supposedly the successor to GrandCrab or Buran. Malicious software is mainly distributed from a fake PayPal site and has a number of interesting features. Details about the operation of this ransomware - under the cut.







The new Nemty ransomware was discovered by user nao_sec on September 7, 2019. Malicious software was distributed through a site disguised as PayPal ; there is also the possibility of ransomware penetrating a computer through the exploit kit RIG. The attackers chose social engineering methods to force the user to run the cashback.exe file, which he allegedly receives from the PayPal website. It is also curious that Nemty specified the wrong port for the Tor local proxy service, which prevents malware from sending data to the server. Therefore, the user will have to upload encrypted files to the Tor network himself if he intends to pay the ransom and wait for decryption from the attackers.



A few interesting facts about Nemty suggest that it was developed by the same people or cyber criminals associated with Buran and GrandCrab.

• Like GandCrab, Nemty has an easter egg - a link to a photo of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware had an image with the same text.
• The language artifacts of both programs point to the same Russian-speaking authors.
• This is the first encryptor to use the 8092-bit RSA key. Although it makes no sense: a 1024-bit key to protect against hacking is quite enough.
• Like Buran, the encryptor is written in Object Pascal and compiled in Borland Delphi.

Static analysis

The execution of malicious code takes place in four stages. The first step is to run cashback.exe, a PE32-executable file under MS Windows with a size of 1198936 bytes. Its code is written in Visual C ++ and compiled on October 14, 2013. It contains an archive that is automatically unpacked when cashback.exe starts. The software uses the Cabinet.dll library and its functions FDICreate (), FDIDestroy () and others to obtain files from the .cab archive.















SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC



After unpacking the archive, three files will appear.









Next, temp.exe, a PE32-executable file under MS Windows with a size of 307200 bytes, is launched. The code is written in Visual C ++ and is packaged by MPRESS packer, a packer similar to UPX.









SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD



The next step is ironman.exe. After running temp.exe decrypts the embedded data in temp and renames it ironman.exe, a PE32-executable file of 544768 bytes in size. Code compiled in Borland Delphi.









SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88



The final step is to restart the ironman.exe file. At runtime, it converts its code and runs itself from memory. This version of ironman.exe is malicious and is responsible for encryption.

Attack vector

Currently, Nemty ransomware is distributed through pp-back.info.







The complete infection chain can be viewed on app.any.run sandbox.

Installation

Cashback.exe - the beginning of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. Then he creates the folder TMP4351 $ .TMP of the form% TEMP% \ IXxxx.TMP, where xxx is a number from 001 to 999.















Next, a registry key is installed, which looks like this:



[HKLM \ SOFTWARE \ WOW6432Node \ Microsoft \ Windows \ CurrentVersion \ RunOnce \ wextract_cleanup0]

“Rundll32.exe” “C: \ Windows \ system32 \ advpack.dll, DelNodeRunDLL32“ C: \ Users \ MALWAR ~ 1 \ AppData \ Local \ Temp \ IXPxxx.TMP \ "”



It is used to delete unpacked files. Finally, cashback.exe starts the temp.exe process.









Temp.exe - the second stage in the infection chain



This is the process started by cashback.exe, the second step in executing the virus. He tries to download AutoHotKey - a tool for running scripts under Windows - and run the WindowSpy.ahk script located in the resources section of the PE file.









The WindowSpy.ahk script decrypts the temp file in ironman.exe using the RC4 algorithm and the IwantAcake password. The key from the password is obtained using the MD5 hash algorithm.



Then temp.exe calls the ironman.exe process.









Ironman.exe - the third step



Ironman.exe reads the contents of the iron.bmp file and creates an iron.txt file with a crypto-locker, which starts as follows.















After that, the virus loads iron.txt into memory and restarts it as ironman.exe. After that, iron.txt is deleted.



ironman.exe is the main part of the NEMTY ransomware, which encrypts files on the affected computer. Malicious software creates a mutex called hate.









First of all, he determines the geographic location of the computer. Nemty opens a browser and recognizes the IP at http://api.ipify.org . On the site api.db-ip.com/v2/free [IP] / countryName, the country is determined by the received IP, and if the computer is in one of the regions listed below, the execution of the malware code stops:

• Russia
• Belarus
• Ukraine
• Kazakhstan
• Tajikistan

Most likely, the developers do not want to attract the attention of law enforcement agencies in their countries of residence, and therefore do not encrypt files in their “native” jurisdictions.



If the victim's IP address does not belong to the list above, then the virus encrypts the user's information.







To prevent file recovery, their shadow copies are deleted:









Then a list of files and folders that will not be encrypted is created, as well as a list of file extensions.

• windows
• $ RECYCLE.BIN
• rsa
• NTDETECT.COM
• ntldr
• MSDOS.SYS
• IO.SYS
• boot.ini AUTOEXEC.BAT ntuser.dat
• desktop.ini
• CONFIG.SYS
• BOOTSECT.BAK
• bootmgr
• programdata
• appdata
• osoft
• Common files

log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DDL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

Obfuscation

To hide URLs and embedded configuration data, Nemty uses a base64 and RC4 encoding algorithm with the fuckav keyword.









The decryption process using CryptStringToBinary is as follows

Encryption

Nemty uses three-layer encryption:

• AES-128-CBC for files. A 128-bit AES key is randomly generated and used the same for all files. It is stored in the configuration file on the user's computer. IV is randomly generated for each file and stored in an encrypted file.
• RSA-2048 for file encryption IV. A key pair is generated for the session. The private key to the session is stored in the configuration file on the user's computer.
• RSA-8192. The main public key is built into the program and is used to encrypt the configuration file, which stores the AES key and the secret key for the RSA-2048 session.
• Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated by the CryptGenKey () function and imported by the CryptImportKey () function.









After the key pair for the session is generated, the public key is imported into the MS Cryptographic Service Provider.









An example of a generated public key for a session:









Next, the private key is imported into the CSP.









An example of a generated private key for a session:









And the last is the RSA-8192. The main public key is stored in encrypted form (Base64 + RC4) in the .data section of the PE file.









The RSA-8192 key after decoding base64 and decrypting RC4 with the password fuckav looks like this.









As a result, the entire encryption process is as follows:

• Generation of a 128-bit AES key that will be used to encrypt all files.
• Create IV for each file.
• Creating a key pair for an RSA-2048 session.
• Decryption of an existing RSA-8192 key using base64 and RC4.
• Encrypt file contents using the AES-128-CBC algorithm from the first step.
• Encryption IV using the RSA-2048 public key and encoding in base64.
• Adding encrypted IV to the end of each encrypted file.
• Adding the AES key and RSA-2048 session private key to the config.
• The configuration data described in the section Collecting information about an infected computer is encrypted using the RSA-8192 primary public key.
• The encrypted file is as follows:

Example of encrypted files:

Collecting information about an infected computer

The ransomware collects keys to decrypt infected files, so that an attacker can actually create a decryptor. In addition, Nemty collects user data, such as username, computer name, hardware profile.









It calls the GetLogicalDrives (), GetFreeSpace (), GetDriveType () functions to collect information about the disks of the infected computer.



The collected information is stored in a configuration file. Having decoded the line, we get a list of parameters in the configuration file:









Example configuration of an infected computer:









The configuration template can be represented as follows:



{"General": {"IP": "[IP]", "Country": "[Country]", "ComputerName": "[ComputerName]", "Username": "[Username]", "OS": "[OS]", "isRU": false, "version": "1.4", "CompID": "{[CompID]}", "FileID": "_ NEMTY_ [FileID] _", "UserID": "[ UserID] "," key ":" [key] "," pr_key ":" [pr_key]



Nemty stores the collected data in JSON format in the% USER% / _ NEMTY_.nemty file. A fileID of 7 characters in length is randomly generated. For example: _NEMTY_tgdLYrd_.nemty. FileID is also appended to the end of the encrypted file.

Foreclosure Message

After encrypting the files on the desktop, the _NEMTY_ [FileID] -DECRYPT.txt file appears as follows:









At the end of the file is encrypted information about the infected computer.

Network communication

The ironman.exe process downloads the Tor browser distribution from the address https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.



Nemty then attempts to send configuration data to 127.0.0.1:9050, where it expects to find a working Tor browser proxy. However, by default, the Tor proxy listens on port 9150, and port 9050 uses the Tor daemon on Linux or the Expert Bundle on Windows. Therefore, no data is sent to the attacker server. Instead, the user can manually download the configuration file by visiting the Tor decryption service at the link provided by the ransom message.



Connection to Tor proxy:









HTTP GET creates a request at 127.0.0.1:9050/public/gate?data=









Here you see the open TCP ports that are used by the TORlocal proxy:









Nemty decryption service on the Tor network:









You can upload an encrypted photo (jpg, png, bmp) to test the decryption service.









After this, the attacker asks to pay a ransom. In case of non-payment, the price doubles.

Conclusion

Currently, decrypting files encrypted by Nemty will not work without paying a ransom. This version of ransomware has similarities with Buran ransomware and legacy GandCrab: compilation on Borland Delphi and images with the same text. In addition, this is the first encryptor to use the 8092-bit RSA key, which, again, makes no sense, since a 1024-bit key is quite sufficient for protection. Finally, curiously, he is trying to use the wrong port for Tor's local proxy service.



However, Acronis Backup and Acronis True Image solutions do not allow Nemty ransomware to user PCs and data, and providers can protect their customers with Acronis Backup Cloud . Full Cyber ​​Defense provides not only backups, but also protection using Acronis Active Protection , a special technology based on artificial intelligence and behavioral heuristics that allows you to neutralize even unknown malware.