GandCrab – The new Ransomeware in the block

A few days ago, I was examining files that we’ve detected in one of our customers.

I encountered an interesting PDF (SHA1 – d75e3d2c235bf1e52cca16f597fe05fcfce89ad6) which is the dropper and installer of the new version of GandCrab Ransomware.

A lot was said about Ransomwares, dozens of solutions claim to protect against it and yet we encounter new ones, almost on a daily basis.

As most of the malwares these days, the creators of GandCrab used emails as their primary attack vector to install the Ransomware. Here’s how they did it;

When the PDF is opened, the user sees the captcha shown in figure 1.

Figure 1

 

This captcha is an image that leads to the following URL –

http://butcaketforthen[.]com/docs/Feb-00974.doc

When clicked, the server sends a doc file.

The docfile (SHA1 – 9742c3bd6845af4134f53764afcc60de6458f0d9) is a simple doc file that like most of the VBA Macro-based infectors, asks the user to ‘Enable Content’ (shown in figure 2)

Figure 2

 

When the user enables the content, it allows the VBA code to run.

The file contains an invalidly signed macro that holds a lot of code, probably used to deceive and have a legitimate-macro look at first glance.

Looking at the code’s entry point, we see an AutoOpen function that runs automatically when the document is being opened and the content is enabled (shown in figure 3).

Trying to avoid signatures, the authors of this infector are avoiding some of the suspiciously looking strings in their code. This is why we don’t see “Powershell” or “WebClient” here.

Figure 3

 

We can see “cmd.exe”, some url and strings concatenated from a form’s labels. A quick glance at the embedded objects of the document reveals what’s probably going to be the rest of our cmd line (figure 4).

Figure 4

 

As the code is running, a cmd process is started with the arguments shown in figure 5.

Figure 5
Figure 5

 

This powershell command downloads a script from http://sorinnohoun[.]com/sc1/sct5  and calls a function called “Invoke-GandCrab”.

Looking at the powershell script (SHA1-d9fb7d948fb35550a6fe82c9c94fb609d9a1f682), we see a large, well documented function called “Invoke-Inj” that injects a dll into a process. Just after that, there’s a function called “Invoke-GandCrab” (visible in figure 6, without the base64 content).

Figure 6
Figure 6

 

That function has a base64 string that holds the entire malicious dll which is the ransomware itself. The dll is being decoded and transferred into the injector.

Once the PS code is loaded, “Invoke-GandCrab” is called. The dll is loaded and in that point- the bad guys has won.

 

About the author

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Name *