Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers.
The new threat is called PureLocker. Malware researchers analyzed samples for Windows, but a Linux variant is also being used in attacks.
Built to dodge detection
The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback.
For instance, if the malware determines that it’s running in a debugger environment, it exits straight away. Furthermore, the payload deletes itself after execution.
This and more allowed PureLocker to stay under the radar for months on end. For the past three weeks, PureLocker almost entirely evaded detection by the antivirus engines on VirusTotal.
The name of the ransomware derives from the programming language it’s written in, PureBasic, an unusual choice that provides some benefits, the researchers say in a report.
Encryption adds .CR1 extension
As far as file encryption is concerned, PureLocker does not differ from other ransomware. It uses the AES and RSA algorithms and leaves no recovery option, deleting the shadow copies.
The malware does not lock all files on a compromised system; it avoids executables. Encrypted items are easy to recognize by the .CR1 extension appended once encryption is complete.
A ransom note is left on the system desktop in a text file called “YOUR_FILES.” No amount is given in the ransom; instead, victims need to contact the cybercriminals at a Proton email address, a different one for each compromise.
The researchers noticed that the “CR1” string is present not only in the extension of the encrypted files but also in the ransom note and the email addresses.
A theory is that the string is specific to the affiliate spreading these specific samples since PureLocker is a ransomware-as-a-service business.
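As an added example that is not part of the report, the following Python triage script checks a directory tree for the two on-disk artifacts described above, files renamed with the .CR1 extension and a YOUR_FILES ransom note, and uses a byte-entropy check to separate real ciphertext from files that were merely renamed. The entropy cutoff and the sample files built by demo() are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".CR1"           # extension appended to encrypted files (from the report)
RANSOM_NOTE_STEM = "YOUR_FILES"  # ransom note file name (from the report)
ENTROPY_THRESHOLD = 7.5          # bits/byte; assumed cutoff, AES output sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for plain data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str) -> dict:
    """Walk a tree and collect the PureLocker artifacts the article describes."""
    found = {"encrypted": [], "renamed_only": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if stem.upper() == RANSOM_NOTE_STEM:
                found["ransom_notes"].append(path)
            elif ext.upper() == ENCRYPTED_EXT:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
                # A .CR1 name alone is not proof: check whether the bytes look encrypted.
                bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "renamed_only"
                found[bucket].append(path)
    return found

def verdict(found: dict) -> str:
    if found["encrypted"] and found["ransom_notes"]:
        return "likely PureLocker encryption event"
    if found["encrypted"] or found["ransom_notes"]:
        return "partial indicators; investigate"
    return "no indicators"

def demo() -> tuple:
    """Build a constructed sample tree (not real victim data) and triage it."""
    root = tempfile.mkdtemp()
    files = {"report.docx.CR1": os.urandom(4096),        # ciphertext-like content
             "notes.txt.CR1": b"A" * 4096,               # renamed, but not encrypted
             "YOUR_FILES.txt": b"contact <address>\n",  # constructed ransom note
             "tool.exe": b"MZ" + b"\x00" * 512}          # executables are left alone
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    found = triage(root)
    return found, verdict(found)
```

Running demo() returns the per-category paths and the verdict "likely PureLocker encryption event" for the constructed tree.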
Code reuse from Cobalt and FIN6 malware
Researchers at Intezer and IBM X-Force say that PureLocker has been on the market for several months and reuses code from a backdoor called “More_Eggs” available on the dark web from a seasoned malware provider; the backdoor is also known as Terra Loader and SpicyOmelette.
Analysis of the ransomware showed that it uses code from multiple malicious binaries used by the Cobalt Group, which focuses on attacking financial institutions.
The researchers determined that parts of a specific component used by Cobalt in the third stage of an attack are present in PureLocker. It is the JScript loader for the “more_eggs” backdoor, described by security researchers at Morphisec.
In previous research, IBM X-Force revealed that FIN6, another cybercriminal group targeting financial organizations, also used the “more_eggs” malware kit.
Most of the code in PureLocker is unique, though. This suggests that the malware is either new or an existing threat that has been heavily modified.
Reusing code from other malware is what helped this ransomware keep a low profile and avoid triggering antivirus alerts all this time. Details about its victims and the ransom demands are unknown at this time, but now that it has made it onto researchers’ radar, PureLocker will definitely get more attention from the infosec community.