The PureLocker ransomware – so-called because it’s written in the PureBasic programming language – has been spotted being used in targeted attacks against both Windows and Linux-based production servers at enterprises. Researchers said it shows unusual characteristics that underscore the innovation that malware developers are putting into their wares.
PureBasic for instance is not a common programming language, but it’s one that offers adversaries several advantages, according to an analysis on Wednesday by Intezer and IBM’s X-Force IRIS team.
“This unusual choice poses advantages for the attacker,” researchers wrote. “AV vendors have trouble generating reliable detection signatures for PureBasic binaries. In addition, PureBasic code is portable between Windows, Linux and OS-X, making targeting different platforms easier.”
The analysis also showed other unusual attributes within PureLocker, mainly on the evasion front. For instance, the malware attempts to evade user-mode API hooking of NTDLL functions by manually loading another copy of “ntdll.dll” and resolving API addresses manually from there. API hooking allows antivirus systems to see exactly what function is called by a program, when and with what parameters.
“While it’s a known [evasion] trick, it’s rarely used in ransomware,” the researchers noted.
Also, the malware instructs a command-line utility in Windows called regsrv32.exe to install PureLocker’s library component silently, without raising any dialogues. Later on, the malware verifies that it has indeed been executed by regsrv32.exe, and that its file extension is either .DLL or .OCX. The malware also verifies that the current year on the machine is 2019, and that the victim has administrator rights, researchers said. If any of these checks fail, the malware will exit without performing any malicious activity, all in an attempt to conceal its functionality.
“This type of behavior is not common in ransomware, which typically prefer to infect as many victims as possible in the hopes of gaining as much profit as possible,” researchers said.
If all anti-analysis and integrity tests performed by the malware are satisfied, it proceeds to encrypt the files on the victim’s machine with a standard AES+RSA encryption combination, using a hard-coded RSA key, according to the analysis. It adds the “.CR1” extension for each encrypted file. The ransomware then secure-deletes the original files in order to prevent recovery, and leaves a ransom note file on the user’s desktop. Then, it deletes itself.
The approach to the ransom is another unusual aspect of PureLocker – the adversaries don’t ask for a specific currency or ransom amount inside of the note itself, instead telling the victim to email the attackers at an anonymous and encrypted Proton email address, which also includes the “CR1” nomenclature.
“Each sample we analyzed contained a different email address, which might be how the attackers can link between different victims and their respective decryption keys (each email corresponds to a specific RSA key pair),” according to the analysis.
Researchers believe that all of this means that PureLocker is meant to be just one piece of a complex attack chain: “Being a DLL file designed to be executed in a very specific manner reveals this ransomware is a later-stage component of a multi-stage attack,” they wrote.
Targeted Attacks Hatched from more_eggs
Though the firms didn’t observe other parts of the suspected campaign, such as how the ransomware is finding its way onto desktops in the first place, code clues point to a possible connection to known, sophisticated threat actors.
The majority of PureLocker is new and unique, PureLocker does reuse some code snippets from known malware families, mainly the “more_eggs” backdoor malware. More_eggs is sold as-a-service on the Dark Web. Organized financial threat groups such as the Cobalt Group and the FIN6 gang are among those that have been seen using it, according to the researchers.
“The code-reuse connections to Cobalt Group are related to a specific component used by the group in its attack chain…a Stage 3 dropper DLL [used for evasion and anti-analysis functionalities],” explained the researchers. “More specifically, this component is the loader part of the more_eggs JScript backdoor, also known as SpicyOmelette.”
The Cobalt Group was recently discovered to have been been buying its malware kits from a malware-as-a-service (MaaS) provider on underground cybercrime forums.
“These findings strongly suggest that the MaaS provider of more_eggs has added a new malware kit to its offerings, by modifying the more_eggs loader’s payload from a JScript backdoor to a ransomware,” they concluded.
Ransomware attacks have doubled from last year, according to Mimecast’s State of Email Security Report, with 53 percent of organizations experiencing attacks that directly impacted business operations. In fact, 86 percent of organizations that were attacked suffered at least two days of downtime. PureLocker, according to Mimecast’s head of e-crime, Carl Wearn.
“The discovery of ‘PureLocker’ ransomware is a clear example of the sustained and continuing efforts ransomware threat actors are putting into the development of targeted ransomware,” he said, via email. “These capabilities will continue to evolve and security vendors will continue to research and identify new strains of malware and the means to defend against them.”