Malware descriptions

The return of Mamba ransomware

At the end of 2016, there was a major attack against San Francisco’s Municipal Transportation Agency. The attack was done using Mamba ransomware. This ransomware uses a legitimate utility called DiskCryptor for full disk encryption. This month, we noted that the group behind this ransomware has resumed their attacks against corporations.

Attack Geography

We are currently observing attacks against corporations that are located in:

  • Brazil
  • Saudi Arabia

Attack Vector

As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. Also, it is important to mention that for each machine in the victim’s network, the threat executor generates a password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper.

Example of malware execution

Technical Analysis

In a nutshell, the malicious activity can be separated into two stages:

Stage 1 (Preparation):

  • Create folder “C:\xampp\http
  • Drop DiskCryptor components into the folder
  • Install DiskCryptor driver
  • Register system service called DefragmentService
  • Reboot victim machine

Stage 2 (Encryption):

  • Setup bootloader to MBR and encrypt disk partitions using DiskCryptor software
  • Clean up
  • Reboot victim machine

Stage 1 (Preparation)

As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on a victim machine. The malicious dropper stores DiskCryptor’s modules in their own resources.

DiskCryptor modules

Depending on OS information, the malware is able to choose between 32- or 64-bit DiskCryptor modules. The necessary modules will be dropped into the “C:\xampp\http” folder.

The malware drops the necessary modules

After that, it launches the dropped DiskCryptor installer.

The call of the DiskCryptor installer

When DiskCryptor is installed, the malware creates a service that has SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters.

The creation of the malicious service’s function

The last step of Stage 1 is to reboot the system.

Force reboot function

Stage 2 (Encryption)

Using the DiskCryptor software, the malware sets up a new bootloader to MBR.

The call for setting up a bootloader to MBR

The bootloader contains the ransom message for the victim.

Ransomware note

After the bootloader is set, disk partitions would be encrypted using a password, previously specified as a command line argument for the dropper.

The call tree of encryption processes

When the encryption ends, the system will be rebooted, and a victim will see a ransom note on the screen.

Ransom notes

Kaspersky Lab products detect this threat with the help of the System Watcher component with the following verdict: PDM:Trojan.Win32.Generic.

Decryption

Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility because this legitimate utility uses strong encryption algorithms.

IOCs:

79ED93DF3BEC7CD95CE60E6EE35F46A1

The return of Mamba ransomware

Your email address will not be published. Required fields are marked *

 

  1. someguy

    What disassembler and hex editor do you guys use?

    1. otherguy

      Looks like Hiew and IDA Pro.

    2. Tomáš

      IDA Pro is mostly used

  2. iamnoob

    based from the pic. Disassembler: IDA PRO and Hex View/Editor: HIEW

  3. nilesh

    look like idapro

  4. Simon

    Possible to bruteforce password?

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox