Lawrence over at Bleeping Computer posted an interesting blog yesterday:
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry
In that blog, Lawrence pointed out quite some users had issues with a new ransomware, dubbed StorageCrypt, and possibly spread via a worm.
There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.
Windows artifacts
美女与野兽.exe is the Windows component, and as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'.
This executable is packed with ASPack, and appears to to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:
1.vbpSMSS.EXEhttp://www.freewebs.com/kelly6666/sm.txthttp://www.freewebs.com/kelly6666/lo.txtDBST32NT.LOG.bak.exeV1.8Start Success.logyyyymmddmmssTxt Open ,Repair the application! is running, Repair the application from backup. is running, Repair the application from MySelf. running is running, update the application !Get V Data!Read Tname to memory.icoKill icoExtractIcons...Write to Tname...ip addr addedGetFolderFileDate...Replace all attrib.I m here!-->Insert Error : for .dll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShellexplorer.exe UserinitHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows9xPacksHKEY_CLASSES_ROOT\txtfile\shell\open\command NOTEPAD.EXE %1HKEY_HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAErrorC:\boot_net.datC:\dosnal.exeFind all exe file from Local host*.exeDownload files is accomplish!Run files of download is success![autorun]Download files1 is accomplish!Run files1 of download is success!This program cannot be run in DOS mode.This program must be run under Win32Autorun.infsuccess.txtcmd.exe /C net view command.exe /C net view to find to Create file.exeopen=.exeGet Local host IP: Rnd IP:DiskC:\dntboot.binip packet too_bigip unloadWhatever was hosted at www.freewebs[.]com, cannot be retrieved as it no longer exists.
In any case, binaries similar as to this one, appear to have been floating the web for quite a while, as can be observed in this analysis result from 2013 by Team Cymru's TotalHash.
I've uploaded the unpacked sample on Hybrid Analysis.
Linux artifacts
The Linux component appears to exist out of a Samba vulnerability, dubbed SambaCry, and assigned CVE-2017-7494 from earlier this year.
There are several components, which are listed in the table below.
Filename | Hash | Purpose |
kJn8LUAZ.so | 6b5b4fce04f36101c04c0c5b3f7935ea | Downloads ‘sambacry’ |
ZbdofxPY.so | 053bb22c2cedf5aa5a089bfd2acd31f6 | Downloads ‘sambacry’ |
sambacry | ffe17e314f7b1306b8badec03c36ccb4 | Fetch other payloads |
httpd1 | a5e8cb2e7b84081f5b1f2867f2d26e81 | Miner config |
minerd32 | a016b34ade18626f91d14e46588d6483 | Coinminer |
watchcat32 | ac9ad6bc8cd8118eaeb204c2ebf95441 | Watchdog |
The 'sambacry' binary will, after one of the .so files has downloaded it, download a set of other files from the C2 server, which is 45.76.102[.]45.
These files are to support the coin mining and, alongside installed, is also what appears to be a watchdog, which monitors the miner process. Additionally, it runs the following in a loop:
while true do
ps -ef|grep -E "wget|curl"|grep -v $$|grep -v 45.76.102.45|awk '{print $2}'|xargs kill -9
done
Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:
While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.
{
"url" : "stratum+tcp://xmr.pool.minergate.com:45560",
"user" : "madhatterss@protonmail.com",
"pass" : "x",
"algo" : "cryptonight"
}
While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.
If you run a Samba server, patch immediately, as this vulnerability has already been reported in April.
Indicators