Ransomware Maze - Ransomware Virus Anatomy

3 years ago

SUMMARY

Maze ransomware, previously known in the community as "ChaCha ransomware", was discovered by Jerome Segura on May 29, 2019 [1].

The main purpose of the ransomware is to encrypt all the files it can find on an infected system and then demand a ransom to recover them. The distinguishing feature of Maze, however, is the threat its authors make to victims: if they do not pay, the stolen information will be published on the Internet [2].

This threat has not been an idle one: the files of one company were indeed published on the Internet. Although the company filed a lawsuit, the damage had already been done. This behavior is increasingly observed in new ransomware [3] such as Sodinokibi, Nemty, Clop and others.

Last year it was highlighted how ransomware would move in this direction to extract money from victims who may be reluctant to pay for decryption [4].

TELEMETRY MAP

FIGURE 1. MAP OF MAZE INFECTIONS

Introduction

On October 29, a campaign was detected distributing the Maze malware to Italian users. Historically, the malware has used different techniques to gain entry: mainly exploit kits, weakly encrypted remote desktop connections, or email impersonation of different agencies or companies, as in the case of Italy [5], where the emails impersonated the Italian Revenue Agency. These emails came with a Word attachment that used macros to run the malware on the system.

The most common exploit kits were Fallout and Spelevo [6] .

The malware is hard-coded with several tricks to hinder reversing and make static analysis more difficult. This report covers these protections and the behavior of the malware on an infected system.

The developers added messages to provoke malware researchers, including the email address of Lawrence Abrams, owner of "BleepingComputer", whom they contacted directly. They are very active on social media sites such as Twitter.

MAZE OVERVIEW

The malware is a 32-bit binary, usually packed as an EXE or DLL file. This report focuses on the EXE file.

FIGURE 2. INFORMATION ABOUT MALWARE

More information about the sample used in this report appears in the following table:

TECHNICAL DETAILS

Maze is a sophisticated piece of malware that uses several tricks to frustrate analysis right from the start.

The malware begins by preparing some functions that appear to store memory addresses in global variables for later use in dynamic calls, although these functions are never used afterwards. Whether this is leftover code at the entry point or a trick to mislead researchers is up for debate.


FIGURE 3. SAVE THE FUNCTION ADDRESS FOR FUTURE USE IN A DYNAMIC WAY

The malware then enters a large block of garbage code that contains some elements to decrypt the strings and other important information for later use. At this point the malware also uses some tricks to detect debuggers.

The most important of these are:

  • Heavy use of the PEB field "IsDebuggerPresent". This field is a Boolean value that Windows sets to 1 (True) if the application is running inside a debugger, or 0 (False) if not.

    FIGURE 4. HEAVY USE OF THE "ISDEBUGGERPRESENT" PEB FIELD TO DETERMINE WHETHER THE APPLICATION IS RUNNING IN A DEBUGGER

  • If the malware detects a debugger, it remains in an endless loop, doing nothing while wasting system resources.

    FIGURE 5. MAZE DETECTS THE DEBUGGER AND KEEPS RUNNING, DRAINING RESOURCES

    Poor
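To make the check described above concrete for analysts, here is an added C example; it is not code from the Maze sample or from this report. On Windows it reads the PEB byte that the "IsDebuggerPresent" check relies on (the `BeingDebugged` member of the `PEB` structure in `winternl.h`) directly, as the malware does, and compares it with the result of the documented `IsDebuggerPresent()` API, which returns the same byte. Because the PEB does not exist outside Windows, a Linux branch is provided as the closest analogue (the `TracerPid` line in `/proc/self/status`) so the program also builds there; the function names `peb_being_debugged`, `parse_tracer_pid` and `being_debugged` are this example's own.

```c
/* Added illustration of the "am I running under a debugger?" check that
 * Maze performs through the PEB. Not code from the sample or the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid value out of a /proc/<pid>/status text (Linux).
 * Returns the tracer's pid, 0 when not traced, -1 if the field is absent.
 * Kept outside the #ifdef so it is available for testing on any platform. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;                      /* field absent: cannot decide */
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')     /* skip the tab/space padding */
        p++;
    return strtol(p, NULL, 10);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* TEB/PEB layouts, including PEB.BeingDebugged */

/* Read PEB->BeingDebugged directly instead of calling the API, which is
 * what the malware's inlined checks do. An analyst who patches this byte
 * to 0 in the debugger defeats the direct read and the API at once,
 * because IsDebuggerPresent() returns exactly this byte. */
int peb_being_debugged(void)
{
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged ? 1 : 0;
}

int being_debugged(void)
{
    int direct = peb_being_debugged();
    int api = IsDebuggerPresent() ? 1 : 0;
    /* A disagreement means one path was tampered with (for example a
     * debugger plugin that hooks the API but leaves the PEB untouched). */
    if (direct != api)
        fprintf(stderr, "PEB byte (%d) and IsDebuggerPresent (%d) differ\n",
                direct, api);
    return direct || api;
}
#else
/* Linux analogue: the kernel records the tracing process in
 * /proc/self/status as "TracerPid:\t<pid>" (0 when nobody is attached). */
int being_debugged(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                       /* no procfs: treat as not traced */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}
#endif

int main(void)
{
    /* A real sample would branch into its stalling loop here; this
     * illustration only reports the flag so the check can be studied. */
    printf("debugger present: %s\n", being_debugged() ? "yes" : "no");
    return 0;
}
```

The practical point for an analyst is that both the API and the malware's hand-rolled reads end at a single byte in the PEB, so clearing that byte once the process is loaded neutralises every copy of the check, however many times the sample repeats it.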