1. Overview of RCRU64

Malware Family RCRU64
Threat Type Ransomware Virus

Description

The RCRU64 ransomware is mainly spread through email attachments in phishing attacks, malicious software downloads, and vulnerability exploitation. It encrypts files on infected computers and demands a ransom from victims in return for the decryption key.

 

2. Analysis of RCRU64

2.1 Introduction

Sangfor FarSight Labs discovered a new variant of the RCRU64 ransomware family after capturing a sample during its recent operations. After our investigation, we discovered that the affected host had abnormal login activity and a weak RDP password. Therefore, we speculate that the attacker exploited RDP to gain access and execute the ransomware. Information about the sample is summarized in the table below:

File Name Hash Function
5-NS new.exe 6bffc6c7caa2eb2fa90fac0317f63338 Netscan
closeapps.bat 9b0d6df42f879ba969f82c7a0ab48bc6 Terminate Process
RESTDB@my.com.exe af967e2c4e72b4c279561757fe06e834  Ransomware
shadows all.cmd b1d9eea40a08eeb5d3ee646ff61e41ba Delete shadow copies

 

2.2 Analysis

2.2.1 MITRE ATT&CK

Tactic Technique Sub-technique Operation
Execution
TA0002
System Services T1569 Service Execution T1569.002 Uses sc.exe to modify service status.
Command and Scripting Interpreter
T1059
Windows Command Shell T1059.003 Uses a series of Windows commands such as tasklist, taskkill, and systeminfo.
Windows Management Instrumentation T1047 N/A Uses WMIC to delete shadow copies.
 Native API T1106  N/A Uses native Windows system calls to make analysis more difficult.
 Scheduled Task/Job T1053 Scheduled Task T1053.005  Uses schtasks.exe and at.exe to add and modify scheduled tasks.
Persistence
TA0003
Create or Modify System Process T1543 Windows Service T1543.003 Creates a service for self-startup.
 Boot or Logon Autostart Execution T1547 Registry Run Keys / Startup Folder T1547.001  Releases a PE file in the startup directory.
Defense Evasion
TA0005
Impair Defenses T1562 Disable or Modify System Firewall T1562.004   Modifies Windows Firewall configurations.
Deobfuscate/Decode Files or Information T1140 N/A Uses base64 encoding.
Indicator Removal T1070 File Deletion T1070.004 Deleting the ransomware files after the ransomware program is executed.
Virtualization/Sandbox Evasion T1497 System Checks T1497.001 Queries disk information and operating system information to determine whether it is in a virtualized environment and uses the sleep function to evade dynamic analysis.
Discovery
TA0007
File and Directory Discovery T1083 N/A Queries specified files, folders, and file extensions.
 System Information Discovery T1082 N/A   Queries the operating system version.
Process Discovery T1057 N/A Uses the NtQuerySystemInformation API to enumerate all currently running processes.
System Time Discovery T1124 N/A Queries the local system time.
Account Discovery T1087 Local Account T1087.001 Enumerates files in the directory \Users\All Users\Microsoft\Windows\Caches, which stores Windows user credentials such as usernames and passwords for automatic filling when the user logs in.
Impact
TA0040  
Inhibit System Recovery T1490 N/A  Deletes shadow copies and disables Windows system recovery.
Data Encrypted for Impact T1486  N/A  Encrypts files on the computer.

 

2.2.2 Technical Analysis

Upon execution, the sample encrypts files on the system and releases a ransom note. The ransom note window pops up and instructs the victim to communicate with the attacker and pay the ransom. Encrypted files are appended with the extension "_[ID-ALK8Z_Mail-RESTDB@my.com].TGH". For example, a file named "hello.docx" was renamed to "hello.docx_[ID-ALK8Z_Mail-RESTDB@my.com].TGH". There are two ransom note files, a TXT file named "Restore_Your_Files.txt" and an HTA file named ReadMe.hta. The ransom notes show that victims can contact the attacker via email and pay in Bitcoin. The ransom amount is not specified in the note.

The content of the Restore_Your_Files.txt ransom note is shown below:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 1

The content of the ReadMe.hta ransom note is shown below:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 2

Encrypted files appear as follows:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 3

2.2.2.1 Determining File Type

The ransomware released multiple files, which are executed based on the file extension. The "sub_48B6A0" function is used to obtain file handles and determine whether to open files in a specific way based on their attributes. If the file name ends with ".exe", ".EXE", ".com", ".COM", ".bat", ".BAT", ".cmd", or ".CMD", the file needs to be opened in a specific way.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 4

2.2.2.2 Clearing Windows Event Logs

The following code executes the "wevtutil.exe el" command to list all available event logs in the system and then executes "wevtutil.exe cl" to clear all the event logs that were queried.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 5

2.2.2.3 Creating New Files

The ransomware samples dropped the following files:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 6

The functions of each file are described below:

S-2153.bat: The content of the "S-2153.bat" file is shown in the image below. This file determines if the "S-8459.vbs" file exists and executes it.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 7

S-8459.vbs: The content of the "S-8459.vbs" file is shown in the image below. This script checks if there is a batch file named "S-6748.bat" in the AppData folder and executes it.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 8

S-6748.bat: The content of the "S-6748.bat" file is shown in the image below. This file checks if a process named "dcdcf" is running in the system. If not, it deletes all shadow copies, starts the process named "RESTDB@my.com.exe", and checks if the process is running. If the process is running, it waits for 15 seconds; otherwise, it will continue with the subsequent operations.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 9

SysMain.sys: The content of the SysMain.sys file is shown in the image below. The content of this file is base64 encoded and, when decoded, contains an X.509 certificate. An X.509 certificate is a digital certificate used to verify the identity and integrity of public keys, which can increase its deception and trustworthiness.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 10

This file deletes the scheduled task named "Microsoft_Auto_Scheduler", "S-8459.vbs", and "S-2153.bat" before deleting itself.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 11


The ransomware sample copies itself to the "C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" directory and renames it to "Xinfecter.exe". The hash of this file is identical to "RESTDB@my.com.exe", indicating that they are the same file.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 12

2.2.2.4 Creating A Scheduled Task

The following command creates a scheduled task named "Microsoft_Auto_Scheduler", which runs the "S-2153.bat" file every 6 minutes.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 13

The batch command contains multiple commands, whose functions are as follows:


reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f 
Adds a DWORD value named "DisableAntiSpyware" in the registry and sets its value to 1 to disable the anti-spyware feature of Windows Defender.
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f Adds a DWORD value named "EnableLUA" in the registry and sets its value to 0 to disable User Account Control (UAC).

vssadmin.exe Delete Shadows /All /Quiet
Deletes all shadow copies in quiet mode
wmic shadowcopy delete Deletes shadow copies
netsh advfirewall set currentprofile state off Turns off the Windows Firewall

netsh firewall set opmode mode=disable
Disables the Windows Firewall

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
Enables the Network Discovery rule 
wbadmin delete catalog -quiet Deletes all backups in the Windows backup catalog quietly

 


New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 14

2.2.2.5 Terminating Services

The following commands terminate processes and services that are occupying files. Specifically, it uses the Windows "taskkill" command to terminate processes and services related to databases, text editors, browsers, email clients, and so on.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 15

2.2.2.6 Querying Host Information

The sample executes the following commands to obtain host information to determine if it is running in a virtualized environment.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 16

The executed commands are as follows:

echo %date%-%time% Obtains the current date and time
systeminfo|find /i "os name" Checks the name of the OS
systeminfo|find /i "original" Queries the original installation date and time of the computer's Windows OS
ver Displays the OS version

 

2.2.2.7 Selecting File Extensions, Filenames, and Directories for Encryption

The following file extensions are encrypted:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 17

 

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs

The following files are not encrypted:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 18

S-inf.sys / S-2153.bat / S-8459.vbs / S-6748.bat / N-Save.sys / ReadMe.hta / io.sys / ntdetect.com/ ntldr / thumbs.db/ autorun.inf / ntuser.dat/ bootfont.bin / Restore_Your_Files.txt/ Xinfecter.exe / bootmgr / SysMain.sys / desktop.ini / BOOTSECT.BAK / boot.ini / R_cfg.ini

The following code is used to traverse directories and process the filenames of each file. Specifically, the code uses Windows API functions such as "FindFirstFileW", "FindNextFileW", and "FindClose" to traverse directories. During the traversal, each filename is processed to determine if it ends with ".msi", ".scr", "_Eg", or contains specific strings. If the filename meets these criteria, some operations are executed, otherwise, the file is skipped. Finally, some memory is released.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 19

.exe / .dll / .msi / .log / .lnk / .ini / .ico / .cmd / .bat / .scr / .cpl / .icl / ._Enc / ._Eg

The following directories are not encrypted: 

\\Local Settings\\Application Data\\Microsoft\\Credentials
\\Application Data\\Microsoft\\Credential
\\Users\\All Users\\Microsoft\\Windows\\Caches
\\Recovery
\\Windows
\\Documents and Settings\\
\\Local Settings\\Temporary Internet Files
\\Start Menu
\\Documents and Settings\\All Users\\Start Menu
\\WINDOWS
\\Boot
\\$RECYCLE.BIN
\\System Volume Information
\\Users\\Default\\ntuser.dat

2.2.2.8 Writing The Ransom Note

The following image shows the ransom note in HTA format:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 20

The following image shows the ransom note in text format:

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 21

2.2.2.9 Opening The Ransom Note Window

The following command is used to open the ransom note window:

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\John\Desktop\ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

2.2.2.10 Encryption Algorithm

  1. Traverse files and folders: First, determine whether a file is encrypted by checking whether the file name contains "_[ID-" and "_Mail-", and then determine whether the file extension to be encrypted is in the list of encrypted extensions. If so, encrypt the file.
  2. Generate AES key and IV: The ransomware generates a random AES key and a random IV (Initialization Vector) as parameters for encrypting files. These parameters are hard coded into the ransomware's code.
  3. Use AES to encrypt the file: The ransomware uses the generated AES key and IV to encrypt targeted files.
  4. Use RSA to encrypt the AES key and IV: The ransomware uses the RSA public key to encrypt the generated AES key and IV. The encrypted AES key is then appended to the encrypted file for use during decryption.
  5. Add the extension "_[ID-ALK8Z_Mail-RESTDB@my.com].TGH" to the encrypted file.
  6. Generate ransom note: Create a ransom note in each folder after the encryption process is complete.

New RCRU64 Ransomware Variant Discovered by Sangfor FarSight Labs 22

2.3 IOCs

Sha256
5c428f3ab071e48f70bf4e7ef1d8c377fd954c92dcac08f37eb9a42ce499442d
6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08
67f0f6bfd582388917adcbfb294901f37e3979455880065220dcda03c7dd8f1a
6a180ebb123cc8970249ff9cc4496cd811b4d5d6a7356709c65cac188e3f742b
a2bb1178b6d17512f2606ad01cdc245ea52e91d17f6740d7dfdbef3a76e19c77
c3d7188add8892823fa6169f4ba3523b43e4cba6c9fff6931b3c482d077137c9
e928295cc90b8a0aac825a86f21e99b92f1c8665085c6e4cc3fc88cc63958e68
fe0383f9fa9df8b28729104c896eebc79dad0e9fc6f68612868385467e18fbc8

2.4 Sangfor Solution

Sangfor Endpoint Secure supports the detection and removal of the RCRU64 ransomware. Please update Endpoint Secure and the signature database to the latest version and configure the relevant security policies for protection to take effect.

Sangfor Endpoint Secure is a powerful Endpoint Detection and Response (EDR) solution that goes beyond traditional anti-malware and antivirus software. Sangfor Endpoint Secure leverages Sangfor’s proprietary Engine Zero AI malware detection engine and Neural-X threat intelligence platform to deliver robust malware protection for endpoints.

Endpoint Secure is built with innovative anti-ransomware tools, including the world’s first and only endpoint ransomware honeypot, which quickly detects and kills the ransomware encryption process, minimizing any damage to the system. The encryption controlling application is also identified and then located on other infected systems allowing “One-Click Kill” to eradicate the detected ransomware throughout the organization with just a single mouse click. In the Advanced Threat Detection Test conducted by AV-Test, Endpoint Secure achieved 100% protection in ten ransomware scenarios.

Sangfor NGAF, Sangfor IAG, Sangfor Cyber Command, and Endpoint Secure integrate together as part of Sangfor’s Anti-Ransomware solution. With security deployed at the perimeter, endpoint, and network, Sangfor’s Anti-Ransomware is a holistic solution that breaks every step of the ransomware kill chain. Sangfor Anti-Ransomware is a modular solution that can be tailored to meet the ransomware protection requirements of any organization.

2.4 Sangfor Solution

About Sangfor FarSight Labs

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

CVE-2024-40766: SonicWALL SonicOS Access Control Flaw Vulnerability

Date : 12 Sep 2024
Read Now

CVE-2024-38063: Windows TCP/IP Remote Execution Code Vulnerability

Date : 09 Sep 2024
Read Now

What is Brain Cipher? The Ransomware that Took Down the Indonesian National Data Center

Date : 01 Jul 2024
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X
Sangfor Access Secure