Researchers at Intezer and IBM X-Force have stumbled upon an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. The new malware has been dubbed PureLocker because it's written in the PureBasic programming language, which is unusual for ransomware. Furthermore, PureLocker also seems to have links to the malware-as-a-Service (MaaS) provider that has been used by Cobalt gang, FIN6, and other threat groups.
PureLocker comes with evasion methods and design features that have allowed the ransomware to remain undetected for months. The use of PureBasic programming language also gives the attackers an ability to easily port the malware to Windows, Linux, and macOS thus expanding the list of targeted platforms.
The analyzed Windows sample was masquerading as the C++ cryptography library called Crypto++, and managed to remain undetected by VirusTotal antivirus engines for more than three weeks. Also, when executed in a sandbox the file did not exhibit malicious or suspicious behaviour, the researchers noted.
Further analysis showed that the file was not related to Crypto++, but it did include reused code from several malware families, mainly from Cobalt gang binaries. However, the majority of the code appeared to be unique, indicating that it’s likely a new or highly modified malware.
The malware executed as a COM server DLL by regsrv32.exe, which will invoke the DllRegisterServer export, where the malware’s code resides. The malware strings are encoded and stored as Unicode hex strings. Each string is decoded on demand by calling a string decoding function.
The malware checks if it was executed as intended or if it is being analyzed or debugged, and exits immediately if the checks fail (although it doesn’t delete itself likely in order not to raise suspicion). The malware deletes itself only after it has been successfully executed.
The researchers believe that the malware is a part of a targeted and multi-stage attack, given that it checks whether the “/s /i” arguments are used at execution, to ensure no dialogues are displayed to the user. It checks if it is executed by “regsrv32.exe” and if its file extension is either “.dll” or “.ocx”. It also verifies that the current year on the machine is 2019, and that it has administrator rights. If any of these checks fail, the malware will cease its activity without performing any malicious actions.
The PureLocker malware uses an anti-hooking technique by manually loading another copy of “ntdll.dll” and resolving API addresses manually from there in attempt to evade user-mode hooking of ntdll functions. While it is a known trick, it is unusual to find such a technique in a ransomware, the researchers said.
The malware encrypts the files on the victim’s machine with the standard AES+RSA combination, using a hard-coded RSA key and adding the “.CR1” extension to each encrypted file. PureLocker mostly encrypts data files and securely deletes the original files in order to prevent recovery. Once the encryption is completed, the malware presents a ransom note instructing the victim to contact the attacker via encrypted Proton email service, with the attackers using different email address for each attack.
Another noteworthy thing is that the “CR1”string appears in the attacker email addresses, the encrypted file extension, and ransom note. The researchers believe that this string (since this is RaaS) likely is the identifier of the operators of these specific samples.
“PureLocker is a rather unorthodox ransomware. Instead of trying to infect as many victims as possible, it was designed to conceal its intentions and functionalities unless executed in the intended manner. This approach has worked well for the attackers who have managed to successfully use it for targeted attacks, while remaining undetected for several months,” the research team concluded.