Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.Encoder.33222

Added to the Dr.Web virus database: 2020-09-27

Virus description added:

Packer: absent

Keys: absent

SHA1 hash:

  • aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7

Description

A trojan-encoder that operates in the 32-bit and 64-bit versions of Microsoft Windows operating systems. It is an executable library written in C++. It uses ChaCha20 and RSA algorithms to encrypt user files. It was first spotted in July 2020. Trojan.Encoder.33222 is a further development of the Maze and Sekhmet encoders, with which it has a lot in common. It is used for targeted attacks on the corporate sector. The encoder’s original name is Egregor Ransomware.

Operating routine

The studied sample is an executable DLL file with the original entry point and three exported functions:

#drweb Trojan.Encoder.33222

The static analysis shows that malicious activity is contained in the DllRegisterServer function. When running the sample on virtual machines, the trojan program is not executed. Since the encoder is designed for targeted attacks, we assume that it is run on command via the command line. For the initial launch, the rundll32.exe C:\Windows\%SAMPLE%, DllRegisterServer -passegregor10 command is used.

After that, the trojan launches the payload, having previously decrypted it with the same algorithm that is used to encrypt user files (ChaCha20). However, in this case, the key and the nonce are accessible. Decryption requires the KojihuDJUFDHGufhdjnbgDfgudfhdfg3 32-byte string as the key and the O_IJDhfs 8-byte string as the nonce:

#drweb Trojan.Encoder.33222

The payload content is hardcoded in the trojan body and encrypted:

#drweb Trojan.Encoder.33222

The payload is a loader in the form of a powershell script that connects to amajai-technologies.industries. At the time of analysis, this server was no longer responding, and the file being uploaded remains unknown. With that, it is worth noting that ransomware operators could steal information through this server. The functionality to operate printers for printing ransom notes in the examined sample was not found and may be contained in the downloaded file.

#drweb Trojan.Encoder.33222

To start further encryption, a batch file is used, which runs the encoder with the DllRegisterServer function, but with different command-line parameters:

#drweb Trojan.Encoder.33222

The payload in the system is disguised as LogMeIn products:

#drweb Trojan.Encoder.33222

It should be noted that the encoder uses the ChaCha20 algorithm (a type of Salsa20 cipher), and not AES, as it is written in some sources. This is confirmed by the expand 16-byte k and expand 32-byte k strings:

#drweb Trojan.Encoder.33222

The use of ChaCha20 is also indicated by the encryption algorithm in the quarter-round function:

#drweb Trojan.Encoder.33222

Below is a comparison between quarter-round of Salsa20 (left) and ChaCha20 (right):

#drweb Trojan.Encoder.33222

To generate the key RtlGenRandom function via the SystemFunction036 call is used. The generator based on RtlGenRandom is considered as cryptographically secure. In this case the decryption is not possible:

#drweb Trojan.Encoder.33222

Most of the code is written manually and obfuscated, which complicates the analysis. The information about the project’s original location is stored in the debugging data: M:\sc\p\testbuild.pdb.

One of the features of this encoder is that the extensions of each file differ even within the same computer. Similar to Sekhmet, a new random extension is used for each file. To identify encrypted files, a four DWORD file marker is used at the end of the file (EOF): 00 00 00 00, 00 00 XX XX, 00 00 XX XX, XX XX 6B B1 (bytes instead of XX are different for each file). Using these values, one can determine that the file was infected by this particular encoder.

#drweb Trojan.Encoder.33222

Clicking on the link provided by the ransomware after infection leads to the operator’s page, accessible through the Tor network.

#drweb Trojan.Encoder.33222

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android