11/12/2016 15:11:45 - New version of Petya Goldeneye 4.0: the ransom is doubled for Mischa and Petya!


After several months of silence, the author of Petya has come back with a brand new version, Goldeneye 4.0.
Last week, starting from 6 December, a spam campaign hit Germany, spreading the Goldeneye version of Petya through e-mails.

The spam campaign was confirmed by Janus, the creator of Petya Goldeneye, on 7 December in a tweet:

The C.R.A.M. (Center of Research and Analysis of Malware) of TG Soft has analysed this new variant to establish how it differs from previous releases.

CONTENTS

==> How Petya Goldeneye spreads
 
==> Running Goldeneye: Mischa ransomware

==> Running Goldeneye: Petya ransomware phase 1

==> Running Goldeneye: Petya ransomware phase 2

==> Running Goldeneye: Petya ransomware phase 3 ransom request

==> The ransom requested by Petya Goldeneye

==> Conclusions



How Petya Goldeneye spreads

The new variant of Petya Goldeneye spreads through e-mails. The spam campaign observed from 6 December onwards hit mainly the German market and, as in all previous cases, the e-mail is again themed as a job application. In this case the e-mail was an application for a position in the production of optoelectronic components.

The subject of the e-mail takes a form similar to:

Bewerbung als Facharbeiter für die Fertigung optoelektronischer Bauteile
(English: "Application as skilled worker for the production of optoelectronic components")

Message body (original German, followed by an English translation):
Sehr geehrte Damen und Herren,

hiermit bewerbe ich mich bei Ihnen für die die Stelle als Facharbeiter für die Fertigung optoelektronischer Bauteile. Meine vollständigen Bewerbungsunterlagen können Sie dem Anhang entnehmen.

Ich freue mich auf Ihre Rückmeldung und stehe Ihnen bei Rückfragen jederzeit gerne zur Verfügung.

Mit freundlichem Gruß

Andreas Meier

Anlagen
Lebenslauf
Zertifikate
Zeugnisse
Kompetenztest

English translation:
Dear Sir or Madam,

I hereby apply to you for the position of skilled worker in the production of optoelectronic components. My complete application documents can be found in the attachment.

I look forward to hearing from you and am available at any time should you have any questions.

Kind regards

Andreas Meier

Attachments
CV
Certificates
References
Skills test

The message carrying Petya contains two attachments:
  • Bewerbung von Drescher.xls (size: 1804800 bytes, MD5: FEF25AFCCEBE63858C093CB716D03203)
  • Bewerbung von Drescher.pdf (size: 138540 bytes, MD5: 16E41EBD9414E9327E9D447E4B5A6FE4)

The Bewerbung von Drescher.xls file contains Excel macros which create, in the %temp% folder, and then run the following file:
Name: rad0A3AB.exe
Size: 368640 bytes
MD5: 08828DAF9A027E97FEE2421AC6CBC868




Running Goldeneye: Mischa ransomware

Opening the Bewerbung von Drescher.xls file with macros enabled results in the execution of rad0A3AB.exe from the %temp% folder.

In this first phase the Mischa ransomware runs, encrypting all document files inside the user's profile folder (c:\user, referred to below as %user%).
The encrypted documents are renamed by appending a new random extension of 8 characters, for example:

Sheet1.xlsx ==> Sheet1.xlsx.rCazhYJU

The Mischa ransomware drops in every subfolder of the %user% folder the file "YOUR_FILES_ARE_ENCRYPTED.TXT" with the following ransom instructions:

You became victim of the GOLDENEYE RANSOMWARE!

The files on your computer have been encrypted with an military grade encryption algorithm. There is no way
to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy steps:

    1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for
       "access onion page".

    2. Visit one of the following pages with the Tor Browser:

        http://golden5a4eqranh7.onion/rCazhYJU
        http://goldeny4vs3nyoht.onion/rCazhYJU

    3. Enter your personal decryption code there:

        rCazhYJUF1pRVywmEsuUey9LrqMAAQ4yYrdeoNHB93eikeexJNBjaRL64UWfNG6PNSo9us5v9[..]
 




Running Goldeneye: Petya ransomware phase 1

After the Mischa ransomware has finished encrypting the document files inside the %user% folder, Goldeneye runs the Petya ransomware.

The dropper of Petya (rad0A3AB.exe) is able to bypass the intermediate level of User Account Control (UAC), infecting the Master Boot Record of the hard drive by overwriting the first 36 sectors, as shown in the following diagram.



 

Sector 0, the MBR, is infected by the Petya loader code; as can be seen in the following image, this code is 147 bytes long.


From sector 1 to 0x20 we can find the viral code of Petya.

 


Sector 0x20 is of particular interest:

This sector is structured as follows:
  • Off. 0x00 (1 byte): disk status
    • 0: disk to encrypt
    • 1: encrypted disk
    • 2: decrypted disk
  • Off. 0x01 (32 bytes): key used for the encryption
  • Off. 0x21 (8 bytes): initialization vector for the encryption
  • Off. 0x29 (128 bytes): Tor onion addresses for the payment of the requested ransom
  • Off. 0xa9 (90 bytes): victim's ID

Sector 0x21, during the first phase, is filled entirely with the byte 0x07.

This sector will be encrypted during phase 2, and during the third and final phase it is used to verify the correctness of the key.

Sector 0x22 contains the original Master Boot Record encrypted with a simple XOR with 0x07, as can be seen in the following image.

Sector 0x23, during this phase, contains only zeroes.
 
At the end of this phase, Petya Goldeneye simulates a BSOD (Blue Screen of Death).

During phase 1 Petya Goldeneye has not yet started to encrypt the Master File Table (MFT); it has only infected the Master Boot Record. If automatic restart on system failure has been disabled, the machine freezes and displays only the fake BSOD error.

If we find ourselves in this situation with the BSOD error, it is possible to shut down the computer, start it from a bootable Windows CD/DVD and run "fixmbr" to remove Petya from the Master Boot Record.
Otherwise, if the computer is restarted manually or restarts automatically, the bootloader of the Petya-infected MBR runs, starting the second phase: the encryption of the Master File Table.
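The sector layout described above lends itself to a small triage tool for a disk image of a suspected victim: it parses sector 0x20, checks whether sector 0x21 is still the 0x07 filler (i.e. phase 1, MFT intact, MBR restore still sufficient) and recovers the original MBR from the XOR 0x07 copy in sector 0x22. This is an added example, not C.R.A.M.'s code; it assumes 512-byte sectors, assumes the onion addresses in the 128-byte field are NUL-separated (the analysis does not state their internal format), and uses a constructed sample image rather than real malware bytes.

```python
# Added example (not C.R.A.M. code): triage a Petya Goldeneye disk image using the sector
# layout above. Assumes 512-byte sectors and NUL-separated onion addresses (an assumption).
import struct

SECTOR = 512
STATE = {0: "disk to encrypt", 1: "encrypted disk", 2: "decrypted disk"}
FMT = "<B32s8s128s90s"  # sector 0x20: status(0x00) key(0x01) IV(0x21) onions(0x29) ID(0xA9)

def parse_state_sector(sector: bytes) -> dict:
    """Split sector 0x20 into its fields and flag the phase-2 key wipe."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    status, key, iv, onions, vid = struct.unpack_from(FMT, sector, 0)
    return {
        "status": STATE.get(status, "unknown"),
        "key_zeroed": key == bytes(32),  # phase 2 overwrites the key with zeroes
        "iv": iv,
        "onions": [a.decode("ascii", "replace") for a in onions.split(b"\x00") if a],
        "victim_id": vid.rstrip(b"\x00").decode("ascii", "replace"),
    }

def mft_still_intact(sector_21: bytes) -> bool:
    """Phase 1 leaves sector 0x21 filled with 0x07; phase 2 encrypts it."""
    return sector_21 == b"\x07" * SECTOR

def recover_original_mbr(sector_22: bytes) -> bytes:
    """Sector 0x22 holds the original MBR XORed with 0x07; XOR again to undo it."""
    return bytes(b ^ 0x07 for b in sector_22)

def triage(image: bytes) -> dict:
    """Report whether restoring the MBR (e.g. fixmbr) would still recover the disk."""
    sec = lambda n: image[n * SECTOR:(n + 1) * SECTOR]
    info = parse_state_sector(sec(0x20))
    info["mft_intact"] = mft_still_intact(sec(0x21))
    info["mbr_restorable"] = info["status"] == "disk to encrypt" and info["mft_intact"]
    info["recovered_mbr_valid"] = recover_original_mbr(sec(0x22))[510:] == b"\x55\xaa"
    return info

def build_sample_image() -> bytes:
    """Constructed phase-1 image (not real malware bytes) to exercise triage()."""
    mbr = (bytes(range(256)) * 2)[:510] + b"\x55\xaa"
    state = struct.pack(FMT, 0, b"K" * 32, b"IV012345",
                        b"http://golden5a4eqranh7.onion\x00http://goldeny4vs3nyoht.onion",
                        b"CONSTRUCTED-VICTIM-ID").ljust(SECTOR, b"\x00")
    img = bytearray(0x24 * SECTOR)
    img[0x20 * SECTOR:0x21 * SECTOR] = state
    img[0x21 * SECTOR:0x22 * SECTOR] = b"\x07" * SECTOR
    img[0x22 * SECTOR:0x23 * SECTOR] = recover_original_mbr(mbr)  # XOR is its own inverse
    return bytes(img)
```

On a real image, `triage(open(path, "rb").read(0x24 * 512))` reports "mbr_restorable" only while the disk is still in phase 1; once the status byte is 1 and the key has been zeroed, restoring the MBR alone no longer recovers the MFT.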




Running Goldeneye: Petya ransomware phase 2

The second phase of Petya begins at the next boot: the MBR code is loaded at address 0:7c00. The Petya-infected MBR reads 0x20 sectors starting from sector 1 and loads them at address 0:8000.

If the first byte of sector 0x20, i.e. the "disk status" field, has the value 0, Petya starts the encryption of the Master File Table of each partition of the disk.

The encryption algorithm used is still Salsa20; here we can see the initialization routine of the input array of Salsa20:

 


During this phase Petya displays a fake chkdsk which in reality is encrypting the Master File Table. The displayed percentage indicates the portion of the Master File Table encrypted so far.

During this phase sector 0x20 is updated:

The first byte of sector 0x20 is updated with the value 1 (encrypted disk) and the 32 bytes of the encryption key are overwritten with zeroes. The 8-byte initialization vector remains intact.

Sector 0x21 is also encrypted, as can be seen in the following image:

Sector 0x23 now holds the number of encrypted clusters, as can be seen in the following image:

At the end of phase 2 of the MFT encryption, the computer will be automatically restarted by Petya.


 



Running Goldeneye: Petya ransomware phase 3 ransom request

During the following boot, Petya reads sector 0x20 and, if the first byte ("disk status") has the value 1, the Petya skull is displayed, alternating between yellow and black.

The image of the skull (drawn with ASCII characters) flickers between the two images:

By pressing any key, we are notified that we are victims of GOLDENEYE RANSOMWARE:

Petya Goldeneye indicates the .onion sites on which the ransom payment should be made and the victim's ID.
At this point Petya remains idle until the decryption key for the MFT is entered.

The key that has to be entered is a string of 32 characters taken from the following set: 0123456789abcdef

From this 32-character key, Petya performs further operations to obtain a new and final 32-byte key.

To verify the correctness of this final 32-byte key, derived from the typed one, Petya attempts to decrypt sector 0x21. If every byte of the sector has the value 0x07 after decryption, the key entered is correct and Petya proceeds to decrypt the MFT.



The ransom requested by Petya Goldeneye

Connecting with the Tor browser to the addresses given earlier, it is possible to discover the amount of ransom that has to be paid. On the first page, the ID of the victim is requested.

On the second page, the total amount to be paid is displayed, quantified in Bitcoin:

On the third page we can see the address of the wallet to which the funds in Bitcoin are to be transferred.

It is also possible to send a message to the authors of the fraud carried out with Petya Goldeneye:



 
 

Conclusions

This new version of Petya Goldeneye has doubled its ransom request: one payment to regain the use of the PC and a second to regain the files:
  • Petya, encrypting the MFT, asks for a ransom in order to decrypt it;
  • Mischa encrypts the data files and asks for another ransom in order to decrypt them.

In previous versions of Petya the encryption of the MFT succeeded only if the dropper was run with Administrator privileges; otherwise it fell back to encrypting the document files through the Mischa ransomware.
This new release first runs the Mischa ransomware and is then able to bypass the intermediate level of User Account Control (UAC) to infect the Master Boot Record.

The unfortunate victim will therefore have to pay both the ransom for the decryption of the Master File Table and the one for the decryption of the data files encrypted by Mischa. In our test the ransoms requested were 1,39 and 1,32 Bitcoin respectively, as shown in the two images below:

Petya:
 
Mischa:



Petya's evolution

Name: Petya 1.0, Red version
Date: March 2016
Notes: It is possible to decrypt the MFT with genetic or metaheuristic algorithms such as "Cuckoo Search".

Name: Petya 2.0, Green version + Mischa
Date: May 2016
Notes: Either Petya or Mischa gets run. It is possible to decrypt the MFT through brute force (number of combinations: 54^8).

Name: Petya 3.0, Green version + Mischa
Date: July 2016
Notes: Either Petya or Mischa gets run. It is possible to decrypt the MFT during phase 1; after this phase it becomes impossible to decrypt the MFT.

Name: Petya Goldeneye, Yellow version + Mischa
Date: December 2016
Notes: First the data files are encrypted by Mischa, then the MBR gets infected by bypassing the intermediate level of UAC. It is possible to decrypt the MFT during phase 1; after this phase it becomes impossible to decrypt the MFT.

As previously mentioned, the creator of Petya likes to call himself Janus.
Janus is a fan of James Bond, particularly of the movie "Goldeneye". In fact, all the names listed (Petya, Mischa, Janus) appear in Goldeneye.

Furthermore, the author of Petya has two Twitter accounts:
  • @JanusSecretary
  • @janussec

Janus likes to "play", mocking the German police of Osnabrück by exchanging tweets about the Goldeneye ransomware:

 
 

C.R.A.M.
Center of Research and Analysis of Malware of TG Soft