Pierluigi Paganini June 06, 2023

Researchers from security firm Uptycs reported that threat actors linked to the Cyclops ransomware are offering a Go-based information stealer.

The Cyclops group has developed multi-platform ransomware that can infect Windows, Linux, and macOS systems. In an unprecedented move, the group is also offering a separate information-stealer malware that can be used to steal sensitive data from infected systems. This Go-Based info-stealer was developed to target specific files in both Windows and Linux.

The Cyclops group is advertising the ransomware on multiple cybercrime forums, the gang requests a share of profits from those using its malware in financially motivated attacks.

The ransomware supports a complex encryption process

“The encryption is complex; all functions statically implemented using a combination of asymmetric and symmetric encryptions.” reads the report. “After encryption in both Windows and Linux using the public key, CRC32 and a file marker are appended to the end of the file. Used to identify if the file has already been encrypted (so as not to repeat encryption), the Linux file marker is 00ABCDEF, whereas in Windows it’s 000000000000000000000000.”

The Windows version of the info-stealer can be downloaded from the Cyclops admin panel as part of an archive containing the stealer.exe and config.json. The stealer is an executable binary for x64 systems that extracts system information from infected machines.

Upon execution, the stealer reads the config.json file located in the same directory as its execution. The config file contains a list of filenames along with corresponding extensions and sizes.

“The stealer then enumerates directories and checks for the presence of targeted files and specific file extensions. If any matches are found, it creates a new, password-protected zip file (zip file name-n.zip) that includes an exact copy of the identified file along with its corresponding folder tree structure. The data is then exfiltrated to the attacker’s server.” continues the report.

The Linux version of the info-stealer is also obtained from the Cyclops admin panel as an archive file containing the stealer.linux and config.json. This stealer functionality is similar to the Windows version.

The researchers noticed that the Cyclops ransomware encryption logic shares similarities with Babuk ransomware. Both use Curve25519 and HC-256 for Windows encryption and a combination of Curve25519 and ChaCha. The executable strings are encoded and stored as a stack string in the Cyclops ransomware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cyclops ransomware)