
Ransomware, Trojan and Miner together against “PIK-Group”

Security expert Marco Ramilli analyzed a new piece of malware apparently designed to target PIK-Group that implements ransomware, Trojan, and Miner capabilities.

When an unknown sender suggests I click on a super weird URL, dropping a ZIP file straight into my inbox and claiming it is the next targeted attack on a huge company, well, I'm kinda looking forward to it! So I clicked on the link (see the IoC section) and downloaded a “pik.zip” file. The ZIP file wrapped an interesting Cyrillic-looking JavaScript file named Группа Компаний ПИК подробности заказа, which according to Google Translate means “PIK Group of Companies order details”. It looks like a file crafted for PIK-Group, one of the most important real estate companies based in Russia, with more than 14k employees! Analysing the script makes it clear that it won't be a piece of cake: it is heavily obfuscated with multiple techniques. As you can appreciate from Stage0 (following image), there are two main obfuscation streams: the first is implemented by introducing fake static forks such as “if” and “case” statements, and the second by dynamically building function blocks from nested strings, which are themselves dynamically built and split into multiple concatenation steps.

Javascript Stage0

The script eventually drops and executes (the Stage0 execution phase follows) a fake image file (msg.jpg), which is actually a UPX-packed Windows PE acting as the second stage. The second stage drops and executes three additional modules: a backdoor, a miner and finally a quite well-known ransomware. It is actually hard to understand the attacker's needs at this point: why so many different actors in a single attack?

Stage0 Execution

According to pcrisk, the first downloaded module (327B0EF4.exe) looks like the well-known Troldesh ransomware. This particular ransomware renames files so that they consist of a string of characters and digits and appends the “.crypted000007” extension to each. For example, after encryption, the file “1.jpg” might look like this: “hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007”. Furthermore, Crypted000007 creates ten ransom-demand messages (with identical content) named “README1.txt”, “README2.txt” … “README10.txt” and places them on the desktop. The virus also changes the desktop wallpaper. The following image shows the ransom note that I got during the infection phase.

Ransomware Note
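As an added example (not code from the original analysis or from Ramilli), a small Python triage routine that flags a directory listing matching the Troldesh artefacts described above: renamed files ending in “.crypted000007” and the README1.txt … README10.txt notes. The field widths in the filename pattern are an assumption taken from the single sample above, and the sample listing is constructed.

```python
import re

# Hypothetical detector built from the page's description of Troldesh output:
# "<characters and digits>.<hex token>.crypted000007" plus README1..README10.txt.
# Field widths are an assumption drawn from the single sample on the page, so the
# hex token length is kept flexible rather than fixed at 20 characters.
ENCRYPTED_NAME = re.compile(
    r"^(?P<blob>[A-Za-z0-9+/]+={0,2})\.(?P<hextoken>[0-9A-Fa-f]{16,40})\.crypted000007$"
)
RANSOM_NOTE = re.compile(r"^README(?P<n>[1-9]|10)\.txt$", re.IGNORECASE)


def classify_name(name):
    """Return 'encrypted', 'note' or None for a single filename."""
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if RANSOM_NOTE.match(name):
        return "note"
    return None


def triage_listing(names):
    """Summarise a directory listing: count of renamed files, which of the ten
    ransom notes are present, and the distinct middle hex tokens seen (the page
    does not explain that token; collecting it shows whether every renamed file
    carries the same one)."""
    summary = {"encrypted": 0, "notes": set(), "hex_tokens": set()}
    for name in names:
        m = ENCRYPTED_NAME.match(name)
        if m:
            summary["encrypted"] += 1
            summary["hex_tokens"].add(m.group("hextoken").upper())
            continue
        n = RANSOM_NOTE.match(name)
        if n:
            summary["notes"].add(int(n.group("n")))
    # Both artefacts together are a much stronger signal than either alone:
    # a lone README1.txt is a common benign filename.
    summary["suspect"] = summary["encrypted"] > 0 and bool(summary["notes"])
    return summary


# Constructed sample listing: the first name is the article's example, the rest are made up.
SAMPLE_DESKTOP = [
    "hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007",
    "Q2FzaC5kb2N4.135DB21A6CE65DAEFE26.crypted000007",
    "README1.txt", "README2.txt", "README10.txt",
    "notes.txt", "budget.xlsx",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_DESKTOP))
```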

The second installed module (37ED0C97.exe) is a well-known piece of software as well: a miner called nheqminer. Nheqminer is a great implementation of Equihash mining, mainly used on NiceHash but forked many times, and today it is used for several side projects as well. Nheqminer is a Zcash miner designed for common PCs. You might want to check out more here. Exploring memory snapshots during its execution makes it easy to figure out that the miner connects to the Zcash.Flypool server, mining for the following wallet address.

Attacker Wallet

According to zcashnetwork, the attacker's wallet has so far received 4.89 ZCash from mining activity (last transaction on February 26th, 2019). This amount suggests that the attacker's activity started (or restarted) a few days ago, or that its infected botnet is not so big at this time.

According to VirusTotal, the third installed module (B56CE7B7.exe) is another well-known piece of software called Trojan-Heur, (in)famous during 2017 for performing brute force attacks on WordPress-based websites.

A typical behaviour for Trojans like HEUR.Trojan.Win32.Generic is one or all of the following:
Download and install other malware.
Use your computer for click fraud.
Record your keystrokes and the sites you visit.
Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
Give a remote malicious hacker access to your PC.
Advertising banners are injected into the web pages you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.

Indeed, its behaviour perfectly fits the malware family's behaviour. Once installed on the victim's PC it starts brute-forcing many websites looking for weak credentials. Once it finds weak credentials, it installs itself on the WordPress website, keeping the original name “pik.zip”. Thanks to this characteristic it would be possible to enumerate infected websites through combined searches on the Google engine (please see the dropping URLs).

BruteForce Module and installation path

The following image shows the main actors and their relationships. The analysed implant is quite interesting since it raises many questions, for example: why does the attacker pretend to build a targeted attack against PIK-Group (using crafted strings) with refurbished malware? Why does the implant install a “miner” and a “ransomware” as well? While the use of software for harvesting money might be understandable, why did the attacker introduce a brute force Trojan bot?

Main actors map

In my personal opinion, it's quite weird behaviour that goes pretty far from classical state-sponsored attacks. We are facing an actor who apparently wants money (ransomware and miner), but also wants credentials and wants to be able to control the victim's box in the future. But we are also facing an actor who is using the victim to brute force random third-party websites. This activity is quite heavy and easy to detect and block by security administrators or IT guys, which is clearly in opposition to mining (which wants to remain as stealthy as possible) and to the Trojan as well (which wants to propagate itself silently). We might assume a malware building factory that is overselling a small botnet. In any case, I don't think it is a state-sponsored attack against PIK-Group but rather a nice way to maximize profits on a relatively small botnet.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Marco Ramilli.


Pierluigi Paganini

(SecurityAffairs – PIK Group, hacking)
