# Full Report
The AhnLab SEcurity intelligence Center (ASEC) recently discovered ransomware being distributed disguised as a password cracker tool. Such tools are typically used in brute force attacks, which try every possible combination until the correct password is found. Attackers repeatedly attempt to breach a system’s authentication procedure to steal passwords. This method is particularly […]
# Analysis Summary
# Tool/Technique: Ransomware disguised as Password Cracker
## Overview
This is a piece of ransomware observed being distributed by threat actors disguised as a legitimate password cracking tool, lowering user defenses and increasing the chances of execution. Upon execution it masquerades as a brute-force attack tool: it collects user input (Username/Email), connects to a URL (apparently to fetch something resembling a license key, reinforcing the illusion of a working tool), and then encrypts local files using AES-256 in CFB mode.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Windows (default C:\ directory) and likely Linux/Unix-like systems (/home directory)
- Capabilities: File encryption (AES-256 CFB), deletion of original files, creation of ransom notes, obfuscation using PyInstaller.
- First Seen: Not specified in the text.
## MITRE ATT&CK Mapping
- T1566 - Phishing/Social Engineering
  - T1566.001 - Spearphishing Attachment (indirectly, as it relies on social engineering/deception for execution)
- T1588 - Obtain Capabilities
  - T1588.002 - Obtain Capabilities: Tool (distribution of malware disguised as a desirable tool)
- T1583 - Acquire Infrastructure
  - T1583.001 - Acquire Infrastructure: Domains (implied by connecting to a specific URL to retrieve a key)
- T1059 - Command and Scripting Interpreter (execution via a Python-compiled executable)
- T1486 - Data Encrypted for Impact (the core encryption mechanism used)
## Functionality
### Core Capabilities
- Execution disguised as a password cracker, requesting Username and Email during startup.
- Connects to a specific URL upon execution, potentially to retrieve content mimicking a license or key that reinforces the false legitimacy of the crack tool.
- Encrypts files matching a defined list of extensions (e.g., .jpg, .pdf, .docx, .xlsx, .txt).
- Excludes files if the path contains "Program Files" or "Windows".
- Deletes the original file after successfully encrypting its contents into a new file with the `.NS1419` extension.
- Creates a ransom note file named `snapReadme.txt`.
### Advanced Features
- Obfuscation via PyInstaller to compile Python code into an executable file.
- Uses AES-256 in CFB mode for encryption.
- **Note on Key Handling:** Key-related information is **not** stored locally or transmitted to the threat actor, so file recovery is practically impossible even if the ransom is paid.
- Terminal output is used extensively to show fake "cracking" progress, misleading the user about the actual activity.
## Indicators of Compromise
- File Hashes:
  - MD5: `c925c280d41a19ca4c1e89482b1ee508`
- File Names:
  - Ransom note: `snapReadme.txt`
  - Encrypted file extension: `.NS1419`
- Registry Keys: None specified.
- Network Indicators:
  - Connection to a specific URL (value not disclosed in the provided text, only described as "a specific URL").
- Behavioral Indicators:
  - Creation of files named `snapReadme.txt`.
  - File rename/delete operations following encryption.
  - Directory path checks for "Program Files" or "Windows".
## Associated Threat Actors
- The article does not explicitly name a specific threat actor group, only that it was discovered by AhnLab SEcurity intelligence Center (ASEC).
## Detection Methods
- Signature-based detection: Using the provided MD5 hash.
- Behavioral detection: Monitoring for newly compiled executables masquerading as system/hacking tools that exhibit rapid file encryption behavior or connect to unusual URLs after execution.
- YARA rules: Can be developed based on file structure (PyInstaller artifacts) and strings related to the ransom note or `.NS1419` extension.
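As an added example (not code from the ASEC report), the behavioral indicators above turned into a per-process correlation over a constructed file-event feed: a process that creates `.NS1419` files whose originals are then deleted, or that drops `snapReadme.txt`, is flagged. The event shape, the alert threshold and the assumption that an encrypted copy is named `<original path>.NS1419` are mine, not stated in the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

RANSOM_NOTE = "snapReadme.txt"  # ransom note name from the report
ENCRYPTED_EXT = ".NS1419"       # extension of the encrypted copies
MIN_ENCRYPTED = 5               # assumed alert threshold; tune per environment

@dataclass(frozen=True)
class FileEvent:
    """Minimal file-activity record, e.g. from an EDR or Sysmon feed (assumed shape)."""
    pid: int
    action: str  # "create" or "delete"
    path: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def find_ransomware_pids(events: Iterable[FileEvent],
                         min_encrypted: int = MIN_ENCRYPTED) -> dict:
    """Correlate per process: creation of *.NS1419 files whose original was then
    deleted, and creation of snapReadme.txt. Assumption (not stated in the
    report): the encrypted copy is named <original path> + ".NS1419"."""
    created, deleted, note = defaultdict(set), defaultdict(set), defaultdict(bool)
    for ev in events:
        if ev.action == "create" and ev.path.endswith(ENCRYPTED_EXT):
            created[ev.pid].add(ev.path[:-len(ENCRYPTED_EXT)])
        elif ev.action == "create" and _basename(ev.path) == RANSOM_NOTE:
            note[ev.pid] = True
        elif ev.action == "delete":
            deleted[ev.pid].add(ev.path)
    hits = {}
    for pid in set(created) | set(note):
        originals = created[pid] & deleted[pid]  # encrypted copy exists, original gone
        if note[pid] or len(originals) >= min_encrypted:
            hits[pid] = {"encrypted_originals": len(originals), "ransom_note": note[pid]}
    return hits

# Constructed sample feed: pid 4242 mimics the reported behaviour, pid 100 is benign.
SAMPLE_EVENTS = [
    FileEvent(100, "create", r"C:\Users\alice\notes.txt"),
    *[FileEvent(4242, "create", rf"C:\Users\alice\Documents\report{i}.docx.NS1419") for i in range(6)],
    *[FileEvent(4242, "delete", rf"C:\Users\alice\Documents\report{i}.docx") for i in range(6)],
    FileEvent(4242, "create", r"C:\Users\alice\Documents\snapReadme.txt"),
]

if __name__ == "__main__":
    print(find_ransomware_pids(SAMPLE_EVENTS))  # {4242: {'encrypted_originals': 6, 'ransom_note': True}}
```

In a real deployment the feed would be the EDR's file-create/delete telemetry, and the ransom-note match alone is a strong enough signal to alert on immediately.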
## Mitigation Strategies
- **Prevention:** Do not download or execute software from unreliable sources, especially tools promising hacking capabilities (e.g., password crackers). Only install software from official websites or trusted repositories.
- **Hardening:** Implement robust endpoint detection and response (EDR) to monitor process behavior, especially execution chains involving Python-compiled binaries. Ensure users run with the least privilege necessary.
## Related Tools/Techniques
- Other malware families distributed via deceptive wrapper tools.
- Various ransomware strains utilizing AES encryption modes.