Yoroi

Sep 30, 2022

Dissecting BlueSky Ransomware Payload Introduction BlueSky is a ransomware firstly spotted in May 2022 and it gained the attention of the threat researchers for two main reasons: the first one is that the group behind the ransomware doesn’t adopt the double-extortion model; the second one is that their targets are even normal users because the ransomware has been discovered inside cracks of programs and videogames. For these reasons, we at Yoroi malware ZLab decided to keep track of the threat, following the distribution of the samples, and we decided to provide a technical analysis of the ransomware payload. Figure 1: Bluesky Control Flow Technical Analysis The API Loading Scheme The sample starts by walking the PEB (Process Environment Block) to dynamically load the APIs. It is a common technique to not statically show them in the import table, it walks one of the three linked lists located in the PEB_LDR_DATA such as InLoadOrderModuleList. In this way, the sample is able to enumerate the modules contained inside the linked list and to compare them with the hashed names hidden inside the code in order to correctly import the desired ones. In this case, the APIs are hashed with djb2 algorithm. Figure 2: Dynamically loading APIs The following figure shows the routines to dynamically load the function: Figure 3: "mw_load_function routine" The obfuscated Stack Strings Instead, other critical strings are obfuscated through the stackstrings method and a simple routine to encrypt them  Figure 4: Strings Decryption Routine However, the algorithm is easy to revert, and we developed an easy script to decrypt the stackstrings:  string = [123,82,90,123,45,56,32,88,94] decrypted = "" for i in string: decrypted += chr((34 * (i - 94) % 127 + 127) % 127) print(decrypted) Anti-Debug Technique Once resolved the first functions, the sample calls NtSetInformationThread with ThreadHideFromDebugger hiding the thread and if any breakpoint is placed causing the crash of the process, you can read more about this anti-debug technique here   Figure 5: NtSetInformationThread anti-debug Privilege Escalation While analyzing the sample, we also found similarities with Conti Ransomware in how the strings are obfuscated and some other routines, like how BlueSky removes the shadow copies through the WMI COM Interface. It abuses the “ICMLuaUtil COM Interface (3E5FC7F9-9A51-4367-9063-A120244FBEC7)”. However, this technique is a well-known and documented technique publicly available on the internet, adopted both in intrusion and malware development operations. Figure 6: Bypassing UAC via ICMLuaUtil The sample calls RtlAdjustPrivilege API call with the token “SeDebugPrivilege”, in order to gain the privilege to arbitrary manipulate every file and process. Figure 7: Evidence of privilege escalation method Generating the Victim ID Figure 8: Hash custom routine The sample proceeds creating a mutex “Global\\{generated_id}” in this case being “Global\1580B4213F8F3E90E4E0E3CD1F6FAC52”  Figure 9: Mutex Creation The Encryption Routine Now it’s time to encrypt the files. The first operation of the sample is to aquire a handle to the cryptographic provider PROV_RSA_FULL by calling CryptAcquireContextA:  Figure 10: Acquiring a handle to PROV_RSA_FULL BlueSky stores the information related to the encryption, in the registry key “HKCU\SOFTWARE\1580B4213F8F3E90E4E0E3CD1F6FAC52\”. To store the recovery information, it uses “ChaCha20 + Curve25519 + RC4 (on RECOVERYBLOB)”, meanwhile “ChaCha20 + Curve25519” for the encryption  Figure 11: BlueSky Recovery Information Below the encryption routine:  Figure 12: Encryption routine  BlueSky creates a list of the excluded files inside the code. The list is the following:  Extensions (ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx)  Directories ($recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser)  Filenames (# decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db)  Exception Handling and other features The sample implements also some interesting Exception Handling features in order to avoid the system crash. In detail, before proceeding to the encryption BlueSky checks if after calling CreateFileW the LastErrorValue is ERROR_SHARING_VIOLATION if true, the sample calls NtQueryInformatonFile retrieving the FileProcessIdsUsingFileInformation which contains a list of the PIDs which use the file. If the PID isn’t equal to itself or the PID of explorer.exe retrieved before, it calls NtQueryInformatonProcess  with ProcessInformationClass set to 29 (ProcessBreakOnTermination) to retrieve a value indicating whether the process is considered critical. In this case, the malware skips that file and keeps encrypting others. Figure 13: Checking file availability  The sample can prevent the system from entering sleep or turning off the display by calling SetThreadExecutionState to ES_CONTINUOUS  Figure 14: Preventing sleep mode  At the end of the encryption, the ransom note points to the blog of the attackers:  Figure 15: BlueSky Ransomware Website  Conclusion Blusky ransomware is a proof that even nowadays cyber criminals use basic and highly effective social engineering techniques. When we are looking for a cracked software, we have to know that there is always a price and in this case it’s a ransomware with a high ransom. So, it is necessary to sensibilize people to avoid installing cracked software, not only inside the company perimeter, but also inside the home devices. It is a simple but effective preventive measure to defend against similar threats. The attention for emerging threats is one of the core activities of Yoroi and we think that BlueSky needs to be observed with attention. Yara Rules rule bluesky_ransomware{ meta: author = "Yoroi Malware ZLab" description = "Rule for BlueSky Ransomware" last_updated = "2022-09-14" tlp = "WHITE" category = "informational" hash = "9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f" strings: //sub_00407a30 $1 = {55 8b ec 83 ec ?? 56 e8 ?? ?? ?? ?? 85 c0 0f 84 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 0f 11 4? ?? 68 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? 0f 11 4? ?? e8 ?? ?? ?? ?? 0f 10 4? ?? 83 c4 ?? 8b d0 8d 4? ?? 50 83 ec ?? 8b cc 6a ?? 6a ?? 83 ec ?? 0f 11 01 8b c4 0f 10 4? ?? 0f 11 00 ff d2 85 c0 0f 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4d c8 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 0f 10 4? ?? 8b 4? ?? 83 ec ?? 8b c4 83 ec ?? 8b 11 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 0f 10 4? ?? 51 0f 11 00 ff 52 28 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 85 f6 78 ?? 8b 4? ?? 8d 5? ?? 52 68 ?? ?? ?? ?? 50 8b 08 ff 5? ?? 85 c0 78 ?? 8b 4? ?? 6a ?? ff 7? ?? 8b 08 50 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 50 08 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? ff d0 5e 8b e5 5d c3} condition: uint16(0) == 0x5A4D and $1} This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB Seat