
Yoroi
Founded Year
2014Stage
Corporate Majority | AcquiredAbout Yoroi
Yoroi is a managed security service provider. It provides cybersecurity solutions against industrial espionage, internal threats, and advanced targeted attacks. On October 13th 2020, Tinexta acquired a majority stake in Yoroi. The terms of the transaction were not disclosed.
Missing: Yoroi's Product Demo & Case Studies
Promote your product offering to tech buyers.
Reach 1000s of buyers who use CB Insights to identify vendors, demo products, and make purchasing decisions.
Missing: Yoroi's Product & Differentiators
Don’t let your products get skipped. Buyers use our vendor rankings to shortlist companies and drive requests for proposals (RFPs).
Latest Yoroi News
Sep 30, 2022
Dissecting BlueSky Ransomware Payload Introduction BlueSky is a ransomware firstly spotted in May 2022 and it gained the attention of the threat researchers for two main reasons: the first one is that the group behind the ransomware doesn’t adopt the double-extortion model; the second one is that their targets are even normal users because the ransomware has been discovered inside cracks of programs and videogames. For these reasons, we at Yoroi malware ZLab decided to keep track of the threat, following the distribution of the samples, and we decided to provide a technical analysis of the ransomware payload. Figure 1: Bluesky Control Flow Technical Analysis The API Loading Scheme The sample starts by walking the PEB (Process Environment Block) to dynamically load the APIs. It is a common technique to not statically show them in the import table, it walks one of the three linked lists located in the PEB_LDR_DATA such as InLoadOrderModuleList. In this way, the sample is able to enumerate the modules contained inside the linked list and to compare them with the hashed names hidden inside the code in order to correctly import the desired ones. In this case, the APIs are hashed with djb2 algorithm. Figure 2: Dynamically loading APIs The following figure shows the routines to dynamically load the function: Figure 3: "mw_load_function routine" The obfuscated Stack Strings Instead, other critical strings are obfuscated through the stackstrings method and a simple routine to encrypt them Figure 4: Strings Decryption Routine However, the algorithm is easy to revert, and we developed an easy script to decrypt the stackstrings: string = [123,82,90,123,45,56,32,88,94] decrypted = "" for i in string: decrypted += chr((34 * (i - 94) % 127 + 127) % 127) print(decrypted) Anti-Debug Technique Once resolved the first functions, the sample calls NtSetInformationThread with ThreadHideFromDebugger hiding the thread and if any breakpoint is placed causing the crash of the process, you can read more about this anti-debug technique here Figure 5: NtSetInformationThread anti-debug Privilege Escalation While analyzing the sample, we also found similarities with Conti Ransomware in how the strings are obfuscated and some other routines, like how BlueSky removes the shadow copies through the WMI COM Interface. It abuses the “ICMLuaUtil COM Interface (3E5FC7F9-9A51-4367-9063-A120244FBEC7)”. However, this technique is a well-known and documented technique publicly available on the internet, adopted both in intrusion and malware development operations. Figure 6: Bypassing UAC via ICMLuaUtil The sample calls RtlAdjustPrivilege API call with the token “SeDebugPrivilege”, in order to gain the privilege to arbitrary manipulate every file and process. Figure 7: Evidence of privilege escalation method Generating the Victim ID Figure 8: Hash custom routine The sample proceeds creating a mutex “Global\\{generated_id}” in this case being “Global\1580B4213F8F3E90E4E0E3CD1F6FAC52” Figure 9: Mutex Creation The Encryption Routine Now it’s time to encrypt the files. The first operation of the sample is to aquire a handle to the cryptographic provider PROV_RSA_FULL by calling CryptAcquireContextA: Figure 10: Acquiring a handle to PROV_RSA_FULL BlueSky stores the information related to the encryption, in the registry key “HKCU\SOFTWARE\1580B4213F8F3E90E4E0E3CD1F6FAC52\”. To store the recovery information, it uses “ChaCha20 + Curve25519 + RC4 (on RECOVERYBLOB)”, meanwhile “ChaCha20 + Curve25519” for the encryption Figure 11: BlueSky Recovery Information Below the encryption routine: Figure 12: Encryption routine BlueSky creates a list of the excluded files inside the code. The list is the following: Extensions (ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx) Directories ($recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser) Filenames (# decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db) Exception Handling and other features The sample implements also some interesting Exception Handling features in order to avoid the system crash. In detail, before proceeding to the encryption BlueSky checks if after calling CreateFileW the LastErrorValue is ERROR_SHARING_VIOLATION if true, the sample calls NtQueryInformatonFile retrieving the FileProcessIdsUsingFileInformation which contains a list of the PIDs which use the file. If the PID isn’t equal to itself or the PID of explorer.exe retrieved before, it calls NtQueryInformatonProcess with ProcessInformationClass set to 29 (ProcessBreakOnTermination) to retrieve a value indicating whether the process is considered critical. In this case, the malware skips that file and keeps encrypting others. Figure 13: Checking file availability The sample can prevent the system from entering sleep or turning off the display by calling SetThreadExecutionState to ES_CONTINUOUS Figure 14: Preventing sleep mode At the end of the encryption, the ransom note points to the blog of the attackers: Figure 15: BlueSky Ransomware Website Conclusion Blusky ransomware is a proof that even nowadays cyber criminals use basic and highly effective social engineering techniques. When we are looking for a cracked software, we have to know that there is always a price and in this case it’s a ransomware with a high ransom. So, it is necessary to sensibilize people to avoid installing cracked software, not only inside the company perimeter, but also inside the home devices. It is a simple but effective preventive measure to defend against similar threats. The attention for emerging threats is one of the core activities of Yoroi and we think that BlueSky needs to be observed with attention. Yara Rules rule bluesky_ransomware{ meta: author = "Yoroi Malware ZLab" description = "Rule for BlueSky Ransomware" last_updated = "2022-09-14" tlp = "WHITE" category = "informational" hash = "9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f" strings: //sub_00407a30 $1 = {55 8b ec 83 ec ?? 56 e8 ?? ?? ?? ?? 85 c0 0f 84 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 0f 11 4? ?? 68 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? 0f 11 4? ?? e8 ?? ?? ?? ?? 0f 10 4? ?? 83 c4 ?? 8b d0 8d 4? ?? 50 83 ec ?? 8b cc 6a ?? 6a ?? 83 ec ?? 0f 11 01 8b c4 0f 10 4? ?? 0f 11 00 ff d2 85 c0 0f 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4d c8 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 0f 10 4? ?? 8b 4? ?? 83 ec ?? 8b c4 83 ec ?? 8b 11 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 0f 10 4? ?? 51 0f 11 00 ff 52 28 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 85 f6 78 ?? 8b 4? ?? 8d 5? ?? 52 68 ?? ?? ?? ?? 50 8b 08 ff 5? ?? 85 c0 78 ?? 8b 4? ?? 6a ?? ff 7? ?? 8b 08 50 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 50 08 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? ff d0 5e 8b e5 5d c3} condition: uint16(0) == 0x5A4D and $1} This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB Seat
Yoroi Frequently Asked Questions (FAQ)
When was Yoroi founded?
Yoroi was founded in 2014.
Where is Yoroi's headquarters?
Yoroi's headquarters is located at Via Giovanni Battista Martini 6, Rome.
What is Yoroi's latest funding round?
Yoroi's latest funding round is Corporate Majority.
Who are the investors of Yoroi?
Investors of Yoroi include Tinexta.
Discover the right solution for your team
The CB Insights tech market intelligence platform analyzes millions of data points on vendors, products, partnerships, and patents to help your team find their next technology solution.