Russian hacking group Evil Corp deploys new ransomware WastedLocker via fake application updates
Evil Corp is an international cybercrime network that uses malicious software to steal money from its victims’ bank accounts. In the last decade, Evil Corp has stolen millions of dollars from hundreds of bank accounts worldwide. Many consider Evil Corp to be the world’s largest, most harmful hacking group.
The Russian cybercrime group, Evil Corp, has added new ransomware to its arsenal called WastedLocker. This ransomware is used in targeted attacks against the enterprise and deployed via fake application/program updates.
Evil Corp uses multiple different types of malware to infect user machines. Its latest strain of malware, Dridex, uses a combination of techniques to automate the theft of users’ banking credentials. The terms are used interchangeably. Dridex is distributed using massive phishing email campaigns that send millions of messages per day.
The Evil Corp gang, also known by CrowdStrike as Indrik Spider, started as affiliates for the ZeuS botnet. As their attacks evolved, the group created ransomware called BitPaymer which was delivered via the Dridex malware in targeted attacks against corporate networks.
The new WastedLocker ransomware appeared in May 2020 (a technical description is included below). The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. The abbreviation of the victim’s name was also seen in BitPaymer, although a larger portion of the organization name was used in BitPaymer and individual letters were sometimes replaced by similar-looking numbers.
The first WastedLocker example was found contained the victim name as in BitPaymer ransom notes and also included both a protonmail.com and tutanota.com email address. Later versions also contained other Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses. Interestingly the user parts of the email addresses listed in the ransom messages are numeric (usually 5 digit numbers) which is similar to the 6 to 12 digit numbers seen used by BitPaymer in 2018.
WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT Intell. On examination, the code turned out to be very basic and used also by other malware families such as Netwalker, Gozi ISFB v3, ZLoader, and Smokeloader. The crypter mainly contains junk code to increase the entropy of the sample and hide the actual code.
WastedLocker aims to encrypt the files of the infected host. However before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly. First, Wastedlocker decrypts the strings which are stored in the .bss section and then calculates a DWORD value that is used later for locating decrypted strings that are related to the encryption process.
This is described in more detail in the String encryption section. In addition, the ransomware creates a log file lck.log and then sets an exception handler that creates a crash dump file in the Windows temporary folder with the filename being the ransomware’s binary filename. WastedLocker chooses a random name from a generated name list in order to generate filename or service names.
What are your views on the WastedLocker ransomware? do mention it in the comment section below. For more news on tech and cybersecurity stay tuned at Android Rookies by subscribing to our newsletter from here