AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.
The ransomware uses .NET Reactor to obfuscate its code, likely to deter analysis. It is possible to observe similar characteristics between the functioning ransomware and the LokiLocker ransomware.
The BlackBit ransomware goes through the following preparations before performing its encryption process.
Persistence
In order to ensure persistence, the ransomware copies itself to the startup path and the %AppData% path using the file name “winlogin.exe” and registers itself to the task scheduler. In addition, it uses BAT files to register related registries in order to prevent the task manager from terminating its processes.
- “C:\Windows\System32\cmd.exe” /C schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\rapit\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
- REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Recovery Prevention
After the process for maintaining persistence is finished, the ransomware deletes files in Recycle.bin and volume shadow to prevent users from recovering their files after the encryption process.
- vssadmin delete shadows /all /quiet
- wbadmin DELETE SYSTEMSTATEBACKUP
- wmic shadowcopy delete
- wbadmin delete catalog -quiet
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no
Leaking Information
In addition, the ransomware changes network settings and terminates Windows Defender in order to leak information and prevent detection.
- netsh advfirewall set currentprofile state off
- netsh firewall set opmode mode=disable
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
Terminating Process
BlackBit ransomware terminates the following processes. The process is likely done to scan for the VM environment and expand the range of encryption.
- wxserverview
- qbcfmonitorservice
- qbidpservice
- fdlauncher
- zhudongfangyu
- vmware-usbarbitator64
- vmware-converter
- sqlbrowser
- mydesktopqos
- isqlplussvc
- xfssvccon
- mydesktopservice
- ocautoupds
- firefoxconfig
- tbirdconfig
- mysqld-nt
- mysqld-opt
- sqbcoreservice
- thunderbird
- culserver
- quickboooks.fcs
- zhundongfangyu
- mssqlserver
- mssql$contoso1
- sqlserveragent
After finishing the aforementioned process, the ransomware begins to encrypt files. It then creates Restore-My-Files.txt files in each infected folder path and shows the following ransom note.
AhnLab’s anti-malware software, V3, detects and responds to BlackBit ransomware with a variety of detection points, including file detection and behavior-based detection. To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
Trojan/Win.Avkiller.C5402891 (2023.03.30.01)
[Behavior Detection]
Malware/MDP.Behavior.M29
Ransomware/MDP.Delete.M2117
[IOC]
3a7c3e8a378cd7a4fd83910937c23b19
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post BlackBit Ransomware Being Distributed in Korea appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/51497/