TZW Ransomware Being Distributed in Korea

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files and appends the “TZW” extension after each file's original extension.

This ransomware is being propagated with the version info marked as “System Boot Info”, disguising itself as a normal program file related to boot information.

Figure 1. File version info

It is a .NET executable that contains both a loader and the actual ransomware payload. At run time it decodes the resource named ‘dVvYsaL’ and runs it in memory; this resource holds the loader and the ransomware data, and the loader in turn loads and executes the ransomware file. This packing method was covered in a previous ASEC blog post:

Types of Recent .NET Packers and Their Distribution Trends in Korea


The resource section also contains pornographic images; its contents are shown in Figure 2 below.

Figure 2. Resources including the loader file
Figure 3. Execution logic
Figure 4. Loader file

The loader that is executed next drops a copy under the name ‘GvsqHuTYODA.exe’ into the %AppData% directory and registers it with the Task Scheduler using the following command, which loads the task definition from a temporary XML file.

  • schtasks.exe /Create /TN "Updates\GvsqHuTYODA" /XML "%Temp%\tmpF6C.tmp"
Figure 5. Registering to the task scheduler

After registering the task, it executes the PE file that carries out the ransomware behavior, passing it the “{path}” parameter that designates the files to encrypt.
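The persistence step above leaves a distinctive combination in endpoint telemetry: a schtasks /Create whose task name sits under a benign-looking “Updates” folder, whose definition is loaded from a .tmp file, and whose action runs an executable from %AppData%. The following Python is an added example (editor's code, not from the ASEC post or the malware): it parses the /TN and /XML arguments out of a schtasks command line, reads the Exec action from a Task Scheduler XML definition, and reports each of those three signals. The task XML is constructed, since the post does not show the contents of tmpF6C.tmp, and the list of user-writable directories and the “Updates\” naming check are the editor's heuristics.

```python
"""Hunt for the scheduled-task persistence described above: a task registered
from a temp-file XML under an 'Updates' folder whose action runs an executable
dropped into %AppData%.  Added example, not code from the ASEC post; the task
XML and command line are constructed from the details the post gives."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (schtasks /XML, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Editor's heuristic: locations a legitimately installed updater rarely runs from.
USER_WRITABLE = ("%appdata%", "%temp%", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed from the command line in the post (the real tmpF6C.tmp is not shown).
SAMPLE_CMDLINE = ('schtasks.exe /Create /TN "Updates\\GvsqHuTYODA" '
                  '/XML "%Temp%\\tmpF6C.tmp"')
SAMPLE_TASK_XML = """<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\GvsqHuTYODA.exe</Command></Exec>
  </Actions>
</Task>"""


def parse_schtasks_create(cmdline):
    """Return {'tn': ..., 'xml': ...} for a schtasks /Create line, else None."""
    if not re.search(r"(?i)\bschtasks(\.exe)?\b.*\s/create\b", cmdline):
        return None

    def opt(name):
        m = re.search(rf'(?i)/{name}\s+(?:"([^"]+)"|(\S+))', cmdline)
        return (m.group(1) or m.group(2)) if m else None

    return {"tn": opt("TN"), "xml": opt("XML")}


def task_exec_commands(xml_text):
    """Return the Command of every <Exec> action in a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    cmds = root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return [c.text.strip() for c in cmds if c.text]


def assess_task(cmdline, xml_text):
    """Return a list of findings for a schtasks /Create event plus the XML it loaded."""
    info = parse_schtasks_create(cmdline)
    if info is None:
        return []
    findings = []
    tn = (info["tn"] or "").lower()
    if tn.startswith("updates\\"):
        findings.append(f"task name mimics an updater: {info['tn']}")
    xml_path = (info["xml"] or "").lower()
    if xml_path.endswith(".tmp") and any(d in xml_path for d in USER_WRITABLE):
        findings.append(f"task definition loaded from a temp file: {info['xml']}")
    for cmd in task_exec_commands(xml_text):
        if any(d in cmd.lower() for d in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in assess_task(SAMPLE_CMDLINE, SAMPLE_TASK_XML):
        print(finding)
```

When applying this to a real host, read the .tmp file as raw bytes and pass those to ET.fromstring rather than a decoded string: schtasks writes task definitions with a UTF-16 XML declaration, and the parser honours that declaration only when it sees the bytes. The XML file is usually deleted right after registration, so the same Exec/Command check is worth running over the tasks already present under %SystemRoot%\System32\Tasks as well.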

Figure 6. The ultimately executed ransomware

Before infecting the system, the executed process checks whether it is running in a virtual environment.

Figure 7. Logic to check for virtual environment
Figure 8. Logic to check for virtual environment

It then enumerates the drives on the system to widen the scope of infection before moving on to the file encryption routine.

Figure 9. Exploring the drive

The file encryption process consists of one thread that encrypts shared folders and another that encrypts the local environment.

Figure 10. Infection thread
Figure 11. Part of the shared folder encryption code
Figure 12. File encryption logic

File encryption is applied to every folder except the Windows folder, and once encryption is complete the volume shadow copies are deleted to hinder system recovery.

Figure 13. Deleting the volume shadows
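Deleting shadow copies is one of the highest-signal behaviours to alert on, because it has almost no legitimate reason to occur from a user's session. The post does not show which command this sample uses, so the following added example (editor's code, not from ASEC) matches the tools ransomware commonly abuses for this step (vssadmin, wmic, wbadmin and WMI Win32_ShadowCopy via PowerShell) against constructed process-creation records, and leaves the harmless vssadmin list shadows alone.

```python
"""Detect process creations that delete Volume Shadow Copies, the recovery
inhibition step described above.  Added example, not code from the ASEC post:
the post does not show which command this sample runs, so the patterns cover
the tools ransomware commonly abuses for it rather than this sample's exact
command line.  The events below are constructed (image path, command line)."""
import re

# (regex over a lower-cased, whitespace-collapsed command line, technique label)
SHADOW_DELETE_PATTERNS = [
    (r"\bvssadmin(\.exe)? delete shadows\b", "vssadmin delete shadows"),
    (r"\bvssadmin(\.exe)? resize shadowstorage\b.*/maxsize=", "vssadmin shadowstorage resize"),
    (r"\bwmic(\.exe)? shadowcopy delete\b", "wmic shadowcopy delete"),
    (r"\bwbadmin(\.exe)? delete (catalog|systemstatebackup)\b", "wbadmin backup deletion"),
    (r"win32_shadowcopy\b.*\b(delete|remove)\b", "Win32_ShadowCopy deletion via WMI"),
]

# Constructed process-creation records; only the first, third and fourth are attacks.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete /nointeractive"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
    (r"C:\Program Files\Backup\agent.exe", "agent.exe --schedule nightly"),
]


def normalise(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not evade the regexes."""
    return " ".join(cmdline.lower().split())


def classify(cmdline):
    """Return the technique label for a shadow-copy deletion command line, else None."""
    text = normalise(cmdline)
    for pattern, label in SHADOW_DELETE_PATTERNS:
        if re.search(pattern, text):
            return label
    return None


def triage(events):
    """Return (image, label) for every event whose command line deletes shadow copies."""
    hits = []
    for image, cmdline in events:
        label = classify(cmdline)
        if label:
            hits.append((image, label))
    return hits


if __name__ == "__main__":
    for image, label in triage(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Command-line matching catches the common cases but not a sample that calls the COM/WMI interfaces directly, so pair it with a rule on the parent process: vssadmin or wmic spawned by an executable under %AppData% is a far stronger signal than either fact alone.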

The following ‘ReadMe.txt’ ransom note is left in each path where files were encrypted, and the string “CRYPTO LOCKER” is appended at the end of every infected file.

Figure 14. Ransom note
Figure 15. Infected file

AhnLab’s anti-malware software, V3, detects and responds to the PE files used by the TZW ransomware at multiple points, including file-based and behavior-based detection. To prevent ransomware infection, users should be cautious about running files from unknown sources, scan suspicious files with an anti-malware program, and keep that program updated to the latest version. V3 detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.Generic.C5355494 (2023.01.11.02)
  • Trojan/Win.MSILKrypt.C5020026 (2022.03.21.01)
  • Trojan/Win32.RansomCrypt.R343432 (2020.07.08.05)

[Behavior Detection]

  • Malware/MDP.Inject.M218 (2019.10.30.02)

[IOC Info]

  • eae94abe9753634f79a91ecb4da7ff72
  • 10daa4697b861d3dc45a0a03222ba132
  • f1ab4f5cbf5fc72c4033699edadc4622
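For incident response, the artifacts described earlier (the appended .TZW extension, the “CRYPTO LOCKER” trailer, the ReadMe.txt note) and the MD5 IOCs listed above can be checked with a short scan. The following Python is an added example (editor's code, not from ASEC): it walks a directory tree, separates files that carry the trailer from files that were merely renamed, collects ransom notes, and compares the MD5 of every other file against the IOC list. The tree it scans is constructed by the script itself in a temporary folder, and the file contents and ransom-note text in that fixture are made up.

```python
"""Post-infection triage for the artifacts described above: the appended .TZW
extension, the "CRYPTO LOCKER" trailer on encrypted files, the ReadMe.txt note,
and MD5 matches against the IOC list.  Added example, not code from the ASEC
post; it scans a small directory tree that it constructs itself in a temporary
folder, with constructed file contents and note text."""
import hashlib
import os
import tempfile

IOC_MD5 = {
    "eae94abe9753634f79a91ecb4da7ff72",
    "10daa4697b861d3dc45a0a03222ba132",
    "f1ab4f5cbf5fc72c4033699edadc4622",
}
ENCRYPTED_EXT = ".tzw"          # appended after the original extension, e.g. report.docx.TZW
TRAILER = b"CRYPTO LOCKER"      # string found at the end of infected files
RANSOM_NOTE = "readme.txt"


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_trailer(path, window=64):
    """True if the marker appears within the last `window` bytes of the file."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(max(0, size - window))
        return TRAILER in f.read()


def scan_tree(root):
    """Bucket every file under `root` by the artifact it represents."""
    report = {"encrypted": [], "renamed_only": [], "notes": [], "ioc_hits": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                # Extension alone is not proof: a file renamed but never written
                # (or a decoy) lacks the trailer, so keep the two cases apart.
                bucket = "encrypted" if has_trailer(path) else "renamed_only"
                report[bucket].append(path)
            elif lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif md5_of(path) in IOC_MD5:
                # The IOC hashes identify the dropper/loader PE files, not victim files.
                report["ioc_hits"].append(path)
    return report


def build_fixture(root):
    """Construct a tree containing each artifact type (contents are made up)."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx.TZW"), "wb") as f:
        f.write(bytes(range(256)) + TRAILER)      # encrypted: ciphertext + marker
    with open(os.path.join(docs, "notes.txt.TZW"), "wb") as f:
        f.write(bytes(range(128)))                # renamed but no marker
    with open(os.path.join(docs, "ReadMe.txt"), "w") as f:
        f.write("constructed ransom note text\n")
    with open(os.path.join(root, "clean.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)             # not in the IOC list
    return root


def summarize(report):
    """Reduce a report to sorted base names per bucket, for display and testing."""
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


def demo():
    return summarize(scan_tree(build_fixture(tempfile.mkdtemp(prefix="tzw_triage_"))))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Point scan_tree at a mounted image or a live share rather than the fixture to use it in an engagement; the trailer check reads only the last 64 bytes of each candidate, so it stays cheap on large trees, while hashing is reserved for files that are neither encrypted nor notes.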

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post TZW Ransomware Being Distributed in Korea appeared first on ASEC BLOG.
