Threat Intel Digest

February 2020

The Curious Case of a Mysterious DeathRansom

New types of ransomware appear on the Internet almost every day, each with its own infection style, exfiltration strategy, and attack vector. Yet the main goal, encrypting your files and holding them for ransom, remains the same. And of course, there is always a ransom note.

How do we spot new ransomware? We can only tell if we dig a little deeper into its code. For example, if we look at DeathRansom, we can consider its timestamp, but a timestamp sometimes only indicates a newly compiled build of existing ransomware. A more significant sign of new ransomware is how it behaves. An early version of DeathRansom does not really encrypt your files; it only renames the files on the infected machine, yet it still displays a ransom note to make your files appear encrypted. After a while, a new version of DeathRansom appears, and this time it really encrypts the files. Most of the time, the malicious actor releases a beta version of their malware to test the water before they issue the really damaging binary.


Thief of the Night

Malware updates are one way to make sure that malware can persist on the Internet. As malware prevention and detection get better over time, malware authors scramble to make sure that their executable can survive detection.

Malware can show resistance to analysis by employing different anti-debugging tricks. Proper use of various APIs, such as NtSetInformationThread, NtQueryInformationProcess, and CheckRemoteDebuggerPresent, can be very effective at avoiding being debugged. Other tricks can also be used to avoid analysis. These tricks do not exempt any malware from being studied, but they buy enough time for a malicious actor to generate another update of the malware, which is stronger than its predecessor. "Predator the Thief" always has a new trick up its sleeve, providing a formidable challenge to the good guys. The malware always has a new version that is stronger and more resilient to detection. Its features are enhanced and modified to be better than the previous version. Like a chicken-and-egg scenario, the defenders analyze and detect the malware, and the malware author creates an updated version of the malware, continuing the prevention and detection cycle.


Metamorfo-sis of Banking Malware

Metamorphosis is loosely defined as a complete change in appearance. Some malware achieves a level of metamorphosis by employing encryption and polymorphic functions in its malicious code, so that the malware looks different in every iteration of infection.

Metamorfo malware tries to morph in order to avoid detection. It initially arrives in the form of a phishing email. Once you are tricked into downloading a malicious installer, that installer downloads another malicious file. The new file contains the actual malicious binary, which harvests information on behalf of the malware. It connects and sends the data to its Command-and-Control server, whose domain names are generated dynamically. The malware uses a DGA (Domain Generation Algorithm) to avoid being blocked by authorities: a DGA is a routine that dynamically produces random-looking domain names that the malware knows how to compute. Looking at how Metamorfo goes through several malicious files before it delivers its payload, and how it uses a DGA to avoid being shut down, we can say that Metamorfo lives up to its name.
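As an added illustration of the DGA traffic described above (example code written for this digest, not Metamorfo's own code or any vendor tool): a Python heuristic that scores the second-level label of each queried domain by character entropy and vowel ratio over a constructed DNS log, and flags hosts that produce a burst of random-looking lookups. The log format, host names and domains are assumptions.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample DNS query log: hypothetical hosts and domains, not from the digest.
SAMPLE_DNS_LOG = """\
2020-02-03T10:01:12Z host1 query www.example.com
2020-02-03T10:01:13Z host1 query mail.google.com
2020-02-03T10:01:15Z host2 query xk2j9qzv7pmwt.net
2020-02-03T10:01:16Z host2 query q8hz1lnvp3ywkd.com
2020-02-03T10:01:17Z host2 query ztrq4x9w2mvbn.org
2020-02-03T10:01:20Z host1 query stackoverflow.com
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits per character; equals log2(len) when every character is distinct."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_generated(domain):
    """Second-level label with high entropy AND few vowels. Entropy alone misfires on
    long dictionary names such as stackoverflow (about 3.55 bits), so both must hold."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]  # naive: no public-suffix list
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25

def suspicious_queries(log_text):
    """(host, domain) pairs from the log whose domain looks algorithmically generated."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and looks_generated(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits

def hosts_with_dga_activity(log_text, min_hits=2):
    """Hosts with a burst of generated-looking lookups: a DGA client walking its
    candidate list produces many such queries, while a single odd name proves little."""
    per_host = defaultdict(int)
    for host, _ in suspicious_queries(log_text):
        per_host[host] += 1
    return sorted(h for h, n in per_host.items() if n >= min_hits)

if __name__ == "__main__":
    for host, domain in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{host}: {domain}")
    print("hosts with DGA-like activity:", hosts_with_dga_activity(SAMPLE_DNS_LOG))
```

Thresholds like these are a triage aid, not proof: confirm a flagged host by checking whether the lookups resolve (most DGA candidates do not) and by correlating with the process that issued them.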