Threat Analysis: Don’t Forget About Kangaroo Ransomware

October 2, 2017 / Eric Merritt

The age of ransomware is upon us.  Advanced ransomware variants are using NSA-leaked exploits to ravage hundreds of thousands of computers and collect thousands of dollars in bitcoins, while new variants are being produced on a weekly basis.  

With advanced samples taking up most of the media bandwidth, it is easy to forget that there are many other ransomware families out there, with more being written every day.  The Kangaroo ransomware family is one of those. While this family does not use leaked exploits like the notorious WannaCry and NotPetya, it has some unique traits worth noting.  Bleeping Computer did a good write-up that covers the general workings of the malware, but after reverse engineering a sample the Carbon Black Threat Analysis Unit (TAU) recently received, we found several interesting aspects that were not discussed there.

Technical Analysis

The Kangaroo ransomware is a straightforward family of malware that makes no attempt to obfuscate its code.  The malicious actor(s) gain access to the system via RDP, drop and execute the malware, and copy the unique ID and encryption key off the victim system.  

Requiring GUI access to infect a system is fairly rare, and that sets this family apart in the ransomware world.  For those analysts in the security community who like to discuss attribution, the authors perform a check at the beginning of the code for the default language of the target system; if it comes back as Russian, Ukrainian, or Belarusian, the ransomware terminates.

Impersonating Explorer.exe

During the setup phase of the infection, Kangaroo attempts to hide on the victim by impersonating explorer.exe. Three API calls are used to copy the version and language information of the native explorer.exe binary into the malware:

  1. BeginUpdateResourceW
  2. UpdateResourceW
  3. EndUpdateResourceW

Together these calls open the malware's own file for resource editing, write the version information read from explorer.exe into it, and commit the change, so that the file looks like explorer on disk.  

The picture below shows the properties of the native explorer.exe binary.  After the version information has been applied to the Kangaroo executable and the file renamed, the result is the picture in the bottom right: carrying the version and language information taken from the system, the malware now looks like it belongs on the victim.

TimeStomping Tactic

In order to complete the charade, Kangaroo performs time stomping on the malware by reading explorer's creation, last-write, and last-access times and applying them to itself using GetFileTime and SetFileTime.  

This combination can make it difficult to locate the malware if traditional timeline forensics are performed on the system.  Note, however, that SetFileTime only rewrites the $STANDARD_INFORMATION timestamps in the file's MFT record; the $FILE_NAME timestamps are untouched, so comparing the two sets can still expose the stomp, provided the file was not renamed or moved afterwards (NTFS refreshes $FILE_NAME from $STANDARD_INFORMATION on those operations).
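As an added example (not code from the post or from TAU), the following Python hunts an inventory of file records for the artefact this tactic leaves behind: a file whose creation and last-write timestamps equal explorer.exe's to the tick, which an unrelated file almost never does. The `FileRecord` type, the inventory records, their timestamps, and the drop location `C:\Users\Public\explorer.exe` are constructed for the demonstration and are not taken from the analyzed sample; `stat_inventory` shows how to collect real records with `os.stat`.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    """One file in an inventory (constructed type for this example)."""
    path: str
    size: int
    created_ns: int   # creation time; NTFS keeps these at 100 ns resolution
    written_ns: int   # last write
    accessed_ns: int  # last access


def stat_inventory(paths: Iterable[str]) -> List[FileRecord]:
    """Collect records from a live system. On Windows, os.stat reports the creation time in st_ctime_ns."""
    records = []
    for p in paths:
        st = os.stat(p)
        records.append(FileRecord(p, st.st_size, st.st_ctime_ns, st.st_mtime_ns, st.st_atime_ns))
    return records


def find_timestamp_clones(records: Iterable[FileRecord],
                          reference_path: str = r"C:\Windows\explorer.exe") -> List[Tuple[FileRecord, bool]]:
    """Return (record, access_time_also_matches) for every file that is not the reference but carries
    the reference's exact creation and last-write timestamps. Kangaroo copies explorer's times with
    GetFileTime/SetFileTime, so the stomped (and possibly renamed) binary collides on this key.
    Last-access is reported but not required: many systems no longer update it, and it can drift
    after the copy, which makes it a weaker signal."""
    recs = list(records)
    ref = next((r for r in recs if r.path.lower() == reference_path.lower()), None)
    if ref is None:
        return []
    key = (ref.created_ns, ref.written_ns)
    return [(r, r.accessed_ns == ref.accessed_ns)
            for r in recs
            if r.path.lower() != reference_path.lower() and (r.created_ns, r.written_ns) == key]


# Constructed inventory; timestamps are illustrative 100 ns multiples, not values from the sample.
EXPLORER_CREATED = 1_505_000_000_123_456_700
EXPLORER_WRITTEN = 1_505_000_000_987_654_300
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\explorer.exe", 4_270_000, EXPLORER_CREATED, EXPLORER_WRITTEN, 1_506_000_000_000_000_000),
    FileRecord(r"C:\Windows\System32\notepad.exe", 243_000, 1_505_000_000_555_555_500, 1_505_000_001_000_000_000, 1_506_000_000_000_000_000),
    # hypothetical drop location for the stomped, renamed ransomware
    FileRecord(r"C:\Users\Public\explorer.exe", 312_000, EXPLORER_CREATED, EXPLORER_WRITTEN, 1_506_700_000_000_000_000),
    FileRecord(r"C:\Users\alice\Documents\budget.xlsx", 58_000, 1_506_900_000_000_000_000, 1_506_950_000_000_000_000, 1_506_960_000_000_000_000),
]

if __name__ == "__main__":
    for rec, access_match in find_timestamp_clones(SAMPLE_INVENTORY):
        print(f"timestamp clone of explorer.exe: {rec.path} ({rec.size} bytes, access time matches: {access_match})")
```

The size mismatch between the clone and the real explorer.exe is the tell once the collision is found; a legitimate second copy of the binary (a backup, for instance) would match on size as well.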

The combination of version copying and time stomping prompted TAU researchers to ask whether other files use the same trick to blend in with the system.  A retro hunt with the following YARA rule returned some interesting results.

import "pe"

rule impersonate_file
{
    meta:
        description = "Imports the resource-update and file-time APIs Kangaroo uses to impersonate explorer.exe"
    condition:
        pe.imports("KERNEL32.DLL", "BeginUpdateResourceW") and
        pe.imports("KERNEL32.DLL", "UpdateResourceW") and
        pe.imports("KERNEL32.DLL", "EndUpdateResourceW") and
        pe.imports("KERNEL32.DLL", "GetFileTime") and
        pe.imports("KERNEL32.DLL", "SetFileTime")
}

This hunt returned about 6,000 matches, roughly half of which are flagged as malicious by 20 or more antivirus engines.  That does not make every match malicious; many of the rest are likely installers, which have legitimate reasons to rewrite resources and file times, but this combination of APIs is suspicious at best.

File Extension and File Path Whitelisting

Many ransomware families target certain file extensions for encryption, but an interesting difference in this family is its use of a whitelist to prevent any damage to the system itself.  In fact, the Bleeping Computer blog details how to recover access to the system by using safe mode to disable the ransomware after encryption has completed.  The user's files will still be encrypted, but access to the system can be restored.  The whitelist uses a combination of extensions, file attributes, and paths.  Files with these extensions, and the ransom note itself, are not encrypted:

  • .exe
  • .lnk
  • .dll
  • .tmp
  • .sys
  • .ini
  • .msi
  • .crypted_file
  • .com
  • .bin
  • .bat
  • .dat
  • .mui
  • Instructions_Data_Recovery.txt

Files carrying any of the following attributes are also checked for and will not be encrypted (FILE_ATTRIBUTE_NORMAL is only reported for a file with no other attribute set, so this check exempts fewer files than it might appear):

  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_TEMPORARY
  • FILE_ATTRIBUTE_NORMAL

Finally, Kangaroo will avoid encrypting any files in these paths:

  • %WINDIR%
  • \\Microsoft\\Windows

The malware may miss a few user files this way, but the system remains up and locked into the ransomware's splash screen with instructions for purchasing the decryption key.
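To see how the three kinds of rule interact, here is the described whitelist recreated as a Python predicate. This is an added example, not the malware's code or TAU's: the order in which the criteria are tested, the `%WINDIR%` value, and the sample paths are assumptions. It is handy for checking whether a decoy or canary file placed to catch this family would actually be touched; the `canary.docx` case shows the FILE_ATTRIBUTE_NORMAL quirk, where a file whose attributes have been cleared (for example with `attrib -A`) is exempted.

```python
import ntpath

# Win32 file attribute bits (winnt.h)
FILE_ATTRIBUTE_SYSTEM = 0x0004
FILE_ATTRIBUTE_ARCHIVE = 0x0020
FILE_ATTRIBUTE_NORMAL = 0x0080      # only ever reported when no other attribute is set
FILE_ATTRIBUTE_TEMPORARY = 0x0100

# The whitelist as described in the post.
SKIPPED_EXTENSIONS = {".exe", ".lnk", ".dll", ".tmp", ".sys", ".ini", ".msi",
                      ".crypted_file", ".com", ".bin", ".bat", ".dat", ".mui"}
SKIPPED_NAMES = {"instructions_data_recovery.txt"}
SKIPPED_ATTRIBUTES = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_NORMAL
SKIPPED_PATH_FRAGMENTS = ("\\microsoft\\windows",)


def whitelist_reason(path: str, attributes: int, windir: str = r"C:\Windows") -> str:
    """Return why the whitelist would leave `path` alone, or "" if it would be encrypted.
    The order of the checks is an assumption; the post lists the criteria, not their precedence."""
    lower = path.lower()
    name = ntpath.basename(lower)
    if name in SKIPPED_NAMES:
        return "ransom note"
    ext = ntpath.splitext(name)[1]
    if ext in SKIPPED_EXTENSIONS:
        return "extension " + ext
    hit = attributes & SKIPPED_ATTRIBUTES
    if hit:
        return "attribute 0x%x" % hit
    if lower.startswith(windir.lower().rstrip("\\") + "\\"):
        return "under %WINDIR%"
    if any(frag in lower for frag in SKIPPED_PATH_FRAGMENTS):
        return "path contains \\Microsoft\\Windows"
    return ""


def would_be_encrypted(path: str, attributes: int, windir: str = r"C:\Windows") -> bool:
    return whitelist_reason(path, attributes, windir) == ""


# Constructed candidate decoy locations (not from the analyzed sample).
CANDIDATES = [
    (r"C:\Users\alice\Documents\budget.xlsx", FILE_ATTRIBUTE_ARCHIVE),                         # encrypted
    (r"C:\Users\alice\Documents\canary.docx", FILE_ATTRIBUTE_NORMAL),                          # skipped: NORMAL-only
    (r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\x.jpg", FILE_ATTRIBUTE_ARCHIVE),  # skipped: path
    (r"C:\Windows\Temp\report.pdf", FILE_ATTRIBUTE_ARCHIVE),                                   # skipped: %WINDIR%
    (r"D:\share\Instructions_Data_Recovery.txt", FILE_ATTRIBUTE_ARCHIVE),                      # skipped: ransom note
    (r"C:\Users\alice\Desktop\tool.exe", FILE_ATTRIBUTE_ARCHIVE),                              # skipped: extension
]

if __name__ == "__main__":
    for path, attrs in CANDIDATES:
        reason = whitelist_reason(path, attrs)
        print(f"{'skip   ' if reason else 'encrypt'} {path}  {reason}")
```

Ordinary user documents on NTFS carry FILE_ATTRIBUTE_ARCHIVE, so they fall through every check and are encrypted; a decoy only works if it is left with that attribute and kept out of the exempted paths.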

Covering its Tracks

Kangaroo makes one more attempt to hide its origins on the system by performing some final anti-forensic tasks. Both the SYSTEM and SECURITY event logs are cleared and the Volume Shadow Copy backups are deleted. Kangaroo uses an interesting indirection for deleting the shadow copies that could confuse some security products.

Rather than running vssadmin itself, the malware uses wmic.exe to create a new cmd.exe process, and that cmd.exe runs the vssadmin command that performs the deletion. Because WMI process creation is carried out by the WMI provider host, the cmd.exe (and the vssadmin.exe under it) is parented by WmiPrvSE.exe rather than by the malware, so a protection that keys on the direct parent of vssadmin.exe, or on a known ransomware process spawning it, never sees the link back to the real caller.
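As an added example, not code from the post or from TAU, the following Python runs that detection over constructed process-creation telemetry: it flags any vssadmin.exe deleting shadow copies (and the sibling `wmic shadowcopy delete` form), walks the ancestry, and when the chain passes through WmiPrvSE.exe recovers the real caller by matching the spawned command line against a `wmic process call create` seen in the same telemetry. The PIDs, the paths (including `C:\Users\Public\explorer.exe` as the malware's location), and the `/all /quiet` switches are constructed for the demonstration, not taken from the analyzed sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Process-creation record (the fields a Sysmon Event ID 1 or EDR row carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int                     # process that issued the shadow-copy deletion
    chain: List[str]             # executable names from that process up through its visible ancestors
    via_wmi: bool                # ancestry runs through WmiPrvSE.exe, so the parent link is not the caller
    launcher_pid: Optional[int]  # wmic.exe that asked WMI to create the command, if correlated
    origin_pid: Optional[int]    # parent of that wmic.exe, i.e. the process that really started the chain


VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
WMIC_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)  # sibling technique, same outcome


def _name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(cmd: str) -> str:
    """Drop quotes and collapse whitespace so a command nested inside a quoted wmic argument compares equal."""
    return " ".join(cmd.replace('"', "").lower().split())


def _ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        chain.append(by_pid[chain[-1].ppid])
        seen.add(chain[-1].pid)
    return chain


def detect_shadow_deletion(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    launchers = [e for e in events
                 if _name(e.image) == "wmic.exe" and "process call create" in e.cmdline.lower()]
    alerts: List[Alert] = []
    for ev in events:
        name = _name(ev.image)
        if name == "vssadmin.exe":
            hit = VSSADMIN_DELETE.search(ev.cmdline)
        elif name == "wmic.exe":
            hit = WMIC_DELETE.search(ev.cmdline)
        else:
            hit = None
        if not hit:
            continue
        chain = _ancestry(ev, by_pid)
        names = [_name(p.image) for p in chain]
        launcher = origin = None
        via_wmi = "wmiprvse.exe" in names
        if via_wmi:
            # WMI created the process, so its parent is the provider host, not the caller. The process
            # directly below WmiPrvSE.exe is the one WMI spawned; find the wmic.exe whose argument embeds it.
            spawned = chain[names.index("wmiprvse.exe") - 1]
            for w in launchers:
                if _norm(spawned.cmdline) in _norm(w.cmdline):
                    launcher, origin = w.pid, w.ppid
                    break
        alerts.append(Alert(ev.pid, names, via_wmi, launcher, origin))
    return alerts


# Constructed telemetry; PIDs, paths and switches are illustrative, not from the analyzed sample.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(900, 600, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(4100, 3000, r"C:\Users\Public\explorer.exe", "explorer.exe"),  # renamed ransomware (hypothetical path)
    ProcEvent(4120, 4100, r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic process call create "cmd.exe /c vssadmin delete shadows /all /quiet"'),
    ProcEvent(4130, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent(4140, 4130, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(5000, 700, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # benign admin query
]

if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"pid {a.pid}: {' <- '.join(a.chain)}; via WMI: {a.via_wmi}; "
              f"requested by pid {a.launcher_pid}, whose parent is pid {a.origin_pid}")
```

The parent chain of the vssadmin.exe process ends at WmiPrvSE.exe and svchost.exe, which is exactly why parent-based rules miss this; the correlation on the embedded command line is what brings the chain back to the process that launched wmic.exe.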

Ransom Note

At this point the user will see a splash screen containing information on how to recover the key and decrypt their files.

Conclusion

The majority of ransomware families use mass infectors with heavy code obfuscation and dramatically affect the stability of the system. Kangaroo takes a vastly different approach: the actors need GUI access to the system, the code is unobfuscated, and the system is kept stable.

While the Kangaroo ransomware family may not be as flashy to the media as WannaCry and NotPetya, it uses some interesting techniques that should be defended against.  Since the operators rely on RDP for initial access, preventing or limiting RDP exposure to the Internet, and requiring two-factor authentication where it must remain reachable, goes a long way toward protecting against this family.  At the end of the day, whether the vector is a flashy NSA exploit or direct RDP access, if your files are encrypted by ransomware it is going to be a bad day.

IOCs / YARA

IOC                                                               Type    Context
478383fb588665c254d416b7c50a124f82291124b002d9bad9fd758a59fd728f  SHA256  Kangaroo Ransomware sample analyzed
kangarooencryption@mail.ru                                        Email   Address used in ransom note

     
TAGS: Carbon Black / Kangaroo Ransomware / Threat Analysis Unit
