Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)

by Prapattimynk, Monday, 13 May 2024 (2 weeks ago)
Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)


AhnLab SEcurity Intelligence Center (ASEC) has been continuously covering malware disguised as copyright violation warnings and resumes as a means of distributing ransomware and Infostealers.

  • [Warning] Distribution of Malware Disguised as Resumes and the Fair Trade Commission [1]
  • Distribution of Malware via Resume/Copyright-Related Emails (Ransomware, Infostealer) [2]
  • Makop Ransomware Distributed as Copyright Violation Related Materials [3]
  • Makop Ransomware Disguised as Resume Being Distributed in Korea [4]
  • LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails [5]
  • LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed [6]
  • LockBit Ransomware Being Mass-distributed With Similar Filenames [7]
  • Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes [8]
  • Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes [9]

The distribution of a new malware strain has been identified based on a recent copyright infringement warning, and it will be covered here.

1. Overview

The content of the email remains largely unchanged, but a change in the method of delivering malware has been confirmed. Previously, compressed files with passwords set were attached to emails, but now, the method has been changed to include external links in the email to induce downloads.

Figure 1. An email containing a copyright violation warning

Clicking on the hyperlink “Check copyright violation content” in the body downloads a compressed file. Although no separate password is set for the compressed file, an additional ALZ compressed file named “Copyright summary.alz” exists within the initially downloaded compressed file (Lee eu***_240423.zip).

Figure 2. The compressed file downloaded via the external link
Figure 3. The web source of the site where the compressed file is downloaded

Figure 3 above shows the web source of the page where the file is downloaded, and the atob function is used to decode the Base64 encoded string data, which is then saved to the user’s PC as a compressed file. During the analysis process, additional web pages that distribute the same compressed file have been identified, and the web source formats of these pages are all identical. It has been confirmed that malware is being distributed through phishing emails with the same format as Figure 1.

Figure 4. Malware being distributed through double compression

The compressed file downloaded from this web page does not have a separate password set, but an additional ALZ format compressed file exists inside. This is interpreted as an attempt to bypass detection by anti-malware products based on compression option settings.

Figure 5. The two executable files confirmed upon final decompression

Upon final decompression, two executable files with HWP/Excel icons can be seen. These two executable files were confirmed to be the Vidar Infostealer and the Beast ransomware, respectively.

  • Please check the Copyright violation summary_240423 and take action1.exe (Excel icon, Vidar Infostealer)
  • Please check the Copyright violation summary_240423 and take action.exe (HWP icon, Beast Ransomware)

In cases where two executable files are distributed together, there have been instances where files with the same hash but different names were packaged together, as well as cases where ransomware and Infostealers were distributed together, as in this case. This has been frequently observed not only in content related to copyright infringement but also in phishing emails disguised as resumes, a tactic commonly used for distributing the LockBit ransomware. It appears that the intention is for malicious behaviors to be carried out on the user’s PC regardless of which file is executed.

2. Beast Ransomware

The Beast ransomware was created by the group known for creating and distributing the Monster ransomware. It is recognized as the evolution of Monster. During the analysis process, two types of Beast ransomware were obtained based on the infection results. One type encrypts the original files, compresses them along with a ransom note, and adds “[affected system ID].BEAST.zip” to the file extension (Figure 6). The other type simply adds “[affected system ID].BEAST” (Figure 7).

However, as seen in Figure 7, it was observed that while the original file was encrypted, there was no change in the compression format. However, the ransom note implies a change to the compression format, as indicated by the following statement. The Beast ransomware in Figure 7 is believed to have unintentionally failed to perform compression during the creation process.

  • “If you found this document in a zip, do not modify the contents of that archive!

Furthermore, this ransomware scans for active SMB ports, indicating an intention to search for connectable shared folders on infected systems for the purpose of propagating through lateral movement.

Figure 6. Beast ransomware encrypting the original files and then compressing them with a ransom note
Figure 7. Ransomware adding the BEAST extension after encrypting original files

3. Vidar Infostealer

The other file (Excel icon) distributed alongside the Beast ransomware was identified as the Vidar malware, a type of Infostealer that has the capability to leak user information. Before engaging in data-stealing activities, Vidar connects to a C2 server to receive commands. It then additionally downloads various DLL files to collect user information.

Unlike typical Infostealers, Vidar does not only target user account info on web browsers and email clients. For web browsers, it can target various information such as cookies, AutoFill data, credit card numbers, and even files present on the user’s PC.

Figure 8. Vidar C2 server

As seen in Figure 8, the Vidar malware utilizes public platforms such as Telegram and Steam Community for communication with its C2 server. It searches for identifying strings on these platforms to locate the C2 address and then communicates with the actual C2 server to collect stolen information. By utilizing this method, even if the original C2 is blocked by security products, the threat actors can simply create a new C2 server and modify the content, thereby evading network detection.

4. Conclusion

The amounts demanded by threat actors as ransom payments for decrypting files after infecting systems are exorbitantly high, and there is no guarantee that paying these amounts will result in the recovery of data on the affected systems or that the threat actor will fulfill any requests. Therefore, it is crucial not to execute suspicious files at all.

As seen in this case, ransomware that utilizes fake resumes or copyright violations continues to be distributed with altered internal malware or distribution methods. Hence, users need to exercise extra caution. Also, V3 should be updated to the latest version so that malware infection can be prevented.

[File Detection]
Ransomware/Win.Generic.R646126 (2024.04.24.02)

[Behavior Detection]
Ransom/MDP.Decoy.M1171

[IOC]
78cee04912b214f3436e3fed0c8a120f
bbda482f1ecce55c24e1a444c03da58e

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.