February 2, 2017
Spying on GoldenEye Ransomware
Producers of the 1995 James Bond film “GoldenEye” packed the plot with all the signature elements fans expect from the successful franchise. Over-the-top supervillain – check. Cool spy gadgets – check. Exotic locations – check. And, of course, 007 saves the day.
The film was also slightly ahead of its time. The internet, computers and cyberespionage all factor into the plot. In the movie, a criminal element called Janus conspires to steal vast sums of money from the Bank of England. To cover their tracks and spark a global financial meltdown, they plan to knock out the planet’s electronics and communications with a devastating electromagnetic pulse using two nuclear-armed satellites dubbed Petya and Misha.
If you’ve never seen the movie, parts of the story may still seem familiar. GoldenEye is the latest iteration of James-Bond themed ransomware. As Avast noted, the ransomware previously went by the name Petya-Mischa. And the creators of the ransomware – you guessed it – call themselves Janus in homage to the spy flick.
GoldenEye is a ‘Ransomware as a Service’ (RaaS) with a profit-sharing affiliate model in which an affiliate’s cut depends on how much money they bring in each week. Late in 2016, the threat community observed GoldenEye offered as a RaaS, targeting victims with German-themed lures.
Fidelis Cybersecurity Threat Research observed GoldenEye in a recent campaign and analyzed samples of this ransomware. We’re sharing our findings to inform security professionals of this evolving threat.
Fidelis recently observed a wave of GoldenEye deliveries via email starting on December 1, 2016. While the lures themselves all have German themes, such as the use of ‘Bewerbung’ (“application”) in the title, we saw scattered messages delivered to users elsewhere in Europe, the Middle East and North America.
The delivery tactic typically involves an Excel file with an embedded macro. It is sometimes accompanied by a benign decoy document, possibly to reassure the recipient that all the files attached to the email are safe to open and everything is business as usual. However, once opened, a pop-up window appears asking the user to enable macros – which enables the ransomware.
Later in December, we saw instances of GoldenEye involving higher volumes of emails, indicative that the adversary’s initial trial runs went smoothly and it was time to shift production into high gear.
From our observations, Microsoft Office documents are the primary delivery vector for GoldenEye ransomware. The ransomware uses malicious macro code as a dropper, i.e. the next-stage payload is already embedded in the document and nothing needs to be downloaded. Once the email gets past the victim’s perimeter defences and into the inbox, all that stands between the victim and a full-on ransomware attack is the user’s judgement not to open the email and its toxic contents.
After extracting the macro code, we can see chunks of a second-stage script that have been split across multiple variables and shuffled:
Embedded VBA Macro Code
Second Stage Script
This script is fairly simplistic: it concatenates the chunks, base64-decodes the result and then runs it. So all we need to do is mimic the script without executing the payload. Doing this confirms that this is a dropper. Here, we see the PE header of our newly dumped executable:
Dropped PE File
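The static reassembly described above, as an added example that is not part of the original post: it rebuilds the base64 string from a constructed script that mimics the chunk-and-shuffle layout, decodes it and checks the result for a DOS stub and PE signature without ever executing anything. The variable names, the chunk size and the fake PE bytes are all assumptions.

```python
import base64
import re
import struct

# Constructed stand-in for the dropped file: a DOS header whose e_lfanew (0x3C)
# points at a "PE\0\0" signature. Not a real program.
_hdr = bytearray(64)
_hdr[0:2] = b"MZ"
_hdr[0x3C:0x40] = struct.pack("<I", 0x40)
FAKE_PE = bytes(_hdr) + b"PE\0\0" + b"\0" * 20

# Constructed second-stage script in the shape the post describes: base64 chunks
# in shuffled variables, joined in the real order by the last line.
_b64 = base64.b64encode(FAKE_PE).decode()
_chunks = [_b64[i:i + 16] for i in range(0, len(_b64), 16)]
SAMPLE_SCRIPT = "\n".join(
    [f'p{i} = "{c}"' for i, c in reversed(list(enumerate(_chunks)))]
    + ["blob = " + " & ".join(f"p{i}" for i in range(len(_chunks)))]
)

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([A-Za-z0-9+/=]*)"\s*$')   # var = "literal"
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*((?:\w+\s*&\s*)+\w+)\s*$')  # var = a & b & c

def reassemble(script):
    """Rebuild and decode the payload as the script would, without running it."""
    literals, joins = {}, {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        m = CONCAT.match(line)
        if m:
            joins[m.group(1)] = [p.strip() for p in m.group(2).split("&")]
    def resolve(name):
        return literals[name] if name in literals else "".join(resolve(p) for p in joins[name])
    # The final payload variable is the join target that nothing else references.
    referenced = {p for parts in joins.values() for p in parts}
    roots = [n for n in joins if n not in referenced]
    if len(roots) != 1:
        raise ValueError("could not identify the final payload variable")
    return base64.b64decode(resolve(roots[0]))

def pe_summary(blob):
    """Static check of the dumped bytes: 'MZ' stub, e_lfanew and PE signature."""
    info = {"mz": blob[:2] == b"MZ", "pe": False, "e_lfanew": None}
    if info["mz"] and len(blob) >= 0x40:
        off = info["e_lfanew"] = struct.unpack_from("<I", blob, 0x3C)[0]
        info["pe"] = blob[off:off + 4] == b"PE\0\0"
    return info
```

Writing the bytes returned by `reassemble` to disk gives the same dump the post shows, ready for a hash lookup or further static analysis.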
After unpacking, one of the first things the bot does is check whether it is running from %APPDATA%, the customary location for applications to store data on a Windows system. If it finds that it isn’t, it copies itself to that location and launches the copy:
Once all of its components are unpacked, the malware begins its normal file-encryption process, the component previously known as Mischa. A ransom note is placed on the desktop:
GoldenEye Ransom Note
The malware then builds a list of every file whose extension matches an entry in its hard-coded list of target extensions; those files are then encrypted:
File encryption is performed with AES, using a key derived from part of a SHA512 hash. Both the AES and the SHA512 routines are implemented inside the malware, but random data is generated using the Microsoft CryptoAPI.
After encryption, the files are given a random extension. Examining the decrypter interface suggests that the extension is not stored anywhere; that is, it is probably random and unique per infection:
For the Master Boot Record (MBR) ransom component, if the malware has the required access, it XOR-encodes the original bootloader, moves it to another segment of the disk and then installs its own 16-bit bootloader, which encrypts the hard drive while pretending to be CHKDSK:
Fake CHKDSK Message from bootloader code
The disk encryption uses Salsa20. The original implementation had a few flaws, but newer versions have fixed them, and the earlier techniques for recovering from the hard drive encryption no longer work.
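A defender-side check for the bootloader replacement described above, added here as an example that is not part of the original post: it parses sector 0, hashes the 446-byte boot-code region separately from the partition table and signature, and reports which region differs from a baseline recorded on a clean system. The sector layout constants are the standard classic MBR layout; the sample boot-code bytes and partition entry are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # classic MBR: 446 bytes of code, 4 x 16-byte table, 0x55AA
TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"
ENTRY = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code, parts):
    """Constructed test sector: given code bytes plus (status, type, lba, count) entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\0")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY, st, b"\0" * 3, typ, b"\0" * 3, lba, n)
                     for st, typ, lba, n in parts).ljust(64, b"\0")
    return code + table + SIGNATURE

def parse_mbr(sector):
    """Split one sector into a boot-code hash, the partition table and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        st, _, typ, _, lba, n = struct.unpack_from(ENTRY, sector, TABLE_OFF + 16 * i)
        if typ:
            parts.append({"status": st, "type": typ, "lba_start": lba, "sectors": n})
    return {
        "valid_signature": sector[-2:] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def compare_to_baseline(baseline, current):
    """Return a list of findings; empty means sector 0 still matches the recorded baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings

# Constructed baseline and a tampered copy whose code region was replaced while
# the partition table and signature were left intact, as a bootloader swap does.
PARTS = [(0x80, 0x07, 2048, 204800)]
BASELINE = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
TAMPERED = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8", PARTS)
```

On a live Windows host the current sector is read from \\.\PhysicalDrive0 with administrative rights; a swapped bootloader keeps the 0x55AA signature and partition table, so the boot-code hash is the comparison that matters.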
The actor behind this ransomware goes by the moniker “Janus” on the underground and uses a photo of a character from the movie as a profile picture. Like many of their peers, Janus has been very vocal on social media in attempts to generate interest in their products. One such Twitter handle, @JanusSecretary, posts news and updates related to the malware while boasting of a large and successful German-based distributor:
The cybercrime ecosystem is thriving and criminals are continuing to cash in with ransomware attacks. Ransomware-as-a-service gives actors yet another revenue channel and motivates them to innovate and protect their revenue streams. Even as new technical protections are put in place, we expect this ransomware to evolve to evade detection — and scam as many users as possible.
GoldenEye is a great example of how even complex and innovative malware relies on social engineering and manual clicking – in this case, enabling macros in Microsoft Office files – to infect the user’s computer. It also stands in contrast to more traditional types of server-centric exploits that can be patched against. As actors continue to update their tactics, it’s not very surprising that we’ve observed similar instances of embedded malware in many other recent campaigns.
Administrators should pay close attention to these tactics and continually remind their users to never open suspicious attachments delivered via typical spam lures. Use available administrative controls (e.g. lock down the use of macros delivered from outside the organization) to help prevent your organization from becoming a victim.
-Fidelis Threat Research Team