Experts found a link between the PureLocker ransomware and the hacking groups Cobalt and FIN6

Intezer and IBM X-Force have examined the PureLocker ransomware, which is written in PureBasic and is capable of attacking Windows, Linux, and macOS.

Interestingly, the PureLocker operators appear to use the services of the same MaaS provider as the hacking groups Cobalt and FIN6, and are associated with those groups.

PureLocker went unnoticed for several months because its authors used several techniques to avoid researchers' attention.

For example, the Windows sample disguised itself as the C++ cryptographic library Crypto++ and included functions of the kind commonly found in music-playback libraries.

As a result, the malware remained unnoticed by antivirus solutions on VirusTotal for several weeks.

“In addition, PureLocker does not exhibit malicious and suspicious behavior if it runs in a sandbox or debugging environment. Moreover, in this case, the payload is generally deleted after execution”, say Intezer and IBM X-Force specialists.

When it comes to file encryption, PureLocker differs little from other ransomware, although it does not try to infect as many victims as possible and is instead used in covert, targeted attacks. It changes the extension of encrypted files to CR1, uses the AES and RSA algorithms, and deletes shadow copies so that victims have no chance of recovering their data that way.

The malware does not encrypt every file on a compromised system; in particular, it leaves executable files alone.
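
As an added illustration (not code from the original article or from Intezer/IBM X-Force), the following Python script flags processes that rename many non-executable files to the .CR1 extension in a short burst, which is the behaviour described above; the CSV event layout and the sample events are constructed assumptions, so adapt the parser to your own EDR or Sysmon export.

```python
from collections import defaultdict
from datetime import datetime
import os

# Extensions the article says PureLocker skips. A process renaming many
# non-executable files to .CR1 in a short burst matches the described behaviour.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".so", ".dylib"}
TARGET_EXT = ".cr1"

def parse_event(line):
    """Assumed CSV layout: ISO timestamp, pid, action, old path, new path."""
    ts, pid, action, old_path, new_path = line.strip().split(",", 4)
    return datetime.fromisoformat(ts), int(pid), action, old_path, new_path

def suspicious_pids(lines, threshold=5, window_seconds=60):
    """Return pids that renamed at least `threshold` non-executable files
    to .CR1 within any `window_seconds` interval."""
    renames = defaultdict(list)
    for line in lines:
        ts, pid, action, old_path, new_path = parse_event(line)
        if action != "RENAME" or not new_path.lower().endswith(TARGET_EXT):
            continue
        src_ext = os.path.splitext(old_path.replace("\\", "/"))[1].lower()
        if src_ext in EXECUTABLE_EXTS:
            continue  # the malware skips executables, so they are not part of the pattern
        renames[pid].append(ts)
    flagged = []
    for pid, stamps in renames.items():
        stamps.sort()
        left = 0  # sliding window over the sorted timestamps
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                flagged.append(pid)
                break
    return sorted(flagged)

# Constructed sample events (not real telemetry): pid 4242 encrypts five
# documents in 20 seconds and never renames the .exe it opens; pid 1000 is benign.
SAMPLE_EVENTS = [
    r"2019-11-13T10:00:00,4242,RENAME,C:\Users\alice\Docs\q3.xlsx,C:\Users\alice\Docs\q3.xlsx.CR1",
    r"2019-11-13T10:00:04,4242,RENAME,C:\Users\alice\Docs\plan.docx,C:\Users\alice\Docs\plan.docx.CR1",
    r"2019-11-13T10:00:09,4242,OPEN,C:\Program Files\App\app.exe,",
    r"2019-11-13T10:00:11,4242,RENAME,C:\Users\alice\Docs\notes.txt,C:\Users\alice\Docs\notes.txt.CR1",
    r"2019-11-13T10:00:15,4242,RENAME,C:\Users\alice\Docs\db.sqlite,C:\Users\alice\Docs\db.sqlite.CR1",
    r"2019-11-13T10:00:20,4242,RENAME,C:\Users\alice\Docs\ledger.pdf,C:\Users\alice\Docs\ledger.pdf.CR1",
    r"2019-11-13T10:03:00,1000,RENAME,C:\Users\alice\Docs\old.txt,C:\Users\alice\Docs\old.txt.bak",
]
```

Running `suspicious_pids(SAMPLE_EVENTS)` returns `[4242]`; tightening the window to 10 seconds returns nothing, which is the knob to tune against your own baseline of legitimate bulk renames.
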

After examining the malware in detail, the experts noticed an interesting feature: the malware, of course, has nothing to do with Crypto++, and although most of its code turned out to be unique, it also contains code found in other malware families, mainly ones linked to the Cobalt group.

As it turned out, PureLocker uses the More_Eggs backdoor, which is sold on the darknet and is also known as Terra Loader and SpicyOmelette. Researchers have long associated this backdoor with a MaaS (Malware-as-a-Service) provider whose services are used by the Cobalt and FIN6 groups.

“It’s interesting to note that the code of the evasion and anti-analysis functionalities described in this blog is directly copied from the “more_eggs” backdoor loader. Some of these duplicated features have allowed the ransomware to stay undetected by evading automated analysis systems. This provides an example of the importance of code reuse analysis for malware detection and classification”, write Intezer and IBM X-Force researchers.

As a result, Intezer analysts suggested that the same people are behind both More_Eggs and PureLocker: in both cases the COM Server DLL components are written in PureBasic, the stage preceding the payload looks almost identical (both in functionality and at the code level), and the encoding and decoding methods are also nearly the same.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
