Intezer and IBM X-Force have examined the PureLocker ransomware, which is written in PureBasic and is capable of attacking Windows, Linux, and macOS. Interestingly, the PureLocker operators appear to use the same MaaS provider as the Cobalt and FIN6 hacking groups and are associated with them.
PureLocker went unnoticed for several months, as the authors of the malware in various ways avoided the attention of researchers.
For example, the Windows sample masqueraded as the C++ cryptographic library Crypto++ and contained functions commonly found in music-playback libraries.
As a result, the malware went undetected by the antivirus engines on VirusTotal for several weeks.
“In addition, PureLocker does not exhibit malicious and suspicious behavior if it runs in a sandbox or debugging environment. Moreover, in this case, the payload is generally deleted after execution,” say Intezer and IBM X-Force specialists.
When it comes to file encryption, PureLocker differs little from other ransomware, although it does not aim to infect as many victims as possible; it is used in covert, targeted attacks. It changes the file extension to CR1, uses the AES and RSA algorithms, and deletes shadow copies so that victims have no chance to recover their data that way.
The malware does not encrypt every file on a compromised system; it skips executable files.
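The behaviour just described (many files renamed to a new extension, executables left alone) is what a file-activity monitor can key on. The following is an added example written for this article, not code from the researchers or from the malware: a rename-burst heuristic over constructed rename events. The `.CR1` extension comes from the report; the burst threshold, the time window, and the event records are assumptions made for the illustration.

```python
"""Rename-burst heuristic for ransomware-like file activity (added example).
The extension '.CR1' is the one reported for PureLocker; the threshold, the
window and the telemetry records below are constructed for this illustration.
Real telemetry (Sysmon, auditd, EDR rename events) would be mapped onto the
same RenameEvent shape."""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Deque, Dict, List, Set, Tuple

SUSPECT_EXTENSION = ".cr1"   # extension reported for PureLocker (compared lower-cased)
BURST_COUNT = 5              # assumption: suspect renames within the window that trigger an alert
BURST_WINDOW_S = 10.0        # assumption: sliding window length in seconds


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds since an arbitrary epoch
    pid: int        # process that performed the rename
    old_path: str
    new_path: str


def is_suspect_rename(ev: RenameEvent) -> bool:
    """True when a file that did not carry the suspect extension is renamed to carry it."""
    old_suffix = PureWindowsPath(ev.old_path).suffix.lower()
    new_suffix = PureWindowsPath(ev.new_path).suffix.lower()
    return new_suffix == SUSPECT_EXTENSION and old_suffix != SUSPECT_EXTENSION


def detect_bursts(events: List[RenameEvent]) -> List[Tuple[int, float, int]]:
    """Return one (pid, alert_time, count) per process that performs at least
    BURST_COUNT suspect renames within any BURST_WINDOW_S-second window.
    The alert is raised at the moment the threshold is first crossed."""
    recent: Dict[int, Deque[float]] = defaultdict(deque)
    alerted: Set[int] = set()
    alerts: List[Tuple[int, float, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspect_rename(ev):
            continue
        window = recent[ev.pid]
        window.append(ev.ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ev.ts - window[0] > BURST_WINDOW_S:
            window.popleft()
        if len(window) >= BURST_COUNT and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append((ev.pid, ev.ts, len(window)))
    return alerts


# Constructed sample telemetry: pid 4242 renames six documents within three
# seconds (the .exe in the same folder is never touched); pid 777 is a user
# renaming a single file, which must not alert.
SAMPLE_EVENTS = [
    RenameEvent(100.0, 4242, r"C:\Users\a\Documents\budget.xlsx", r"C:\Users\a\Documents\budget.CR1"),
    RenameEvent(100.5, 4242, r"C:\Users\a\Documents\plan.docx", r"C:\Users\a\Documents\plan.CR1"),
    RenameEvent(101.0, 4242, r"C:\Users\a\Pictures\1.jpg", r"C:\Users\a\Pictures\1.CR1"),
    RenameEvent(101.5, 4242, r"C:\Users\a\Pictures\2.jpg", r"C:\Users\a\Pictures\2.CR1"),
    RenameEvent(102.0, 4242, r"C:\Users\a\notes.txt", r"C:\Users\a\notes.CR1"),
    RenameEvent(103.0, 4242, r"C:\Users\a\db.sqlite", r"C:\Users\a\db.CR1"),
    RenameEvent(150.0, 777, r"C:\Users\a\draft.txt", r"C:\Users\a\final.txt"),
]

if __name__ == "__main__":
    for pid, when, count in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} t={when:.1f}s {count} renames to {SUSPECT_EXTENSION}")
```

The heuristic deliberately keys on the rename pattern rather than on the executable itself, since the report shows how the binary evaded signature-based engines; a per-process sliding window keeps a single legitimate rename from firing.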
After examining the malware in detail, the experts noticed an interesting feature: the malware, of course, has nothing to do with Crypto++, and although most of its code turned out to be unique, it also contained code characteristic of other malware families, mainly those linked to the Cobalt hacking group.
As it turned out, PureLocker reuses code from the More_Eggs backdoor, which is sold on the darknet and is also known as Terra Loader and SpicyOmelette. Researchers have long associated this backdoor with a MaaS (Malware-as-a-Service) provider whose services are used by the Cobalt and FIN6 groups.
“It’s interesting to note that the code of the evasion and anti-analysis functionalities described in this blog is directly copied from the “more_eggs” backdoor loader. Some of these duplicated features have allowed the ransomware to stay undetected by evading automated analysis systems. This provides an example of the importance of code reuse analysis for malware detection and classification,” write Intezer and IBM X-Force researchers.
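The researchers' point about code reuse analysis can be illustrated with a small similarity check. The example below is added here and is not Intezer's or IBM X-Force's tooling: it hashes every fixed-size byte window of two samples and measures how much of one sample's code also appears in the other. The window size and threshold are assumptions, and the two "samples" are constructed byte strings standing in for a loader and a ransomware binary that embeds part of the loader's anti-analysis routine.

```python
"""Toy code-reuse comparison (added example, not the researchers' tooling).
Every WINDOW-byte sliding window of a sample is hashed into a set of
"shingles"; the fraction of one sample's shingles found in another is a
crude measure of shared code. The samples below are constructed stand-ins."""
import hashlib
from typing import Set

WINDOW = 8  # assumption: bytes per shingle


def shingles(data: bytes, window: int = WINDOW) -> Set[str]:
    """Hash every `window`-byte sliding window of `data`."""
    if len(data) <= window:
        return {hashlib.sha256(data).hexdigest()}
    return {
        hashlib.sha256(data[i:i + window]).hexdigest()
        for i in range(len(data) - window + 1)
    }


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Symmetric similarity between two shingle sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def shared_fraction(sample: bytes, reference: bytes) -> float:
    """Fraction of the sample's shingles that also occur in the reference."""
    s = shingles(sample)
    if not s:
        return 0.0
    return len(s & shingles(reference)) / len(s)


def classify(sample: bytes, reference: bytes, threshold: float = 0.25) -> str:
    """Label a sample by how much of it is already present in a known family."""
    if shared_fraction(sample, reference) >= threshold:
        return "code reuse suspected"
    return "no significant overlap"


# Constructed stand-ins. SHARED_STUB plays the role of an anti-analysis
# routine copied from a loader into a ransomware binary.
SHARED_STUB = b"CHECK_SANDBOX;IF_DEBUGGER_THEN_EXIT;SELF_DELETE_PAYLOAD;"
LOADER = b"LOADER_INIT;" + SHARED_STUB + b"DROP_BACKDOOR;BEACON_HOME;"
RANSOMWARE = (b"RANSOM_INIT;" + SHARED_STUB
              + b"ENUM_FILES;SKIP_EXE;AES_RSA_ENCRYPT;RENAME_CR1;")
UNRELATED = b"HELLO_WORLD;PRINT_BANNER;EXIT;" * 3

if __name__ == "__main__":
    print(f"ransomware vs loader: {shared_fraction(RANSOMWARE, LOADER):.2f} "
          f"-> {classify(RANSOMWARE, LOADER)}")
    print(f"unrelated vs loader:  {shared_fraction(UNRELATED, LOADER):.2f} "
          f"-> {classify(UNRELATED, LOADER)}")
```

Real tooling works on disassembled functions or normalised basic blocks rather than raw bytes, so that recompilation and relocation do not break the match, but the principle is the same: a sample that is mostly new still inherits a detectable fingerprint from whatever it borrows.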