The latest Maze ransomware campaign has targeted Berkine, a joint venture between Sonatrach, the state-owned oil company of Algeria, and the US firm formerly known as Anadarko Petroleum Corporation (through its subsidiary Anadarko Algeria Company), and encrypted its data. The ransomware's main goal is to encrypt every file it can reach on an infected system and then demand a ransom to recover them. More alarmingly, when the ransom was not paid, the operators published Sonatrach's data on a victim-shaming website.
The threat actors targeted victims with a Word document containing a macro. Once macros are enabled, the macro downloads the ransomware, which encrypts the victim's files and exfiltrates data to a C2 server, leaving behind an encrypted device and a ransom note.
Maze operators often distribute it through malspam campaigns; they also make use of exploit kits such as Fallout and Spelevo. Maze was first seen less than a year ago, in May 2019, and has since gained popularity among cyber criminals. Earlier dubbed "ChaCha ransomware", it is known for using 2048-bit Rivest-Shamir-Adleman (RSA) together with the ChaCha20 stream cipher to encrypt individual files (ChaCha20 for the bulk file data, RSA to protect the keys). The malware is a 32-bit binary, usually packed as an EXE or a DLL. It appends different extensions to the files it encrypts and, once encryption completes, sets the wallpaper of the targeted machine to a ransom note.
Maze categorizes target devices by their importance and demands a ransom sized to the value of the device. So far this tactic has been seen in Maze alone. The categories are:
• standalone server
• server in corporate network
• workstation in corporate network
• home computer
• primary domain controller
• backup server
• very valuable for you
Maze is not alone in shaming victims who do not pay. Other emerging ransomware operators have also posted victims' data online to pressure them, and future targets, into making the demanded payments. Such confidentiality breaches have recently been carried out by the operators of Sodinokibi, Nemty, Clop and others.
An extensive amount of confidential data, including financial records as well as business and investment plans, has been leaked. Some of these files can be seen in the image below.
These files contain highly confidential company information. For instance, this business evaluation report was also exposed in the breach:
Analysis shows that the language code of the ransomware binary is Korean, and the image shows that it is a 32-bit binary. Each Word document carried a macro that downloaded Maze from an actor-controlled server, wrote the payload to C:\Windows\Temp\wordupd.tmp and executed it.
After Maze encrypted the victim's files, it made HTTP POST requests to several IP-based URLs whose addresses begin with the octet 91. Only a few of these requests returned a 200 response code, indicating a successful connection.
The malware begins by preparing various functions that appear to save memory addresses in global variables, perhaps to mislead analysis; the purpose is still open to debate.
The malware checks for a debugger, to avoid detection and analysis, by reading the BeingDebugged field of the Process Environment Block (PEB), the same byte the Windows API IsDebuggerPresent returns. Windows sets this Boolean to 1 (True) if the process is running under a debugger and 0 (False) otherwise. If a debugger is detected, the malware enters an infinite loop that does nothing except waste system resources.
After creating its mutex, the malware calls "GetLastError" and checks for two error codes:
0x05 -> ERROR_ACCESS_DENIED: the mutex already exists on the system but, for some reason (privileges, policies, etc.), the malware cannot open it.
0xb7 -> ERROR_ALREADY_EXISTS: the mutex already exists on the system and can be accessed.
The malware tries to delete the shadow volume copies on the system with the "wmic.exe" program, using the "shadowcopy" and "delete" switches.
It does this twice: once before encrypting the files on the infected system and again after. The process is created with "CreateProcessW" but, to increase the level of obfuscation, the command is launched in this form:
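Two behaviours above lend themselves to process-creation detection: the macro executing the payload it wrote to C:\Windows\Temp\wordupd.tmp, and the wmic shadow copy deletion, which Maze issues twice. The following Python is an added example, not code from the article or from the Maze sample; it tokenizes Sysmon-style command lines so that casing, quoting and extra spacing do not defeat the match, and it keys the dropper check on "Office parent, image under C:\Windows\Temp". The sample events, the Office install path and the vssadmin rule are assumptions for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the three
# fields used here). They are made up for this example, not taken from the incident;
# only the wordupd.tmp path and the "wmic shadowcopy delete" command come from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\wordupd.tmp",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\Temp\wordupd.tmp"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\Temp\wordupd.tmp",
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\Temp\wordupd.tmp",
     "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe"   SHADOWCOPY   DELETE'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wmic.exe process list brief"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"notepad.exe C:\Users\user\shadowcopy delete.txt"},
]

# Parent processes that should not be launching executables out of C:\Windows\Temp.
# The article describes a Word macro; widen this set (excel, powerpnt, ...) if needed.
OFFICE_PARENTS = {"winword"}
DROP_DIR = "c:\\windows\\temp\\"

# (image name without .exe, keywords that must follow it in this order).
# The wmic rule is the behaviour the article describes; the vssadmin rule is an
# assumed extension covering the other common way of deleting shadow copies.
RULES = (
    ("wmic", ("shadowcopy", "delete")),
    ("vssadmin", ("delete", "shadows")),
)


def tokenize(cmdline):
    """Split a Windows command line into lowercase tokens; quoted paths stay whole."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path):
    """Reduce "C:\\...\\wbem\\WMIC.exe" (quoted or not) to "wmic"."""
    name = path.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def _in_order(tokens, keywords):
    pos = 0
    for kw in keywords:
        if kw not in tokens[pos:]:
            return False
        pos = tokens.index(kw, pos) + 1
    return True


def is_shadow_copy_deletion(cmdline):
    """True for wmic/vssadmin shadow-copy deletion regardless of case, quoting or spacing."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    name = image_name(tokens[0])
    return any(name == img and _in_order(tokens[1:], kws) for img, kws in RULES)


def is_office_temp_execution(event):
    """True when an Office process launches an image from C:\\Windows\\Temp (the dropper step)."""
    return (image_name(event["ParentImage"]) in OFFICE_PARENTS
            and event["Image"].lower().startswith(DROP_DIR))


def triage(events):
    """Return (event index, reason) for every event matching one of the two behaviours."""
    findings = []
    for i, ev in enumerate(events):
        if is_office_temp_execution(ev):
            findings.append((i, "office-parent-exec-from-temp"))
        if is_shadow_copy_deletion(ev["CommandLine"]):
            findings.append((i, "shadow-copy-deletion"))
    return findings


def deletions_by_parent(events):
    """Count shadow-copy deletions per parent; the article reports Maze issuing it twice."""
    counts = {}
    for ev in events:
        if is_shadow_copy_deletion(ev["CommandLine"]):
            counts[ev["ParentImage"]] = counts.get(ev["ParentImage"], 0) + 1
    return counts


if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
    print(deletions_by_parent(SAMPLE_EVENTS))
```

The notepad event shows why a plain substring match on "shadowcopy delete" is not enough: the words appear in a document name, but the image is not wmic, so it is not flagged. Counting deletions per parent surfaces the "twice from one unexpected parent" pattern the analysis describes.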
The malware reads the profile data of the user logged into the system from C:\Users\user\AppData\…\profiles.ini. It drops its ransom note as C:\Users\user\AppData\…\DECRYPT-FILES.txt. The binary is little-endian, as expected for an x86 Windows executable. To hide itself, it creates many shortcut (.lnk) files in the Recycle Bin pointing to various AppData and ProgramData directories. It also calls out to the onion domain aoacugmutagkwctu.onion/%USERID%.
Note that the malware forges the POST path from a random choice of strings such as "forum", "php" and "view" to make detection by an IPS or other network filters harder. The IP addresses geolocate to the Russian Federation, but that does not prove the malware came from there; it could be deliberate misdirection, although, given the malware's language checks for CIS countries, it certainly appears possible.
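Because the path words are randomized, a signature on any single URL is fragile; the durable part of the behaviour is a POST sent straight to a bare IP address rather than a hostname, as in the post-encryption traffic described above. The following Python is an added example (not from the article or the Maze sample) that flags such requests in a proxy log, raises confidence when the path reuses the known token list, and counts attempts versus successful 200 responses per internal client. The log format, the sample lines and the documentation-range addresses are constructed for the example; it deliberately does not filter on the 91 octet, since the next campaign will use different addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Words the article reports Maze choosing at random when it forges the POST path
# ("forum", "php", "view", ...). The real list is longer; extend it from your own sample.
KNOWN_PATH_TOKENS = {"forum", "php", "view"}

# Constructed proxy log (not real traffic): epoch, client, method, URL, status, bytes.
# Hosts use documentation ranges instead of the 91.x.x.x addresses from the incident.
SAMPLE_LOG = """\
1583000001 10.0.0.5 POST http://192.0.2.10/forum/view.php 200 1480
1583000002 10.0.0.5 POST http://192.0.2.11/php/forum 503 0
1583000003 10.0.0.5 GET http://www.example.com/index.html 200 5120
1583000004 10.0.0.7 POST https://login.example.com/api/session 200 312
1583000005 10.0.0.5 POST http://198.51.100.8/view/php.forum 200 1212
1583000006 10.0.0.9 POST http://198.51.100.23/upload 404 0
"""


def _is_ip_literal(host):
    """True if the URL host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def parse_line(line):
    """Parse one log line into a record, scoring the path against the known tokens."""
    ts, client, method, url, status, size = line.split()
    parts = urlsplit(url)
    path_tokens = [t for t in re.split(r"[^a-z0-9]+", parts.path.lower()) if t]
    return {
        "ts": int(ts),
        "client": client,
        "method": method.upper(),
        "host": parts.hostname or "",
        "path": parts.path,
        "status": int(status),
        "size": int(size),
        "token_hits": sum(1 for t in path_tokens if t in KNOWN_PATH_TOKENS),
    }


def is_ip_post_beacon(rec):
    """The durable part of the behaviour: a POST straight to an IP literal, no hostname."""
    return rec["method"] == "POST" and _is_ip_literal(rec["host"])


def flag_beacons(log_text):
    """Return flagged records; confidence rises when the path reuses Maze's token list."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_ip_post_beacon(rec):
            rec["confidence"] = "high" if rec["token_hits"] >= 2 else "low"
            flagged.append(rec)
    return flagged


def summarize_by_client(flagged):
    """Attempts vs. successful (HTTP 200) C2 connections per internal client."""
    summary = {}
    for rec in flagged:
        entry = summary.setdefault(rec["client"], {"attempts": 0, "succeeded": 0})
        entry["attempts"] += 1
        if rec["status"] == 200:
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    hits = flag_beacons(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["client"]} -> {rec["host"]}{rec["path"]} status={rec["status"]} '
              f'confidence={rec["confidence"]}')
    print(summarize_by_client(hits))
```

On the sample log, client 10.0.0.5 makes three POSTs to bare IPs of which two succeed, mirroring the "several attempts, few 200s" pattern; the POST to login.example.com is ignored because it has a hostname, and the /upload request is kept but rated low because its path shares nothing with the token list.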
Two sample ransom notes are shown below. The note instructs the victim to install the Tor browser before the ransom payment can proceed.
Maze is a ransomware that uses advanced tricks to complicate its analysis, breaking disassemblers and their pseudocode (decompiler) plugins.