BlackMatter Ransomware Analysis; The Dark Side Returns

BlackMatter is a new ransomware threat discovered at the end of July 2021.

This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR) have serious doubts about this last statement, as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.

The main goal of BlackMatter is to encrypt files on the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish them on the internet.

COVERAGE AND PROTECTION ADVICE

McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.

ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat profile on this ransomware family that is updated when new and relevant information becomes available.

TECHNICAL DETAILS

BlackMatter is normally seen as an EXE program and, in special cases, as a DLL (Dynamic Link Library) for Windows. Linux machines can be affected by special versions of it too, but in this report we will only be covering the Windows version.

This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.

BlackMatter is programmed in C++ and has a size of 67 KB.

FIGURE 1. Information about the malware

The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date 4 days later, on the 16th of August 2021. It is clear that the malware developers are actively improving the code and making detection and analysis harder.

The first action performed by BlackMatter is the preparation of some modules that will be needed later to obtain the required Windows functions.

FIGURE 2. BlackMatter searching for functions

BlackMatter uses some techniques to try to make analysis harder and to avoid debuggers. Instead of searching for module names it checks for hashes precalculated with a ROT13 algorithm. The modules needed are “kernel32.dll” and “ntdll.dll”. From both modules it will try to get functions to reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Address Table), enumerating all function names. With these names it calculates the custom hash and checks it against the target hashes.

FIGURE 3. BlackMatter detecting a debugger

At this point BlackMatter runs special code to detect debuggers, checking the last 2 “DWORDS” after the memory is reserved, searching for the bytes “0xABABABAB”. These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the reserved memory so, in this case, the variables will keep a null pointer.

In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, “0xABABABAB”. BlackMatter checks for this value and, if found, the debugger is detected. To avoid running normally it will destroy the function address that it obtained before, meaning it will crash, thus avoiding the execution.

FIGURE 4. Preparing the protection stub function

After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder, as the stub has to be executed to see which function is called and executed.

This procedure is done for all functions that will be needed; the hashes are hardcoded in the middle of the “.text” section in little structs as data. The end of each struct is recognized by a check against the “0xCCCCCCCC” value.

FIGURE 5. Hashes of the functions needed

This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though both are simple to defeat by patching the binary.

After this, the ransomware uses another trick to avoid the use of debuggers. BlackMatter calls the function “ZwSetInformationThread” with the class argument 0x11, which hides the calling thread from debuggers.

If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.

FIGURE 6. Another technique to detect a debugger

The next action is to check if the user that launched the process belongs to the local Administrators group on the machine, using the function “SHTestTokenMembership”. If the user belongs to the Administrators group the code continues normally; otherwise it gets the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, opens the process and checks the token to see whether it belongs to the Administrators group.

FIGURE 7. BlackMatter checking if it has administrator rights

If the user does not belong to the Administrators group, the process uses a clever trick to escalate privileges.

The first action is to prepare the string “dllhost.exe” and enumerate all loaded modules. For each module it checks the field in the initial structure that all executables have that keeps the base memory address where the module is loaded (for example, kernel32.dll at 0x7fff0000) and compares it with its own base address. If they are equal, it changes its name in the PEB fields, and the path and argument path, to “dllhost.exe” (in the case of the path and argument path, pointing to the SYSTEM32 folder, where the legitimate “dllhost.exe” exists). This trick is used to try to mislead the user: at that moment the name, path and arguments of the loaded module are all replaced.

FIGURE 8. Decryption of the string “dllhost.exe”

The process name will be “dllhost.exe” and the path will be the system directory of the victim machine. This trick, apart from not changing the name of the process in the Task Manager, can make a debugger “think” that another binary is loaded and remove all breakpoints (depending on the debugger used).

FIGURE 9. Changing the name and path in the PEB

The second action is to use an exploit based on COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the “TerminateProcess” function.

For detection, the module uses an undocumented function from NTDLL.DLL, “LoadedModulesLdrCallback”, that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware sets the new Unicode strings using “RtlInitUnicodeString”; the strings are the path to “dllhost.exe” in the system folder and “dllhost.exe” as the image name.

The exploit used to bypass UAC (User Account Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.

If it has administrator rights, or uses the exploit successfully, it continues by making the new extension that will be used for the encrypted files. For this task it reads the registry value “MachineGuid” in the Cryptography key (under HKEY_LOCAL_MACHINE).

This entry and value exist in all versions of Windows and are unique to the machine; from this value it makes a custom hash and obtains the final string of 9 characters.

FIGURE 10. Creating the new extension for the encrypted files

Next, the malware creates the ransom note name and calculates its integrity hash. The ransom note text is saved encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.

The next step is to obtain privileges that will be needed later; BlackMatter tries to get many privileges:

  • SE_BACKUP_PRIVILEGE
  • SE_DEBUG_PRIVILEGE
  • SE_IMPERSONATE_PRIVILEGE
  • SE_INC_BASE_PRIORITY_PRIVILEGE
  • SE_INCREASE_QUOTA_PRIVILEGE
  • SE_INC_WORKING_SET_PRIVILEGE
  • SE_MANAGE_VOLUME_PRIVILEGE
  • SE_PROF_SINGLE_PROCESS_PRIVILEGE
  • SE_RESTORE_PRIVILEGE
  • SE_SECURITY_PRIVILEGE
  • SE_SYSTEM_PROFILE_PRIVILEGE
  • SE_TAKE_OWNERSHIP_PRIVILEGE
  • SE_SHUTDOWN_PRIVILEGE

FIGURE 11. Setting special privileges

After getting the privileges it checks whether it has SYSTEM privileges by inspecting the token of its own process. If it is SYSTEM, it obtains the right user for logon with the function “WTSQueryUserToken”. This function can only be used if the caller has “SeTcbPrivilege”, which by default only SYSTEM has.

FIGURE 12. Obtaining the token of the logged on user

After getting the token of the logged on user the malware opens the Windows station and desktop.

If it does not have SYSTEM permissions it enumerates all processes in the system and tries to duplicate the token from “explorer.exe” (the name is checked using a hardcoded hash); if it has rights it continues normally, otherwise it checks again whether the duplicated token has administrator rights.

In that case it continues normally, but otherwise it checks the operating system version and the CPU (Central Processing Unit) mode (32- or 64-bit). This check is done using the function “ZwQueryInformationProcess” with the class 0x1A (ProcessWow64Information).

FIGURE 13. Checking if the operating system is 32- or 64-bit

If the system is 32-bit it decrypts one small shellcode that it injects into a process, enumerated using the usual “CreateRemoteThread” function. This shellcode is used to get the token of the process and elevate privileges.

If the system is 64-bit it decrypts two different shellcodes and executes the first one, which receives the second shellcode as an argument.

FIGURE 14. BlackMatter preparing shellcodes to steal the system token

These shellcodes allow BlackMatter to elevate privileges in a clean way.

It is important to understand that to get the SYSTEM token BlackMatter enumerates the processes and looks for “svchost.exe”, but it does not only check the name of the process: it also checks that the process has the privilege “SeTcbPrivilege”. As only SYSTEM has it by default (and it is one permission that cannot be removed from this “user”), this confirms that the process is running under SYSTEM, so it becomes the perfect target for the shellcodes, which steal its token so that it can be duplicated and set for BlackMatter.

FIGURE 15. Checking if the target process is SYSTEM

After this it decrypts the configuration that it has embedded in one section. BlackMatter keeps this configuration encrypted and encoded in base64.

This configuration has a remarkably similar structure to DarkSide, offering another clear hint that the developers are one and the same, despite their claims to the contrary.

After decryption, the following information can be obtained from the configuration:

  • The RSA key used to protect the Salsa20 keys used to encrypt the files.
  • A 16-byte hex value that marks the victim id.
  • A 16-byte hex value that is the AES key used to encrypt the information that is sent to the C2.
  • An 8/9-byte array with the behavior flags that control the ransomware behavior.
  • A special array of DWORDs (values of 4 bytes each) that keeps the offsets to reach the important points in the configuration.
  • Different blocks that are encoded and, sometimes, encrypted again to give the field more protection.

After getting the configuration and parsing it, BlackMatter checks whether it needs to log in with some user that is in the configuration. In this case it uses the function “LogonUser” with the information of the user(s) saved in the configuration; this information has one user and one password, “test@enterprise.com:12345”, where “test” is the user, “@enterprise.com” is the domain and “12345” the password.

The next action is to check the flag that indicates whether a mutex must be created to avoid having multiple instances.

This mutex is unique per machine and is based on the registry entry “MachineGuid” in the key “Cryptography”. If the system already has this mutex the malware finishes itself.

Making a vaccine with a mutex can sometimes be useful, but not in this case, as the developers change the algorithm and only need to set the flag to false to avoid creating it.

FIGURE 16. Creation of the mutex to avoid multiple instances

Afterwards, it checks whether it needs to send information to the C2. If it does (usually, but not always) it gathers information about the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.

This information is encoded with base64 and encrypted with AES using the key in the configuration.

FIGURE 17. Encrypted information sent to the C2

The C2 addresses are in the configuration (but not all samples have them; in that case the flag to send is false). The malware tries to connect to the C2 using the plain protocol, or uses SSL, by checking the initial “http” of the string.

FIGURE 18. Getting information about the victim machine and user

The information is placed in some strings decrypted from the malware and sent in a POST message.

FIGURE 19. Choosing to send by HTTP or HTTPS

The message has values to mislead checks and to try to hide the true information as garbage. This “fake” data is calculated randomly.

The C2 returns garbage data, but the malware checks whether it starts and ends with the characters “{” and “}”; if it does, the malware skips sending the information to another C2.

FIGURE 20. Checking for a reply from the C2 after sending

BlackMatter is a multithreaded application and the procedure to send data to the C2 is done by a secondary thread.

After that, BlackMatter enumerates all drives that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware does this for every drive of the correct type that has one. One difference with DarkSide is that DarkSide has a flag for this behavior while BlackMatter does not.

The next action is to delete the shadow volumes using COM, to try to avoid detection based on the normal programs used to manage shadow volumes. This differs from DarkSide, which has a flag for this purpose.

FIGURE 21. Destruction of the shadow volumes using COM

BlackMatter checks another flag and then enumerates all services based on a list in the configuration, stopping the target services and deleting them.

This behavior is the same as DarkSide.

FIGURE 22. Stopping services and deleting them

Processes are checked and terminated as with DarkSide, based on other configuration flags.

After terminating the processes BlackMatter prevents the machine from being suspended or hibernating, even if somebody is using the computer, so that neither happens while it is encrypting files. This is done using the function “ZwSetThreadExecutionState”.

FIGURE 23. Preventing the machine being suspended or hibernated

The next action is to enumerate all drives, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt part of each file and saves a new block at the end of the file, protected with the RSA key embedded in the configuration, containing the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomware families.

After the encryption it sends to the C2 all information about the encryption process: how many files were encrypted, how many files failed, and so on. This information is sent in the manner previously described, but only if the config flag is set to true.

FIGURE 24. Release of the mutex

If a mutex was created, at this moment it is released. Later it checks the way the machine booted with the function “GetSystemMetrics”. If the boot was done in Safe Mode, BlackMatter sets some keys for persistence in the registry for the next reboot and then attacks the system, changing the desktop wallpaper.

FIGURE 25. Determining whether the system boots in safe mode or normal mode

Of course, it also disables the safeboot options on the machine and reboots it (this is one of the reasons why it needs the shutdown privilege).

To ensure it can launch in safe mode, the persistence key value with the path of the malware starts with a ‘*’.

FIGURE 26. Setting the persistence registry key

If the machine starts in the normal way, it changes the desktop wallpaper to an alternative generated at runtime with some text about the ransom note.

FIGURE 27. BlackMatter creates the new wallpaper at runtime

VERSIONS 1.9 AND 2.0

The new versions have some differences compared with versions 1.2 to 1.6:

  • Changes in the stub generation code. Previously only one type of stub was used, but in more recent versions several types of stubs are employed, with one chosen randomly per function. Either way, the stubs can be removed without any problem by patching the binary.
  • A new byte flag in the configuration that marks whether it must print the ransom note using the printer available in the system. This is similar to Ryuk, but BlackMatter instead uses APIs from “winspool.drv”.
  • Removed one C2 domain that was shut down by the provider.

Additional changes in version 2.0:

  • This version changes the crypto algorithm that protects the configuration, making it more complex to decrypt.
  • Removed the last C2 that was shut down by the provider.
  • Added a new C2 domain.

These changes suggest the developers are active on social media, with an interest in malware and security researchers.

VACCINE

Unlike some ransomware we have seen in the past, such as GandCrab, BlackMatter has good code, but it does have some design flaws that can be used in some cases to stop the malware from encrypting the files.

This vaccine is not meant to be used routinely, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third-party programs, but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.

Steps to make the vaccine (proceed at your own risk):

  • Open regedit (or another registry editor) and go to the Cryptography key under HKEY_LOCAL_MACHINE.
  • In this key you will see a string value named “MachineGuid” with a special value. This value is unique to the machine and is used by some applications to identify it. BlackMatter uses it to make the mutex and, very importantly, the new extension for the encrypted files.
  • Make a new value of type string with a random name and put in it the same value as seen in “MachineGuid”, to have a backup of it.
  • Remove the “MachineGuid” value, and then create it again with the same name, “MachineGuid”, but with the binary type instead of the string type.
  • Close the registry editor.

At this moment BlackMatter cannot affect the machine, as it needs the registry value to make the ransom extension and, most importantly, if it cannot make it, the function returns WITHOUT decrypting the config, which is needed too. In this case it will still destroy the recycle bin and the shadow volumes, but later it finishes, as it has no behavior flags to act on, no RSA key to protect the files, and nothing to send to the C2, because the flags were never read from the config (and the default values are false for all of them).

Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.

This vaccine works for all versions, including 2.0.
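The steps above, scripted as an added example that is not part of the McAfee report. It assumes MachineGuid sits at its standard location, HKLM\SOFTWARE\Microsoft\Cryptography, that the session is an elevated 64-bit PowerShell (a 32-bit session would be redirected to Wow6432Node), and it uses MachineGuid_backup as the backup value name in place of the report's random name:

```powershell
# Added example (not from the McAfee report): applies and reverses the
# MachineGuid vaccine described above. Assumptions: standard key location,
# elevated 64-bit PowerShell session, backup value name chosen here.
$CryptoKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
$BackupName = 'MachineGuid_backup'   # assumed name; the report says "a random name"

function Invoke-MachineGuidVaccine {
    $key = Get-Item -Path $CryptoKey -ErrorAction Stop
    if ($key.GetValueKind('MachineGuid') -eq 'Binary') {
        return 'MachineGuid is already REG_BINARY; nothing to do.'
    }
    # Steps 2 and 3: read the REG_SZ value and keep a copy under another name.
    $guid = [string]$key.GetValue('MachineGuid')
    if ($null -eq $key.GetValue($BackupName)) {
        New-ItemProperty -Path $CryptoKey -Name $BackupName -PropertyType String -Value $guid | Out-Null
    }
    # Step 4: remove the string value and recreate it with the same name as REG_BINARY.
    # The same characters are stored as bytes so the original text stays recoverable.
    Remove-ItemProperty -Path $CryptoKey -Name 'MachineGuid'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($guid)
    New-ItemProperty -Path $CryptoKey -Name 'MachineGuid' -PropertyType Binary -Value $bytes | Out-Null
    return "MachineGuid '$guid' backed up as '$BackupName' and rewritten as REG_BINARY."
}

function Undo-MachineGuidVaccine {
    # Reverse the change: put the original REG_SZ value back from the backup.
    $key  = Get-Item -Path $CryptoKey -ErrorAction Stop
    $guid = [string]$key.GetValue($BackupName)
    if (-not $guid) { throw "Backup value '$BackupName' not found." }
    Remove-ItemProperty -Path $CryptoKey -Name 'MachineGuid' -ErrorAction SilentlyContinue
    New-ItemProperty -Path $CryptoKey -Name 'MachineGuid' -PropertyType String -Value $guid | Out-Null
    Remove-ItemProperty -Path $CryptoKey -Name $BackupName
    return 'MachineGuid restored as REG_SZ.'
}

Invoke-MachineGuidVaccine
```

Undo-MachineGuidVaccine reverses the change from the backup value once the vaccine is no longer wanted.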

MITRE ATT&CK

The sample uses the following MITRE ATT&CK™ techniques:

| Technique ID | Technique Description | Observable |
|---|---|---|
| T1134 | Access Token Manipulation | BlackMatter accesses and manipulates different process tokens. |
| T1486 | Data Encrypted for Impact | BlackMatter encrypts files using a custom Salsa20 algorithm and RSA. |
| T1083 | File and Directory Discovery | BlackMatter uses native functions to enumerate files and directories looking for targets to encrypt. |
| T1222.001 | Windows File and Directory Permissions Modification | BlackMatter executes the command icacls “<DriveLetter>:*” /grant Everyone:F /T /C /Q to grant full access to the drive. |
| T1562.001 | Disable or Modify Tools | BlackMatter stops services related to endpoint security software. |
| T1106 | Native API | BlackMatter uses native API functions throughout its code. |
| T1057 | Process Discovery | BlackMatter enumerates all processes to try to discover security programs and terminate them. |
| T1489 | Service Stop | BlackMatter stops services. |
| T1497.001 | System Checks | BlackMatter tries to detect debuggers by checking the memory reserved in the heap. |
| T1135 | Network Share Discovery | BlackMatter attempts to discover network shares by building a UNC path in the following format for each drive letter, from A to Z: \\<IP>\<drive letter>$ |
| T1082 | System Information Discovery | BlackMatter uses functions to retrieve information about the target system. |
| T1592 | Gather Victim Host Information | BlackMatter retrieves information about the user and machine. |
| T1070 | Valid Accounts | BlackMatter uses valid accounts to log on to the victim network. |
| T1547 | Boot or Logon Autostart Execution | BlackMatter installs persistence in the registry. |
| T1102 | Query Registry | BlackMatter queries the registry for information. |
| T1018 | Remote System Discovery | BlackMatter enumerates remote machines in the domain. |
| T1112 | Modify Registry | BlackMatter changes registry keys and values and sets new ones. |
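As an added example that is not part of the report, the following PowerShell matches process command lines and created file paths against three observables from the table (T1222.001, T1486 and T1135). The regular expressions, the assumption that the 9-character extension is alphanumeric, and the sample records are all constructed here:

```powershell
# Added example (not from the McAfee report): match log records against the
# T1222.001, T1486 and T1135 observables listed in the table above.
$Patterns = [ordered]@{
    # T1222.001: icacls "<DriveLetter>:*" /grant Everyone:F /T /C /Q
    'T1222.001 icacls grants Everyone full control of a drive' = '(?i)icacls\s+"?[a-z]:\\?\*"?\s+/grant\s+everyone:\s*f\b'
    # T1486: ransom note "<extension>.README.txt"; the 9-character extension is
    # assumed here to be alphanumeric (the report only gives its length).
    'T1486 ransom note file name' = '(?i)(^|\\)[a-z0-9]{9}\.README\.txt$'
    # T1135: UNC admin share probe \\<IP>\<drive letter>$
    'T1135 UNC admin share probe' = '^\\\\(\d{1,3}\.){3}\d{1,3}\\[A-Za-z]\$$'
}

function Find-BlackMatterObservable {
    # $Records: process command lines (Sysmon event 1 CommandLine) or created
    # file paths (Sysmon event 11 TargetFilename). Emits one object per hit.
    param([Parameter(Mandatory)][string[]]$Records)
    foreach ($record in $Records) {
        foreach ($name in $Patterns.Keys) {
            if ($record -match $Patterns[$name]) {
                [pscustomobject]@{ Indicator = $name; Record = $record }
            }
        }
    }
}

# Constructed sample records (not real telemetry); 'Ab3dEf9Gh' is a made-up extension.
$Samples = @(
    'icacls "C:*" /grant Everyone:F /T /C /Q',
    'C:\Users\alice\Documents\Ab3dEf9Gh.README.txt',
    '\\192.168.1.20\D$',
    'icacls C:\Share /grant alice:R',          # legitimate use, no hit
    'C:\Users\alice\Documents\README.txt'      # ordinary file, no hit
)
Find-BlackMatterObservable -Records $Samples | Format-Table -AutoSize

# Live use: pull the same fields from Sysmon (event 1 = process create, 11 = file create).
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,11} |
#   ForEach-Object { if ($_.Message -match '(?m)^(CommandLine|TargetFilename): (.+)$') { $Matches[2] } } |
#   ForEach-Object { Find-BlackMatterObservable -Records $_ }
```

The first three sample records produce one hit each; the last two produce none.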

CONCLUSION

BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.

BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:

  • Configurations are remarkably similar, especially with the last version of DarkSide, apart from the change in the algorithm that protects it which, despite having fewer options, keeps the same structure. We do not think that the developers of BlackMatter achieved this similarity by reversing DarkSide, as that level of coding skill would have allowed them to create an entirely new ransomware from the ground up. Also, the idea that the DarkSide developers gave or sold the original code to them does not make any sense, as it is an old product.
  • Dynamic functions are used in a similar way to DarkSide.
  • It uses the same compression algorithm for the configuration.
  • The victim id is saved in the same way as in DarkSide.

It is important to keep your McAfee Enterprise products updated to the latest detections, avoid insecure remote desktop connections, maintain secure passwords that are changed regularly, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.

Despite some effective coding, mistakes were made by the developers, allowing the program to be read and a vaccine to be created, though we will stress again that it may affect other programs, is not a permanent solution, and should be employed only if you accept the risks associated with it.
