Revision
In the first part of this series we looked at how the MailTo ransomware installs and configures itself on the victim system, and in the second part we looked at how the malware runs and spreads through the system. In this article we examine what distinguishes ransomware from other malware and what gives it its deadly sting: encryption.
Encryption
Immediately before encryption begins, MailTo performs the following tasks:
- Adjusts its token privileges to enable SeDebugPrivilege and SeImpersonatePrivilege.
- Collects the access tokens of logged-on users so that it can impersonate them.
- Enumerates running processes and services and stores the information for later use, when it terminates processes/services that hold files it wants to encrypt.
We found that the ransomware uses the following implementation of Curve25519:
It uses this to derive the key for the ChaCha stream cipher that encrypts the files. Without the ransomware operator's private key, the encrypted files cannot be decrypted.
MailTo encrypts files on the following locations with ChaCha:
- Local Hard Disk Drives
- Network shares
- Hidden network shares (IPC$, Admin$)
MailTo ransomware has three main threads that perform encryption, each with its own purpose. One thread encrypts local disks, while the other two encrypt network shares.
Encryption thread 1
The first thread created for the encryption process is responsible for encrypting local drives, using the GetLogicalDriveStringsW API. This function returns the list of drives and network locations. The routine then creates threads for each file and folder in order to encrypt the volumes found. It attempts to connect to the network locations using the current user's access token and the WNetUseConnectionW and WNetAddConnection2W API functions.
Encryption thread 2
The second thread calls GetLogicalDriveStringsW again to obtain the list of drives and network locations. In this thread the drives are filtered down to network drives only. Before connecting to the network locations, the ransomware calls ImpersonateLoggedOnUser to try to access them with the different access tokens collected from logged-on users.
Encryption thread 3
The third thread behaves like the second, iterating over all currently logged-on users, but it collects shared network drives from a different source. GetNetShares and WNetEnumResourceW are used to iterate over shared drives and network paths. GetNetShares also returns hidden network shares such as IPC$ and Admin$.
File encryption
When it comes to encrypting a single file, the ransomware is thorough enough to make sure that file does get encrypted. By this we mean that if a process or service holds a file the ransomware wants to encrypt, the ransomware kills that process or service before encrypting it. If the ransomware does not have access to the file or network path, it iterates over all the duplicated tokens of users who have logged on to the computer and tries to encrypt the file with each of them. If the ransomware is stopped while a file is only partially encrypted and is then run again, it checks the last four bytes of the file for a CRC32 hash of its public ECC key. If those four bytes match the CRC32 hash of the public key, the ransomware knows the file is already fully and correctly encrypted.
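The completion check described above doubles as a triage test for responders: a file whose last four bytes equal the CRC32 of the attacker's public key was fully encrypted, anything else was skipped or interrupted. The following is an added example, not code from the article or the malware; it assumes the standard zlib/IEEE CRC32 and treats the trailer byte order as unknown, and the public key value is a constructed placeholder.

```python
import struct
import zlib
from typing import Optional

# Constructed placeholder for the operator's 32-byte Curve25519 public key.
# In real triage this value is recovered from the sample; it is made up here.
SAMPLE_PUBKEY = bytes.fromhex("11" * 32)


def key_trailer(pubkey: bytes, byteorder: str = "little") -> bytes:
    """Four-byte marker the article describes: CRC32 of the public key.
    Assumption: zlib/IEEE CRC32. The byte order is a parameter because the
    article does not state how the CRC is serialised into the file."""
    crc = zlib.crc32(pubkey) & 0xFFFFFFFF
    return struct.pack("<I" if byteorder == "little" else ">I", crc)


def find_marker(data: bytes, pubkey: bytes) -> Optional[str]:
    """Return 'little' or 'big' if the last four bytes of `data` match the key
    CRC in that byte order; None means clean, truncated or partially encrypted."""
    if len(data) < 4:
        return None
    tail = data[-4:]
    for order in ("little", "big"):
        if tail == key_trailer(pubkey, order):
            return order
    return None


def classify(data: bytes, pubkey: bytes) -> str:
    """Triage label: only files carrying the marker were fully encrypted."""
    return "fully_encrypted" if find_marker(data, pubkey) else "not_marked"


if __name__ == "__main__":
    # Constructed sample contents: one blob carrying the trailer, one without.
    marked = b"\x9a\x03\x7f\xc2 opaque ciphertext" + key_trailer(SAMPLE_PUBKEY)
    unmarked = b"%PDF-1.4 plain document, never touched"
    for name, blob in (("marked.bin", marked), ("report.pdf", unmarked)):
        print(f"{name}: {classify(blob, SAMPLE_PUBKEY)}")
```

Scanning a share for files that carry the marker, versus files that do not, tells you which data was reached before the process was stopped.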
Completion
Ransom note
When MailTo has finished encrypting, Notepad is opened with the ransom note.
Figure 1 – Ransom demand
Removal
As soon as the ransom note is displayed, MailTo removes the following entries from the system, if they exist:
- Files
- Program Files (x86)\<unique name>\<unique name>.exe
- Program Files\<unique name>\<unique name>.exe
- C:\Users\<user>\AppData\Roaming
- Registry keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deleting shadow copies
After MailTo has removed itself from the system, the shadow copies are deleted. vssadmin.exe is used with the following command to delete them:
vssadmin.exe delete shadows /all /quiet
Deleting shadow copies with this simple vssadmin command is typical of many ransomware families. Interestingly, shadow copy deletion also occurs when the injected entry point in Explorer.exe (2) executes.
Figure 26 – Calling the DeleteShadowCopies() function in Explorer.exe (2)
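Because the deletion is a plain vssadmin command line, and here is also launched from code injected into Explorer.exe, process-creation telemetry is the natural place to catch it. The following is an added example, not part of the article: it runs a detection over constructed, Sysmon-style process-creation records (the field layout and all paths are made up for the demo) and raises the severity when the parent process is explorer.exe, which the article identifies as the injected host.

```python
import re
from typing import Dict, List

# Constructed process-creation records in a simplified Sysmon Event ID 1 layout.
# These lines are made up for the demo; they come from no real host or sample.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin.exe delete shadows /all /quiet | ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin list shadows | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: VSSADMIN.EXE Delete Shadows /For=C: /Quiet | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\notepad.exe | CommandLine: notepad.exe readme.txt | ParentImage: C:\\Windows\\explorer.exe",
]

# vssadmin invoked with the "delete shadows" verb, any letter case, any switches.
DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key: value | Key: value' record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def detect_shadow_deletion(events: List[str]) -> List[Dict[str, str]]:
    """Return one hit per shadow-copy deletion; 'list shadows' is benign and ignored."""
    hits = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if not DELETE_RE.search(cmd):
            continue
        parent = ev.get("ParentImage", "")
        # The article notes the deletion is also triggered from code injected into
        # explorer.exe, so a file-manager parent launching vssadmin is a stronger signal.
        severity = "high" if parent.lower().endswith("\\explorer.exe") else "medium"
        hits.append({"command": cmd, "parent": parent, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['command']}  (parent: {hit['parent']})")
```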
Conclusion
MailTo is an advanced ransomware family that performs its task of encrypting files effectively. What makes MailTo dangerous is that it leaves nothing to chance when encrypting files. It has been carefully designed to make full use of the privileges available to it, enumerating every logical drive and network share using the accounts of logged-on users. The ransomware also makes sure to kill any process holding open handles to files it wants to encrypt: even if a service or process is modifying a file, the ransomware terminates that process or service and encrypts the file. It also sets a persistence registry key and does not delete it until encryption has completed.
MailTo does its best to minimise its detection surface by removing itself, hiding its imports, and using stealthy methods to inject itself into processes. MailTo avoids suspicious Windows APIs as much as possible by using undocumented Windows functions and staying away from the Windows Cryptographic API. Although MailTo has its drawbacks, such as the service disruption it causes, this ransomware manages to encrypt files on the system and on network drives in a way that cannot be reversed without the operator's private key.
MailTo is becoming increasingly prevalent, so be careful and back up your important data, whether offline or online.
Full series
Detailed overview of MailTo Ransomware, part
Detailed overview of MailTo Ransomware, part 2
IOC
MailTo sample SHA256: 58e923ff158fb5aecd293b7a0e0d30529611 3c6e270786edcc4fea 404c