Just days after version four of the GandCrab ransomware was discovered, security researchers have found an update to this malware that is being distributed through compromised websites designed to look like download sites for cracked applications.
According to a blog post by researchers at Fortinet, V4 of the ransomware switched from using RSA-2048 to the much faster Salsa20 stream cipher to encrypt data, which had also been used by the Petya ransomware in the past.
According to analysis of the code in GandCrab v4.1, the malware includes a list of websites to which it connects to send data about the infected machine (i.e. IP address, username, computer name, network domain).
Researchers also found that the malware has added a network communication tactic that was not observed in the previous version.
"This new version of the GandCrab malware contains an unusually long hard-coded list of compromised websites that it connects to. In one binary, the number of these websites can go up to almost a thousand unique hosts," said researchers. They added that to generate the full URL for each host, a pseudo-random algorithm is used to choose from sets of pre-defined words.
But researchers found no evidence that these hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.
"Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour," said researchers.
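The behaviour described above, one victim posting its details to every live host in a list of several hundred, leaves a distinctive fan-out pattern in egress proxy logs: a single internal client issuing POSTs to many distinct external hosts within a very short window. The following detection logic is an added example written for this article, not Fortinet's or Performanta's code; the proxy log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag internal clients that POST to an unusually large number of distinct
external hosts within a short window, the egress pattern produced by a
"send victim info to every live host" routine such as GandCrab v4.1's.
Added example: log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <client_ip> <method> <host> <path> <status>"
SAMPLE_LOG = """\
2018-07-10T09:00:01 10.0.0.5 GET www.example.com /index.html 200
2018-07-10T09:00:03 10.0.0.7 POST site-a.example /data/blog.php 200
2018-07-10T09:00:04 10.0.0.7 POST site-b.example /news/image.php 404
2018-07-10T09:00:05 10.0.0.7 POST site-c.example /includes/data.php 200
2018-07-10T09:00:06 10.0.0.7 POST site-d.example /content/news.php 500
2018-07-10T09:00:07 10.0.0.7 POST site-e.example /static/blog.php 200
2018-07-10T09:00:08 10.0.0.7 POST site-f.example /media/page.php 200
2018-07-10T09:05:00 10.0.0.5 POST api.example.com /login 200
2018-07-10T09:30:00 10.0.0.7 POST site-g.example /x.php 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, method, host)."""
    ts, src, method, host, _path, _status = line.split()
    return datetime.fromisoformat(ts), src, method, host


def fanout_alerts(log_text, window=timedelta(minutes=1), min_hosts=5):
    """Return {client_ip: distinct_host_count} for every client whose POSTs
    reach at least `min_hosts` distinct destinations inside some `window`.
    Only the peak count per client is reported, so a client that beacons to
    a single C2 host repeatedly is not flagged."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host = parse_line(line)
        if method == "POST":
            posts[src].append((ts, host))
    alerts = {}
    for src, events in posts.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct hosts reached in the window that opens at this event.
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(fanout_alerts(SAMPLE_LOG))
```

The window and threshold should be tuned against a baseline of normal traffic; legitimate clients rarely POST to more than a handful of unrelated hosts within a minute, whereas the routine described in the article would reach dozens or hundreds.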
Researchers found that this new version of GandCrab kills off a number of processes on victims' machines, such as msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe, and wordpad.exe. It does this so that high-value files held open by those processes can be encrypted.
The researchers looked into rumours that the new malware could also self-propagate via an "SMB exploit".
"we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation," they said.
Researchers concluded that, given GandCrab's rapid development over the past week and the public speculation about this exploit propagation functionality, "it would not be a surprise if the threat actors decided to add it in a future update".
Chris Boyd, senior malware analyst at Malwarebytes, told SC Media UK that sending data to uncompromised sites could indicate they're on the malware author's list of possible future attacks, so anyone responsible for a site mentioned should check that all their security settings and relevant patches are up to date.
"Advance warning is quite a rare thing and we should all look to take advantage of it," he said.
Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that the new command-and-control mechanism looks like an attempt to both obscure the real server that GandCrab intends to communicate with, as well as providing failover redundancy.
"Performanta have conducted an independent analysis on hundreds of the hosts found in these new GandCrab samples, and found that a large number of them are, in fact, compromised. Many of the hosts are injected with variations of Black Hat SEO content; these injections may be related to a different actor, but at the very least show that these servers are vulnerable to a takeover attack and may be used by GandCrab," he said.