Overview
A new ransomware called GandCrab was released recently and is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin-powered .BIT top-level domain.
GandCrab: How Is It Spreading?
GandCrab is currently being distributed through a malvertising campaign called Seamless, which pushes visitors to the RIG exploit kit. The exploit kit then attempts to use vulnerabilities in the visitor's software to install GandCrab without their permission. If the exploit kit is able to install the ransomware, the victim will probably not realize they are infected until it is too late. One interesting fact about GandCrab is that it is the first ransomware to accept the DASH currency as a ransom payment.
Another interesting feature is GandCrab's use of the NameCoin .BIT top-level domain. .BIT is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers (ICANN); it is instead managed by NameCoin's decentralized domain name system. This means that any software that wishes to resolve a domain name under the .BIT TLD must use a DNS server that supports it. GandCrab does this by sending its DNS queries to the a.dnspod.com DNS server, which is accessible on the Internet and can also resolve .bit domains. GandCrab uses these .bit domains as addresses for its Command & Control servers. Interestingly, the domain names used by this ransomware contain names that you might recognize. The developers of GandCrab are using NameCoin's DNS because it makes it harder for law enforcement to track down the owner of the domains and to take them down.
How GandCrab Encrypts a Machine
When GandCrab is first launched, it will attempt to connect to the ransomware's Command & Control server. As this server is hosted on one of Namecoin's .bit domains, it has to query a name server that supports this TLD. It does this by querying for the addresses of the following domains using the command nslookup [insert domain] a.dnspod.com. This command queries the a.dnspod.com name server, which supports the .bit TLD. If the victim's machine is unable to connect to the C2 server, the ransomware will not encrypt the computer. It will, though, keep running in the background, trying to get the IP address for the C2 and connect to it.

Once it is able to resolve the domain, it will connect to the C2 server's IP address. It is not known at this time what data is being sent and retrieved, but the C2 is most likely sending the public key that should be used to encrypt the files. During this process, the ransomware will also connect to http://ipv4bot.whatismyipaddress.com/ to determine the public IP address of the victim. Before GandCrab encrypts the victim's files, it will first check for certain processes and terminate them. This closes any file handles held open by these processes so that the files can be properly encrypted.
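The two network behaviours described above (a .bit lookup sent to the external a.dnspod.com resolver, followed by the whatismyipaddress check) are visible in DNS query logs. The detector below is an added example, not code from the original post; the key=value log format, the internal resolver address and the sample lines are constructed for illustration.

```python
"""Flag the DNS behaviour described above in a query log: Namecoin .bit
lookups, use of the external a.dnspod.com resolver instead of the
organisation's own resolver, and the ipv4bot.whatismyipaddress.com check.
The key=value log format below is constructed for this example."""
import re
from collections import defaultdict

ALLOWED_RESOLVERS = {"10.0.0.53"}               # assumed internal resolver
IP_CHECK_HOST = "ipv4bot.whatismyipaddress.com"  # named in the post

# Constructed sample log lines (not real telemetry); the .bit name is a placeholder.
SAMPLE_LOG = """\
ts=2018-01-30T10:01:02Z client=10.0.0.5 server=10.0.0.53 qname=www.example.com. qtype=A
ts=2018-01-30T10:01:09Z client=10.0.0.5 server=a.dnspod.com qname=placeholder-c2.BIT. qtype=A
ts=2018-01-30T10:01:10Z client=10.0.0.5 server=10.0.0.53 qname=ipv4bot.whatismyipaddress.com qtype=A
ts=2018-01-30T10:02:00Z client=10.0.0.7 server=10.0.0.53 qname=mail.example.com qtype=MX
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))


def classify(rec):
    """Return the indicator tags that apply to one parsed record."""
    # Normalise: drop the trailing dot of an absolute name, ignore case.
    qname = rec.get("qname", "").rstrip(".").lower()
    tags = []
    if qname.endswith(".bit"):
        tags.append("namecoin_tld")        # .bit is not ICANN-resolvable
    if rec.get("server", "").lower() not in ALLOWED_RESOLVERS:
        tags.append("external_resolver")   # e.g. a.dnspod.com, bypassing our DNS
    if qname == IP_CHECK_HOST:
        tags.append("public_ip_check")
    return tags


def scan(log_text):
    """Map client IP -> sorted tags observed; clients with no hits are omitted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for tag in classify(rec):
            hits[rec.get("client", "?")].add(tag)
    return {client: sorted(tags) for client, tags in hits.items()}


if __name__ == "__main__":
    for client, tags in scan(SAMPLE_LOG).items():
        print(client, ",".join(tags))
```

Because the post notes that encryption does not start until the C2 name resolves, blocking queries to outside resolvers at the network edge is a mitigation as well as a detection signal.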
Indicators Of Compromise (IOCs)
Associated File
- GDCB-DECRYPT.txt