Hakuna Matata Ransomware Targeting Korean Companies – ASEC BLOG

Hakuna Matata ransomware has been used against Korean companies, featuring a ClipBanker function that alters Bitcoin wallet addresses in the clipboard. The operation commonly begins with RDP-based access via brute force/dictionary attacks, then encrypts files with AES-256 (CBC) and RSA-2048 while evading detection by deleting logs and persisting via Run Keys. #HakunaMatata #ClipBanker #RDP #KoreanCompanies #NirSoft

Key Points

  • The attack targets Korean companies with Hakuna Matata ransomware, noted by ASEC.
  • Hakuna Matata includes a ClipBanker feature that changes the clipboard’s Bitcoin address to the attacker’s wallet.
  • Initial access is inferred to be via exposed RDP, with brute force or dictionary attacks and credential theft.
  • NirSoft credential-stealing tools are used, with tools placed in directories like “C:\Temp” and “MPass” for credential collection.
  • Encryption uses AES-256 (CBC) with a random key/IV, then encrypts the AES key with RSA-2048; many extensions are targeted.
  • The malware stops certain processes, deletes volume shadow copies, disables protections, and persists via a Run Key; it also changes the desktop background.
  • Ransom note provides contact emails and lists two Bitcoin wallets for payment.

MITRE Techniques

  • [T1133] External Remote Services – Based on various circumstances, it is speculated that Remote Desktop Protocol (RDP) was used as the initial attack vector.
  • [T1021.001] Remote Services – Threat actors log in to the system via RDP with the obtained account credentials.
  • [T1110] Brute Force – They perform a brute force attack or a dictionary attack on externally exposed systems with RDP enabled.
  • [T1078] Valid Accounts – If accounts use weak credentials, threat actors can easily obtain them.
  • [T1060] Registry Run Keys/Startup Folder – The ransomware registers a Run Key to execute again after reboot.
  • [T1070.001] Clear Windows Event Logs – It deletes the event log to hinder forensic analysis.
  • [T1490] Inhibit System Recovery – It deletes volume shadow copies to hinder recovery.
  • [T1489] Service Stop – It terminates database and Office-related processes to facilitate encryption.
  • [T1486] Data Encrypted for Impact – AES-256 (CBC) encryption of files, with RSA-2048 protecting the AES key.
  • [T1036] Masquerading – It disguises itself by copying to %LOCALAPPDATA%\rundll32.exe as a normal process.
  • [T1115] Clipboard Data – ClipBanker changes the clipboard Bitcoin address to the attacker’s wallet address.

Indicators of Compromise

  • [File name] ver7.exe – Ransomware file name used in the attack.
  • [File name] MPass\BulletsPassView64.exe – NirSoft-based credential viewer used by the threat actor.
  • [Directory] C:\Temp – Directory where credential-related tools were installed.
  • [Directory] MPass – Directory containing credential-stealing tools.
  • [Directory] M!logs – Location where credentials may be saved.
  • [Process] ProcessHacker.exe, RCH.exe – Tools observed in the toolkit; one is unconfirmed, the other linked to Hakuna Matata activity.
  • [Email] keylan@techmail[.]info, gerb666@proton[.]me – Threat actor contact emails stated in the ransom note.
  • [Wallet] bc1qpkgejqerp74g23m7zhjkuj6e9c3656tsppqlku, 16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75 – Attacker Bitcoin wallet addresses used for payments.
  • [Ransom note filename] “[Computer name]-ID-Readme.txt” – Ransom note naming convention.
  • [File extension] .myd, .ndf – Extensions targeted for encryption (among many listed).
  • [MD5] 1a5dd79047766bd09c27f0336dd22142 – Sample hash referenced for detection.
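Defender-side triage over the artifacts listed above (masqueraded rundll32 Run Key, ransom note naming convention, attacker tooling, ClipBanker wallet swap), as an added example that is not part of the ASEC post: the indicator values come from this summary, while the telemetry record format and the sample records are constructed.

```python
import re
# Indicators from the ASEC write-up summarised above; the telemetry record
# shapes and sample values below are constructed for this example.
ATTACKER_WALLETS = {
    "bc1qpkgejqerp74g23m7zhjkuj6e9c3656tsppqlku",
    "16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75",
}
TOOL_NAMES = {"ver7.exe", "bulletspassview64.exe", "processhacker.exe", "rch.exe"}
RANSOM_NOTE = re.compile(r"^[^\\/]+-ID-Readme\.txt$", re.IGNORECASE)
# The genuine rundll32.exe lives in %SystemRoot%\System32; a copy under
# %LOCALAPPDATA% launched from a Run Key is the masquerade the report describes.
MASQUERADE = re.compile(r"(%LOCALAPPDATA%|\\AppData\\Local)\\rundll32\.exe", re.IGNORECASE)
BTC_ADDR = re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")

def classify_file(path):
    """Label a file path that matches a known artifact, or return None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower() in TOOL_NAMES:
        return "attacker tool"
    if RANSOM_NOTE.match(name):
        return "ransom note"
    return None

def is_masqueraded_run_key(command):
    """True if a Run Key command launches rundll32.exe from %LOCALAPPDATA%."""
    return MASQUERADE.search(command) is not None

def is_clipbanker_swap(before, after):
    """True when a copied Bitcoin address came back as an attacker wallet."""
    return bool(BTC_ADDR.match(before)) and after != before and after in ATTACKER_WALLETS

def triage(events):
    """Run every check over a list of telemetry records; return (label, detail)."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and (label := classify_file(ev["path"])):
            findings.append((label, ev["path"]))
        elif ev["type"] == "runkey" and is_masqueraded_run_key(ev["command"]):
            findings.append(("masqueraded run key", ev["command"]))
        elif ev["type"] == "clipboard" and is_clipbanker_swap(ev["before"], ev["after"]):
            findings.append(("clipbanker swap", ev["after"]))
    return findings

SAMPLE_EVENTS = [  # constructed records, not from the incident
    {"type": "file", "path": r"C:\Temp\MPass\BulletsPassView64.exe"},
    {"type": "file", "path": r"C:\Users\kim\Desktop\DESKTOP-7Q2-ID-Readme.txt"},
    {"type": "file", "path": r"C:\Windows\System32\rundll32.exe"},
    {"type": "runkey", "command": r'"C:\Users\kim\AppData\Local\rundll32.exe"'},
    {"type": "clipboard", "before": "1BoatSLRHtKNngkdXEeobR76b53LETtpyT",
     "after": "16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75"},
]
```

Running `triage(SAMPLE_EVENTS)` yields four findings and correctly ignores the legitimate System32 rundll32.exe record.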

Read more: https://asec.ahnlab.com/en/56010/