Cyble – Utilization Of Leaked Ransomware Builders In Tech-Related Scams

Cyble researchers describe a Tech Scam that leverages leaked ransomware builders to distribute a multi-stage downloader and multiple ransomware payloads as part of fraud campaigns. The operation ties phishing, typosquatting, and Dark Web activity to fake antivirus schemes and ransomware deployment. #CraxsRAT #ChaosRansomware #LockBitBlack #NoCry #TORZON #ChaiUrgentCare

Key Points

  • CRIL documents a new Tech Scam campaign that lures users with a non-existent antivirus site and uses ransomware variants to support its fraud.
  • The dropper is a 32-bit .Net executable that embeds three payloads, decompresses them with Gzip, and drops them in %temp% for execution.
  • A Downloader payload (Vippqmccfq.exe) retrieves a batch script from Resources and drops Gwpuae.bat in %temp%, which then downloads additional payloads.
  • The batch script downloads four payloads from a typosquatted domain on GitHub Pages and runs them, all pointing to a non-existent antivirus site.
  • Payloads include CraxsRAT, Chaos ransomware variants, NoCry-related components, and a LockBit Black variant, illustrating a multi-ransomware distribution approach.
  • Indicators show links to phishing sites, a fake LinkedIn talent profile, and IP associations with a Dark Web marketplace (TORZON) and the Chai Urgent Care phishing campaign.
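The key points above describe a .NET dropper that carries its payloads as Gzip-compressed blobs and inflates them at run time. The triage helper below is an added example for analysts, not code from Cyble or from the malware: it scans an arbitrary byte blob for gzip member headers, inflates each complete member, and classifies the result as a PE image (flagging the `BSJB` .NET metadata signature where present), a batch script, or unknown. The `CONSTRUCTED_DROPPER` sample, the minimal fake PE headers and the `classify_payload` labels are all constructed for the demonstration; they are not the real samples referenced in the report.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID1, ID2 and CM=8 (deflate)


def carve_gzip_members(blob: bytes):
    """Return [(offset, inflated_bytes)] for every complete gzip member embedded in blob."""
    members = []
    pos = 0
    while True:
        idx = blob.find(GZIP_MAGIC, pos)
        if idx < 0:
            return members
        dec = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
        try:
            data = dec.decompress(blob[idx:])
        except zlib.error:
            pos = idx + 1          # the magic bytes were a coincidence; keep scanning
            continue
        if not dec.eof:
            pos = idx + 1          # stream never reached its trailer: not a real member
            continue
        members.append((idx, data))
        consumed = len(blob) - idx - len(dec.unused_data)
        pos = idx + consumed       # jump past this member so its body is not rescanned


def classify_payload(data: bytes) -> str:
    """Cheap first-pass label for an inflated blob (heuristic, constructed for this example)."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # BSJB is the signature of the CLI metadata root in managed (.NET) images
            return "pe-dotnet" if b"BSJB" in data else "pe"
        return "mz-no-pe-header"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"@echo off") or head.startswith(b"rem "):
        return "batch-script"
    return "unknown"


def triage(blob: bytes):
    """Offset, label and inflated size of every embedded member, in file order."""
    return [(off, classify_payload(d), len(d)) for off, d in carve_gzip_members(blob)]


def _fake_pe(managed: bool) -> bytes:
    # Constructed: DOS stub with e_lfanew=0x40 pointing at a bare "PE\0\0" signature.
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
    return hdr + (b"BSJB" if managed else b"") + b"\0" * 32


# Constructed stand-in for a dropper: filler, three gzip members, and one stray
# magic sequence (FLG byte 0xFF has reserved bits set, so zlib rejects it).
CONSTRUCTED_DROPPER = (
    b"HOSTSTUB" * 8
    + gzip.compress(_fake_pe(True), mtime=0)
    + b"\x00" * 16
    + gzip.compress(b"@echo off\r\necho constructed sample\r\n", mtime=0)
    + b"\x1f\x8b\x08\xffstray"
    + gzip.compress(_fake_pe(False), mtime=0)
)

if __name__ == "__main__":
    for off, label, size in triage(CONSTRUCTED_DROPPER):
        print(f"offset 0x{off:x}: {label} ({size} bytes)")
```

Running it on a real sample would be a matter of passing the file contents in place of `CONSTRUCTED_DROPPER`; the scanner tolerates false magic hits because it requires the stream to decompress all the way to its trailer before counting it, and it skips past each accepted member so compressed bytes are not rescanned.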

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The dropper and batch scripts execute payloads and commands to download and run components. “When executed, the dropper employs Gzip decompression to extract these payloads.”
  • [T1204] User Execution – The initial dropper is run by user action, leading to subsequent payload execution. “When executed, the dropper employs Gzip decompression to extract these payloads.”
  • [T1070.006] Timestomp – The dropper employs TimeStomping, an anti-forensic technique that alters file timestamps to hinder forensic timelines. “TimeStomping; an anti-forensic technique.”
  • [T1547] Boot or Logon Autostart Execution – Persistence via the Run registry key. “persistence by making an entry to the ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ key.”
  • [T1486] Data Encrypted for Impact – Chaos and NoCry variants encrypt files and append extensions such as .encp. “the ransomware encrypts files and renames them by adding the “.encp” extension.”
  • [T1491] Defacement – The ransomware changes the desktop wallpaper and displays ransom notes. “changes the desktop background, as shown in the Figure below, and displays the ransom note using .Net forms.”
  • [T1566] Phishing – The campaign uses typosquatted domains and a non-existent antivirus site to deceive victims. “non-existent Antivirus Site redirects to…”
  • [T1105] Ingress Tool Transfer – The batch script downloads additional payloads from a typosquatted domain hosted on GitHub Pages. “downloads additional payloads from a typosquatted domain hosted on GitHub pages.”
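Three of the behaviours in the technique list above are directly observable from endpoint telemetry: executable content dropped into %temp%, a Run-key value that points back into %temp% (T1547), and a burst of file renames to the .encp extension (T1486). The detector below is an added example, not Cyble's code or any product's rule set; it runs three such rules over a constructed list of Sysmon-style event records. The event schema (`event`, `pid`, `ts`, `path`, `key`, `data`, `src`, `dst`), the burst threshold and the window length are assumptions chosen for the demonstration; the file names come from the key points on this page.

```python
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
DROPPED_EXT = (".exe", ".bat")
RANSOM_EXT = ".encp"
RENAME_BURST = 5       # assumed threshold: renames per process before alerting
WINDOW_SECONDS = 60    # assumed sliding window for the rename burst


def detect(events):
    """Apply three behavioural rules to event records; return (rule, pid, detail) alerts."""
    alerts = []
    rename_times = defaultdict(list)   # pid -> timestamps of recent .encp renames
    for ev in events:
        kind = ev["event"]
        if kind == "file_create":
            path = ev["path"]
            if TEMP_DIR.search(path) and path.lower().endswith(DROPPED_EXT):
                alerts.append(("payload_in_temp", ev["pid"], path))
        elif kind == "registry_set":
            # Run-key persistence whose target lives in the user's Temp directory
            if RUN_KEY.search(ev["key"]) and TEMP_DIR.search(ev["data"]):
                alerts.append(("run_key_to_temp", ev["pid"], ev["data"]))
        elif kind == "file_rename":
            if not ev["dst"].lower().endswith(RANSOM_EXT):
                continue
            recent = [t for t in rename_times[ev["pid"]] if ev["ts"] - t <= WINDOW_SECONDS]
            recent.append(ev["ts"])
            rename_times[ev["pid"]] = recent
            if len(recent) == RENAME_BURST:    # fire once, when the threshold is crossed
                alerts.append(("encp_rename_burst", ev["pid"],
                               f"{RENAME_BURST} renames to {RANSOM_EXT} within {WINDOW_SECONDS}s"))
    return alerts


TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed event stream: a dropper writing to Temp, a Run-key entry, an encryption
# burst, plus benign activity that must not alert.
CONSTRUCTED_EVENTS = [
    {"event": "file_create", "pid": 100, "ts": 0, "path": TEMP + r"\Vippqmccfq.exe"},
    {"event": "file_create", "pid": 100, "ts": 1, "path": TEMP + r"\Gwpuae.bat"},
    {"event": "file_create", "pid": 200, "ts": 2, "path": r"C:\Users\alice\Downloads\report.pdf"},
    {"event": "registry_set", "pid": 101, "ts": 3,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": TEMP + r"\Pwdsueslxagy.exe"},
    {"event": "registry_set", "pid": 201, "ts": 4,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
    {"event": "file_rename", "pid": 202, "ts": 5, "src": "notes.txt", "dst": "notes.bak"},
] + [
    {"event": "file_rename", "pid": 102, "ts": 10 + i,
     "src": f"doc{i}.docx", "dst": f"doc{i}.docx.encp"}
    for i in range(6)
]

if __name__ == "__main__":
    for rule, pid, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:18} pid={pid} {detail}")
```

The rename rule keys on the process rather than the host so that a single encryptor stands out against normal file churn; in a real deployment the threshold and window would be tuned against baseline rename rates, and the `.encp` suffix would be one entry in a list of known ransomware extensions.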

Indicators of Compromise

  • [URL] Phishing Site – www.bit.ly/secure-net, https://alpaca_jade_265.pineapplebuilder.com/index
  • [IP] Malicious IP – 185.199.110.153 (associated with Chai Urgent Care phishing campaign and TORZON marketplace)
  • [MD5/SHA1/SHA256] NoCry Ransomware – f82762214b095a7508be150c6de5579c, 3f55428bcd35e4d58dd2458b8cae6029b158b460, 521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a
  • [MD5/SHA256] Dropper – 885cf6387de64ff8ad43af4604a19efd, b38943f777ec2cb42abe5ef35b5d2933ce65e3aa3915d7d62bc1cd75c7586886
  • [MD5/SHA256] Gwpuae.bat / Vippqmccfq.exe / Pwdsueslxagy.exe – 586… (example for Dropper/Downloader family variants)

Read more: https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/