Cyble – CrossLock Ransomware Emerges: New GoLang-Based Malware On The Horizon

CrossLock is a Go-based ransomware that encrypts victims’ data and exfiltrates it for double extortion. It bypasses Event Tracing for Windows (ETW), performs extensive cleanup of backups and logs, and stops services to hinder recovery and pressure victims into paying. #CrossLock #GoLang

Keypoints

  • CrossLock is implemented in Go, leveraging Go’s cross-platform capabilities.
  • It uses a double-extortion approach: data encryption plus exfiltration, with a leak site where victims can see the stolen data.
  • It bypasses detection by tampering with Event Tracing for Windows (ETW) and patches ETW functions.
  • The malware accepts command line parameters to specify targets and network access (e.g., host, domain, user, password).
  • Extensive system cleanup occurs after ETW patching, including deletion of shadow copies, logs, and backup catalogs, and disabling startup repair.
  • Files are encrypted with Curve25519 and ChaCha20 and renamed with a .crlk extension; numerous services are stopped before encryption begins.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The ransomware can accept various command line parameters to execute encryption operations, e.g. “rware.exe –host dcServer –domain icme[.]com –user administrator -p 123456@passwd -P C$”.
  • [T1564] Hide Artifacts – Event Tracing for Windows (ETW) bypass by patching ETW functions, e.g., “substituting the initial bytes of these functions with the bytes ‘48 33 C0 C3’ to bypass event tracing.”
  • [T1083] File and Directory Discovery – Uses FindFirstFileW() and FindNextFileW() to enumerate files and directories and search for encryption targets.
  • [T1486] Data Encrypted for Impact – Encrypts files using Curve25519 and ChaCha20 and replaces each original via MoveFileExW() with the encrypted file, which carries a .crlk extension.
  • [T1490] Inhibit System Recovery – Deletes backups and shadow copies, disables startup repair, clears system/backup logs, and removes related recovery mechanisms during its cleanup phase.
  • [T1070] Indicator Removal on Host – Clears Windows event logs (e.g., wevtutil cl application/system) as part of cleanup to hinder detection.
  • [T1497] Virtualization/Sandbox Evasion – Detects virtualization/sandbox environments (e.g., WINE) to avoid analysis by checking whether GetProcAddress() resolves wine_get_version.
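The two behaviours above that a defender can detect most directly are the ETW patch (T1564, the 48 33 C0 C3 stub) and the pre-encryption cleanup (T1490/T1070). The following is an added example, not code from Cyble or from the malware: it checks a captured ETW function prologue against the stub and scores constructed process-creation log lines for cleanup behaviour. Only "wevtutil cl" is quoted on the page; the shadow-copy, backup-catalog and startup-repair patterns are assumptions based on the standard Windows utilities for those actions, and the pipe-separated log format is constructed.

```python
import re

# Stub CrossLock writes over patched ETW exports, per the write-up:
# 48 33 C0 C3 = xor rax, rax ; ret  (every call "succeeds" and logs nothing).
ETW_PATCH_STUB = bytes.fromhex("4833C0C3")

def etw_function_is_patched(prologue: bytes) -> bool:
    """True if the first bytes read from a live ETW export (e.g. EtwEventWrite)
    in a process image match the stub; a genuine prologue never starts this way."""
    return prologue[:4] == ETW_PATCH_STUB

# Cleanup behaviours that inhibit recovery. Only the wevtutil rule is quoted
# from the page; the others are assumed standard-utility forms, not commands
# the source attributes to CrossLock.
CLEANUP_RULES = {
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow_copies_deleted": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "startup_repair_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

def classify_command(cmdline: str) -> list:
    """Names of every cleanup behaviour the command line matches."""
    return [name for name, rx in CLEANUP_RULES.items() if rx.search(cmdline)]

def scan_process_log(lines) -> dict:
    """Map host -> set of distinct cleanup behaviours seen. Constructed line
    format: '<timestamp>|<host>|<command line>'."""
    per_host = {}
    for line in lines:
        _ts, host, cmd = line.split("|", 2)
        for name in classify_command(cmd):
            per_host.setdefault(host, set()).add(name)
    return per_host

def hosts_to_alert(lines, min_behaviours: int = 2) -> list:
    """A lone 'wevtutil cl' is weak evidence (admins do it); several distinct
    cleanup behaviours on one host is the ransomware pre-encryption pattern."""
    return sorted(h for h, b in scan_process_log(lines).items() if len(b) >= min_behaviours)

# Constructed sample log: WS01 shows the full cleanup chain, WS02 a one-off.
SAMPLE_LOG = [
    "2023-04-18T10:00:01|WS01|C:\\Windows\\System32\\wevtutil.exe cl application",
    "2023-04-18T10:00:01|WS01|C:\\Windows\\System32\\wevtutil.exe cl system",
    "2023-04-18T10:00:03|WS01|vssadmin.exe delete shadows /all /quiet",
    "2023-04-18T10:00:04|WS01|bcdedit.exe /set {default} recoveryenabled no",
    "2023-04-18T10:05:00|WS02|wevtutil.exe cl application",
    "2023-04-18T10:06:00|WS03|notepad.exe C:\\Users\\a\\notes.txt",
]

if __name__ == "__main__":
    print(hosts_to_alert(SAMPLE_LOG))
```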

Indicators of Compromise

  • [MD5] CrossLock ransomware executable – 9756b1c7d0001100fdde3efefb7e086f
  • [SHA1] CrossLock ransomware executable – 55de88118fe8abefb29dec765df7f78785908621
  • [SHA256] CrossLock ransomware executable – 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72

Read more: https://blog.cyble.com/2023/04/18/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon/