BleachGap is a single-executable ransomware variant analyzed by K7 Labs that functions as both a stealer and an encryptor. It decodes its strings in memory to evade detection and exfiltrates victim data to a Discord webhook. The campaign also disables security tools, enumerates user folders, and encrypts files with AES before dropping ransom notes, while some executable files are left untouched.
Read more: https://labs.k7computing.com/index.php/bleachgap-revamped/

Keypoints

  • BleachGap is described as a ransomware variant that runs as a single executable to aid evasion compared to earlier variants.
  • It generates a unique UID and a 32-byte password for each victim using an internal function.
  • It obtains the current username via environment variables and decodes strings in memory to assemble payload data.
  • The malware decodes encoded strings at runtime instead of hardcoding them to evade detection.
  • It sends a large decoded string to a Discord webhook via an HTTP POST request.
  • It disables security tools (CMD, Task Manager, Registry Editor) by decoding and writing registry keys.
  • It encrypts files using AES with a randomly generated key, renames encrypted files to PAY2DECRYPT+UID, and drops about 100 ransom notes on the Desktop.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – In-memory decoding of encoded strings to evade detection. Quote: ‘Instead of hardcoding the useful strings into executables directly, so as to evade detection, this ransomware has used a similar method of moving encoded strings into memory and then decoding them at runtime for different purposes.’
  • [T1567.002] Exfiltration to Web Service – Data exfiltration to a Discord webhook via a Post request. Quote: ‘this ransomware sends the large decoded string shown in Figure 3 as a Post request to the Discord Webhook API which has been highlighted in Figure 4 and 5.’
  • [T1112] Modify Registry – Disabling tools by creating/altering registry keys. Quote: ‘the ransomware tries to disable tools like command prompt (CMD), Task Manager and Registry Editor… Disabling the mentioned tools happens with the help of the registry.’
  • [T1083] File and Directory Discovery – Enumerating folders with FindFirstFileExW and FindNextFileW to locate targets/files. Quote: ‘the ransomware starts to enumerate them using FindFirstFileExW and FindNextFileW—and then uses ReadFile to read the existing file into a buffer for encryption.’
  • [T1005] Data from Local System – Reading files into memory for encryption using ReadFile. Quote: ‘ReadFile to read the existing file into a buffer for encryption.’
  • [T1486] Data Encrypted for Impact – Encrypting files with AES using a generated key (password) and a S-Box/key expansion step; files renamed after encryption. Quote: ‘the AES algorithm to encrypt the files using the password (key) that was randomly generated and sent to discord webhook… S-Block used in the AES Algorithm during the Key Expansion phase.’
  • [T1036] Masquerading – Renaming encrypted files to PAY2DECRYPT+UID to mislead victims. Quote: ‘renames the file with the extension PAY2DECRYPT+UID.’
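The registry tampering (T1112) and the PAY2DECRYPT rename (T1486) described above give a responder two quick host checks. The PowerShell below is an added triage script, not part of the K7 Labs analysis; it assumes the sample sets the standard per-user policy values DisableCMD, DisableTaskMgr and DisableRegistryTools (the post does not name the exact keys it writes), that encrypted files carry PAY2DECRYPT in their name, and it treats a burst of recently created .txt files on the Desktop as a heuristic for the dropped ransom notes.

```powershell
# Added triage script (not from the K7 Labs post). Assumption: the sample disables
# CMD, Task Manager and Registry Editor through the standard per-user policy values.
$policyChecks = @(
    @{ Tool = 'Command Prompt';  Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD' }
    @{ Tool = 'Task Manager';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Tool = 'Registry Editor'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)

$findings = @()
foreach ($c in $policyChecks) {
    # A missing key or value means the tool is not disabled by this policy.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($c.Name) -ne 0) {
        $findings += [pscustomobject]@{
            Indicator = 'RegistryPolicy'
            Detail    = "$($c.Tool) disabled via $($c.Path)\$($c.Name) = $($item.($c.Name))"
        }
    }
}

# Encrypted files are renamed with PAY2DECRYPT+UID; look for that marker under the profile.
$renamed = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'PAY2DECRYPT' }
foreach ($f in $renamed) {
    $findings += [pscustomobject]@{ Indicator = 'RenamedFile'; Detail = $f.FullName }
}

# Heuristic (assumption): the ~100 ransom notes dropped on the Desktop show up as many
# .txt files created within a short window. The threshold of 50 is arbitrary.
$desktop   = [Environment]::GetFolderPath('Desktop')
$recentTxt = Get-ChildItem -Path $desktop -File -Filter '*.txt' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-1) }
if ($recentTxt.Count -ge 50) {
    $findings += [pscustomobject]@{
        Indicator = 'RansomNoteBurst'
        Detail    = "$($recentTxt.Count) .txt files created on the Desktop in the last hour"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BleachGap-style registry policy, rename or ransom-note indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session on a suspect host; a RegistryPolicy hit on its own is worth a follow-up even when no renamed files are found, since the page describes the policy change as happening before encryption.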

Indicators of Compromise

  • [File Name] ransomito.exe, ApkStudio.exe.lnk
  • [Hash] bfe289c6f91ffcda97c207f3c1c525a9