Cyble – Threat Actor Targets Russian Gaming Community With WannaCry-Imitator

Phishing Gaming Site Opens the Door to Ransomware Infection

Gaming has gained immense popularity, attracting millions of players globally, primarily due to the wide range of game options available, strong community engagement, and its entertainment value. Unfortunately, this widespread appeal has also attracted the attention of Threat Actors (TAs), who seek to exploit gamers by targeting games with large user bases to maximize their potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring phishing campaigns that utilize gaming sites as a distribution channel for various malware families. Recently, CRIL uncovered a phishing campaign targeting Russian-speaking gamers intending to distribute ransomware. The TAs behind these malicious campaigns have employed phishing pages designed to closely resemble the legitimate Enlisted Game website.

Enlisted, a squad-based multiplayer tactical first-person shooter game was developed by Darkflow Software and published by Gaijin Entertainment. This free-to-play game takes place in the backdrop of World War II and focuses on the significant battles fought on all fronts of the war.

The figure below shows the Fake Russian Language game “Enlisted” ‘s website.

Figure 1 Phishing page downloading malicious Enlisted Game Installer
Figure 1 – Phishing page downloading malicious Enlisted Game Installer

The fake website hosts an installer file that contains a legitimate game installer and ransomware. The ransomware has adopted the name “WannaCry 3.0” and utilizes the “wncry” file extension for encrypting files, although it is not a genuine variant of the WannaCry ransomware. This ransomware is a modified version of an open-source Ransomware “Crypter”, developed for Windows and written purely in Python. The Crypter code is hosted on a GitHub repository created by a user named ‘@sithis993’.

The figure below shows the GitHub Repository of Crypter Ransomware Builder.

Figure 2 GitHub Repository of Open Source Crypter Ransomware Builder
Figure 2 – GitHub Repository of Open Source Crypter Ransomware Builder

Technical details

In this technical analysis, we analyzed an installer sample named “enlisted_beta-v1.0.3.115.exe” with SHA265 as “c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2”, downloaded from a phishing site “hxxp://testsite-beta-ne[.]1gb[.]ru/”.

The figure below shows the installer file details.

Figure 3 File Details of the Installer File
Figure 3 – File Details of the Installer File

When a user runs the “enlisted_beta-v1.0.3.115.exe” file, it shows an installation wizard to install the game, as shown in the figure below.

Figure 4 Enlisted Game Installer Window
Figure 4 – Enlisted Game Installer Window

The “enlisted_beta-v1.0.3.115.exe” installer file contains two executable files,  one is “ENLIST~1.EXE”, which is a legitimate Enlisted Game installer, and the ransomware executable “enlisted.exe”. In the background, the installer drops both files in the “C:Users<user>AppDataLocalTempIXP000.TMP”.

The figure below shows the files dropped by the installer.

Figure 5 The Files Dropped by the Installer
Figure 5 – The Files Dropped by the Installer

WannaCry 3.0 Crypter

The WannaCry 3.0 Crypter is a 64-bit PyInstaller executable with SHA256 as “c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce”.

The figure below shows the details of the ransomware executable.

Figure 6 WannaCry 3.0 Ransomware File Details
Figure 6 – WannaCry 3.0 Ransomware File Details

Upon execution of “enlisted.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.

Figure 7 Extracted Files of PyInstaller
Figure 7 – Extracted Files of PyInstaller Executable

The “Main.py” file is the entry point for the ransomware. This file has two functions, one to create a mutex or check for an existing one and the other to initiate further ransomware activities.

The figure below shows the code to check mutex and start ransomware activities.

Figure 8 Ransomware Entry Point
Figure 8 – Ransomware Entry Point

When executing the ransomware, it tries to create a mutex with the name “mutex_rr_windows” in the system. The ransomware uses the win32event.CreateMutex() function to create the mutex. If the Mutex already exists, the function returns the error ‘ERROR_ALREADY_EXISTS’, and an exception is raised using MutexAlreadyAcquired(). If no mutex exists, then the win32event.CreateMutex() function creates the mutex and returns the mutex object.

The figure below shows the code to create and check the mutex.

Figure 9 Ransomware Code To Create
Figure 9 – Ransomware Code To Create Mutex

Once the mutex is checked, the ransomware retrieves its configuration settings from a file “runtime.cfg”, which is a JSON file.

The figure below shows the code to load the ransomware config file.

Figure 10 Ransomware Code to Load Configuration File
Figure 10 – Ransomware Code to Load Configuration File

The “runtime.cfg” file contains various parameters, including a ransom note and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration:

  • maj_version
  • min_version
  • gui_title
  • encrypt_attached_drives
  • encrypt_user_home
  • encrypted_file_extension
  • disable_task_manager
  • open_gui_on_login
  • time_delay
  • wallet_address
  • bitcoin_fee
  • key_destruction_time
  • max_file_size_to_encrypt
  • filetypes_to_encrypt
  • ransom_message
  • make_gui_resizeable
  • always_on_top
  • background_colour
  • heading_font_colour
  • primary_font_colour
  • secondary_font_colour
  • delete_shadow_copies

The figure below shows the configuration details of the ransomware.

Figure 11 Ransomware Configuration File
Figure 11 – Ransomware Configuration File

Additional to loading the configuration file, the ransomware adds 2 files in the C:Users<user>AppDataRoaming folder, “enc_test.txt” and “encrypted_files.txt”. As the name suggests, the “enc_test.txt” file is a text file to test if the data is getting encrypted, and the “encrypted_files.txt” contains the list of files encrypted by the ransomware.

The figure below shows the dropped files.

Figure 12 Test File Created by Ransomware
Figure 12 – Test File Created by Ransomware

Next, the ransomware checks the “encrypted_file_list.txt”. If the file is empty, the ransomware sleeps for the time mentioned in the config file. In this config file, the delay is 0; hence the ransomware will not delay the operation.

Subsequently, the ransomware conducts checks to determine whether the task manager should be disabled and whether the ransomware needs to be added to the startup programs. In the case of the WannaCry 3.0 ransomware, both of these settings are disabled.

The figure below shows the code to sleep, check for disabling task manager, and startup entry.

Figure 13 Ransomware Checking Various Operaion
Figure 13 – Ransomware Checking Various Operations

Now ransomware initializes the encryption keys to encrypt the files in the system. First, ransomware checks for the “key.txt” file present in the working directory. If the key file is present, then it uses the key. If the key file is absent, the ransomware generates the keys and stores them in the current working directory in the new “key.txt” file.

The figure below shows the key loading and key generation code.

Figure 14 Ransomware Initializing Encryption Keys
Figure 14 – Ransomware Initializing Encryption Keys

Afterward, the ransomware creates a list of files to be encrypted by the malware. For this reason, the ransomware checks the system to find files to encrypt and create a list of files with full path names. The ransomware has whitelisted files to ignore from encryption and a list of extensions to be targeted for encryption, presented in the configuration file. The ransomware ignores three files from encryption WNCRY_PUBLIC_KEY_1.txt, WNCRY_PUBLIC_KEY_2.txt, and WNCRY_README.txt present at the “C:UsersPublic” location.

The figure below shows the file enumeration for encryption.

Figure 15 Ransomware Listing Files to be Encrypted
Figure 15 – Ransomware Listing Files to be Encrypted

The ransomware proceeds to encrypt the files from the generated list, utilizing the AES encryption algorithm. Once the files are encrypted, the ransomware adds a “wncry” extension at the end of the encrypted filename.

The figure below shows the code to encrypt the files.

Figure 16 Ransomware Code to Encrypt Files
Figure 16 – Ransomware Code to Encrypt Files

Unlike other ransomware variants, WannaCry 3.0 ransomware does not terminate processes or stop services. This ransomware only deletes shadow copies from the system using the task scheduler.

The ransomware creates a task scheduler entry named “updater47” and adds the command vssadmin Delete Shadows /All /Quiet to the task. The task is executed just after the creation to delete the shadowcopies.

The figure below shows the task created by the ransomware.

Figure 17 Ransomware Deleting ShadowCopies
Figure 17 – Ransomware Deleting ShadowCopies

Once the shadowcopy files are deleted, the ransomware starts a cleanup procedure in the system where it deletes the encrypted file list, deletes registry entries (if created), and re-enables the task manager(if disabled).

The figure below shows the code for cleaning up the files and registry.

Figure 18 Ransomware Cleaningup The System After Encryption
Figure 18 – Ransomware Cleaningup The System After Encryption

Next, the ransomware shows the ransom note in the form of a Graphical User Interface (GUI) application. WannaCry 3.0 ransomware only contains the Telegram account ID “wncry_support_bot” to negotiate with the TAs. Additionally, the ransomware contains time remaining to pay the ransom, keys to encrypt the files, a button to see the list of encrypted files, and the option to enter the decryption key.

The figure below shows the GUI applications executed by ransomware after encryption.

Figure 19 Ransomware Executing GUI Based Ransom Note
Figure 19 – Ransomware Executing GUI-Based Ransom Note

Finally, the ransomware changes the desktop background image to show additional information, as shown in the figure below.

Figure 20 Desktop Background Changed by Ransomware
Figure 20 – Desktop Background Changed by Ransomware

Conclusion

WannaCry 3.0 Ransomware is a modified version of an open-source Python-based Crypter ransomware that targets Russian-speaking gamers. The ransomware operation is simple and does not have any leak site or dedicated chat link, but it utilizes a Telegram bot for ransom-related communication.

Given the targeted user base, there is speculation that the motivation behind its creation could be influenced by the ongoing Russia-Ukraine conflict.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network
  • Disconnect external storage devices if connected
  • Inspect system logs for suspicious events

Impact of Ransomware

  • Loss of valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
Initial Access T1566 Phishing
Execution T1204 User Execution
Discovery T1083 File and Directory Discovery
Defense Evasion T1070
T1562
Indicator Removal
Impair Defenses
Impact T1486
T1490
Data encrypted for impact
Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators  Indicator  
Type 
Description 
65fdd5e706d45e8bb83bc13311fb4da4
6515911679fdb3d6267ab44b67415dc32e587440
c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2
MD5
SHA1
SHA256
enlisted_beta-v1.0.3.115.exe
77873f29f166fd64350be2a1391ce9f9
dfaab002eca691708228846e0d16905290031d48
c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce
MD5
SHA1
SHA256
enlisted.exe
a6c971ab47c13b513af07d6dc3b06e8e
aa86ba02efd41f624b51956311b8759711a207ab
3741580d662ba528004695bf6441fc03e6e195c8d599ea7cbb8a8c4ec59efef4
MD5
SHA1
SHA256
enlisted.exe
55fac3a480c154fd5f2344992db4c5b0
31278826e062d0a8b4ffe52caf1aa5c2804f3441
444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790
MD5
SHA1
SHA256
enlisted.exe
84c613a151449be56b5afb0291fc0cca
9b43fdfd6ddb70a7418158c33d4c9a41f341a4e2
51aeac86371a1dafe7601b40a1b897f1c5c62ed6aa6fcdb3fe39e6ebf480763f
MD5
SHA1
SHA256
enlisted.exe
66742054e5ba484ef06d7cc2b52bd6c3
0dc36a78cb251f6272991d541b7dffb438e2eb36
dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005
MD5
SHA1
SHA256
enlisted.exe
hxxp://testsite-beta-ne[.]1gb[.]ru/download/enlisted_beta-v1.0.3.115.exe URL Download URL
hxxp://adobe-acrobat[.]1gb[.]ru/download/adobe_acrobat_reader.exe URL Download URL

Source: https://blog.cyble.com/2023/06/13/threat-actor-targets-russian-gaming-community-with-wannacry-imitator/