New Go-Based JKwerlo Ransomware Poses A Risk To French And Spanish Users  – Cyble

Cyble researchers track a Go-based JKwerlo Ransomware campaign targeting French and Spanish speakers, delivered via language-specific HTML files that embed zip archives. The operation relies heavily on PowerShell for its execution flow, with multi-stage payloads delivered through Dropbox links and a Telegram channel used for actor communications. #JKwerloRansomware #GoBased #Dropbox #PowerShell #Telegram #CRIL

Keypoints

  • The campaign uses language-specific HTML files to lure French- and Spanish-speaking victims, with the infection chain tailored to each language.
  • The HTML files embed zip archives. On the Spanish path the payload sits directly inside the zip; on the French path the zip starts a PowerShell-based chain that deploys JKwerlo.
  • PowerShell scripts are central to the campaign and act as the primary delivery and execution mechanism.
  • JKwerlo deletes Taskmgr.exe and Resmon.exe to hinder monitoring, and uses PsExec and Rubeus for lateral movement and privilege escalation.
  • The payload runs an extensive command set: log clearing, boot configuration changes, process termination, network enumeration, and encryption of user files.
  • The dropped payloads abuse legitimate services (Dropbox, GitHub releases) for hosting and rely on multi-stage loading from those remote sources.
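Triage helper for the HTML-smuggled archives described above. This is an added example, not Cyble's tooling or anything recovered from the JKwerlo lures: the page only states that the HTML files embed zip archives, so the script assumes the common HTML-smuggling layout in which the archive is base64-encoded inside a <script> block and reassembled by JavaScript in the browser. It carves every base64 run out of an HTML document, keeps the ones that decode to a ZIP (PK\x03\x04 magic) and lists the archive members without opening or executing them. The sample HTML, the JavaScript dropper and the .lnk bytes are constructed here and reuse only the "Demande légale" naming from the IoC list.

```python
"""Carve base64-smuggled zip archives out of an HTML lure (added example, not Cyble's code)."""
import base64
import hashlib
import io
import re
import zipfile

# Long runs of base64 alphabet characters; 200 chars is an arbitrary floor to skip
# ordinary identifiers and short attribute values.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def carve_zips(html: bytes):
    """Return a list of (sha256 of the archive, member names) for every base64 blob that decodes to a zip."""
    found = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
            continue
        if not blob.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()  # listing only; members are never extracted
        except zipfile.BadZipFile:
            continue
        found.append((hashlib.sha256(blob).hexdigest(), names))
    return found


def build_sample_html() -> bytes:
    """Constructed lure (not the real sample): an HTML page that smuggles a zip holding one .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # Placeholder bytes with a shortcut-like header; this is not a working .lnk.
        zf.writestr("Demande légale.lnk", b"L\x00\x00\x00" + b"\x00" * 252)
    b64 = base64.b64encode(buf.getvalue()).decode()
    # Assumed dropper pattern: decode in the browser, wrap in a Blob, trigger a download.
    return (
        "<html><body><p>Demande légale</p><script>\n"
        f"var d='{b64}';\n"
        "var b=Uint8Array.from(atob(d),c=>c.charCodeAt(0));\n"
        "var u=URL.createObjectURL(new Blob([b],{type:'application/zip'}));\n"
        "var a=document.createElement('a');a.href=u;a.download='Demande légale.zip';a.click();\n"
        "</script></body></html>"
    ).encode("utf-8")


if __name__ == "__main__":
    for digest, names in carve_zips(build_sample_html()):
        print(digest, names)
```

Run it against a real lure with `carve_zips(open(path, "rb").read())`; the SHA-256 it prints is the hash of the carved archive, which is what you would compare against the zip hashes in the IoC list, not the hash of the HTML wrapper.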

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malicious HTML is most likely delivered by email.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious activities are performed using PowerShell.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – The initial PowerShell script is stored in a hidden folder.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The ransomware disables Windows Defender.
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – The ransomware disables the Windows firewall.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – The ransomware clears Windows event logs from the system.
  • [T1070.004] Indicator Removal: File Deletion – The ransomware deletes the dropped files from the system.
  • [T1083] File and Directory Discovery – The ransomware enumerates folders for file encryption and file deletion.
  • [T1046] Network Service Discovery – The ransomware searches for IPs on the system in order to infect other systems.
  • [T1486] Data Encrypted for Impact – The ransomware encrypts data for extortion.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares (PsExec) – PsExec is used to execute the payload remotely on other systems. “PsExec, developed by Microsoft, is a command-line utility that empowers users to remotely execute processes on other systems.”
  • [T1558] Steal or Forge Kerberos Tickets (Rubeus) – Rubeus requests Kerberos tickets for privileged users to obtain elevated access. “Using Rubeus, the ransomware requests Ticket Granting Tickets (TGTs) for privileged users such as “Administrator”…”
  • [T1027] Obfuscated Files or Information – The main_dct routine decodes hardcoded hex strings to recover the strings used during execution. “main_dct() decodes/decrypts these hex strings and retrieves the actual strings.”
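Host triage for the behaviours listed in the keypoints and the technique table above. This is an added example, not Cyble's detection logic: it takes process-creation command lines (Sysmon event 1 or EDR telemetry), maps them to the behaviours the page attributes to JKwerlo, and rates the host by how many distinct behaviours appear together, since log clearing, defence tampering and PsExec in one session is a much stronger signal than any of them alone. The regexes are representative command lines for each technique, assumed here; the page does not quote the sample's actual commands. The sample log is constructed and only borrows the njkasd.ps1, ps.exe and rbs.exe filenames from the IoC list.

```python
"""Map process command lines to the JKwerlo behaviours on this page (added example, not Cyble's code)."""
import re
from collections import defaultdict

# rule key -> (label, regexes applied case-insensitively to the full command line).
# Patterns are assumed typical commands for each behaviour, not commands taken from the sample.
RULES = {
    "T1059.001": ("PowerShell with bypass/encoded flags", [
        r"\bpowershell(\.exe)?\b.*-(?:enc|encodedcommand|ep\s+bypass|executionpolicy\s+bypass)",
    ]),
    "T1070.001": ("Clear Windows Event Logs", [
        r"\bwevtutil(\.exe)?\s+cl\b",
        r"\bClear-EventLog\b",
    ]),
    "T1562.001": ("Disable or Modify Tools (Defender, Taskmgr/Resmon removal)", [
        r"\bSet-MpPreference\b.*-Disable\w+",
        r"\btaskkill\b.*/im\s+(?:taskmgr|resmon|procmon)",
        r"\b(?:del|Remove-Item)\b.*\\(?:taskmgr|resmon)\.exe",
    ]),
    "T1562.004": ("Disable or Modify System Firewall", [
        r"\bnetsh\b.*advfirewall.*\bstate\s+off\b",
    ]),
    "boot-config": ("Boot configuration change (keypoints; no technique ID listed above)", [
        r"\bbcdedit(\.exe)?\b",
    ]),
    "PsExec": ("Remote execution via PsExec or a renamed copy against a UNC target", [
        r"\b(?:psexec|ps)(\.exe)?\b.*\\\\",
    ]),
    "Rubeus": ("Rubeus (or renamed copy) requesting a TGT", [
        r"\b(?:rubeus|rbs)(\.exe)?\b\s+asktgt\b",
    ]),
}


def triage(cmdlines):
    """Return {rule key: [matching command lines]} for an iterable of command lines."""
    hits = defaultdict(list)
    for line in cmdlines:
        for key, (_label, patterns) in RULES.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                hits[key].append(line)
    return dict(hits)


def severity(hits):
    """Rate a host: three or more distinct behaviours together is treated as an active ransomware session."""
    n = len(hits)
    if n >= 3:
        return "critical"
    if n >= 1:
        return "suspicious"
    return "none"


# Constructed process-creation command lines for one host; not real telemetry from the campaign.
SAMPLE_LOG = [
    r"powershell.exe -ep bypass -w hidden -File C:\Users\Public\njkasd.ps1",
    r"wevtutil.exe cl Security",
    r"netsh advfirewall set allprofiles state off",
    r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    r"cmd.exe /c del /f C:\Windows\System32\Taskmgr.exe",
    r"bcdedit.exe /set {default} recoveryenabled No",
    r"ps.exe \\10.0.0.12 -s cmd.exe /c C:\Users\Public\Doc.exe",
    r"rbs.exe asktgt /user:Administrator /domain:corp.local",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, lines in found.items():
        print(f"{key}: {RULES[key][0]}")
        for line in lines:
            print("   ", line)
    print("severity:", severity(found))
```

The count-based rating is deliberately simple: a single `bcdedit` or `wevtutil cl` has benign administrative uses, so tune the threshold to your environment and treat the PsExec and Rubeus rules, which key on the renamed ps.exe and rbs.exe filenames from the IoC list as well as the tool names, as the ones worth paging on by themselves.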

Indicators of Compromise

  • [MD5/SHA1/SHA256] French HTML – 19088d2799ba035319fba3666a1f0dac, 9e1491669e493d2823a06e79091aa7ce539ccc0e, 831cfc6e0d289364d1b2c9875a85bf76a536611b7308f14c3391b5a22e99f8bd
  • [MD5/SHA1/SHA256] Demande légale.zip – 3bc2635ed259d5e18e675eab17611cd0, 92bb57e09c87eba40c2ca43b1e2777b001832dd4, c50b9ce8a3e2ce4c39ba8f7b881312303ead9daccab538cc2ad7aed10931e6f6
  • [URL] ck.dll and doc.exe Dropbox links – hxxps://www.dropbox[.]com/scl/fi/1xbmupdty6feo9n7bjo7d/ck.dll?rlkey=bl89gwnq1awej5csej3v0ng4z&dl=1, hxxps://www.dropbox[.]com/scl/fi/tee2a4qgy85wjca62ga56/doc.exe?rlkey=eowry4l7it8ie00ufzccl9r53&dl=1
  • [URL] GitHub-hosted stage – hxxps://github[.]com/onkasdni/wertm/releases/download/asd/mmm.txt
  • [Filename] Demande légale.zip, Demande légale.lnk, Doc.exe, ck.dll, njkasd.ps1, a.ps1, ps.exe, rbs.exe
  • [Filename] Documento legal.lnk – (Spanish HTML path indicator)

Read more: https://cyble.com/blog/new-go-based-jkwerlo-ransomware-poses-a-risk-to-french-and-spanish-users/