CYFIRMA details FusionCore, a European Malware-as-a-Service and hacker-for-hire group, and analyzes SarinLocker ransomware linked to NecroSys and an affiliate program. The report notes SarinLocker v1.0 is still under development, targets specific file types, exfiltrates data to Telegram, and uses a low-cost RaaS model to recruit affiliates. hashtags: #FusionCore #SarinLocker #NecroSys #AnthraXXXLocker #LindesbergMunicipality #TyphonStealer #Telegram
Keypoints
- FusionCore is a European MaaS and hacker-for-hire group that launched an affiliate program offering ransomware and management tools (AnthraXXXLocker).
- SarinLocker is a newly analyzed ransomware written by NecroSys; v1.0 appears under development with a future, more capable version anticipated.
- SarinLocker checks file extensions and only encrypts targeted files, uses AES-256-CBC for encryption, and appends the SARIN.XXX extension to encrypted files.
- The malware exfiltrates victim data to Telegram and uploads a desktop screenshot to anonfiles to provide a download link via Telegram.
- The campaign markets ransomware-as-a-service at a low price (~$100) and promotes customizable features to attract affiliates and customers.
- Victims include Lindesberg Municipality (Sweden) and an Asia-Pacific infosec company; Typhon Stealer was used in a phishing attempt against the latter.
- Two ransom notes exist: a TXT note claiming $50 ETH demand and an HTML note claiming $200 in Monero, illustrating inconsistent pay demands across versions.
MITRE Techniques
- [T1204.002] Malicious File – The main function of the binary calls other functions such as “SatrtEncryption” and “Telegram” to execute specific tasks. ‘the main function of the binary calling other functions like “SatrtEncryption”, “Telegram” etc. is for executing specific tasks.’
- [T1112] Modify Registry – The SetWallpaper function opens the registry key “HKEY_CURRENT_USER\Control Panel\Desktop” in write mode. ‘The SetWallpaper function is responsible for setting the wallpaper on a Windows desktop. The function opens the registry key, “HKEY_CURRENT_USER\Control Panel\Desktop” in write mode.’
- [T1012] Query Registry
- [T1082] System Information Discovery
- [T1113] Screen Capture – The Telegram function retrieves the current username and machine name, takes a screenshot of the desktop and saves it to a specified location on the local machine. ‘The ransomware first collects the information of user like username, constructs a path to the user’s directory, and subsequently calls the “EncryptDirectory” method to encrypt the files in the user’s directory, using the encryption password calculated at runtime.’
- [T1071] Application Layer Protocol – The Telegram communication uses an API call to notify a Telegram chat about infection. ‘It first sets the security protocol to Tls12… and then sends a request to the specified URL… with the message string as a parameter.’
- [T1048] Exfiltration Over Alternative Protocol – Exfiltration of victim information to Telegram. ‘the ransomware also exfiltrates victim’s information to Telegram.’
- [T1486] Data Encrypted for Impact – The ransomware encrypts files using AES-256-CBC and renames them with a SARIN.XXX extension. ‘Finally, the ransomware renames the encrypted file with an additional extension “SARIN.XXX”.’
Indicators of Compromise
- [MD5 Hash] 4cdd313daa831401382beac13bea4f00 – SarinLocker Ransomware
- [SHA1 Hash] 856707241a7624681d6a46b2fa279bd56aa6438a – SarinLocker Ransomware
- [SHA256 Hash] 1a0211f6bc0aab4889364024bd2ec9a3baa56e654d07586bb9c06b0c86f68eaf – SarinLocker Ransomware
- [MD5 Hash] 65595f4249baa1f453934096551a1146 – SarinDesktop.JPG (Downloaded Desktop Wallpaper)
- [SHA1 Hash] 5542bcffd50834389eda22700693c2cf909028dc – SarinDesktop.JPG (Downloaded Desktop Wallpaper)
- [SHA256 Hash] 2f27d0a79065bd5a60ace7eccaba4e67fbb60578f77288e8adb6a464e1490739 – SarinDesktop.JPG (Downloaded Desktop Wallpaper)
- [URL] https[:]//api.telegram[.]org/bot5589520987[:]AAEf0S128_2nbg3Rp6-EjdpqFmJfTkHjjHs/sendMessage?chat_id=1924412993 – Telegram notification API
- [Email] crypsis@mailfence[.]com – Contact for ransom payment
- [Wallet Address] 0x4509C125Ed6753177579bd6cE9463907B662dDd7 – Crypto wallet used for payment
- [FileName] Sarin.exe – Original file name mentioned in metadata
- [FileName] SarinDesktop.JPG – Desktop wallpaper file referenced in the notes
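The MITRE entries above describe the behaviours a defender can hunt for (Telegram Bot API calls from endpoints, files renamed with the SARIN.XXX marker) and the IoC list gives the concrete values. The following is an added triage helper, not CYFIRMA's code or the malware's, that turns those two parts of the report into checks over proxy-log lines and a file listing. The hashes, bot id and chat id are taken from the report (refanged); the log format, the sample lines and the bot token placeholder are constructed for the example.

```python
"""Added triage helper (not from the report): matches the SarinLocker IoCs
against constructed proxy-log lines and file names, and hashes samples."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# IoCs from the report; the original list is defanged ("[.]", "[:]"),
# they are refanged here so string matching works on real log data.
SARINLOCKER_SHA256 = {
    "1a0211f6bc0aab4889364024bd2ec9a3baa56e654d07586bb9c06b0c86f68eaf": "SarinLocker ransomware (Sarin.exe)",
    "2f27d0a79065bd5a60ace7eccaba4e67fbb60578f77288e8adb6a464e1490739": "SarinDesktop.JPG wallpaper",
}
REPORTED_BOT_ID = "5589520987"
REPORTED_CHAT_ID = "1924412993"
ENCRYPTED_SUFFIX = "sarin.xxx"  # marker appended to encrypted files

# Telegram Bot API path shape: /bot<numeric id>:<token>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)$"
)


def inspect_telegram_url(url):
    """Return details if `url` is a Telegram Bot API call, else None.

    Any bot-API sendMessage from a workstation deserves a look; a bot id or
    chat id equal to the reported one is a direct IoC hit.
    """
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "method": m.group("method"),
        "chat_id": chat_id,
        "ioc_hit": m.group("bot_id") == REPORTED_BOT_ID or chat_id == REPORTED_CHAT_ID,
    }


def is_sarin_encrypted_name(filename):
    """True if the file name ends with the SARIN.XXX marker the report describes."""
    return filename.lower().endswith(ENCRYPTED_SUFFIX)


def match_sha256(data):
    """Hash a sample held in memory and look it up in the report's SHA256 list."""
    return SARINLOCKER_SHA256.get(hashlib.sha256(data).hexdigest())


def triage_proxy_log(lines):
    """Scan 'timestamp client method url' lines (constructed format) for bot-API traffic."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        info = inspect_telegram_url(url)
        if info:
            findings.append({"ts": ts, "client": client, "method": method, **info})
    return findings


# Constructed sample data (not from the report). PLACEHOLDER_TOKEN stands in
# for the bot token; the bot id and chat id are the reported ones.
SAMPLE_PROXY_LINES = [
    "2023-05-01T10:02:11Z 10.0.0.15 GET https://api.telegram.org/bot5589520987:PLACEHOLDER_TOKEN/sendMessage?chat_id=1924412993&text=infected",
    "2023-05-01T10:02:13Z 10.0.0.15 GET https://example.com/index.html",
    "2023-05-01T10:03:40Z 10.0.0.22 POST https://api.telegram.org/bot111:abc_DEF-123/sendMessage?chat_id=42",
]
SAMPLE_FILES = ["report.docx.SARIN.XXX", "budget.xlsx", "photo.jpg.sarin.xxx", "SarinDesktop.JPG"]

if __name__ == "__main__":
    for finding in triage_proxy_log(SAMPLE_PROXY_LINES):
        print("telegram bot api:", finding)
    print("encrypted names:", [n for n in SAMPLE_FILES if is_sarin_encrypted_name(n)])
```

The URL check deliberately reports every Bot API sendMessage call, not only the reported bot id: the token and chat id are trivially changed between builds, so the behaviour (a workstation talking to api.telegram.org/bot…/sendMessage) is the durable signal and the ids are the confirmation. Hash matching is only as good as the sample you hold; a rebuilt binary with a different token will not match, which is why the file-name and network checks run alongside it.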
Read more: https://www.cyfirma.com/outofband/sarinlocker-ransomware/