Maktub Locker – Beautiful And Dangerous

Posted March 24, 2016 by

Maktub Locker is another ransomware that comes with a beautifully designed GUI and a few interesting features. Its name originates from the Arabic word maktub, which means “this is written” or “this is fate”. The authors were probably trying to make a joke by referencing the act of getting infected with ransomware, hinting that it is uninvited and unavoidable, just like fate.

Analyzed samples

Special thanks to MalwareHunterTeam and Yonathan Klijnsma for sharing the samples.

Behavioral analysis

This ransomware comes in a spam campaign, pretending to be a document with a Terms-Of-Service update. This time the whole package has a consistent theme: the name of the attachment is made to resemble a document (examples: “TOS-update-[…].scr”, “20160321_tos.scr”), and it also has a document-like icon:

tos_update_icons
An interesting trick used by this ransomware to spoof legitimate behavior is that it really displays a document! Specifically, a fake TOS update in .rtf format:

update_privacy

While the user is busy reading the document, the malicious program runs in the background and encrypts his/her files.

Encryption process

Maktub Locker does not need to download a key from the CnC server – data can be encrypted offline as well. Extensions given to the encrypted files are random and generated at runtime – their pattern is: [a-z]{4,6}.

The new and surprising thing is that encrypted files are much smaller than the original ones. It seems this ransomware not only encrypts but also compresses files.

Original files and their sizes:

original

The same files after encryption:

encrypted1

See below a visualization of bytes.

square.bmp : left – original, right encrypted with Maktub Locker:

enc_square1 enc_square1_bmp

The bitmap is compressed very well, so the encrypted file is tiny.

A possible reason for compressing files first is to speed up the encryption process.

Encrypted content is different on each run of the sample. However, in a single run, files with the same content will give the same output. We can conclude that the random key is generated only once – at program’s start. After that, every file is encrypted using the same key.

After the encryption is finished, the following GUI pops up:

maktub_gui

It provides the victim with a custom-formatted key: 82 chunks, each 5 characters long (chunk format: [A-Z0-9]{5}). Each time the sample runs, this key is newly generated.

The same information (and layout) can be found in an HTML file (_DECRYPT_INFO_[$EXTENSION].html), dropped in each encrypted directory.

Website for the victim

These days, it’s a common feature of ransomware to provide a TOR-accessed website for the victim and Maktub Locker is no different. Similar to the ransom note, the website is only available in English. In order to access the individual page, the victim is supposed to paste his/her key (the one supplied in the ransom note) into the input box provided on the website.

enter_key

It then redirects to the main website. In comparison to other ransomware families, Maktub Locker actually has a very nicely designed website, including the clean and polite language used.

website1

It comes with a demo, allowing the decryption of 2 selected files:

decrypt_files

The price of decrypting files starts at 1.4 BTC and increases with time. The distributors warn that the website can be taken down, after which it would not be possible to recover the encrypted files:

increment

Inside

Maktub Locker comes packed in a well-written crypter/FUD, so the code is not readable at first. Also, due to the FUD’s functions, detection is problematic and samples have a low detection ratio in the first hours/days after the campaign starts.

Unpacking

Execution starts in the FUD’s code. At first we can see many harmless-looking (and completely useless) API calls and random strings.

radom_strings

This code is executed first, to deceive tools used to detect malicious behavior. Then it is completely overwritten by new code. However, this is still not the malware code, but just another layer of deception techniques. Below, you can see a fragment of the code responsible for unpacking and executing the bogus TOS update (it is first unpacked from the resources and dropped into the %TEMP% folder as a cabinet file):

displaying_ToS

The real malicious code starts in another module that is unpacked into dynamically allocated memory.

threads_list

You can see above 2 threads with entry: 0x10001230. They belong to this malicious module. If we try to dump this memory area, we obtain a new PE file:

new_pe

This PE file is loaded in a continuous area of dynamically allocated memory and used as a new virtual section.

Unfortunately, this time dumping it will not give us the independent payload – the unpacked content has invalid headers, i.e.:

dumped

This trick is used by the crypter in order to protect the payload from automated dumping tools. However, if we capture the unpacking at the right moment, before the headers are overwritten, we can still recover the original payload. It turns out to be a DLL (packed with UPX):

original_dll

The code responsible for encrypting files is located in the function “one”.

The DLL is packed with a genuine version of UPX, so we can easily unpack it, obtaining a deobfuscated DLL with the following section layout (unpacked C.dll: 38eff2f7c6c8810a055ca14628a378e7):

c_dll

However, we will still not see valid strings. The imports also seem irrelevant to the functionality (we will not find there, for example, any reference to the Windows Crypto API). This is because the real imports are resolved dynamically. At the beginning of execution, the function “one” loads them on its own – first decrypting their names:

resolve_imports

Then, they are accessed via dynamically loaded handles.

Execution flow

This malware first makes a list of all the files, and then processes them one by one. It also unpacks a built-in configuration with a list of restricted paths and attacked executables. Each processed path is first checked against this list.

Below you can see a fragment of the code that opens a file chosen for encryption. The call to CreateFileA is made through a dynamically resolved handle, which is loaded into the EAX register:

create_file

Then, a new file is created – with an extension added:

create_encrypted_file

At first both files coexist in the system – the newly created file has 0 size. After it is filled by the encrypted content, the original file gets deleted.

new_file_created

After the encryption process has finished, the malware creates and pops up the dialog box.

Below – code responsible for popping up the GUI with a ransom note:

dialog_box_popup

What is attacked?

It is common practice to exclude some chosen countries from the attack. In this case, before deploying the malicious actions, the application fetches the keyboard locale list. If it finds Russian (value 0x419 = 1049) among them, the malware exits without infecting files:

blacklisted_country

Excluded from the attack are also some predefined folders:

"\\internet explorer\\;\\history\\;\\mozilla\\;\\chrome\\;\\temp\\;\\program files\\;\\program files (x86)\\;\\microsoft\\;\\chache\\;\\chaches\\;\\appdata\\;"

The built-in configuration also specifies which extensions are attacked:

extension

Like other ransomware families, it attacks not only the local disk but also network shares and disks mounted by virtual environments, including external hard drives.
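The two artifacts described above, the configured exclusion list and the _DECRYPT_INFO_[$EXTENSION].html note dropped in each encrypted directory, are enough for a responder to triage a file listing from an affected host. The following is an added example (not code from the article or the sample): the case-insensitive substring match on the exclusion fragments is an assumption, since the analysis only lists the fragments, and the file listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Exclusion fragments exactly as quoted from the sample's configuration
# (the "chache"/"chaches" typos are the malware author's, kept as found).
EXCLUDED_FRAGMENTS = [
    "\\internet explorer\\", "\\history\\", "\\mozilla\\", "\\chrome\\",
    "\\temp\\", "\\program files\\", "\\program files (x86)\\",
    "\\microsoft\\", "\\chache\\", "\\chaches\\", "\\appdata\\",
]

# Ransom note dropped per directory; the captured group is the run's
# random extension, which the article gives as [a-z]{4,6}.
NOTE_RE = re.compile(r"^_DECRYPT_INFO_([a-z]{4,6})\.html$")


def is_excluded_path(path):
    """Assumed matching rule: a path is skipped when it contains one of the
    configured folder fragments (compared case-insensitively, with a
    trailing backslash so a bare directory name still matches)."""
    p = path.lower()
    if not p.endswith("\\"):
        p += "\\"
    return any(frag in p for frag in EXCLUDED_FRAGMENTS)


def find_ransom_notes(listing):
    """Map each directory that holds a Maktub-style note to the extension
    the note name carries. `listing` is an iterable of full Windows paths."""
    notes = {}
    for entry in listing:
        p = PureWindowsPath(entry)
        m = NOTE_RE.match(p.name)
        if m:
            notes[str(p.parent).lower()] = m.group(1)
    return notes


def triage(listing):
    """Correlate notes with their neighbours: files next to a note that
    carry that note's extension are the encrypted copies. Returns
    {directory: [encrypted file names]}."""
    notes = find_ransom_notes(listing)
    hits = {d: [] for d in notes}
    for entry in listing:
        p = PureWindowsPath(entry)
        d = str(p.parent).lower()
        ext = notes.get(d)
        if ext and p.suffix == "." + ext and not NOTE_RE.match(p.name):
            hits[d].append(p.name)
    return hits


# Constructed listing, not taken from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\_DECRYPT_INFO_qwtzl.html",
    r"C:\Users\alice\Documents\report.docx.qwtzl",
    r"C:\Users\alice\Documents\budget.xlsx.qwtzl",
    r"C:\Users\alice\Documents\notes.txt",            # not (yet) encrypted
    r"C:\Users\alice\Pictures\_DECRYPT_INFO_qwtzl.html",
    r"C:\Users\alice\Pictures\square.bmp.qwtzl",
    r"C:\Users\alice\AppData\Local\Temp\cache.bin",   # skipped by config
]

if __name__ == "__main__":
    for directory, files in triage(SAMPLE_LISTING).items():
        print(directory, "->", files)
    print("excluded:", [p for p in SAMPLE_LISTING if is_excluded_path(p)])
```

On a live host the listing would come from a filesystem walk; the same correlation tells you which directories were reached before the original files were deleted.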

How does the encryption work?

Maktub Locker uses the Windows Crypto API. But, as we concluded from the analysis, it uses only one key for all files (it does not generate a random key per file). Let’s see what technique it uses to obtain keys…

In this run, the key supplied to the user was:

X25HE-J53ZU-QERDZ-ZNUJ3-SERJ6-J617E-UUASZ-AFG2G-83B08-2SHC1-AUYFZ-GJHF2-W7321-144TM
VKFKR-6TKRV-STG4B-CE5MZ-TAH4W-MP541-GD3SB-HE43J-ZF4TK-ZNZTG-R7ZBZ-AKM2U-T6TYN-53J7H
MU6J6-BTSJC-FQVQR-EH755-C1WCJ-7SNPT-MHFBS-Q638V-MASEB-R16HW-P84P2-7EEX8-KXAHB-D10F7
GF071-U37K3-GJ5Q5-WD0PD-2EG16-KMC5R-RPCBX-R8EV3-ZPXQV-TDVXM-SEEFX-XK23J-FCH4Z-RNBPN
XE6X5-4W8CT-WJQJU-071T5-DSUZW-JGSZA-KFKZ6-4DU0S-80H1H-CEP2J-PDSKA-UXBR8-8C1BB-SDQNC
1C8F7-HPZ2G-Q5JVN-F6WXH-PMUSR-8G4HT-RNYVW-DZNQ3-Y8KZJ-NYC1G-SPR3T-U5GD5

Let’s investigate the relationship between this key and the key used to encrypt files. So far we know that it must be generated locally.

First it initializes two crypto contexts – both with the same settings, using provider type PROV_DH_SCHANNEL:

create_context_dh

Then it gets 32 random bytes using the function CryptGenRandom:

crypt_random32

It creates an MD5 hash of this random data (using CryptCreateHash and CryptHashData):

hash_data

Then, using the function CryptDeriveKey, it converts the MD5 hash into a 256-bit AES key (AlgID = 0x6610 -> CALG_AES_256).

derive_key

It also imports an RSA public key (2048 bit). This key is hardcoded in the binary.

import_rsa_key

The random 32 bytes (base of the AES key), along with the random extension, are concatenated together. Then, the prepared buffer is RSA encrypted:

encrypt_rsa

The output is converted using a predefined charset and given to the victim as the individual ID:

converted

That’s why, when the user submits his/her individual ID, the attackers, having the appropriate private key, can decrypt the original data and easily recover the random AES key.

After this operation, the previously generated AES key is used to encrypt files.
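The key path above (CryptGenRandom → MD5 → CryptDeriveKey with CALG_AES_256) has one non-obvious step: a 16-byte MD5 digest has to become a 32-byte AES key. The following is an added example, not code from the sample or the article, that models that chain in Python using the expansion rule Microsoft documents for CryptDeriveKey when a non-SHA-2 hash feeds an AES key; os.urandom stands in for CryptGenRandom.

```python
import hashlib
import os

AES_256_KEY_LEN = 32        # CALG_AES_256 (0x6610): 256-bit key
MD5_DIGEST_LEN = 16         # shorter than the key, so expansion is required


def crypt_derive_key(hash_value, key_len, hash_name="md5"):
    """Documented CryptDeriveKey rule for AES with a non-SHA-2 base hash:
    XOR the digest into 64-byte pads of 0x36 and 0x5C, hash each pad with
    the same algorithm, concatenate, and take the first key_len bytes.
    (Modelled from Microsoft's documentation, not copied from the sample.)"""
    inner = bytearray([0x36] * 64)
    outer = bytearray([0x5C] * 64)
    for i, b in enumerate(hash_value):
        inner[i] ^= b
        outer[i] ^= b
    expanded = (hashlib.new(hash_name, bytes(inner)).digest()
                + hashlib.new(hash_name, bytes(outer)).digest())
    if len(expanded) < key_len:
        raise ValueError("expanded material shorter than requested key")
    return expanded[:key_len]


def session_key_from_seed(seed32):
    """The run-wide AES key is a pure function of the 32 random bytes:
    MD5 them (CryptCreateHash + CryptHashData) and derive the key."""
    if len(seed32) != 32:
        raise ValueError("the sample draws exactly 32 bytes")
    digest = hashlib.md5(seed32).digest()
    assert len(digest) == MD5_DIGEST_LEN
    return crypt_derive_key(digest, AES_256_KEY_LEN)


def start_of_run():
    """What happens once at start-up: one seed, one key for every file.
    The seed (together with the random extension) is what gets RSA-wrapped
    into the victim ID, so whoever holds the seed holds the AES key."""
    seed = os.urandom(32)                      # stands in for CryptGenRandom
    return seed, session_key_from_seed(seed)


if __name__ == "__main__":
    seed, key = start_of_run()
    print("seed (RSA-wrapped into the victim ID):", seed.hex())
    print("derived AES-256 key:", key.hex())
```

Two consequences for a defender follow directly from this chain: the key's entropy is bounded by MD5's 128-bit output even though 256 random bits are drawn, which is still far beyond brute force, and both seed and key exist only in the process's memory during the run, so a memory image captured before the process exits is the one local place they can be found.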

First, file content is compressed by a dedicated function (BZip2):

process_read_data

Then, the buffer containing the compressed data is AES encrypted using CryptEncrypt:

encrypting_compressed

The encrypted data is saved to the file with the generated extension added.

Conclusion

Maktub Locker has clearly been developed by professionals. The full product’s complexity suggests that it is the work of a team of people with different areas of expertise. From the packing operations to the website, everything is well-polished. We are not sure if the crypter/FUD is designed by the same team – it could also be a commercial solution available on the black market. However, it is not the only level of defense – the core DLL is also obfuscated and for sure prepared by someone with experience in writing malware.

Malwarebytes Anti-Malware detects this threat as: Ransom.Maktub.

Appendix

http://www.bleepingcomputer.com/news/security/the-art-of-the-maktub-locker-ransomware/ – “The Art of the Maktub Locker Ransomware” (detailed description of the graphical design)


COMMENTS

  • Brenden

    Wow that is all SO CRAZY AND CREEPY!

  • george miller

    Very nasty. Question: if my machine gets infected but I have a recent external hard drive backup that is not connected, can I first format my hard drive and then attach my external hard drive to run restore and bring my system back to life? Although it will be slightly out of date, it should be free of this ransomware?

  • flow ir in

    Would it be possible to protect a drive by having a number of files with specifically designed contents that reveal the encryption key? 1024 1024-bit files, each with a different bit set, say?

  • W. Bean

    If a user does not have local admin permissions can this malware still install/run?

  • antivirustaneja

    Compression used in Maktub locker is BZip2 ….

    1000516E FFD0 CALL EAX -> kernel32.ReadFile
    10005170 85C0 TEST EAX,EAX
    10005172 75 08 JNZ SHORT 1000517C
    10005174 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
    10005177 E9 A9000000 JMP 10005225
    1000517C 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
    1000517F C745 EC 00000000 MOV DWORD PTR SS:[EBP-14],0
    10005186 50 PUSH EAX
    10005187 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
    1000518A C745 D4 00000000 MOV DWORD PTR SS:[EBP-2C],0
    10005191 50 PUSH EAX
    10005192 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
    10005195 C745 E8 00000000 MOV DWORD PTR SS:[EBP-18],0
    1000519C 50 PUSH EAX
    1000519D FF75 E0 PUSH DWORD PTR SS:[EBP-20]
    100051A0 FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
    100051A3 E8 B8040000 CALL 10005660 -> BZCompression_proc

  • Brian Lofgren

    Yes, local and network files that the user has R/W permissions on would be encrypted. Note that using a network undelete utility (one that tracks deleted files such as Condusiv’s UnDelete) would be useful to restore files, or backups.

  • Brian Lofgren

    Backups are typically the best option to recover your files. Paying the ransom should only happen if absolutely necessary. Paying only sends the message that ransomware is a profitable business.

  • Brian Lofgren

    Ransomware typically targets particular file extensions, such as .pdf .doc. xls. .jpg etc. Regardless of file size.

  • W. Bean

    Thanks for the reply, Brian, but I was thinking more in terms of whether the program could even install itself if the user were not an admin. Or, since it’s just running in memory does it not truly “install”?

  • Hasherezade

    This could help if the content were encoded by some simple algorithm. But in this case it will not help. Cerber (like most ransomware) uses strong cryptography – so there is no possibility of uncovering the key just by analyzing changes made in the content.

  • Hasherezade

    Yes. If you format your hard disk, Cerber will be completely removed from the system. Make sure that other computers in your LAN are not infected – if they are, format them also (or detach from LAN). Then you can connect your backup and restore the data.

  • Hasherezade

    You are right, thanks for adding this.

  • Hasherezade

    Yes, it can run. But if it runs without admin permissions, it will encrypt only the files to which the current user has access.

  • Brian Lofgren

    Depends on the malware. Most use a “dropper” into a directory, such as tmp, that the user can execute. Think like how Google Chrome can be installed by any user regardless of permissions.

  • Paul Murton

    Does it make any attempt to delete volume shadow copies? I’ve seen this in Cryptolocker infections, but it needs admin rights to succeed?

  • shvanski

    If I add Russian to my keyboard locale list will that prevent the execution so a scan can then be done to remove it?

  • purplemtn

    Will Malwarebytes Anti-Ransomware stop this from infecting a PC ?

  • Barry Charnay

    Nothing necessarily stops anything except; not opening the infected file (.pdf .png .jpg big all time winners), not opening the e-mail, not going to the link and NOT GOING TO W A R E Z. EVER EVER EVER. I use that classical site as an example. Basically, be paranoid and then be aware you’ll get had anyway. Your best hope is (1) OFFLINE records [with printed records often being an actual necessity, in another protected location], (2) avoiding use of always-on comms, (3) being paranoid and not visiting suspicious sites [but then all sites are suspicious; the NSA web site was hacked and then a danger to visitors until the hack (redirect) was fixed. Luck.

  • Barry Charnay

    Maybe.

  • Barry Charnay

    Best trick is to use periodic complete rather than progressive copies and disconnect the external drive–don’t use network storage.

  • Barry Charnay

    Also among the commonest of tricks is dropping something on the desktop that will execute on next boot (may/may not be rootkit).

  • Barry Charnay

    YES.

  • Barry Charnay

    Also always-on is a bad option. A powered-down network is much harder to attack, which is why I screamed at the very notion of always-on. (Yes, I’ve been using PCs [and was a mainframe op, back in those days] that long.)

  • Barry Charnay

    Ever seen a ship in drydock? You’re merely seeing the part of it that’s above the waterline.

  • shvanski

    So might as well do it because, as my grandmother used to say, “it wouldn’t hurt”.

  • Brian Lofgren

    I’m not familiar with dropped files on the desktop, more familiar with .exes in appdata, temp, system32 and root of c. But I guess everywhere is susceptible.

  • Paul Naylor

    I suggest you back up all your important files, even mp3 files. Do not store anything on your main drive, i.e. a CV which contains details of who you are and where you live, telephone number etc. Use an external drive and disconnect it when you aren’t using it. Do not use online backups such as cloud, Google Drive etc. If you have to back up to CD/DVD/Blu-ray data then do so.

  • Paul Naylor

    There is no concrete guarantee as it’s still in beta mode.

  • purplemtn

    Paul Naylor: “there is no concrete guarantee as it’s still in beta mode”

    Thanks for that information

    I always back up per Paul Naylor’s other post, using Macrium Reflect Free.

  • flow ir in

    Really? So even with, say, 1024 files each with a different bit set, you couldn’t reverse engineer the algorithm of a 1024-bit cypher? Seems like something that should be simple.

  • Dogman

    Macrium Reflect is a great backup tool. I have it installed on all my PCs and use it religiously. Once the backup(s) are done, I copy the Reflect disk file to a 2 TB external portable drive, which is then disconnected from the PC. This 2 TB portable drive is only used to save these Reflect backup files.

    This is my line of defense for ransomware!

  • Юрий

    People! Don’t be foolish – store your important files in cloud storage. It costs a little money. And never pay the scammers. Nobody will decrypt your files for you anyway; you will only lose money.

  • Юрий

    I think not. Have a good antivirus, be attentive to unknown links in email and do not work with suspicious sites. There are especially a lot of nasty things on social networks.

  • purplemtn

    Юрий: “I think not” = Well, we can only hope that someday programs like Malwarebytes Anti-Ransomware will be effective against all types of ransomware.

    I agree with the rest of your post.

  • purplemtn

    Dogman: “Macrium Reflect is a great backup tool” = Yes it is. I also back up similar to what you do.

  • joedaddy

    It is safe to back up to a NAS drive as long as you password protect the access and don’t map that drive to your computer. Set Windows Backup (or the backup software of your choice) to point to the network path (with the password) of the NAS. This will allow for regular automated backups without having to manually disconnect the drive each time.

  • joedaddy

    Just make sure your cloud storage includes version history. Otherwise once your files are changed on your PC, those same changes will happen on the cloud and they will be useless.

  • Moohamed

    lol worst idea ever, cloud = stupid! if it is important data 2 redundant physical and hard ie mem stick, hd that is in front of you for media.

    online any number of things can leave you bent over the barrel, not to mention your spreading your proverbial legs for the planet by putting it online in such a way.

  • tim_lester

    Hi Joe, I have been trying to do this with Windows Backup and an external USB drive but having no luck. Is there a guide I can follow, as I guess most people won’t have a NAS?

  • joedaddy

    The method I described only works with network drives. A USB drive will always mount itself to your computer and be vulnerable to locker viruses. So your choices are to always leave it plugged in for better automation, or always leave it unplugged for better protection and just remember to manually plug it in to make backups regularly.

  • General Foch

    So, if I am using a browser in a sandbox (COMODO) I’d think it may encrypt the sandbox, but I can reset that so I don’t care. It would not be able to get out of the sandbox to the real disk, correct?

  • WeHoldTheseTruths2

    Dear Mr. Charnay, I keep my data files on a USB FlashDrive/ThumbDrive, and keep it always plugged into my desktop. Is this enough and is this ok? Any comments welcome. Thank you. tonyd.

  • GoodCleanLogic

    Not Mr. Charnay. No, if the drive is still in the USB slot it is active, not ejected, then you are unprotected. You can use a utility from BackupAssist called freeeject.exe that can “eject” a USB drive; it will still be connected but not readable unless the computer is restarted. Added to startup, it will always assure that it is disconnected. It allows you to just remove the USB cable without any user interaction so as to not harm the drive. When you attach the next BU drive then it will be active.

  • Frank

    Is “Anti-Ransomware” the same product as “Anti-Exploit” on the malwarebytes website?

  • purplemtn

    Frank: “Is ‘Anti-Ransomware’ the same product as ‘Anti-Exploit’ on the malwarebytes website?” = No

  • WeHoldTheseTruths2

    Dear GoodCleanLogic, thank you so much for the informative reply to my question. Thank you very much. (A knowledgeable person is a great resource). Thank you so much. God Bless. tonyd/.

  • tim_lester

    Thanks for the reply. In a home environment I think most backup drives will be accessible and therefore open to malware. I created a share for the USB drive, then I created a new Windows user, then in the security settings of the USB drive made that user the only one with control. You never log in under this new user, so the malware can’t access this drive. I then tried to use this new user under Windows Backup but it didn’t connect. Maybe if I set up a task to run Windows Backup only under the new user it may work, but that is way too complex for the average user. If you have any other suggestions I would love to hear them, as it needs to be solved 🙂

  • disqus_D9dP66bbdX

    I do like this new information blog from Malwarebytes.

  • Brian Lofgren

    If you have shares mounted to the sandbox with modify privileges, yes.

  • General Foch

    I have shares mounted to my host but the sandbox does not see them, leaving me with the impression this would prevent an “infection” of this type. The downside being anything I download in the virtual sandbox has to be moved to the single folder shared between the sandbox and the host (so anything in that folder could be trashed). There is more than one AV suite that provides a sandbox feature, so moving to one of them and using it is the way to go, I’d think.

  • Barry Charnay

    Dear XXXX if you shower in the street naked, it’s fine with me, or do a flower child during a war. You mistook me for someone who cares.
