{"id":124778,"date":"2021-07-16T09:49:41","date_gmt":"2021-07-16T16:49:41","guid":{"rendered":"\/blogs\/?p=124778"},"modified":"2024-06-25T22:43:08","modified_gmt":"2024-06-26T05:43:08","slug":"revil-ransomware-uses-dll-sideloading","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/revil-ransomware-uses-dll-sideloading\/","title":{"rendered":"REvil Ransomware Uses DLL Sideloading"},"content":{"rendered":"

This blog was written byVaradharajan Krishnasamy, Karthickkumar, Sakshi Jaiswal<\/p>\n

Introduction<\/h2>\n

Ransomware attacks are one of the most common cyber-attacks among organizations; due to an increase in Ransomware-as-a-service (RaaS)<\/strong> on the black market. RaaS provides readily available ransomware to cyber criminals and is an effective way for attackers to deploy a variety of ransomware in a short period of time.<\/p>\n

Usually, RaaS<\/strong> model developers sell or rent their sophisticated ransomware framework on the black market. After purchasing the license from the ransomware developer, attackers spread the ransomware to other users, infect them, encrypt files, and demand a huge ransom payment in Bitcoin. \u00a0Also, there are discounts available on the black market for ransomware frameworks in which the ransom money paid is shared between developers and the buyer for every successful extortion of ransom from the victims. These frameworks reduce the time and effort of creating a new ransomware from scratch using latest and advanced programming languages.<\/p>\n

REvil<\/strong> is one of the most famous ransomware-as-a-service (RaaS)<\/strong> providers. The group released the Sodinokibi ransomware<\/a> in 2019, and McAfee has since observed REvil using a DLL side loading technique to execute ransomware code. The actual ransomware is a dropper that contains two embedded PE files in the resource section.\u00a0 After successful execution, it drops two additional files named MsMpEng.exe and MpSvc.dll in the temp folder. The file MsMpEng.exe is a Microsoft digitally signed file having a timestamp of March 2014 (Figure 1).<\/p>\n

DLL SIDE LOADING<\/u><\/em><\/h2>\n

The malware uses DLL side loading to execute the ransomware code. This technique allows the attacker to execute malicious DLLs that spoof legitimate ones. This technique has been used in many APTs to avoid detection. In this attack, MsMpEng.exe loads the functions of MpSvc.dll during the time of execution. However, the attacker has replaced the clean MpSvc.dll with the ransomware binary of the same name. The malicious DLL file has an export function named ServiceCrtMain<\/strong>, which is further called and executed by the Microsoft Defender file. This is a clever technique used by the attacker to execute malicious file using the Microsoft digitally signed binary.<\/p>\n

PAYLOAD ANALYSIS<\/u><\/em><\/h2>\n

The ransomware uses the RC4 algorithm to decrypt the config file which has all the information that supports the encryption process.<\/p>\n

Then it performs a UI language check using GetSystemDefaultUILanguage\/GetUserDefaultUILanguage<\/strong> functions and compares it with a hardcoded list which contains the language ID of several countries as shown in below image.<\/p>\n

Countries excluded from this ransomware attack are mentioned below:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
GetUserDefaultUILanguage <\/strong><\/td>\nCountry name<\/strong><\/td>\n<\/tr>\n
0x419<\/td>\nRussian<\/td>\n<\/tr>\n
0x422<\/td>\nUkranian<\/td>\n<\/tr>\n
0x423<\/td>\nBelarusian<\/td>\n<\/tr>\n
0x428<\/td>\nTajik (Cyrilic from Tajikistan)<\/td>\n<\/tr>\n
0x42B<\/td>\nArmenian<\/td>\n<\/tr>\n
0x42C<\/td>\nAzerbaijani (Latin from Azerbaijan)<\/td>\n<\/tr>\n
0x437<\/td>\nGeorgian<\/td>\n<\/tr>\n
0x43F<\/td>\nKazakh from Kazakhastan<\/td>\n<\/tr>\n
0x440<\/td>\nKyrgyzstan<\/td>\n<\/tr>\n
0x442<\/td>\nTurkmenistan<\/td>\n<\/tr>\n
0x443<\/td>\nLatin from Uzbekistan<\/td>\n<\/tr>\n
0x444<\/td>\nTatar from Russia Federation<\/td>\n<\/tr>\n
0x818<\/td>\nRomanian from Moldova<\/td>\n<\/tr>\n
0x819<\/td>\nRussian from Moldova<\/td>\n<\/tr>\n
0x82C<\/td>\nCyrilic from Azerbaijan<\/td>\n<\/tr>\n
0x843<\/td>\nCyrilic from Uzbekistan<\/td>\n<\/tr>\n
0x45A<\/td>\nSyriac<\/td>\n<\/tr>\n
0x281A<\/td>\nCyrilic from Serbia<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Additionally, the ransomware checks the users keyboardlayout<\/strong> and it skips the ransomware infection in the machine\u2019s which are present in the country list above.<\/p>\n

Ransomware creates a Global mutex in the infected machine to mark its presence.<\/p>\n

After creating the mutex, the ransomware deletes the files in the recycle bin using the SHEmptyRecycleBinW <\/strong>function to make sure that no files are restored post encryption.<\/p>\n

Then it enumerates all the active services with the help of the EnumServicesStatusExW <\/strong>function and deletes services if the service name matches the list present in the config file. The image below shows the list of services checked by the ransomware.<\/p>\n

It calls the CreateToolhelp32Snapshot<\/strong>, Process32FirstW <\/strong>and Process32NextW <\/strong>functions to enumerate running processes and terminates those matching the list present in the config file.\u00a0 The following processes will be terminated.<\/p>\n