Weekly Executive Summary Week Ending June 02, 2017
By Joseph Lorenz on June 1, 2017
What is it? Crypto-Ransomware | Trojan
What has it been dubbed? Uiwix
What does it do?
A ransomware variant of the infamous WannaCry malware. It exploits the same vulnerability in SMBv1 and SMBv2 that was used by WannaCry (Microsoft MS17-010). Unlike WannaCry, this variant does not contain a hardcoded killswitch domain, and it is not known to have the same ‘worm-like’ effects. Code strings found in UIWIX can allow it to capture credentials from an infected system’s browser logins, FTP (File Transfer Protocol), email, and messengers (it also has the ability to steal stored certificates).
The Trojan will steal credentials from the following applications:
- Firefox
- Chrome
- Safari
- Edge
- Internet Explorer
- Comodo
- Yandex
- Opera
- Miranda
- MSN
- Pidgin
- Thunderbird
- Outlook
- SmartFTP
- FileZilla
- Far
Source: Symantec Corp
How does it do it?
Key differences in WannaCry vs. UIWIX.
Source: TrendMicro
According to TrendMicro, the malware is fileless and is executed in memory after exploiting ‘EternalBlue’. Fileless injections don’t require writing actual files to the computer’s disks, which greatly reduces the footprint of malicious software and makes detection more difficult.
UIWIX will terminate itself when it detects that it is running in a VM or a sandboxed environment. The malware will also terminate itself if it is running in certain locations (e.g., Russia, Kazakhstan, and Belarus). When encryption starts, UIWIX adds the ‘.uiwix’ extension to all the infected files. It then drops a text file called “_DECODE_FILES.txt” containing the ransom note with the requirements for decryption.
Ransom note with directions for its victims
Source: TrendMicro
UIWIX uses a different Bitcoin address for each infected victim. If a victim accesses the URLs in the ransom note, it will ask for a ‘personal code’, which is also given in the ransom note. One part of the malware’s attack chain is to load the ransomware directly into memory through a shellcode loader. Since this technique makes it fileless, it does not create physical copies of UIWIX’s binary on the affected system.
The malware uses two algorithms to encrypt victims’ files. It first uses AES-256 in Cipher Block Chaining (CBC) mode to encrypt files on the infected machine; the key used for encryption is then sent to the UIWIX Command & Control server. The encryption key and infection information are encrypted using the RC4 algorithm with the hardcoded key ‘3kjl5h34kj5h34po io34saz5x3cb‘. Though the malware overwrites each file with encrypted content, it does not encrypt all of the file’s data. It uses the MoveFile API (Application Program Interface) to rename the file and append the UIWIX extension to every encrypted file.
Source: TrendMicro
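As an added illustration of the file-system behaviour just described (this is not code from the write-up or from TrendMicro), the following Python flags hosts whose audit events show a burst of renames to the ‘.uiwix’ extension or the creation of ‘_DECODE_FILES.txt’. The event line format, hostnames, paths, threshold and time window are constructed assumptions; only the two indicators come from the text above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the write-up (extension, ransom note); the thresholds below are assumed tuning.
UIWIX_EXT = ".uiwix"
RANSOM_NOTE = "_DECODE_FILES.txt"
RENAME_THRESHOLD = 3            # this many renames to .uiwix on one host ...
WINDOW = timedelta(seconds=10)  # ... within this window raises an alert
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<op>RENAME|CREATE) (?P<path>.+?)(?: -> (?P<new>.+))?$"
)

# Constructed sample telemetry, one "<timestamp> <host> <op> <path> [-> <newpath>]" event per line.
SAMPLE_EVENTS = """\
2017-05-17T10:00:00 ws-01 RENAME C:\\Users\\bob\\Docs\\q1.xlsx -> C:\\Users\\bob\\Docs\\q1.xlsx.uiwix
2017-05-17T10:00:01 ws-01 RENAME C:\\Users\\bob\\Docs\\plan.docx -> C:\\Users\\bob\\Docs\\plan.docx.uiwix
2017-05-17T10:00:02 ws-01 RENAME C:\\Users\\bob\\Docs\\notes.txt -> C:\\Users\\bob\\Docs\\notes.txt.uiwix
2017-05-17T10:00:03 ws-01 CREATE C:\\Users\\bob\\Docs\\_DECODE_FILES.txt
2017-05-17T10:05:00 ws-02 RENAME C:\\temp\\a.txt -> C:\\temp\\a.txt.bak
2017-05-17T10:06:00 ws-03 RENAME C:\\share\\x.pdf -> C:\\share\\x.pdf.uiwix
2017-05-17T10:07:00 ws-04 CREATE C:\\share\\_DECODE_FILES.txt
"""

def detect_uiwix(events: str) -> dict:
    # Returns {host: [reasons]} for hosts showing UIWIX-style file activity.
    renames = defaultdict(list)  # host -> timestamps of renames to .uiwix
    alerts = defaultdict(list)
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.fromisoformat(m["ts"])
        host, op, path, new = m["host"], m["op"], m["path"], m["new"]
        if op == "RENAME" and new and new.lower().endswith(UIWIX_EXT):
            renames[host].append(ts)
        elif op == "CREATE" and path.rsplit("\\", 1)[-1].lower() == RANSOM_NOTE.lower():
            alerts[host].append(f"ransom note {RANSOM_NOTE} created")
    for host, stamps in renames.items():
        stamps.sort()
        # sliding window: a single rename (ws-03 above) stays below the threshold
        for i in range(len(stamps) - RENAME_THRESHOLD + 1):
            if stamps[i + RENAME_THRESHOLD - 1] - stamps[i] <= WINDOW:
                alerts[host].append(f"{RENAME_THRESHOLD}+ renames to {UIWIX_EXT} within {WINDOW.seconds}s")
                break
    return dict(alerts)

if __name__ == "__main__":
    for host, reasons in sorted(detect_uiwix(SAMPLE_EVENTS).items()):
        print(host, reasons)
```

The rename-burst rule is the more robust of the two, since the ransom note is only dropped once encryption is already under way.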
Conclusion:
There has been heavy debate on the severity of this particular variant. Initial analysis from certain security professionals said that UIWIX had the same propagation techniques as WannaCry (which was later found to be untrue). Others have said that only one sample of the malware has been caught in the wild, and that the impact is insignificant.
It is important to acknowledge that various ‘copycats’ or variants will continue to use exploits like ‘EternalBlue’ as long as systems remain unpatched and vulnerable. This newly found Trojan uses techniques to become stealthier, and coupled with other malicious activity it can be quite dangerous. These new copycats should be analyzed and inspected very carefully to prevent future infections. Companies should take this time to look at their infrastructure and determine whether they’re willing to accept the risk of running outdated operating systems and machines.
Sources:
https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/ (Heimdal Security)
https://www.theregister.co.uk/2017/05/17/uiwix_ransomware_damp_squib/ (The Register)
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-051811-1414-99 (Symantec)
https://threatpost.com/available-tools-making-dent-in-wannacry-encryption/125806/ (Threatpost)
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G (ICS-CERT)