Ransomware Attack Targeting China – Security Advisory 

1. Ransomware through Supply Chain Attack:

  • A new ransomware strain has been spreading through a supply chain attack targeting Chinese users since December 1 and has infected more than 100,000 computers.
  • The ransomware not only encrypts system files but is also capable of stealing login credentials for popular Chinese online services such as Taobao, Baidu Cloud, NetEase 163, Tencent QQ, Jingdong, and Alipay.
  • Velvet security researchers who analyzed the ransomware variant found that the attackers added malicious code to the “Easy language” programming software, and that the malicious code is injected into other software compiled with it.
  • In total, more than 50 software programs were poisoned with the malicious code, and the ransomware operators use the Chinese social networking site Douban for C&C communication. The ransomware also tracks details of the software installed on the victim’s computer.
  • It encrypts data using a less secure XOR cipher and stores a copy of the decryption key locally on the victim’s system, in a folder at the following location: %user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg
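
A triage sweep for the key-file location given above, as an added example (not code from this advisory or from the researchers it cites). It assumes `%user%` means each user's profile directory under a root such as `C:\Users`; the function names are hypothetical.

```python
"""Added triage example: sweep user profiles for the key file named above."""
import sys
from pathlib import Path

# Relative path from the advisory. Assumption: "%user%" is each user's
# profile directory, e.g. a folder directly under C:/Users.
MARKER_DIR = Path("AppData", "Roaming", "unname_1989")
KEY_FILE = MARKER_DIR / "dataFile" / "appCfg.cfg"


def sweep_profiles(profiles_root):
    """Return one finding per profile that contains the marker folder."""
    findings = []
    try:
        profiles = sorted(p for p in Path(profiles_root).iterdir() if p.is_dir())
    except OSError:
        return findings  # root missing or unreadable
    for profile in profiles:
        finding = {"profile": profile.name, "key_file": None, "key_size": None}
        try:
            if not (profile / MARKER_DIR).is_dir():
                continue  # no trace of the marker folder in this profile
            key = profile / KEY_FILE
            if key.is_file():
                finding["key_file"] = str(key)
                finding["key_size"] = key.stat().st_size
        except OSError:
            finding["error"] = "unreadable; re-run with higher privileges"
        findings.append(finding)
    return findings


def triage_note(finding):
    """Map a finding to the responder action it calls for."""
    if "error" in finding:
        return f"{finding['profile']}: could not inspect ({finding['error']})"
    if finding["key_file"]:
        return (f"{finding['profile']}: key file present, "
                f"{finding['key_size']} bytes; preserve a copy before cleanup")
    return f"{finding['profile']}: marker folder present, key file missing"


if __name__ == "__main__":
    # Default root is an assumption; pass a mounted disk image path instead.
    root = sys.argv[1] if len(sys.argv) > 1 else "C:/Users"
    for item in sweep_profiles(root):
        print(triage_note(item))
```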

Fig: Executable files modified through Supply Chain Attack

 

2. Targeted User Information:

  • System version information, current system login username, system login time
  • CPU model.
  • Screen resolution.
  • IP and broadband provider name.
  • Software installation information.
  • Security software process information.
  • Online shopping account login information, email login information, QQ number login information, network disk login information, etc.

 

3. PoC Of Virus module names:
Fig: List of virus modules

 

4. Ransomware Entry point:

  • Phishing Email – A user receives an email with a malicious link in the body
  • Email Attachments – A user will receive an Email with an Attached Innocent
  • Embedded Hyperlink – A malicious document contains an embedded hyperlink
  • Websites & Downloads – A user browses an infected or compromised website and downloads software.
  • Drive-by Infection – A user browses with an old browser, a malicious plug-in, or an unpatched third-party application.

 

5. Preparation and Mitigation:

  • Take regular backups of your data.
  • Don’t download the software called “EasyLanguage”.
  • Enable Windows 10 Ransomware Protection/Controlled Folder Access.
  • One of the main infection vectors is Microsoft Office documents, so make sure your Microsoft Office macros are disabled by
  • Keep the Firewall up to date to block suspicious
  • Scan all your emails for malicious links, content, and
  • Make sure that Sophos anti-virus protection is up to date and enabled in all the
  • Don’t Provide local administrator rights by default, also avoid high privilege by
  • Enforce access control permissions for each user and allow them to access only the files they actually need for their work.
  • Provide proper training for your employees about ransomware attacks. Educate users not to open suspicious links.
  • Block ads and unnecessary web content using an ad-blocker and proxy/firewall
  • Always download software from trusted websites.
  • As mentioned, it encrypts data using a less secure XOR cipher. In case of attack, the Velvet security team has created and released a free ransomware decryption tool that can easily unlock encrypted files for victims without requiring them to pay any ransom. URL: https://www.huorong.cn/download/tools/HRDecrypter.exe

 

Author,

Goutham Korepu

SOC Team

Varutra Consulting Pvt. Ltd.