StopCrypt Ransomware Utilizing Multi-Stage Shellcodes To Attack Windows

A new variant of StopCrypt ransomware has been discovered. It executes multi-stage shellcodes before launching a final payload containing the file encryption code.

This malware uses several techniques, such as detection evasion, a time-delaying loop of 600 million iterations, and several other mechanisms.

Moreover, the ransomware also uses scheduled tasks for its payload execution with command-line arguments, which are executed every five minutes. 

Technical Analysis

According to the reports shared with Cyber Security News, the malware infection cycle begins with creating a string of msim32.dll, but it is not even used in the ransomware execution process. 

Millions of iterations have been set up for a time-delay loop in which the same data is copied to a location with an incremental iteration value.

Similar techniques have been analyzed to be used throughout the malware execution to evade detection.

The evasion is due to the artificial extension time of the malicious code.

Incremental Iteration code (Source: SonicWall)

After this, the code allocates memory, using the LocalAlloc API and VirtualProtect to change the permissions of the memory block to READ, WRITE, and EXECUTE.

First Stage Payload

This stage resolves the required API using the Kernel_GetProcAddress API.

The ransomware creates API function calls by creating the function names or strings that contain the API names directly on the stack.

This is done as a replacement for using straightforward API calls that are easily detected and identified.

The addresses resolved by the malware are for the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolHelp32Snapshot
  • Module32First
  • CloseHandle

CreateToolhelp32Snapshot is used in the malware code along with all of its modules to take a snapshot of the current process.

Moreover, the information about the first module of the process is extracted using Module32First API.

Snapshot code with all its modules (Source: SonicWall)

Second Stage Payload

The second stage of the malware performs the primary task of the shellcode, which is process hollowing.

The API functions created in this phase are resolved to the following addresses:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx

The ransomware also checks the FileAttributes of a non-existent file for unknown purposes, which is speculated to be used to identify specific systems where the file might be present.

After certain operations, the ransomware calls the VirtualAlloc API to allocate memory with READ and WRITE permissions and store the path returned by the GetModuleFileNameA API.

Following this, the kernel32.GetStartupInfoA API is called for extracting startup information.

Final Payload

During the final process, the ransomware launches a resumed process with the parameter “Admin IsNotAutoStart IsNotTask” after which the ransomware creates a new directory in the C:\\Users\<user_name>\AppData\Local and copies the current malware image into it.

Further, it launches the icacls.exe process, the command-line utility used to view and modify access control lists (ACLs) in Windows.

The command used for executing icacls.exe denies the group permission to delete the specified file for “Everyone,” which prevents the ability to delete the malware.

Scheduled task (Source: SonicWall)

Additionally, the malware creates a scheduled task to execute a copy of the final payload with a command line argument -Task—every 5 minutes.

The ransomware encrypts the files and adds the .msjd extension to them, while putting a ransomware note under the name _readme.txt on every encrypted folder.

Ransom note (Source: SonicWall)

Indicators Of Compromise

  • GAV: StopCrypt.RSM (Trojan)

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Ex-CIA Analyst Pleaded Guilty For Leaking Top Secret National Defense Information

A former CIA analyst, Asif William Rahman, has pleaded guilty to charges of retaining and…

2 hours ago

Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet

 The Mirai botnet unleashed a record-breaking Distributed Denial of Service (DDoS) attack on October 29,…

3 hours ago

Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a global…

4 hours ago

SQL Injection Vulnerability in Microsoft’s DevBlogs Lets Hackers Injecting Malicious SQL

In a recent discovery, a security researcher uncovered a critical SQL injection vulnerability on Microsoft’s…

4 hours ago

Three New ICS Advisories Released by CISA Detailing Vulnerabilities & Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) announced three new Industrial Control Systems (ICS) advisories.…

5 hours ago

Security Researchers Discover Critical RCE Vulnerability, Earned $40,000 Bounty

Cybersecurity researchers Abdullah Nawaf and Orwa Atyat, successfully escalated a limited path traversal vulnerability into…

6 hours ago