StopCrypt Ransomware Utilizing Multi-Stage Shellcodes To Attack Windows

A new variant of StopCrypt ransomware has been discovered. It executes multi-stage shellcodes before launching a final payload containing the file encryption code.

This malware uses several techniques, such as detection evasion, a time-delaying loop of 600 million iterations, and several other mechanisms.

Moreover, the ransomware also uses a scheduled task to run its payload with command-line arguments; the task fires every five minutes.

Technical Analysis

According to the reports shared with Cyber Security News, the malware infection cycle begins by creating the string msim32.dll, which is never actually used during the ransomware's execution.

A time-delay loop runs for millions of iterations, copying the same data to a location whose address is incremented on every iteration.

Similar techniques are used throughout the malware's execution to evade detection.

The evasion works by artificially extending the running time of the malicious code, so that analysis environments with a bounded execution window give up before the real payload runs.

Incremental Iteration code (Source: SonicWall)

After this, the code allocates memory using the LocalAlloc API and calls VirtualProtect to change the protection of the memory block to READ, WRITE, and EXECUTE.

First Stage Payload

This stage resolves the required APIs using kernel32.GetProcAddress.

Rather than importing the APIs directly, the ransomware builds the function names as strings directly on the stack, one piece at a time, and passes them to the resolver.

This replaces straightforward API calls, which are easily detected and identified in the import table.

The addresses resolved by the malware are for the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolhelp32Snapshot
  • Module32First
  • CloseHandle
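Stack strings of this kind are invisible to static import analysis, but they are easy to recover from a disassembly listing once you replay the immediate stores into a model of the stack frame. The script below is an added example written for this article (it is not SonicWall's tooling and not code from the sample): it parses a constructed x86 disassembly fragment, rebuilds the byte sequence that lands in each ebp-relative slot, and labels the recovered strings that match the API names listed above. The disassembly text, offsets and immediates are all constructed for the illustration.

```python
import re

# API names from the article's first-stage list, plus the resolver itself;
# used only to label which reconstructed strings are Windows API names.
KNOWN_APIS = {
    "GetProcAddress", "GlobalAlloc", "VirtualAlloc", "SetLastError", "Sleep",
    "CreateToolhelp32Snapshot", "Module32First", "CloseHandle",
}

# Matches x86 stores of an immediate into an ebp-relative stack slot, e.g.
#   mov byte ptr [ebp-0x10], 0x53      mov dword ptr [ebp-0x30], 0x626f6c47
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+\[ebp\s*([+-]\s*0x[0-9a-fA-F]+)\]"
    r"\s*,\s*(0x[0-9a-fA-F]+|\d+)"
)
SIZES = {"byte": 1, "word": 2, "dword": 4}

# Constructed disassembly fragment (not from the real sample): "Sleep\0" is
# written one byte at a time, "GlobalAlloc\0" as three little-endian dwords.
SAMPLE_DISASM = """
mov byte ptr [ebp-0x10], 0x53
mov byte ptr [ebp-0xf], 0x6c
mov byte ptr [ebp-0xe], 0x65
mov byte ptr [ebp-0xd], 0x65
mov byte ptr [ebp-0xc], 0x70
mov byte ptr [ebp-0xb], 0x0
push eax
mov dword ptr [ebp-0x30], 0x626f6c47
mov dword ptr [ebp-0x2c], 0x6c416c61
mov dword ptr [ebp-0x28], 0x00636f6c
call edi
"""


def reconstruct_stack_strings(disasm: str, min_len: int = 4) -> list[str]:
    """Replay every immediate store into a sparse stack model, then collect
    the printable runs; a NUL, a non-printable byte or an address gap ends a run."""
    stack: dict[int, int] = {}
    for m in STORE_RE.finditer(disasm):
        size = SIZES[m.group(1)]
        base = int(m.group(2).replace(" ", ""), 16)      # signed ebp offset
        raw = m.group(3)
        value = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
        for i, b in enumerate(value.to_bytes(size, "little")):
            stack[base + i] = b

    strings: list[str] = []
    current = bytearray()
    prev = None

    def flush() -> None:
        if len(current) >= min_len:
            strings.append(current.decode("ascii"))
        current.clear()

    for addr in sorted(stack):
        if prev is not None and addr != prev + 1:
            flush()                     # gap in the frame: new candidate string
        b = stack[addr]
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            flush()                     # NUL terminator or binary byte
        prev = addr
    flush()
    return strings


def label_api_names(strings: list[str]) -> list[tuple[str, bool]]:
    """Pair each recovered string with whether it names a known Windows API."""
    return [(s, s in KNOWN_APIS) for s in strings]


if __name__ == "__main__":
    for s, is_api in label_api_names(reconstruct_stack_strings(SAMPLE_DISASM)):
        print(f"{s!r:30} {'Windows API name' if is_api else ''}")
```

The same replay works on output from any disassembler whose syntax the regular expression is adapted to; the point is that the order of the stores in the listing does not matter, only the addresses they write to, which is why the dword-built name comes out whole even though the stores are interleaved with unrelated instructions.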

CreateToolhelp32Snapshot is used in the malware code to take a snapshot of the current process together with all of its modules.

Moreover, the information about the first module of the process is extracted using Module32First API.

Snapshot code with all its modules (Source: SonicWall)

Second Stage Payload

The second stage of the malware performs the primary task of the shellcode, which is process hollowing.

The function names built in this phase are resolved to the addresses of the following APIs:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx

The ransomware also queries the file attributes of a non-existent file, for an unknown purpose; the analysts speculate that this is used to identify specific systems on which that file is present.

After certain operations, the ransomware calls VirtualAlloc to allocate a memory region with READ and WRITE permissions and stores in it the path returned by GetModuleFileNameA.

Following this, kernel32.GetStartupInfoA is called to retrieve the startup information.
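The API list above is the classic process-hollowing sequence: spawn a process suspended, unmap or allocate in its address space, write the replacement image, point the main thread at it with SetThreadContext, then ResumeThread. A defender who has an API call trace (from a sandbox, an EDR hook or a user-mode hooking library) can match on that order rather than on any single call. The detector below is an added example written for this article, not SonicWall's code or telemetry from the sample; the traces it runs on are constructed, and the `(pid, api, args)` tuple shape is an assumption about how such a trace would be fed in.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcessA/W

# Ordered stages of the hollowing pattern; a stage accepts any of its APIs.
# Every name here appears in the article's second-stage resolution list.
HOLLOWING_STAGES = [
    ("spawn suspended", {"CreateProcessA", "CreateProcessW"}),
    ("unmap or allocate in target", {"NtUnmapViewOfSection", "VirtualAllocEx"}),
    ("write remote image", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect main thread", {"SetThreadContext"}),
    ("resume", {"ResumeThread"}),
]

# Constructed traces (not real telemetry): one hollowing sequence interleaved
# with unrelated calls, and two benign sequences that share some of the APIs.
MALICIOUS_TRACE = [
    (1000, "CreateProcessA", {"lpApplicationName": "<self path>", "dwCreationFlags": 0x4}),
    (1000, "GetThreadContext", {"hThread": 0x1A4}),
    (1000, "NtUnmapViewOfSection", {"ProcessHandle": 0x1A8}),
    (1000, "VirtualAllocEx", {"hProcess": 0x1A8, "flProtect": 0x40}),
    (1000, "WriteProcessMemory", {"hProcess": 0x1A8}),
    (1000, "SetThreadContext", {"hThread": 0x1A4}),
    (1000, "ResumeThread", {"hThread": 0x1A4}),
    (1000, "WaitForSingleObject", {"hHandle": 0x1A8}),
]
BENIGN_TRACE = [
    # ordinary child process: not suspended, never written to
    (2000, "CreateProcessA", {"lpApplicationName": "notepad.exe", "dwCreationFlags": 0x0}),
    (2000, "WaitForSingleObject", {"hHandle": 0x1B0}),
    (2000, "CloseHandle", {"hObject": 0x1B0}),
    # debugger-style start: suspended, then resumed without any remote write
    (3000, "CreateProcessA", {"lpApplicationName": "target.exe", "dwCreationFlags": 0x4}),
    (3000, "ResumeThread", {"hThread": 0x1C0}),
]


def detect_process_hollowing(trace):
    """trace: iterable of (pid, api_name, args_dict) in call order.

    Returns one finding per pid that walks every stage in order; calls that
    do not belong to the current stage are ignored, so interleaved noise
    does not break the match, but skipping a stage does."""
    progress = {}   # pid -> (next stage index, APIs matched so far)
    findings = []
    for pid, api, args in trace:
        stage, chain = progress.get(pid, (0, []))
        _, accepted = HOLLOWING_STAGES[stage]
        if api not in accepted:
            continue
        if stage == 0 and not (args.get("dwCreationFlags", 0) & CREATE_SUSPENDED):
            continue   # a normal spawn does not start the chain
        chain = chain + [api]
        if stage + 1 == len(HOLLOWING_STAGES):
            findings.append({"pid": pid, "chain": chain})
            progress[pid] = (0, [])
        else:
            progress[pid] = (stage + 1, chain)
    return findings


if __name__ == "__main__":
    for f in detect_process_hollowing(MALICIOUS_TRACE + BENIGN_TRACE):
        print(f"pid {f['pid']}: process hollowing chain " + " -> ".join(f["chain"]))
```

The debugger-style sequence in the benign trace is the reason to insist on the full chain: CreateProcess with CREATE_SUSPENDED followed by ResumeThread is legitimate on its own, and only the remote write plus the thread-context rewrite in between turns it into hollowing.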

Final Payload

In the final stage, the ransomware resumes the hollowed process with the parameter “Admin IsNotAutoStart IsNotTask”, after which it creates a new directory under C:\Users\<user_name>\AppData\Local and copies the current malware image into it.

Further, it launches the icacls.exe process, the command-line utility used to view and modify access control lists (ACLs) in Windows.

The icacls.exe command denies the “Everyone” group permission to delete the specified file, which prevents the malware copy from being removed.

Scheduled task (Source: SonicWall)

Additionally, the malware creates a scheduled task that executes the copy of the final payload with the command-line argument “-Task” every five minutes.

The ransomware encrypts files and appends the .msjd extension to them, dropping a ransom note named _readme.txt in every folder that contains encrypted files.
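The persistence and anti-deletion steps described above leave three artefacts that are cheap to hunt for in process-creation and Task Scheduler telemetry: an icacls.exe invocation that denies Everyone the delete right, a binary under AppData\Local launched with the StopCrypt-style arguments, and a task whose repetition interval is five minutes and whose action points into AppData\Local. The script below is an added example written for this article, not SonicWall's detection content; the event records and task XML are constructed (the directory name and user are placeholders), and the field names follow the common Sysmon Event ID 1 layout as an assumption about the feed.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVERYONE = {"everyone", "s-1-1-0"}           # well-known name and SID
STOPCRYPT_ARGS = {"isnotautostart", "isnottask", "task"}

# Constructed process-creation records in Sysmon Event ID 1 shape (not real
# telemetry); PLACEHOLDER-DIR stands in for the directory the sample creates.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\alice\AppData\Local\PLACEHOLDER-DIR" /deny *S-1-1-0:(OI)(CI):(DE,DC)'},
    {"Image": r"C:\Users\alice\AppData\Local\PLACEHOLDER-DIR\payload.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\PLACEHOLDER-DIR\payload.exe" Admin IsNotAutoStart IsNotTask'},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\Share /grant Users:(R)"},   # benign ACL change
]

# Constructed Task Scheduler XML (the namespace is the real one Windows uses).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\Users\alice\AppData\Local\PLACEHOLDER-DIR\payload.exe</Command>
      <Arguments>-Task</Arguments>
    </Exec>
  </Actions>
</Task>"""


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def under_local_appdata(path: str) -> bool:
    return "\\appdata\\local\\" in path.lower()


def icacls_denies_everyone_delete(cmd: str) -> bool:
    """True for icacls ... /deny <Everyone|S-1-1-0>:(...DE...)."""
    tokens = tokenize(cmd)
    if not tokens:
        return False
    exe = tokens[0].lower()
    if not (exe == "icacls" or exe.endswith("icacls.exe")):
        return False
    for i, tok in enumerate(tokens):
        if tok.lower() == "/deny" and i + 1 < len(tokens):
            principal, _, rights = tokens[i + 1].partition(":")
            if principal.lstrip("*").lower() in EVERYONE and "DE" in re.findall(r"[A-Z]+", rights):
                return True
    return False


def stopcrypt_style_launch(image: str, cmd: str) -> bool:
    """Binary under AppData\\Local run with the arguments the article names."""
    if not under_local_appdata(image):
        return False
    args = {t.lstrip("-").lower() for t in tokenize(cmd)[1:]}
    return bool(args & STOPCRYPT_ARGS)


def iso_minutes(interval: str):
    """Convert an ISO 8601 duration such as PT5M or P1DT2H to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def short_interval_tasks(task_xml: str, max_minutes: float = 5):
    """Exec actions of a task that repeats at most every max_minutes and runs from AppData\\Local."""
    root = ET.fromstring(task_xml)
    intervals = [iso_minutes(e.text) for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    if not intervals or min(intervals) > max_minutes:
        return []
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", "", TASK_NS)
        args = ex.findtext("t:Arguments", "", TASK_NS)
        if under_local_appdata(cmd):
            hits.append((min(intervals), cmd, args))
    return hits


def analyze(events, task_xml) -> list[str]:
    findings = []
    for ev in events:
        if icacls_denies_everyone_delete(ev["CommandLine"]):
            findings.append("icacls denies Everyone the delete right: " + ev["CommandLine"])
        if stopcrypt_style_launch(ev["Image"], ev["CommandLine"]):
            findings.append("AppData\\Local binary run with StopCrypt-style arguments: " + ev["CommandLine"])
    for minutes, cmd, args in short_interval_tasks(task_xml):
        findings.append(f"task repeats every {minutes:g} min running {cmd} {args}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS, SAMPLE_TASK_XML):
        print(line)
```

Matching the deny entry on the SID as well as the name matters because icacls accepts either form and the malware is free to use the one that looks less obvious in a log; matching the task on its repetition interval plus action path, rather than on the task name, survives the randomised names such families use.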

Ransom note (Source: SonicWall)

Indicators Of Compromise

  • GAV: StopCrypt.RSM (Trojan)


Eswar
