What Is It?
Attribution of malicious code, that is, attempting to identify which group, individual or nation state is behind a given sample is a controversial and often divisive issue. This is due to the fact that attribution is very difficult to prove conclusively and relatively easy for a threat actor to obfuscate the true author. Sometimes the issue at hand is simply, what is primary purpose of a piece of malware?
Such is the case with a piece of malware recently described by BleepingComputer. The malware, which they have named AVCrypt based on the file name of av2018.exe, exhibits some behaviors consistent with a potentially incomplete piece ransomware and some related to destructive wiper malware.
The AVCrypt malware attempts to specifically uninstall and remove both Windows Defender and Malwarebytes by issuing commands to stop and delete the relevant Windows Services. There have reports that AVCrypt queries Windows Security Center and tries to remove the registered anti-virus product. The keyword here is “tries” as AVCrypt issues a WMIC (Windows Management Instrumentation Command-line) command to attempt to uninstall the product. This is highly unlikely to be successful with the vast majority of AV products which contain countermeasures against unauthorized removal.
Lending credence to the hypothesis that AVCrypt is a sample of in-development ransomware is the fact that when it encrypts files and creates the +HOW_TO_UNLOCK.txt file, this file only contains the string “lol n.” Additionally the sample contains numerous uses of the Windows API call OutputDebugString. Also, when AVCrypt uses its included TOR client to send the encryption key to a hardcoded command and control server address it appears to append invalid data to the key. The sample itself and the strings within it are not packed or obfuscated in any way, as is common place with most malware in the wild.
The sample also makes a number of changes to the Windows registry aimed at reducing the overall security posture of the system. Once it has completed encrypting files it then deletes the TOR client files it dropped, clears the Windows event logs and terminates its own process. These steps are in addition to a number of Windows Services it attempts to delete at startup. Taken together, these actions could be considered quite destructive – if successful.
On balance, the above would suggest this malware is ransomware in development. However, the original BleepingComputer article has a very interesting comment added by user “hitler67”. The comment, which appears not to be written by a native English speaker states they are the author of the sample, which was intended to be used for a presentation at an unnamed security conference and they are unaware how the sample became public. They also state they are concerned the sample and the analysis in the article could be used by “bad actors.”
How Does It Propagate?
The malware does not contain the necessary code to self propagate.
The most common attack vector for most ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.
When/How Did BluVector Detect It?
Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 5 months prior to their release.
About Threat Report
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats. Read more Threat Reports here.