News

April 11, 2017

Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of widespread distribution.


[Image: Matrix Ransomware HTA Ransom Note]

Now that it is being distributed via a large campaign and an exploit kit, it was time to take a deeper dive into this ransomware to see what features it has. What was found is interesting: Matrix Ransomware has worm-like features that allow it to spread beyond the originally infected machine via Windows shortcuts, and it uploads statistics about the types of files that are encrypted.

MATRIX DISTRIBUTED USING EXPLOIT KITS

When the Matrix Ransomware was first spotted around December 2016, it did not have a wide distribution compared to ransomware infections like Cerber or Spora Ransomware. Now that Matrix is being distributed using the RIG exploit kit via the EITest campaign, it can become a real game changer.

According to Brad Duncan, Matrix is distributed via hacked sites that have the EITest scripts injected into them. When a visitor goes to one of these hacked sites, depending on various criteria, Brad has seen EITest injecting either the “The ‘HoeflerText’ font wasn’t found” attack, which is distributing the Spora Ransomware, or the RIG exploit kit, which is now distributing Matrix.

You can see the source code of a hacked site with the injected RIG iframe below.

[Image: RIG Being Injected into a Hacked Site]
Source: http://www.malware-traffic-analysis.net/2017/04/06/index2.html

Once the RIG iframe is loaded, the exploit kit will attempt to exploit vulnerable programs on the computer in order to install the Matrix ransomware.

MATRIX RANSOMWARE USES MALICIOUS SHORTCUTS TO SPREAD TO OTHER COMPUTERS

Some variants of the Matrix Ransomware also include a worm feature that allows it to spread and infect other machines through folder shortcuts. First spotted by MalwareHunterTeam, when we both analyzed Matrix we saw that while performing the encryption, Matrix will hide a folder and then create a shortcut with the same name. It will then make a copy of the ransomware executable and save it as desktop.ini in the original, but now hidden, folder.

Below you can see an example of a user’s profile folder after Matrix converted some of the folders to shortcuts.

[Image: Folder with Infected Shortcuts]

Notice how the Documents and Downloads folders now show a shortcut symbol. If you go into the properties of this shortcut, you will see that it attempts to launch a program.

[Image: Infected Shortcut]

The full command of this infected shortcut is:

Using the above example, when a user tries to open the Documents folder, the following steps will be executed:

  1. Use explorer.exe to launch the hidden Documents folder so that the user can see their files as normal and everything appears to be working correctly.
  2. Copy the Documents folder’s desktop.ini file, which is actually the ransomware executable, to %Temp%\OSw4Ptym.exe.
  3. Execute the %Temp%\OSw4Ptym.exe file.
  4. Matrix will now infect the new computer, or if it's running on an already infected computer, check for new files to encrypt.

This method allows Matrix to spread to new computers via both network shares and removable drives.
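The folder-to-shortcut pattern just described leaves a recognizable footprint: a folder with the hidden attribute, a `.lnk` of the same name beside it, and a `desktop.ini` inside that is really a PE executable rather than a text file. The following Python script is an added example (not code from the article, and not tied to any particular vendor tool) that scans the direct sub-folders of a profile directory for that combination. It builds a constructed sample profile folder (one infected, two benign) so it runs offline; the hidden-attribute check only has effect on Windows, where `st_file_attributes` exists, so the `.lnk` and PE-header checks carry the decision elsewhere.

```python
"""Added example: flag folders that look like they were replaced by a
same-named shortcut with an executable desktop.ini (Matrix-style worm)."""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

PE_MAGIC = b"MZ"          # every Windows PE executable starts with this
HIDDEN_ATTRIBUTE = 0x2    # FILE_ATTRIBUTE_HIDDEN from the Windows API


@dataclass
class Finding:
    folder: Path
    reasons: list = field(default_factory=list)


def _is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set. st_file_attributes only
    exists on Windows; elsewhere we report False so the other checks still run."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return attrs is not None and bool(attrs & HIDDEN_ATTRIBUTE)


def _looks_like_executable(path: Path) -> bool:
    """desktop.ini is a text file; an 'MZ' header means it is really a binary."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(PE_MAGIC)) == PE_MAGIC
    except OSError:          # missing file or unreadable: not an indicator
        return False


def scan_for_shortcut_worm(root) -> list:
    """Return one Finding per direct sub-folder of root matching the pattern."""
    findings = []
    for folder in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        reasons = []
        if folder.with_name(folder.name + ".lnk").is_file():
            reasons.append("shortcut with same name as folder")
        if _looks_like_executable(folder / "desktop.ini"):
            reasons.append("desktop.ini is a PE executable")
        if _is_hidden(folder):
            reasons.append("folder is hidden")
        # Hidden folders and stray .lnk files are common on their own; only
        # report when the executable desktop.ini is paired with another sign.
        if "desktop.ini is a PE executable" in reasons and len(reasons) >= 2:
            findings.append(Finding(folder, reasons))
    return findings


def build_constructed_sample(root) -> Path:
    """Create a constructed profile folder (assumption, not real victim data):
    Documents is 'shortcutted', Pictures is benign, Music has only one sign."""
    root = Path(root)
    infected = root / "Documents"
    infected.mkdir()
    (infected / "desktop.ini").write_bytes(PE_MAGIC + b"\x90\x00" * 30)  # fake PE stub
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00")              # fake .lnk header
    benign = root / "Pictures"                                          # real ini + a shortcut
    benign.mkdir()
    (benign / "desktop.ini").write_text("[.ShellClassInfo]\nLocalizedResourceName=Pictures\n")
    (root / "Pictures.lnk").write_bytes(b"L\x00\x00\x00")
    lone = root / "Music"                                               # odd ini, no shortcut
    lone.mkdir()
    (lone / "desktop.ini").write_bytes(PE_MAGIC)
    return root


def demo() -> list:
    """Build the sample in a temp dir and return the names of flagged folders."""
    root = build_constructed_sample(tempfile.mkdtemp())
    return [f.folder.name for f in scan_for_shortcut_worm(root)]


if __name__ == "__main__":
    for finding in scan_for_shortcut_worm(build_constructed_sample(tempfile.mkdtemp())):
        print(finding.folder.name, "->", "; ".join(finding.reasons))
```

Run it against a real profile directory by calling `scan_for_shortcut_worm(r"C:\Users\someone")`; on a share or removable drive the same function applies to the root of the volume, which is where the article says the shortcuts end up.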

MATRIX RANSOMWARE BEING UPDATED FREQUENTLY

We are also seeing that the Matrix Ransomware is being updated frequently. The first version was discovered in the middle of March, followed by a new version on April 3rd, and then another on April 6th. Each of these versions has different characteristics, encrypted file extensions, email addresses, and ransom note filenames.

The table below shows the various versions and their characteristics:

Due to its wider distribution, we can expect Matrix to continue to change often.

ADDITIONAL BEHAVIOR AND DECRYPTION

While Matrix is running, it is very chatty with its Command & Control servers. In each stage of the encryption process, Matrix connects back to the C2 server and issues an update as to how far along in the process it is. Like Spora, Matrix will also upload a list of file extensions and the number of files per extension that were encrypted. It is not known whether Matrix also changes its ransom demand based on the types of files uploaded.

Last but not least, Matrix performs the following behavior on the infected computer:

  • Deletes Shadow Volume Copies so that the victim cannot use them to recover files.
  • Executes bcdedit.exe /set {default} recoveryenabled no in order to prevent the victim from going into recovery mode.
  • Executes bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures to further prevent access to recovery options.
  • Utilizes an RTF ransom note and an HTA file ransom note. The RTF version for the latest variant can be seen below.

[Image: RTF Ransom Note]
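The two bcdedit commands above and the shadow-copy deletion are the most useful detection opportunities on this list, because legitimate software almost never turns off recovery mode and ignores boot failures in the same minute. As an added example (not from the article), the Python below runs three rules over constructed process-creation log lines and raises an alert when two or more distinct rules fire on the same host. The log format and the host names are assumptions; the article does not say which command Matrix uses to delete shadow copies, so the `vssadmin`/`wmic` patterns in the third rule are this example's own assumption of the common methods.

```python
"""Added example: triage constructed process-creation logs for the recovery
inhibition behaviours attributed to Matrix (bcdedit + shadow copy deletion)."""
import re
from collections import defaultdict

# Constructed sample log lines; the key=value format is an assumption.
SAMPLE_LOG = r"""
2017-04-06T10:00:01Z host=WS01 user=alice image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"
2017-04-06T10:00:02Z host=WS01 user=alice image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2017-04-06T10:00:03Z host=WS01 user=alice image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2017-04-06T10:05:00Z host=WS02 user=bob image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /enum"
2017-04-06T10:06:00Z host=WS03 user=carol image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"$'
)

# Rule name -> pattern over the command line. The first two come straight
# from the article; the third is the assumed shadow-copy deletion method.
RULES = [
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
]


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern is found in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def triage(lines) -> dict:
    """Map host -> set of rule names that fired on that host."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash the pipeline
        for name in match_rules(rec["cmd"]):
            hits[rec["host"]].add(name)
    return dict(hits)


def alerts(lines, min_rules: int = 2) -> list:
    """Hosts where at least min_rules distinct recovery-inhibition rules fired.
    A single bcdedit change can be an administrator; the combination is the signal."""
    return sorted(host for host, names in triage(lines).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_LINES).items()):
        print(host, sorted(names))
    print("alert:", alerts(SAMPLE_LINES))   # alert: ['WS01']
```

In the constructed sample, WS01 trips all three rules and is alerted, WS03 trips one (a single bcdedit change, left for analyst review rather than alerted), and WS02's `bcdedit /enum` matches nothing, which is the behaviour you want from a rule that will also see administrators' normal use of the tool.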

FILES ASSOCIATED WITH THE MATRIX RANSOMWARE:

HASHES:

NETWORK COMMUNICATION:

HTA RANSOM NOTE TEXT:

RTF RANSOM NOTE TEXT:

News courtesy: http://www.securitynewspaper.com/2017/04/08/matrix-ransomware-spreads-pcs-using-malicious-shortcuts/?utm_content=buffer3cd39&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer