In my previous blog, Why Malware Installers Use TMP files and the Temp folder, I discussed the advantages malware can have by using atomic writes instead of simply copying the malware to the intended location. In this blog, I discuss how ransomware uses the same technique for its purpose and how it is different from the common ways other malware classes do it.
As with most attacks, a deployment technology is often used to deliver the malware to the target system. The most common deployment technology is email. When email was first used as a deployment technology, the malware itself was attached to the email message. This worked successfully because of its novelty, but the evolution of security solutions and the ease of grabbing the malware samples from the email vector for analysis made this technique undesirable for attackers.
This does not mean they have abandoned the use of email as an infection vector altogether. Instead, they use it as a first stage of infection. Emails now contain links to drive-by download sites or files, not usually associated with malware, which points to or downloads the malware to the target system. One such type of file often used for this purpose is an HTML Application (HTA) file. An HTA file is an HTML executable file introduced in 1999 by Microsoft along with Internet Explorer 5. It is executed via MSHTA.EXE by instantiating the Internet Explorer rendering engine (MSHTML) as well as any required language engines the file needs. Recently, ransomware email vectors have been using HTA files to download and install malware onto a target system. As with most attackers that don't want a corrupted version of their malware, ransomware installation also utilizes TMP files and the Temp folder, but with a twist.
To better illustrate this, let's take the email vector (Figure 1) used in a Locky ransomware attack.
Figure 1: Ransomware Email Vector
This email vector contains a ZIP attachment. Decompressing the attachment reveals an HTA file named 22FrDra16.HTA (Figure 2).
Figure 2: HTA attachment file
This HTA file is responsible for downloading the ransomware sample from the attacker-controlled malware serving domain(s). However, instead of downloading the ransomware straight into its intended location, the HTA file downloads it into the Temp folder as a TMP file. From the TMP folder the ransomware is copied into its intended location and then the ransomware TMP files are deleted. Ransomware installation is done, but if you look closely, the ransomware TMP files are completely different from the final ransomware binary copied to its final destination. The other TMP files, except the last one produced, are not even executable files. This is unlike most malware infection utilizing TMP files and the TMP folder.
Why? The answer is simple. This is because the first few TMP files are encrypted versions of the ransomware. Instead of a straight atomic write to the intended location, the ransomware TMP file is decoded via an XOR key and the resulting series of bytes are then copied to the intended location, resulting in the decoded or decrypted ransomware.
The key to decrypt the TMP file is actually found in the HTA file. If you look closely in Figure 2, a highlighted value can be seen that is declared as a variable. That is the XOR key. Take note that most HTA files used by ransomware as the infection vector have fixed variable names at the end. No matter how long the variable name is, the last four characters will always be "xKey," which stands for XOR key. There is evidence that newer HTA files used in similar attack campaigns had dropped the "xKey" marker. A typical arms-race when it comes to infection vectors.
The XOR key "b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq" is in ASCII. The equivalent hex values is "62 36 76 59 78 45 6a 73 54 59 77 4a 37 6d 49 72 5a 7a 34 57 46 53 47 48 65 61 64 64 6b 77 62 71."
Figure 3 shows an illustration of a TMP (Input 2) file and its corresponding ransomware sample (Input 1). The output is a result of an XOR operation.
Figure 3: Ransomware and its TMP file
Looking closely at the output, if you divide it into 32 bytes each you will notice that it is a repeating pattern of the XOR key from the HTA file.
So the twist, when it comes to the use of TMP files and the Temp folder by ransomware, is decryption.
This offers another advantage for the attackers. In case the malware serving domain is discovered and the samples it is hosting are collected, the files will be in encrypted form, thus making it very challenging for researchers to analyze the content or the files hosted in those malware serving domains.
Take note that this technique is not limited to ransomware and can be easily applied to any class of malware.
In summary, we see the Temp folder and TMP files as being important for malware authors for multiple reasons. In the case of the Locky ransomware distribution campaign, the attackers used encoded TMP files dropped into Temp folder to obfuscate (via encryption) the malicious nature of the files written to the disk of a target system.