PureLocker is ransomware capable of encrypting files on Windows, Linux, and macOS. Threat actors use it in targeted attacks against the production servers of enterprise networks.

Code reuse analysis of PureLocker reveals that the ransomware is related to “more_eggs”, a backdoor often used by the Cobalt Gang and FIN6 threat actors and sold on the dark web.

First, PureBasic code is very easy to port between Windows, OS X (macOS) and Linux, which lets attackers target different platforms with less effort.

Second, security firms have difficulty generating trustworthy detection signatures for PureBasic binaries, which helps the malware evade antivirus software.

Analysis of PureLocker’s code revealed that the attackers carefully designed it to evade tracking, hide suspicious behaviour in sandbox environments, and masquerade as the Crypto++ cryptographic library. It also uses functions usually seen in music playback libraries.

The research team conducted a more detailed analysis after a search on VirusTotal revealed that nothing had been reported about the sample for several weeks.

This effort showed that the sample had no code connection to Crypto++. More importantly, the researchers found that the sample both reused code from the “more_eggs” backdoor and used new code that translated into techniques unusual for a family of crypto-ransomware.

All these features allowed the ransomware to remain undetected by the VirusTotal antivirus engines for several weeks.

As far as file encryption is concerned, PureLocker is no different from other ransomware. It uses the AES and RSA algorithms and leaves no recovery option, deleting the shadow copies. The malware does not lock all files on a compromised system; it avoids executables. Encrypted items are easy to recognize by the .CR1 extension appended after the process.


A ransom note is left on the system desktop in a text file called “YOUR_FILES”. No amount is given in the ransom; instead, victims need to contact the cybercriminals at a Proton email address, a different one for each compromise.

The researchers noticed that the “CR1” string is present not only in the extension of the encrypted files but also in the ransom note and the email addresses.
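As an added example (not from the original article), the following Python sketch applies the file-level indicators described above, the .CR1 extension appended to encrypted files and the YOUR_FILES ransom note, to constructed file-system events and scores each host; the event schema, the list of executable extensions and the rename threshold are assumptions.

```python
# Added example (not the article's code): flag PureLocker-like activity in file-system
# events using the article's indicators: ".CR1" appended to renamed files, a "YOUR_FILES"
# ransom note, and executables left untouched.
import re
from collections import defaultdict, namedtuple

RANSOM_EXT = ".CR1"            # appended to encrypted files (from the article)
RANSOM_NOTE = "YOUR_FILES"     # ransom note file name (from the article)
EXECUTABLE_EXTS = (".exe", ".dll", ".sys")  # assumption: what "executables" covers
RENAME_THRESHOLD = 5           # assumption: tunable per-host alert threshold
FileEvent = namedtuple("FileEvent", "host action path new_path", defaults=[""])  # constructed schema

def basename(path):
    """Last path component, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]

def is_cr1_rename(ev):
    """True when a rename appends .CR1 to the original name (a.docx -> a.docx.CR1)."""
    return ev.action == "rename" and ev.new_path.lower() == (ev.path + RANSOM_EXT).lower()

def is_ransom_note(ev):
    """True when a YOUR_FILES* note (e.g. YOUR_FILES.txt) is created."""
    return ev.action == "create" and basename(ev.path).upper().startswith(RANSOM_NOTE)

def analyse(events):
    """Return {host: finding}; 'high' needs mass .CR1 renames plus a ransom note."""
    renamed, notes = defaultdict(list), set()
    for ev in events:
        if is_cr1_rename(ev):
            renamed[ev.host].append(ev.path)
        elif is_ransom_note(ev):
            notes.add(ev.host)
    findings = {}
    for host in set(renamed) | notes:
        paths = renamed[host]
        findings[host] = {
            "cr1_renames": len(paths),
            "ransom_note": host in notes,
            # the article says PureLocker skips executables, so this should stay 0
            "executables_renamed": sum(basename(p).lower().endswith(EXECUTABLE_EXTS) for p in paths),
            "severity": "high" if len(paths) >= RENAME_THRESHOLD and host in notes else "medium",
        }
    return findings

# Constructed sample events: a server showing the full pattern, a workstation with one rename.
SAMPLE = [FileEvent("srv01", "rename", f"D:\\data\\report{i}.docx", f"D:\\data\\report{i}.docx.CR1")
          for i in range(6)]
SAMPLE += [FileEvent("srv01", "create", "C:\\Users\\admin\\Desktop\\YOUR_FILES.txt"),
           FileEvent("ws07", "rename", "/home/u/notes.txt", "/home/u/notes.txt.CR1")]
```

Calling `analyse(SAMPLE)` rates srv01 as high (six .CR1 renames plus a note) and ws07 as medium (a single rename, no note).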

One theory is that the string is specific to the affiliate spreading these particular samples, since PureLocker is a ransomware-as-a-service business.

The researchers also found that PureLocker and more_eggs both have COM server DLL components written in PureBasic, and that they use similar evasion and string encoding/decoding techniques.

For more cyber security information, contact us at help@theweborion.com.