Deep Dive Into HERMES Ransomware

Quick Overview:

HERMES is a Ransomware which spreads by spear-phising emails. It was first detected on October 2017. Its attributed to the Lazurus APT group it has high connections to Ryuk Ransomware and its believed that they are written by the same author. Among most Ransomwares, it's common that it encrypts the files using AES and Encrypts the AES Random Key using RSA , in the upcoming parts we will include some more insights into it.

In Depth-Reversing:

. HERMES Drops A Copy From its Self under Name "svchosta.exe" in the Temp Folder

And it executes using this command

Inhibit System Recovery:

. Similarly like most ransomwares it deletes shadow copies to acheive this it drops a batch file similar to the Ryuk one , which strengthens it's similarity to Ryuk

And it executes using this command

Unpacking and API Resolving:

HERMES allocates a section in memory for the unpacked PE file , this technique can be defined as Self Injection . This image explains it very well & quick , credits goes to OALabs for the fantastic explanation

What we need to do is to fire up the debugger and put 2 break points on:

[+] VirtualAlloc

[+] VirtualProtect

While setting a breakpoint on VirtualAlloc() , make sure to press execute till return , the return value of VirtualAlloc() is stored in EAX so Right click on it and follow in dump

Now Press F9 Again

Yay! A Nice PE File. Now Just follow in memory map and dump the file :)

While opening the file in PE Studio on imports , but sadly there are just 5 imports :( , so there must be a function that should resolve those imports.

Now let's Fire Up IDA. Go to the imports Click "X" on LoadLibraryA to see where its called.

Go for the First One..

And Bingo We Found it :)

So It looks like its passing the API to a decryption or deobfsucation function. Now Just take this Address and and set a Break Point on it. when u break on it click execute till return. U may found sth! ECX holds our API.

So Now Right Click on ECX and Follow in Dump U must find all the APIs

Now we have 3 choices first one is to dump the file using scylla, second is to rename the imports manually and third is to write a script. will leave it as an excercise for u ;)

Mutex Creation:

HERMES Creates a Mutex with the name "tech". As U Can See the APIs related to mutex's are dynamiclly resolved.

U may ask what is a mutex and why does the malware uses it ?. So let me explain. First What is a Mutex is an object that allows mutliple threads to share the same resource but in order. as shown in the figure:

complicated right ? so let me explain why we need mutexes, when u have two threads sharing the same resource say if the Thread "A" Reads From this Resource and Thread "B" Writes to this resource this resource maybe anything like a file for example. This Behavior is Called "Race Condition" this must not happens because if Thread "B" Writes to the File for ex Thread "A" will get corrupted data. So we need a Mechanism to scheduale this behavior and that's what a mutex is a mutex aquires a lock for the Thread this says oh ok now Thread "A" for ex u have the ability to read or write to the file or any other operation and Thread "B" Cannot Do any operation on that file before Thread "A" Releases This Lock or Mutex and It will be given to Thread "B". ok but u may also ask so also how all of this story relates to malware. ok malware uses mutexes for mutiple things one of them is not infecting the host twice.

Language Checks:

HERMES Checks for the System language. Every language on this planet has a code this code is just a number for example 0409 is the code for english. The code of the system language can be found under the a registry key:

[+] Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language

As u can see the third value is the system language code. now lets see how it utlizes this feature.

It opens the Registry key I mentioned above and then it queries the value of InstallLanguage and Compares it with three values:

  [+] 0419 --> Russian
  [+] 0422 --> Ukrainian
  [+] 0423 --> Belarusian

And if it matches it exits the process (malware) using ExitProcess.

U may ask why this is important well this might be important in targetted attacks so it looks like it didn't want to target those countries. so luckily these three countires won't get infected ;). Read this for more info Malware Trying to Avoid Some Contries

Percistance:

HERMES Achieves Percistance by Dropping the "start.bat" batchfile in the startup folder to start the malware every time the computer starts why ?? doesn't it encrypt the files and everything is fine ? ok but what if it missed a file or if u have new files

It Drops this batch file in the StartUp Folder. The StartUp Folder in it the programs that are executed automaticly every time the user logs in or when the computer starts.

And U Simply Can Disable this File or simply delete it from the start folder.

If U tried restarting the VM u will see the command being executed but it didn't 

Encryption:

HERMES Encrypts The Files using AES-256 Algorithm and Encrypts the AES Random Key with RSA, And It utlizes the Windows CryptAPI.

It uses:

[+] CryptEncrypt 
[+] CryptGenKey 
[+] CryptExportKey 
[+] CryptImportKey
[+] CryptAcquireContextW

. It Drops two Files used for Encryption "PUBLIC" and "UNIQUE_ID_DONT_REMOVE".

The First one is a Public RSA Blob. These Blobs are used to store RSA Public Keys.

And the second one is the private key which means its for the attacker only and its encrypted. Take alook at the first 8 bytes from offset 0 to 7 actually these bytes has great meaning the 0x7 means that its a private key blob, 0x2 is the blob version and 0xA400 is the algorithm so this will tell that its RSA or any other algorithm for our case its RSA.

HERMES Uses "HERMES" Marker at the end of the file to identify if the file is encrypted or not

by CodeAnalysis it uses ReadFile and Checks for the marker as shown here

It Generates a AES-256 Key

HERMES Encrypts the File in chunks it reads the files and Encrypts it 1000000 bytes each

HERMES Does Some Drive Checking using GetLogicalDrives() and GetDriveType()

It First Gets the Drives on the Systems and Then Calls to GetDriveType If Return value of it is 5 means its (CD-ROM) it skips it.

It Also Skips Some Folders

IOC's:

Hashes:

  [+] MD5:254caeddba73aa4d1bb425c5274176d2 (Packed) 

  [+] SHA1:728711076a9e04b5e1e0010045e477d3515356b5
  
  [+] SHA256:a5a0964b1308fdb0aeb8bd5b2a0f306c99997c7c076d66eb3ebcdd68405b1da2
   
  [+] MD5:4f99ef502992d9ef9be6dc4ff27b1e95 (Unpacked)

Dropped Files:

  [+] svchosta.exe (main payload) 
  
  [+] UNIQUE_ID_DONT_REMOVE (Private RSA Key) 
  
  [+] PUBLIC (Public RSA Key)
  
  [+] windows.bat (deletes shadow copies)
  
  [+] start.bat (starts the malware everytime the computer starts)
  
  [+] DECRYPT_INFORMATION.html (Ransomware Note) 

TTP's:

[+] Command-Line Interface T1059

[+] Registry Run Keys / Startup Folder T1060

[+] Data Encrypted for Impact T1486

[+] Execution through API T1106

[+] Modify Registry T1112

[+] File Permissions Modification T1222

[+] Inhibit System Recovery T1490

[+] Query Registry T1012

Emails:

  [+] primary email: pretty040782@gmail.com
  [+] reserve email: pretty040782@keemail.me

Skipped Folders:

[+] Windows
[+] AhnLab
[+] Chrome
[+] Microsoft
[+] Mozilla
[+] $Recycle.Bin
[+] WINDOWS 

Ransomware Note:

References:

https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

https://app.any.run/tasks/29fd99e4-7087-45bc-8105-2746d44a46d9

https://analyze.intezer.com/analyses/4c6a208b-d5b6-4954-b144-9254d7dfc5ac

https://www.youtube.com/watch?v=WthvahlAYFY&t=225s

https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/

https://www.autoitscript.com/autoit3/docs/appendix/OSLangCodes.htm

https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/

GoodBye!

So That's It Hope u Enjoy and Thanks for AXIAL For Letting me in the team we will be making more inshallah don't forget to follow me astro and @AXI4L