The eCh0raix Ransomware

Introduction

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below.

All your data has been locked(crypted).
​How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to

Do NOT remove this file and NOT remove last line in this file!
[base64 encoded encrypted data]

Note that there is a typo in the ransom note which may indicate that the actors behind this campaign are not native-English speakers.

QNAP Technical Breakdown

The malware is written and compiled in the Go programming language. The ransomware is very simple with its source code being fewer than 400 lines. A reconstruction of the source code tree is shown below. The functionality is standard for a ransomware: check if already encrypted, walk the file system for files to encrypt, encrypt the files, and produce the ransom note.

Package main: /home/user/go/src/qnap_crypt_worker
File: main.go
        getInfo Lines: 61 to 123 (62)
        checkReadmeExists Lines: 123 to 132 (9)
        (init)0 Lines: 132 to 161 (29)
        main Lines: 161 to 213 (52)
        (main)func1 Lines: 185 to 191 (6)
        randSeq Lines: 213 to 222 (9)
        in Lines: 222 to 231 (9)
        writemessage Lines: 231 to 238 (7)
        chDir Lines: 238 to 269 (31)
        encrypt Lines: 269 to 349 (80)
        makesecret Lines: 349 to 358 (9)    

Upon execution, the malware reaches out to the URL http://192.99.206[.]61/d.php?s=started and notifies the Command and Control (C2) that the encryption process has begun, as shown in Figure 1.


Figure 1 - Checks if the instance is already running by reaching out to a C2 IP. If it is, exit process.

Establishing C2 connection

The malware communicates to the C2 sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000, as seen in Figures 2 and 3. Based on the analysis it is clear that the proxy has been set up by the malware author to provide Tor network access to the malware without including Tor functionality in the malware.


Figure 2 - Port scan results on Proxy IP.


Figure 3 - Connects via SOCKS5 proxy

The malware retrieves the RSA public key and the ‘readme’ text content from the C2 server. One of the samples analyzed used the URL “http://sg3dwqfpnr4sl5hh[.]onion/api/GetAvailKeysByCampId/10”, that possibly suggests this was the 10th campaign run by the threat actor. The data returned by the C2 server is encoded in JSON and the malware unserializes the data into the following Go data struct:

type main.Info struct {
        RsaPublicKey string
        Readme string
​}

Encryption Module

The module generates a 32 character random string from the array “[email protected]#$%^&*()_+” to create an AES-256 key. By using this fixed set of characters, the effective key space is 192-bit. As can be seen in Figure 4, the malware initializes the math random page with the seed of the current time. Since it is using the math’s package to generate the secret key, it is not cryptographically random and it is likely possible to write a decryptor.


Figure 4 - Set the math random seed with the current time.

The generated AES key is then encrypted with a public key which was either embedded in the malware sample or retrieved from the C2 server, depending on the version of the malware. The resulted string is then encoded with base64 and added to the README_FOR_DECRYPT.txt file.

Before the malware encrypts any files, it proceeds to kill the below list of processes. The processes are stopped on the infected NAS by issuing the commands “service stop %s” or “systemctl stop %s”.

  • apache2
  • httpd
  • nginx
  • mysqld
  • mysql
  • php-fpm
  • php5-fpm
  • postgresql

File Encryption

The files are encrypted with AES in Cipher Feedback Mode (CFB) with the secret key that was generated. When selecting files to encrypt, the ransomware skips any files where the absolute path for the file contain any of the strings listed below.

  • /proc
  • /boot/
  • /sys/
  • /run/
  • /dev/
  • /etc/
  • /home/httpd
  • /mnt/ext/opt
  • .system/thumbnail
  • .system/opt
  • .config
  • .qpkg

If the path does not contain any of the strings, it checks the file extension for the file. If the file extension is one of the extensions shown below, the ransomware encrypts the file. The encrypted data is written to a new file with the original name and file extension but the file extensions “.encrypt” is appended to the end. Once the file has been written, the original file is removed.

.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm.ewp.far.fdb.fit.flv.fmp.fos.fpk.fsh.fwp.gdb.gho.gif.gne.gpg.gsp.gxk.hdm.hkx.htc.htm.htx.hxs.idc.idx.ifx.iqy.iso.itl.itm.iwd.iwi.jcz.jpe.jpg.jsp.jss.jst.jvs.jws.kdb.kdc.key.kit.ksd.lbc.lbf.lrf.ltx.lvl.lzh.m3u.m4a.map.max.mdb.mdf.mef.mht.mjs.mlx.mov.moz.mp3.mpd.mpp.mvc.mvr.myo.nba.nbf.ncf.ngc.nod.nrw.nsf.ntl.nv2.nxg.nzb.oam.odb.odc.odm.odp.ods.odt.ofx.olp.orf.oth.p12.p7b.p7c.pac.pak.pdb.pdd.pdf.pef.pem.pfx.pgp.php.png.pot.ppj.pps.ppt.prf.pro.psd.psk.psp.pst.psw.ptw.ptx.pub.qba.qbb.qbo.qbw.qbx.qdf.qfx

Once the entire encryption process is completed the malware reaches out to the URL http://192.99.206.61/d[.]php?s=done and sends the command “done” to notify the completion of encryption, Figure 5.


Figure 5 - Send “done” to C2

C2 Analysis

The analyzed C2 URL (http://sg3dwqfpnr4sl5hh[.]onion) has partial directory listing enabled, and after browsing through the directories, Anomali researchers were able to find a sample named “linux_crypter”. The sample was packed by UPX. Analysis of the unpacked sample confirmed that it is written in Go and had some modifications to the previously analysed sample. The sample found on C2, checks the locale of the infected NAS for Belarus, Ukraine, or Russia and exits without doing anything if a match is found. This technique is common amongst threat actors, particularly when they do not wish to infect users in their home country.

Analysis

The eCh0raix ransomware, named after a string found in the malware, is a ransomware used in targeted attacks. It appears to not be designed for mass distribution. The samples with a hardcoded public key appear to be compiled for the target with a unique key for each target. Otherwise the decryptor sold by the threat actor could be used for all victims. The samples that fetch the public key and ransom note from the C2 server, also send a request when it starts and when it is done. This is probably used to provide the threat actor with live feedback. The request does not include any identifiable information for the threat actor to discern multiple targets.

The threat actor targets QNAP NAS devices that are used for file storage and backups. It is not common for these devices to run antivirus products and currently the samples are only detected by 2-3 products on VirusTotal, Figure 6, which allows the ransomware to run uninhibited. It is not known how these devices are infected. According to a post on Bleeping Computer’s forum, some infected systems were not fully patched and others reported detections of failed login attempts.


Figure 6 - Low detection rate on VirusTotal

“During my research, the nas pops me severals time with the message "HTTP Login Failed", like every second.”
- zerocool64

“Seems all of us are using QNAP NAS, which version of QTS where you using at the time of the attack? Mine was 4.1.3”
- eggxpert

“I've found a lot of .encrypt files on my RAID 6 in my QNAP TS-459 Pro II with 4.2.6 firmware”
- alew1s3

“I've activated system registry and suddenly there are a lot of attempts to login via HTTP in my myqnapcloud by strange usernames and IPs so i totally disabled it”
- alew1s3

“Same as someone already explained: lot of login failed that day.”
- lucagiroletti

Figure 7 - Content from BleepingComputer forum post

Recommendations

Restrict external access to the QNAP NAS device. Ensure it is up to date with security patches and that strong credentials are employed.

Affected QTS versions according to BleepingComputer forum users:

  • 4.1.3
  • 4.2.6
  • QNAP TS-459 Pro II with 4.2.6 firmware
  • QNAP TS-251+ (4.3.1.0695 Build 20180830)

Yara rule

rule eCh0raix {
    meta:
        author = "Anomali"
        tlp = "GREEN"
        description = "Rule to detect eCh0raix ransomware"
        version = "1.0"
    strings:
        $magic = "eCh0raix"
        $s0 = "go.buildid"
        $s1 = "main.main"
        $s2 = "makesecret"
        $s3 = "chDir"
        $s4 = "writemessage"
        $s5 = "randSeq"
        $s6 = "encrypt"
    condition:
        uint16(0) == 0x457f and $magic and all of ($s*)
​}

Bitcoin addresses

18C28bVEctVtVbwNytt4Uy6k7wxpysdDLH

1Fx7jev3dvHobdK8m3Jk6cA8SrfzjjLqvM

Samples

154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357 (DE)

3d7ebe73319a3435293838296fbb86c2e920fd0ccc9169285cc2c4d7fa3f120d (TW)

95d8d99c935895b665d7da2f3409b88f ( linux_cryptor)

URLs

http://sg3dwqfpnr4sl5hh[.]onion/api/GetAvailKeysByCampId/13

http://sg3dwqfpnr4sl5hh[.]onion/order/1LWqmP4oTjWS3ShfHWm1UjnvaLxfMr2kjm

http://sg3dwqfpnr4sl5hh[.]onion/static/

IP

192.99.206.61:65000

MITRE ATT&CK TTPs:


This is a companion discussion topic for the original entry at https://www.anomali.com/blog/the-ech0raix-ransomware