Dark Power Ransomware Abusing Vulnerable Dynamic-Link Libraries in Resolved API Flow – Source: heimdalsecurity.com

July 28, 2023
Post Author / Publisher: HeimdalSecurity.com

CISO2CISO post categories: 0 - CT, 0 - CT - SOC - CSIRT Operations - Malware & Ransomware, Cyber Security News, Forensics and threat hunting, heimdalsecurity, heimdalsecurity, rss-feed-post-generator-echo

Rate this post

Source: heimdalsecurity.com – Author: Vladimir Unterfingher

In a previously-published material, Heimdal® has analyzed the emergent Dark Power malware – a ransomware strain written in the NIM programming and capable leveraging advanced encryption techniques such as CTR for a better stranglehold on the victim’s device and, implicitly, the hosted data. Open-source threat intelligence feeds shed very little insight on the preferred vector of infiltration (i.e., functional assumption is based on the fact that, statistically speaking, most ransomware is transmitted via email) and vulnerability discovery & abuse (i.e., insufficient data on brutalized coding vulnerabilities). Heimdal®’s research in vulnerability D&A associated with the Dark Power strain has revealed that the ransomware abuses kernel-related APIs at IPC level, thus managing to move faster across the cyber-kill chain. In this article, we will take a closer look at the vulnerabilities and map out connections to know CVEs.

Drill-down APIs workflow resolved by the Dark Power ransomware

Our investigation begins with a CapeSandbox resolved APIs dump. To summarize, the Dark Power ransomware interacts with the following DLLs; commands have also been included for each step.

kernel32.dll

Description: a 32-bit dynamic link library (DLL) found in the Microsoft Windows OS kernel. Its purpose is to handles memory management, input/output (i.e., I/O) operations, and interrupts. Upon successful boot, kernel32.dll is loaded into a protected memory space so other applications cannot interfere with it. When it occurs, it will return the “invalid page fault” error.

Association to documented CVEs and/or similar malware family

CVE-2007-4528 – The FFI extension found in PHP 5.0.5 does not permit safe_mode restriction. This threat-actors to execute arbitrary code by loading an arbitrary Dynamic-Link Library and calling a function, such as kernel32.dll or the WinExec function.
CVE-2007-5145 – “Multiple buffer overflows in system DLL files in Microsoft Windows XP, as used by Microsoft Windows Explorer (explorer.exe) 6.00.2900.2180, Notepad++, unspecified Adobe Macromedia applications, and other programs, allow user-assisted remote attackers to cause a denial of service (application crash) via long strings in the author, title, subject, and comment fields of a file, possibly involving improper handling of extended file attributes by the:

NtQueryInformationFile,
NtQueryDirectoryFile,
NtSetInformationFile,
FileAllInformation,
FileNameInformation, and other FILE_INFORMATION_CLASS functions in ntdll.dll
GetFileAttributesExW
GetFileAttributesW functions in kernel32.dll.”

CVE description courtesy of NIST

CVE-2007-1347 – A bug in Windows Explorer (i.e., versions Windows 2000 SP4 FR and XP SP2 FR), allows remote threat actors to trigger a denial of service via a crafted Office file.
TR-23 – NetWiredRC Malware. A feature-rich RAT (i.e., Remote Access Tool) with the following import table: kernel32.dll, user32.dll, gdi32.dll, advapi.dll, shell32.dll, comctl32.dll, shlwapi.dll, ole32.dll, oleaut32.dll, and version32.dll. Observed Command & Control traffic associated to TR-23 employed AES-256-OFB proprietary protocol for malicious actions on object.

bcrypt.dll

Description: also known as the Windows Cryptographic Primitives Library, this DLL provides cryptographic functions (i.e., deriving hashes or encrypting/decrypting information).