TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang

Analysts, first, focused on the binary for the “Go build id” string to identify the Golang build used for compiling it.
In recent campaigns of Go-written malware, especially in ransomware cases, attackers patch the binary to remove this string, making it difficult for researchers to use string-based signatures to detect the binary as Go.

Going through the two samples –

460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984 (Windows)

5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e (Linux)

– analysts noticed that more than 85% of code in the Windows and Linux versions are almost the same
Analysts notice in this case that the malware authors have left only one main function and changed the other functions to random names.
The sample checks the existence of the files “showkey.txt” and “public.txt” with the help of OS.Getenv, using “ALLUSERSPROFILE” and “HOMEDRIVE” as keys in Windows and Home and /tmp/ in Linux. If it is present, it means encryption occurred, and it exists using runtime_gopanic; otherwise, it creates them.

For Windows, the return is “C:\ProgramData” and /root/ directory in Linux. Using path.join to join “showkey.txt” and “public.txt” with the directories results in:
Windows:
“C:\ProgramData/showkey.txt”

“C:\ProgramData/public.txt”

Linux:
“/root/showkey.txt”

“/root/public.txt”

The sample uses the Golang Crypto Packages for RSA key – some of them are crypto_x509_MarshalPKCS1PublicKey, crypto_x509_MarshalPKCS1PrivateKey, encoding_pem_EncodeToMemory and crypto_rsa_GenerateMultiPrimeKey.
crypto_x509_ MarshalPKCS1PrivateKey converts the RSA private key to PKCS #1, ASN.1 DER form.
Then, the encoding_pem_EncodeToMemory returns the PEM (Privacy Enhanced Mail) encoding, and after that, runtime_slicebytetostring converts bytes to string, resulting in the conversion of bytes to string.txt”

TellYouThePass ransomware tries to kill some tasks and services before initiating the encryption routine, as shown in Table 2 below. However, in Linux, it requires root privilege to do that. Targeted applications include various email clients, database applications, web servers and document editors.

It runs various commands using cmd.exe to kill tasks in Windows, and in Linux, it takes the os_exec_command Go package to execute different commands using /bin/bash/:

Windows:

“taskkill /f /im msftesql.exe ”

“schtasks /delete /tn WM /F ”

“taskkill /f /im sqlagent.exe ”

“taskkill /f /im sqlbrowser.exe ”

“taskkill /f /im sqlservr.exe ”

“taskkill /f /im sqlwriter.exe ”

“taskkill /f /im oracle.exe ”

“taskkill /f /im ocssd.exe ”

“taskkill /f /im dbsnmp.exe ”

“taskkill /f /im synctime.exe ”

“taskkill /f /im mydesktopqos.exe ”

“taskkill /f /im agntsvc.exeisqlplussvc.”

“taskkill /f /im xfssvccon.exe ”

“taskkill /f /im mydesktopservice.exe ”

“taskkill /f /im ocautoupds.exe ”

“taskkill /f /im agntsvc.exeagntsvc.exe ”

“taskkill /f /im agntsvc.exeencsvc.exe ”

“taskkill /f /im firefoxconfig.exe ”

“taskkill /f /im tbirdconfig.exe ”

“taskkill /f /im ocomm.exe ”

“taskkill /f /im mysqld.exe ”

“taskkill /f /im mysqld-nt.exe ”

“taskkill /f /im mysqld-opt.exe ”

“taskkill /f /im dbeng50.exe ”

“taskkill /f /im sqbcoreservice.exe ”

“taskkill /f /im excel.exe ”

“taskkill /f /im infopath.exe ”

“taskkill /f /im msaccess.exe ”

“taskkill /f /im mspub.exe ”

“taskkill /f /im onenote.exe ”

“taskkill /f /im outlook.exe ”

“taskkill /f /im powerpnt.exe ”

“taskkill /f /im steam.exe ”

“taskkill /f /im sqlservr.exe ”

“taskkill /f /im thebat.exe ”

“taskkill /f /im thebat64.exe ”

“taskkill /f /im thunderbird.exe ”

“taskkill /f /im visio.exe ”

“taskkill /f /im winword.exe ”

“taskkill /f /im wordpad.exe”

“taskkill /f /im tnslsnr.exe”

Linux:

“service mysql stop”

“/etc/init.d/mysqld stop”

“service oracle stop”

“systemctl disable “postgresql*””

“systemctl disable “mysql*””

“systemctl disable “oracle*””

Both the Windows and the Linux versions have a list of directory exclusions for encryption

Windows:

EFI.Boot

EFI.Microsoft

Windows

Program Files

All Users

Boot

IEidcache

ProgramData

desktop.ini

autorun.inf

netuser.dat

iconcache.db

thumbs.db

Local Settings

bootfont.bin

System Volume Information

AppData

Recycle.Bin

Recovery

Linux:

/bin

/boot

/sbin

/tmp

/etc

/lib

/proc

/dev

/sys

/usr/include

/usr/java

The TellYouThePass ransomware focuses on encrypting popular media and file extensions, saving their paths in the “encfile.txt” text file, located in the same folder as “public.txt” and “showkey.txt”.

Below is the full list of targeted extensions for encryption:

1cd, 3dm, 3ds, 3fr, 3g2, 3gp, 3pr, 602, 7z, ps1, 7zip, aac, ab4, accdb, accde, accdr, accdt, ach, acr, act, adb, adp, ads, aes, agdl, ai, aiff, ait, al, aoi, apj, arc, arw, asc, asf, asm, asp, aspx, asx, avi, awg, back, backup, backupdb, bak, bank, bat, bay, bdb, bgt, bik, bin, bkp, blend, bmp, bpw, brd, c, cdf, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, cdx, ce1, ce2, cer, cfg, cgm, cib, class, cls, cmd, cmt, conf, config, contact, cpi, cpp, cr2, craw, crt, crw, cs, csh, csl, csr, css, csv, dac, dat, db, db3, db_journal, dbf, dbx, dc2, dch, dcr, dcs, ddd, ddoc, ddrw, dds, der, des, design, dgc, dif, dip, dit, djv, djvu, dng, doc, docb, docm, docx, dot, dotm, dotx, drf, drw, dtd, dwg, dxb, dxf, dxg, edb, eml, eps, erbsql, erf, exf, fdb, ffd, fff, fh, fhd, fla, flac, flf, flv, flvv, fpx, frm, fxg, gif, gpg, gray, grey, groups, gry, gz, h, hbk, hdd, hpp, html, hwp, ibank, ibd, ibz, idx, iif, iiq, incpas, indd, jar, java, jnt, jpe, jpeg, jpg, jsp, jspx, ashx, js, kc2, kdbx, kdc, key, kpdx, kwm, laccdb, lay, lay6, ldf, lit, log, lua, m, m2ts, m3u, m4p, m4u, m4v, mapimail, max, mbx, md, mdb, mdc, mdf, mef, mfw, mid, mkv, mlb, mml, mmw, mny, moneywell, mos, mov, mp3, mp4, mpeg, mpg, mrw, ms11, msg, myd, myi, nd, ndd, ndf, nef, nk2, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nvram, nwb, nx2, nxl, nyf, oab, obj, odb, odc, odf, odg, odm, odp, ods, odt, ogg, oil, orf, ost, otg, oth, otp, ots, ott, p12, p7b, p7c, pab, pages, paq, pas, pat, pcd, pct, pdb, pdd, pdf, pef, pem, pfx, php, pif, pl, plc, plus_muhd, png, pot, potm, potx, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, prf, ps, psafe3, psd, pspimage, pst, ptx, pwm, py, qba, qbb, qbm, qbr, qbw, qbx, qby, qcow, qcow2, qed, r3d, raf, rar, rat, raw, rb, rdb, rm, rtf, rvt, rw2, rwl, rwz, s3db, safe, sas7bdat, sav, save, say, sch, sd0, sda, sdf, sh, sldm, sldx, slk, sql, sqlite, sqlite3, sqlitedb, sr2, srf, srt, srw, st4, st5, st6, st7, so, st8, stc, std, sti, stm, stw, stx, svg, swf, sxc, sxd, sxg, sxi, sxm, sxw, tar, tar.bz2, tbk, tex, tga, tgz, thm, tif, tiff, tlg, txt, uop, uot, vb, vbox, vbs, vdi, vhd, vhdx, vmdk, vmsd, vmx, vmxf, vob, wab, wad, wallet, war, wav, wb2, wk1, wks, wma, wmv, wpd, wps, x11, x3f, xis, xla, xlam, xlc, xlk, xlm, xlr, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xlw, xml, ycbcra, yuv, zip.

Finally, the ransom note contains information about the encryption algorithm used to encrypt the files, specifically RSA-1024 and AES-256.
It also includes the personid, used for identifying the victim. Following 0.05 bitcoin transfer into a designated and hardcoded wallet, attackers promise to provide victims with the decryption key to recover all files.

Sign Up For Threat Alerts

Loading...
Threats Icon

Mar 21, 2023

Dotrunpex – Demystifying new virtualized .net injector...

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used...

Threats Icon

Mar 21, 2023

GlobeImposter Ransomware With MedusaLocker Spreading Via RDP

A GlobeImposter ransomware campaign was discovered being carried out by the attackers behind MedusaLocker. The...

Threats Icon

Mar 20, 2023

Common credential stealers

FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common...

Threats Icon

Mar 20, 2023

Sirattacker And ALC Ransomware Analysis

The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices....

Threats Icon

Mar 19, 2023

Google Advertising Used To Distribute RedLine Stealer

A malvertising campaign was discovered mimicking websites belonging to well-known software such as Notepad++ and...

Threats Icon

Mar 16, 2023

Microsoft Outlook Elevation of Privilege Vulnerability Exploit

Microsoft has posted a security vulnerability CVE-2023-23397, exploiting it allows attackers to gain elevated privileges...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 15, 2023

US Cert Alert – Threat Actors Exploit...

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully...

Threats Icon

Mar 15, 2023

Threat Actors Use ParallaxRAT For Targeting Cryptocurrency...

Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that...

Threats Icon

Mar 13, 2023

Exposing The Lazarus Arsenal WinorDLL64 Backdoor

In 2021 the researchers discovered and dissected a tool from the Lazarus APTs arsenal named...

Threats Icon

Mar 12, 2023

Clasiopa New Group Targets Materials Research

A campaign targeting the materials research sector with custom and commodity utilities and malware is...

Threats Icon

Mar 09, 2023

New Emotet campaign

Emotet is a type of malware that is designed to steal sensitive information from infected...

Threats Icon

Mar 09, 2023

How sys01 stealer will get your sensitive...

Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...

Threats Icon

Mar 09, 2023

How sys01 stealer will get your sensitive...

Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...