Security News GandCrab analysis: clicked away 99 times and still installed malware

Mahesh Sudula
Thread author
Sep 3, 2017
The authors of the GandCrab ransomware try to install their malware with the least possible development effort. To do this, they confront users with, among other things, 100 dialogs for clicking away and do without a permanent installation in the system, as our analysis shows.
G DATA analysts analyzed the GandCrab malware in detail
Even malware authors try to make their own malicious code as efficient as possible. In this way they do without unnecessary functions and minimize the effort needed to obtain the necessary authorizations, as a detailed analysis by G DATA analyst Robert Michel shows. He took a closer look at the ransomware GandCrab in version 4.3 and published his detailed findings on the blog of our subsidiary G DATA Advanced Analytics. Already in September, we reported on a professional campaign against human resources departments using the corresponding GandCrab version.
One of his key findings: The GandCrab authors often do without complicated solutions, but instead try to convince users to grant them the necessary rights. Based on the services running on the system, however, the malware first tries to determine whether the operating system is Windows Vista or a more recent version. On older versions, the malware has an easier time and does not have to bother with system permissions.
Malware does not want admin rights
To be able to run on the system, the malware needs some rights. Achieving this is more complicated with more recent versions of Windows than it was a few years ago, because Microsoft has implemented some protection mechanisms, such as user account control. For example, normal user accounts should not be given administrator privileges to prevent infections. If a non-administrator wants to install software (including malware), the user must confirm that this is actually what they want. GandCrab, on the other hand, does not even try to gain admin rights. Instead, the malware attempts to harness the user to extend their rights from Low to Medium. For this purpose, the user is prompted 100 times via the user account control to grant the necessary rights.
Elsewhere, the malware authors have obviously tried to save development time, because the software does not try to gain a permanent presence on the system. This is usually not necessary. This property, called "persistence" by experts, would ensure that the malware is still active after the system is rebooted. GandCrab has done its job after encrypting the files. In this particular case, it would actually help to turn off the computer quickly when files are being encrypted.
In a further development of GandCrab (Version 5) this is no longer the case. Here, encryption would simply resume after a reboot. The malware authors also ensure that the system can still be booted up after the encryption - otherwise the users could no longer pay the encryption sum.
Another feature made our analyst frown: the GandCrab ransomware allegedly contains a kernel exploit for a driver of the South Korean security software manufacturer AhnLab. If true, the malware could access the innermost layers of system functionality. G DATA analyst Robert Michel, however, gives the all-clear: "I consider this statement to be pure marketing by the malware authors. Contrary to what the developers claim, it is not easily possible to extend their own privileges on the system with a single exploit."
The analysis thus shows that even ransomware authors do marketing in their own right and advertise with supposedly very good features. In many places, however, the criminals also save unnecessary effort in order to act cost-effectively.
Mahesh Sudula
Thread author
Sep 3, 2017
Defender... Where are my files?
In the Cloud... we have been exploring new ways to protect our customers from advanced attacks, so we introduced Cloud-based ML/AI, ATP. For these to work, initially we want attacks to be successful so we can include those patterns in our learning systems. Trust Microsoft, you will never look into other AV - CEO