by RSS Tien Phan and Roland Dela Paz  |  Apr 01, 2016  |  Filed in: Security Research

A new ransomware targeting Magento Websites was recently discovered by the Malware Hunter Team and Lawrence Abrams. This post intends to share additional findings of the FortiGuard Lion Team, specifically on three areas: 1) KimcilWare’s backdoor capabilities; 2) how can we decrypt files encrypted by KimcilWare and 3) the hacker group who may be behind it.

KimcilWare Backdoor

Aside from encrypting files, KimcilWare is capable of opening backdoor as well as uploading files to affected sites. The following KimcilWare code snippet shows that:

Therefore, KimcilWare allows a remote user to have full control over an affected website.

Understanding KimcilWare’s Encryption Routine

When the encryption function of KimciWare starts, it initially calls the function ExecuteEncrypter with the webserver document root as the argument:

The ExecuteEncrypter function then starts to recursively encrypt every file it finds in the document root:

We took a look at the EncryptData function to see how this malware perform its encryption and see if we can decrypt the files without paying ransom. The EncryptData function looks like this:

We can see above two more functions, namely EvilEncrypt and GenerateKey function. Let’s see how evil it is…

Not so evil, in fact. The EvilEncrypt function use RIJNDAEL 256, a symmetric encryption. That means the same key used to encrypt can be used to decrypt affected files.

Now let’s take one more step and look at the GenerateKey function. This function generates the key based on victim server data which can be easily obtained in order to replicate the key for decrypting files.

The challenge here is how we can know the time? The obvious approach is to brute force that value. It will take a little time but it’s better than paying the ransom, right.

However upon looking again into the ransomware code, we noticed one thing in the EncryptData function:

While writing the encrypted data into the original file, it changes the last modified timestamp of that file. As it turns out, we don't need to brute force the date value in GenerateKey function anymore. Instead, we can simply get the data from the modified timestamp of an encrypted file which will ultimately allow us to recover encrypted files.

Who is Behind KimcilWare?

We start our attribution by first looking at the obvious elements of this malware. The associated email address for this ransomware is “tuyuljahat@hotmail.com”, which can be broken down into “Tuyul Jahat” - an Indonesian name.

Meanwhile, online search for the word “Kimcil” suggests that it is of Indonesian origin as well. These might be faked artifacts, however. So we moved on to the next possible intelligence source:  the MireWare ransomware.

MireWare is a ransomware based on the Hidden Tear code. While it was not properly working when it was released to the wild, a static analysis shows that it also points would-be victims to the same email address - tuyuljahat@hotmail.com – to get recovery instructions.

MireWare ransomware was discovered only a few days ago; however VirusTotal shows that the first upload date of this ransomware was from December 28, 2015 from an Indonesian web user:

Looking at the embedded C&C in the MireWare binary, we obtained yet another clue:

“sarkem” originates from Javanese, an Indonesian language of central Java.

Furthermore, the above C&C is now suspended. Interestingly, however, it pointed us to some malicious PHP scripts that utilized the exact same website to host some malicious content. Below is a code snippet from one of the PHP scripts we collected:

Opening the PHP script itself shows a web shell interface. More importantly, it included: 1) the author’s details including his handle and 2) credits to his colleagues and team under the “Tanks to:” section.

At this point, it is not surprising that the author’s description is written in Indonesian. After some poking with the information we gathered, we were able to identify and confirm the specific Indonesian black hat community where the KimcilWare ransomware is coming from.

Historically, the group has been involved in mass website defacing and PayPal account hacking. It seems that this time around, they are using their web hacking skills to get into the ransomware business.

Conclusion

Taken together, KimcilWare ransomware is an example of how the ransomware business is attracting threat actors from different parts of the world. It is also interesting how new ransomware are implemented based on the skillset of cybercriminals, which in the case of KimcilWare is web server hijacking.

We expect to see more ransomware variations with diverse implementations moving forward. If we look closer, however, we can find possible flaws from new ransomware variants’ encryption algorithm and therefore reverse the damage, such as in KimcilWare’s case.

We will continue to monitor developments in the ransomware scene and post information as necessary.

-= FortiGuard Lion Team =-

Related files:
c242f9e1892c340c58f716424716eeab – detected as PHP/KimcilWare.A!tr (renamed from W32/KimcilWare.A!tr)
22f97851c085d143bf24311214f77990 - detected as MSIL/MireWare.A!tr (renamed from W32/MireWare.A!tr)

by RSS Tien Phan and Roland Dela Paz  |  Apr 01, 2016  |  Filed in: Security Research