Context
On June 28, 2022, ReversingLabs researchers reported a phishing campaign using malicious Microsoft Office files to distribute version 2.0 of the AstraLocker ransomware. Based on shared code and campaign markers, the researchers assess that the threat actors behind the campaign likely obtained the AstraLocker 2.0 code from the Babuk source leak of September 2021. The cryptocurrency wallet addresses used in the campaign are associated with the Chaos ransomware gang.
Technical Details
AstraLocker is a fork of the Babuk ransomware and first appeared in 2021. Version 2.0 first appeared in March 2022. The ransomware is delivered in phishing emails via malicious Microsoft Word documents. The payload is stored in an object linking and embedding (OLE) object that is only activated when the victim double-clicks the executable icon embedded in the malicious document.
The new version of AstraLocker uses the outdated SafeEngine Shielden v2.4.0.0 protector, which complicates reverse engineering efforts. The new version also uses sophisticated tactics such as:
- Checking if the host is a virtual machine (VM)
- Checking running processes to determine if the environment is an analysis sandbox
- Checking names of open windows to determine if malware analysis tools are running
- Hiding threads from debugging tools by using the argument HideFromDebugger
- Stopping multiple backup and anti-malware services
- Killing multiple processes that could interfere with encryption
- Deleting volume shadow copies
- Emptying the recycle bin
- Enumerating and mounting all drives and network shares
- Encrypting files using Curve25519, one of the fastest elliptic curve cryptography (ECC) curves
Impact Analysis
Researchers assessed that while the ransomware tool itself is relatively sophisticated, the campaign is not. The campaign delivered the ransomware immediately whenever a victim clicked the attachment. In more sophisticated ransomware campaigns, attackers wait until later in the compromise chain to deliver the payload, allowing time for reconnaissance and deeper penetration into the targeted network. Executing the ransomware payload also took multiple manual clicks by the victim. Requiring this much manual activity creates numerous opportunities for the infection process to be interrupted or second-guessed by victims.
IOCs
ReversingLabs researchers provided the following indicators of compromise (IOCs) for the campaign:
| Indicator | Type | Notes |
| --- | --- | --- |
| [.]babyk | File Extension | AstraLocker 2.0 file extension after encryption |
| 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS | Cryptocurrency Wallet Address | Chaos ransomware gang-associated Monero wallet |
| bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus | Cryptocurrency Wallet Address | Chaos ransomware gang-associated Bitcoin wallet |
| cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3 | SHA256 | AstraLocker 2.0 ransomware |
| b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9 | SHA256 | AstraLocker 2.0 ransomware |
| 17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565 | SHA256 | AstraLocker 2.0 ransomware |
| 08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6 | SHA256 | AstraLocker 2.0 ransomware |
| 5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821 | SHA256 | AstraLocker 2.0 ransomware |
| 60167b6a14b7da2257cb6cbdc7f1ebcb4bdfa16c76cc9a7539c9b8d36478d127 | SHA256 | Malicious Word document |
| 71ba916a7f35fe661cb6affc183f1ce83ee068dbc9a123663f93acf7b5a4263e | SHA256 | Malicious Word document |