Home » Security Bloggers Network » Buran Ransomware Targets German Organisations through Malicious Spam Campaign

Buran Ransomware Targets German Organisations through Malicious Spam Campaign

by Alex Holland on October 21, 2019

Introduction

As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually high volume, sent to many employees in an organisation; second, they are indiscriminate, relying on opportunistic infections to make money from ransom payments; and third, the distributed malware is designed to suit a wide range of environments and infection vectors, rather than being tailored to a specific network. Any targeting tends to focus on regions that share a common language and the popular online services used there, instead of identifying a small number of lucrative targets. In this post, we examine a malicious spam (malspam) campaign targeting German organisations in early October 2019 that delivered Buran.

Buran

Buran is a family of commodity ransomware, compiled with Borland Delphi. It was analysed by ESET researchers in April 2019, who call it Win32/Filecoder.Buhtrap.[1] In May 2019, Buran was discovered being sold in Russian-speaking underground forums.[2] Buran’s developers market the malware to potential operators as a ransomware-as-a-service (RaaS) scheme, taking a 25% cut of any ransom payments in exchange for a “decoder” used to decrypt victims’ files (figure 1). The affiliate scheme has been advertised on several forums by a user called buransupport, most recently on 4 September 2019 (figure 2).

Sponsorships Available

Figure 1 – Translated advert from May 2019 for Buran’s affiliate scheme.

Figure 2 – Translated forum post from 4 September 2019 promoting the affiliate scheme.

Commodity Malware

Based on the behavior of the malware and how it is sold, it’s clear that Buran is a family of commodity malware that has been developed with no specific target in mind. Buran’s developers say that the malware will not run in any countries of the former Commonwealth of Independent States (CIS), possibly a measure to protect its developers from the ire of local law enforcement. The use of geo-fencing suggests that the malware was developed with the intention of following a RaaS model, relying on potentially less trusted affiliates to distribute the ransomware.

Buran performs several anti-forensic measures such as clearing Windows Event logs and disabling the Windows Event Log service. These are designed to make any post-infection investigation more difficult. However, these actions are noisy and easily detectable by network defenders, so each measure should be weighed up for its benefit of deleting evidence against the cost of early detection. Since commodity malware must support different infection vectors and environments, they often contain a range of anti-forensic measures, not all of which will be relevant to an environment where the malware is deployed. For instance, Buran also deletes Remote Desktop Protocol (RDP) connection logs from the victim’s system. In the context of this campaign, this measure is unnecessary because the initial access vector was by phishing, not RDP.

Malspam Campaign

Public reporting suggests that Buran malspam campaigns began on 13 September 2019.[3] This is corroborated by metadata found in the emails and Microsoft Word documents. Previously in June 2019, Buran was observed being distributed through the Rig exploit kit.[4] The campaign on 1 October 2019 spoofed the eFax brand, a legitimate online fax service. German organisations were targeted using an eFax lure consisting of an email and Word document that were translated into German. The ransom note was also translated into German and the email addresses used to contact the attacker contained the German word for data (“daten”).

Figure 3 – Buran’s German ransom note.

Spam Email

The emails contain hyperlinks to a PHP page that serves Word documents used to download the Buran payload. Using hyperlinks instead of attachments means that the emails are less likely to be blocked by malware scanners at the email gateway. The domains used in the October campaign were registered on 27 September 2019, meaning that the websites were not associated with any prior malicious activity that would cause web proxies to block access to them. The domains were typosquats of the legitimate eFax website using the .site top-level domain (TLD), however, Buran malspam activity from September 2019 also shows that the .xyz TLD has been used (figure 4).

Figure 4 – Phishing email spoofing the eFax brand from September 2019.

Examining the Start of Authority (SOA) DNS records identified a common email address (gladkoff1991@yandex[.]ru) associated with the domains. Pivoting off the email address revealed additional typosquatted eFax domains associated with the account. These are listed in the Indicators of Compromise section.

The emails contained a tracking pixel, implemented as a 1×1 pixel image.[5] If external content in the email is allowed, an HTTP GET request containing a 128-character Base64 query string is sent to the s.php page hosted on a web server controlled by the attacker. Since the query string changes between emails, it’s possible that it functions as a unique identifier to allow the threat actor to track users who have opened the email.

Figure 5 – Tracking pixel in eFax spam.

Word Downloader

The Word downloader is interesting because the document was modified so that the Visual Basic for Applications (VBA) AutoOpen macro cannot be viewed using the Visual Basic IDE. Philippe Lagade’s olevba.py tool successfully extracts the VBA code.[6]

Figure 6 – Extract of VBA macro from the documents.

Examining the macros found that all the documents download a Buran executable from a URL using the URLDownloadToFileA function imported from urlmon.dll:

http://54.39.233[.]175/wupd19823.tmp

Figure 7 – Word document containing a VBA macro that downloads Buran.

Each document contains four eXtensible Markup Language (XML) files filled with junk data. The character set used to generate the junk data is [a-zA-Z0-9]. The date modified timestamps of the junk files are later than the modification timestamps of the rest of the document. Since the data is not used, the likely purpose of this junk data is to vary the file size and hash of the document to evade detection using these properties. The XML files are named according to the regular expression:

[a-zA-Z0-9]{13,37}\d{10}\.xml

The last 10 digits are UNIX timestamps of when the document was created, likely by the PHP script since they match the time when the document was downloaded.

Figure 8 – Junk data to vary the file size and checksums of the Word documents.

Time Zone and Locale Artefacts

The documents contain artefacts that suggest the Word document was created on a Russian locale Windows computer from a UTC+3 time zone. Microsoft Word generates default theme and template field names based on the locale of the operating system.

Metadata Field	Value	Note
Document Body PR Drawing Inline Doc Pr Descr	efaxjpg	Name of embedded JPEG image
Theme Theme Elements Font Scheme Name	Стандартная	“Standard” (Russian)
Document Body PR Drawing Inline Doc Pr Name	Рисунок 3	“Figure 3” (Russian)
Properties Heading Pairs Vector Variant Lpstr	Название	“Title” (Russian)
Styles Doc Defaults R Pr Default R Pr Lang Val	ru-RU	ISO language code for Russia
Styles Doc Defaults R Pr Default R Pr Lang East Asia	ru-RU	ISO language code for Russia

Extensible Metadata Platform (XMP) metadata was present in two JPEG images in the phishing email template and the Word document.[7] The metadata indicates that the images were created at the following times using Adobe Photoshop CS6 on Windows:

Type	Time Created
Email banner JPEG	10/09/2019 19:36 UTC+3
Word banner JPEG	11/09/2019 14:35 UTC+3

Figure 9 – XMP metadata in eFax banner image in Word document.

All the Word documents contain the same embedded image called “efaxjpg”. The document template was originally created by a user named “home” and later modified by “Admin”. It’s probable that the document and email templates are part of a phishing kit that has been altered by this Buran affiliate.

Network Traffic

Buran determines the geo-location of the victim system by sending a HTTP GET request to hxxp://geoiptool[.]com. This is likely a geo-fencing measure because Buran’s developer stated that the malware will not run in former CIS countries.

Figure 10 – HTTP GET request to geoiptool[.]com.

After Buran is run, it makes a HTTP GET request to a custom IP Logger URL, a free website visitor tracking service. Buran’s operators likely use the service to track the systems that have been infected. Other ransomware families have used the service to track victims.[8]

Figure 11 – HTTP GET request to iplogger[.]ru.

The User-Agent string for the second request is “BURAN” and the referrer string is a unique identifier assigned to the victim. The identifier consists of uppercase alpha-numeric characters using the naming convention:

[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}

Execution

Buran exhibits similar behaviour to previously documented campaigns.[9] The macro saves the Buran executable upd198367.tmp to C:\Windows\Temp and then runs it. Following execution, the malware copies itself to a new directory where the executable is renamed to lsass.exe, an attempt to disguise itself as the Local Security Authority Subsystem Service:

C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\lsass.exe

Persistence

The malware makes little use of Windows APIs before it starts encrypting files. Instead it relies on Command shell (cmd.exe) commands to establish persistence and delete backups. Buran modifies the Run key in the Windows Registry, causing lsass.exe to run each time the user logs into Windows:

“C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\lsass.exe” -start

The name of the Run key value is “Local Security Authority Subsystem Service”. The malware then deletes the upd198367.tmp from C:\Windows\Temp.

Preparation Before Encryption

The malware disables Windows Error Recovery and Automatic Startup Repair on system start up by running BCDEdit commands:

“C:\Windows\system32\cmd.exe” /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
“C:\Windows\system32\cmd.exe” /C bcdedit /set {default} recoveryenabled no

The malware deletes Volume Shadow Copy Service (VSS) backups using different methods:

“C:\Windows\system32\cmd.exe” /C wbadmin delete catalog -quiet
“C:\Windows\system32\cmd.exe” /C wbadmin delete systemstatebackup
“C:\Windows\system32\cmd.exe” /C wbadmin delete systemstatebackup -keepversions:0
“C:\Windows\system32\cmd.exe” /C wbadmin delete backup
“C:\Windows\system32\cmd.exe” /C wmic shadowcopy delete
wmic shadowcopy delete
“C:\Windows\system32\cmd.exe” /C vssadmin delete shadows /all /quiet
vssadmin delete shadows /all /quiet

Anti-forensic Measures

The malware deletes RDP connection history and clears Application, Security and System event logs. Using the SC.exe utility, the malware also disables the Windows Event Log service (eventlog).

“C:\Windows\system32\cmd.exe” /C reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” /va /f
“C:\Windows\system32\cmd.exe” /C reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers” /f
“C:\Windows\system32\cmd.exe” /C reg add “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”

Configuration in Registry

Buran saves its configuration to the Registry, storing information including the Machine ID, Public Key and default file paths the encryption agent should encrypt.

Path	Name	Value
HKEY_CURRENT_USER\Software\Buran V	Knock	0x0000029a (666)
HKEY_CURRENT_USER\Software\Buran V\Service	Machine ID	Base64 encoded 1300 byte ID
HKEY_CURRENT_USER\Software\Buran V\Service	Public Key	Base64 encoded 303 byte key
HKEY_CURRENT_USER\Software\Buran V\Service\Paths	0	\\[HOSTNAME]
HKEY_CURRENT_USER\Software\Buran V\Service\Paths	1	\\[HOSTNAME]\Users
HKEY_CURRENT_USER\Software\Buran V\Service\Paths	2	C:\

Buran Version 5

Strings found in the executable suggest that Buran’s developers refer to the version of malware distributed in this campaign as “Generation V”. Moreover, Buran saves its configuration in a Registry key called “Buran V”, supporting this finding. The previous version of Buran was announced by buransupport in a forum post on 7 August 2019.

Figure 12 – Buran version 5.

Encryption

Buran encrypts files according to their file extension. All files are encrypted unless the file name, extension or directory has been excluded. The ransomware excludes the following file extensions:

.bat
.buran
.cmd
.com
.cpl
.dll
.exe
.lnk
.log
.msc
.msp
.pif
.scr
.sys

Buran does not encrypt files with the following names:

ctfmon.exe
master.exe
master.dat
ntldr
ntuser.dat
ntuser.ini
thumb.db

Buran also excludes directories that contain important operating system and web browser files. The list of directories matches an older Buran variant that was analysed by Acronis researchers in August 2019.[9]

:\$RECYCLE.BIN\
:\$Windows.~bt\
:\inetpub\logs\
:\intel\
:\nvidia\
:\RECYCLER
:\System Volume Information\
:\Windows.old\
:\Windows\
\All Users\
\AppData\
\Apple Computer\Safari\
\Application Data\
\Boot\
\Common Files\
\Embedded Lockdown Manager\
\Google\
\Google\Chrome\
\Internet Explorer\
\Microsoft Help\
\Microsoft\
\Mozilla Firefox\
\Mozilla\
\MSBuild\
\Opera Software\
\Opera\
\Package Cache\
\Reference Assemblies\
\Tor Browser\
\Windows Defender Advanced Threat Protection\
\Windows Defender\
\Windows Journal\
\Windows Mail\
\Windows Media Player\
\Windows Multimedia Platform\
\Windows NT\
\Windows Photo Viewer\
\Windows Photo Viewer\
\Windows Portable Devices\
\Windows Security\
\Windows Sidebar\
\WindowsPowerShell\

After it has finished encrypting files, Buran leaves a ransom note named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT”. The encrypted files have a 5-byte magic number (0x425552414E) corresponding to the ASCII string “BURAN” (figure 13). The victim identifier is appended to the name of the encrypted files using the naming convention:

\.\[[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\]

Figure 13 – Magic bytes of a file encrypted with Buran ransomware.

Figure 14 – Process interaction graph of Buran.

Indicators of Compromise

YARA

rule doc_efax_buran {
	meta:
		author = "Alex Holland (@cryptogramfan)"
		date = "2019-10-10"
		sample_1 = "7DD46D28AAEC9F5B6C5F7C907BA73EA012CDE5B5DC2A45CDA80F28F7D630F1B0"
		sample_2 = "856D0C14850BE7D45FA6EE58425881E5F7702FBFBAD987122BB4FF59C72507E2"
		sample_3 = "33C8E805D8D8A37A93D681268ACCA252314FF02CF9488B6B2F7A27DD07A1E33A"
		
	strings:
		$vba = "vbaProject.bin" ascii nocase
		$image = "image1.jpeg" ascii nocase
		$padding_xml = /[a-zA-Z0-9]{5,40}\d{10}\.xml/ ascii
		
	condition:
		all of them and filesize < 800KB
}

SHA256 Hashes

DC276B7CA4A980CF487B73B4EF9C40FB93F1B00B5C757A726057AB21A0372ECF wupd19823.tmp lsass.exe
8887797CA52A846D342CB95A0816CF95A615B54C763570218BA6E20B75AB44D1 eFax JPEG Word banner (efaxjpg)
21660B6E5C22F2BCAE7679C9DD5E82B994862A090B7CF0CC2E843FBD05901525 JPEG email banner

IMPHASH

C90B5FC557C898D093FC784752CF9A3C lsass.exe

File Paths

C:\Windows\Temp\upd198367.tmp
C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\lsass.exe

Registry Paths

HKEY_CURRENT_USER\Software\Buran V
HKEY_CURRENT_USER\Software\Buran V\Service
HKEY_CURRENT_USER\Software\Buran V\Service\Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service

URLs