I Reverse Engineered a Dangerous Virus and Found Something WEIRD (ESXiargs ransomware deep dive)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

this malware is crazy it's called esxi args and it's encrypted the VMS maliciously of 500 hosts in France Germany the UK and the US in this video we're doing a malware Deep dive we're gonna kind of walk through here what's going on I'm seeing that they're doing something with the config file they're editing the config to change the vmdk file to a vmdk.swap so nothing really crazy going on here they're killing the vmx process you kill vmx your VMS die so that means you're turning off the VMS before they encrypt ah and here is the meat and potatoes of this malware so essentially what it's doing is it looks like it's going through every volume in the vmfs volumes directory it's trying to see if those volumes have any known file extension for a file they'd want to encrypt so vmdk vmx vmxf swap files vmem and vram Etc and then okay here's where the evil begins it's running start encrypt with the size step and all this good stuff using this encrypt binary the reason why I'm looking for this encrypt binary is because I saw this encrypt binary on malware Bazaar associated with esxi RX I was trying to figure out how did it get invoked what do the malware author do to run this script so we're going to take a look today at the encrypt binary and see what it's doing on the inside so let's look at the command line here running the encrypt binary with a public key okay so it's probably some kind of SSH generated public key on the file so the file is coming from our for Loop here for every file in the volumes and then we're getting some kind of size of the file and then the size of the file in looks like pages so 1024 bytes okay and we pump all that out to death null and suppress the output to the command line okay so let's let's open up the encrypt binary and see what encrypt is doing so when I start any project where I'm doing malware analysis I kind of do some very basic uh triage of the file to see what's going on to get to get me an idea of how much work I have to do or what I'm in for uh so we have two files here one is encrypt and one is decrypt so on malware Bazaar there are actually two copies of the encrypt file but one of them did an encryption one of them did a decryption essentially What's Happening Here is the malware author will leave you the decrypt binary which depends on a private key that you have to buy from them right they say give me 20 Bitcoin or I won't give you the file to decrypt your stuff so they leave you with this but no key so the file we're actually interested in is the encrypt file this is the ransomware itself that gets ran by the Run sh script so we're gonna do file on this and see what's going on here so we have a 64-bit elf that makes sense esxi is typically ran on 64-bit Intel processors nothing going on that's crazy there dynamically linked meaning it was Ram with standard GCC no crazy Flags uh for Linux 268 that's a very old version of Linux compile too um with the debug info not stripped okay so typically if you were a malware author you don't want people to reverse engineer your malware probably the authors of esxi args are mad that I'm doing this but what you would do is you would strip the binary so that there was no information about what the binary did so that a reverse engineer like me couldn't figure out what your binary does not only did they not strip the binary they left it with debug info which means that all of the functions still have symbols and there's still information from GCC about how this program got compiled so Jesus Christ we're gonna run strings on this is like the next step of our triage to see what we got ourselves into by looking at the functions here and the strings list we can kind of see get an idea for what the binary does just from Reading off some strings right so we have Malik mem copy I'm looking for things that are more related to encryption decryption so here we have symbols that come in from openssl so it's going to read some file as a public key some file as a private key it's going to use some kind of pseudo RNG probably to generate key information for the later encryption and then we have public encrypt or private decrypt so that's if you don't know the difference between asymmetric and symmetric key encryption we'll talk about that here in a minute um but essentially looks like we encrypt the thing using the private key let's dump this binary into our disassembler our analyzer and see what trouble we can get into okay I want to say an important caveat real quick normally ghidra does not look this cursed okay but I made the font size like 64 for my mobile users so if you're a mobile user early anybody just type uh thank you Triple L in the comments just just go do it it's fine don't worry about it like it's okay you're welcome okay so uh we have the binary open here in ghidra guidra put us into the main function and again the only reason I know it's the main function is because the malware author left their symbols and their debug information in the binary so cool we're at Main let's figure out what's going on here uh we got a pretty robust usage screens if we were to run this program but not give it three arguments uh we would have the prompt to put in a public key and the path to a file to encrypt let's go ahead and rename this bad boy name this rxc because that's what it is and we can also rename this parameter it's going to be renamed arc V and we're going to retype it we're going to retype it to be a care star star and then guidra will make the the code look really pretty uh we give it the path to the binary to run a public key and then the file to encrypt and then it does something with that so let's walk through and see what it's doing okay cool so we get some very robust information here again guidra is cool but leaving debug symbols in your binary is cooler so we run through these functions here and this is kind of the order of operations for what this ransomware does and again we're in the encrypt part of the ransomware so we do init lib SSL let's see what that bad boy does um let's see here we use DL open which uses the Linker to open an elf so if it's opening libssl.so and then it looks like if that fails okay so it's it's trying to find some version of webssl be it a DOT so1 a DOT so6 whatever it's just looking for any version and then once it gets through and it eventually finds a valid of SSL it's using Dil Sim to run time linking it's looking for these symbols in a library and then it's putting them into some Global structure to call them later again this would be kind of complicated to debug if they didn't leave their symbols in the binary but they did so that's fine and even then even if they hadn't we have the strings right here that it's looking for so we could have easily just renamed this pointer this name and then there you go so it's populating this table of function pointers to call later for the binary and again kind of like the strings call did before this gives us a good idea of what the binary is going to do so it's looking for some function to read in an RSA public key some function to read in an RSA private key it's going to use an RNG to generate bytes and move my fat head out of the way all right cool and then uh it's going to do a public encrypt or a private decrypt so that's that's all we're looking for here so we're gonna go back and see now that we've loaded all these functions into the into the binary what do we do with them so we get PK data I'm assuming that means we're getting the public key data because again we're in the encrypt function and if you're maliciously encrypting you encrypt with your public key so what do we do here we open a file to read we seek to the end to make sure that the file length is not zero okay and again it would throw an error if your file key is zero pretty sweet um we Malik that many bytes plus one we read from that file into this buffer and then we return so essentially all we're doing here is we're reading a public key into this buffer so we can rename this PK buff there we go so then now we're creating an RSA object using PK buff and something else so it's probably take Text data in from PK buff and then output a pointer to an RSA object so we're going to go ahead and read this real quick um yep so it creates a new basic in and out memory buffer which is an open SSL concept and then we read from that basic in and out buffer which is the data from our file our key file and we create a public key object and then we output that to param two and then there we go okay awesome so now we have our key object our key information to do some kind of RSA encryption so we're going to say RSA key object and then we're kind of getting close to the end here so now all we have to do is do encrypt file and I'm assuming that yep so again Arc V2 contains the file we're going to encrypt we have our RSA key object and then some other variables we're not sure what they do yet so let's go ahead and open up the encrypt file function so we open a file to read write this is our Target file it's the file we want to encrypt the thing maliciously we're holding for ransom and then we get generate a stream key interesting so this is probably our um symmetric key buffer foreign now we're going to RSA encrypt RSA object so essentially what it looks like we're doing is we are creating a symmetric key because again if you're seeing this hex 20 any multiple of 16 or 128 bits is going to be a symmetric uh stream key so we are encrypting that symmetric key and then we're using it to encrypt the file okay so essentially What's Happening Here is we are generating a stream key to use for symmetric encryption we are going to encrypt that symmetric key with an asymmetric Keys that's our RSA public key and then we're going to encrypt that vmdk which is the thing we're holding Ransom and then it looks like we are slapping that encrypted key onto the end of the file and then that's it that's all the ransomware does so it takes random well actually let's generate let's see how it generates a stream key it uses lran pseudobites so there could have been a vulnerability in this ransomware where maybe they don't use random information for the keys or maybe they you know they don't see to their RNG properly maybe they seat it with a static number but the fact that they're using the open SSL pseudo RNG means it's likely cryptographically secure right so I guess to confirm our assumptions about how this thing is working let's go through to the the decrypt malware or the decrypt piece again that is the binary that the victim is given and see what it does in theory it should do this in the exact opposite order right you should give it a private key as input it should pull the encrypted stream key off the end and then use that stream key to decrypt your files let's go ahead and import that to guidra and see if we are correct guys I'm gonna freak out I can't look at this [ __ ] all right okay so after fighting with 64 Point font ghidra uh we are in the main function of the decrypt binary so again this is a binary that the victim is likely given to decrypt their malware or to decrypt their files um yeah so you are you instead of giving it a public key you give it now the private key that you bought from the ransomware author and you point it at the file you would like to decrypt something something something so get PK data this should now be open up a well first we're just going to open the file but then we're going to create an RSA object with RSA private key yeah yes exactly so RSA you have a key pair and the one that you want to sell or you're for a ransomware author you want to give to your victim is the private key it's the one that you only have one copy of you don't distribute that freely because it's private all right so we read in that private key we create the object and now this is the part where we actually decrypt our files so again what it should do is it should extract the encryption key right which is done right so it takes the RSA object as input and then what this function does is it says what is the size of a thing encrypted by this key right what that's going to do is it's going to look at the end of the file and probably extract the encrypted key blob and then yes you RSA decrypt that key blob and then you cut that key off the end of the file you truncate it and then you encrypt and again it's symmetric symmetric key so it could just be it's the same algorithm you just use the same key that you've now decrypted and you close it and then you have your file back ta-da so there we go um pretty simple malware honestly the fact that they did a good job of like not compromising their encryption scheme with like a decent cryptography but like left their binaries with [ __ ] symbols is insane to me um but so be it anyway guys I do these videos all the time I'm getting more into cyber security this channel goes on so if you like this video do me a favor hit like hit subscribe and then go watch this video right here about a thing I did with the thing it's really cool go keep go go click it

Info

Channel: Low Level Learning

Views: 768,992

Rating: undefined out of 5

Keywords: esxiargs, esxi args, malware analysis, ransomware, cybersecurity, hackers

Id: DdVC1eVfZUI

Channel Id: undefined

Length: 12min 41sec (761 seconds)

Published: Sat Feb 18 2023