First, it retrieves IP addresses in the victim’s network using the PowerShell Get-NetNeighbor cmdlet and Get-NetworkRange() function. The desktop wallpaper seen in this sample is shown in Figure 6.įigure 6: Desktop wallpaper and ransom noteīlackSun has network propagation functionality which allows it to infect other machines in local network.
After decoding, this wallpaper is created at c:\users\public\pictures\blacksun.jpg. BlackSun will also change the desktop wallpaper of infected systems to an embedded image encoded as Base64 data. After encryption a ransom note is written in each folder as BlackSun_README.txt. The list of such folders/files is present in code, shown in Figure 5.Įncrypted files will have a. Some folder and files are excluded from encryption. The table below notes the file extensions used in the code. The malware keeps list of file extension to encrypt hardcoded in an array. The count of jobs is calculated by the number of total files, referenced in Figure 4 as $intTotalCount, and the number of CPU cores, referenced as $intCoresCount.įigure 4: Code to divide encryption activity into multiple jobs The AES key is encrypted with X.509 public key certificate, hardcoded in code as shown in Figure 3.īlackSun splits task into multiple background jobs to speed-up encryption process.
It checks for presence of PowerShell process with its own script name as command line argument using the code shown in Figure 2.įigure 2: Code to check if script is already runningīlackSun encrypts files using AES256 algorithm. It will use additional execution of PowerShell for running internal capabilities, as well as the use of net.exe to map network drives.įigure 1: Process chain showing the execution history of BlackSunīefore starting any activity BlackSun checks if another instance is already running. The execution of BlackSun, shown in Figure 1, shows very limited subprocesses. Split encryption activity into multiple background jobs to speed-up encryption.Self-propagation within a local network.Ability to destroy local and network backups.Looking at the simplicity of code it is unclear if it is used for limited attacks or a proof-of-concept purpose, but it has effective methods that are potentially being used by ransomware. Unlike most other PowerShell-based ransomware it doesn’t download a payload or reflectively load a DLL or EXE into memory. Recently, the VMware Threat Analysis Unit analyzed BlackSun ransomware, a PowerShell-based ransomware. This article was authored by Pavankumar Chaudhari (TAU)
0 kommentar(er)
