DEMYSTIFYING MONEY MESSAGE RANSOMWARE 

 * April 6, 2023




MONEY MESSAGE RANSOMWARE SUSPECTED TO BE LEVERAGING STEALER LOGS



Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group
named Money Message. Money Message can encrypt network shares and targets both
Windows and Linux operating systems. Upon analyzing Money Message binaries, we
noticed a similarity: they contained admin credentials in the configuration,
which were then used to target network resources. Based on this, we suspect the
threat actors (TAs) might be leveraging stealer logs in their operation.

The group utilizes a double extortion technique to target its victims, which
involves exfiltrating the victim’s data before encrypting it. The group uploads
the data on their leak site if the ransom is unpaid.  

Money Message was first observed in March 2023 and has already affected more
than five publicly disclosed victims, with the majority of them being from the
United States. The victims belong to different industries, including BFSI,
Transportation and Logistics, and Professional Services. 

Figure 1 – Money Message Victim’s Distribution 



Among the victims of Money Message are also a few companies worth billions of
dollars. The leak site of Money Message ransomware is displayed in the figure
below.  

Figure 2 – Leak Site 




TECHNICAL ANALYSIS



The Money Message ransomware binary (SHA256:
dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac) is a 32-bit
executable compiled in C/C++.


The figure below shows the file details.  

Figure 3 – File Details 




CONFIG EXTRACTION



Upon execution, the ransomware retrieves its configuration settings from the
overlay of the ransomware binary. The configuration details are appended to the
end of the file at the offset 0XBF000. The configuration contains various
parameters, including a ransom note encoded in Base64 format and other settings
that determine the ransomware’s behavior during the execution. The following
parameters are present in the configuration: 

 * info_text_message
 * mutex_name
 * extensions
 * skip_directories
 * network_public_key
 * network_private_key
 * processes_to_kill
 * logging
 * domain_login
 * domain_password
 * crypt_only_these_directories
 * temporary_extension

The figure below shows the configuration details of the ransomware.

Figure 4 – Configuration Details 
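The overlay lookup described above can be reproduced for triage: the overlay starts where the last section's raw data ends, and the configuration keys listed above should appear there. This is an added example, not Cyble's tooling; the one-section PE built by build_stub_pe() is a constructed stand-in (its overlay starts at 0x400, not at the sample's 0xBF000).

```python
"""Locate a PE file's overlay and check it for the Money Message config keys.
Added example; the PE stub is constructed, not a real sample."""
import struct

# Parameter names from the configuration described in the analysis.
CONFIG_KEYS = [
    b"info_text_message", b"mutex_name", b"extensions", b"skip_directories",
    b"network_public_key", b"network_private_key", b"processes_to_kill",
    b"logging", b"domain_login", b"domain_password",
    b"crypt_only_these_directories", b"temporary_extension",
]


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the overlay begins: the end of the last
    section's raw data according to the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sections = coff + 20 + opt_size          # first 40-byte section header
    end = 0
    for i in range(num_sections):
        hdr = sections + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def config_keys_in_overlay(pe: bytes) -> list:
    """Names of the known configuration keys found in the overlay."""
    overlay = pe[overlay_offset(pe):]
    return [k.decode() for k in CONFIG_KEYS if k in overlay]


def build_stub_pe(overlay: bytes) -> bytes:
    """Constructed one-section PE: headers padded to 0x200, section raw data
    of 0x200 bytes at 0x200, so the overlay begins at 0x400."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    sec = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + overlay
```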




INFECTION



Afterward, the ransomware creates a mutex using the CreateMutexA() method, with
the name “12345-12345-12235-12354”, which it retrieves from the configuration.  

The figure below illustrates the process of mutex creation by ransomware.  

Figure 5 – Creates Mutex 

Now it stops the services present in the configuration file. It first opens the
Service Control Manager (SCM) by calling the OpenSCManagerW() function. It then
calls the EnumServicesStatusExW() function to enumerate all the services and
their status. If any of the services present in the configuration are found to
be running, the ransomware stops them using the CloseServiceHandle() function.

The ransomware binary stops the following services:

 * vss
 * memtas
 * Veeam
 * sql
 * mepocs
 * Backup
 * svc$
 * Sophos
 * Vmms

The figure below shows the function responsible for killing services.  

Figure 6 – Kills Services 



Next, the ransomware captures a list of the actively running processes on the
victim’s machine by utilizing the CreateToolhelp32Snapshot() function, and then
iterates through each process using the Process32FirstW() and Process32NextW()
functions. The ransomware then compares the name of each process with the
process list specified in its configuration file. If a match is found, the
ransomware terminates the process using the TerminateProcess() function. This
ransomware terminates the following processes:

 * sql.exe
 * sqbcoreservice.exe
 * mydesktopservice.exe
 * steam.exe
 * oracle.exe
 * excel.exe
 * ocautoupds.exe
 * thebat.exe
 * ocssd.exe
 * infopath.exe
 * encsvc.exe
 * thunderbird.exe
 * dbsnmp.exe
 * msaccess.exe
 * firefox.exe
 * visio.exe
 * synctime.exe
 * mspub.exe
 * tbirdconfig.exe
 * winword.exe
 * agntsvc.exe
 * onenote.exe
 * mdesktopqos.exe
 * wordpad.exe
 * isqlplussvc.exe
 * outlook.exe
 * ocomm.exe
 * vmms.exe
 * xfssvccon.exe
 * powerpnt.exe
 * dbeng50.exe
 * vmwp.exe

The figure below shows the functions used to identify and terminate processes. 

Figure 7 – Terminates Process  



Now this ransomware uses the ShellExecuteW() function to execute the
“vssadmin.exe delete shadows /all /quiet” command, which deletes all Volume
Shadow Copy Service (VSS) snapshots on the system without prompting for
confirmation.

The figure below shows the command used by ransomware to delete the shadow
copies.  

Figure 8 – Deletes Shadow Copies 
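The service stops, process kills and shadow copy deletion described in this section, together with the administrative-share connections covered later under lateral movement, can be correlated on a host as one triage check. This is an added example, not Cyble's detection content; the event dicts are a simplified, constructed stand-in for Sysmon telemetry, and the technique mapping for the process-kill burst is an assumption.

```python
"""Correlate the Money Message host behaviours over constructed
Sysmon-style events. Added example; events are not real telemetry."""
import re

# Service and process names taken from the sample's configuration.
SERVICES = {"vss", "memtas", "veeam", "sql", "mepocs", "backup", "svc$", "sophos", "vmms"}
PROCS = {"sql.exe", "sqbcoreservice.exe", "oracle.exe", "outlook.exe", "vmms.exe", "vmwp.exe"}
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(admin\$|[a-z]\$)$", re.I)   # \\host\C$, \\host\ADMIN$


def triage(events):
    """Return a list of (technique id, detail) findings for one host."""
    findings, stopped, killed = [], set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("T1490", f"{ev['parent']} ran: {ev['cmdline']}"))
        elif kind == "service_stop" and ev["service"].lower() in SERVICES:
            stopped.add(ev["service"].lower())
        elif kind == "process_terminate" and ev["image"].lower() in PROCS:
            killed.add(ev["image"].lower())
        elif kind == "share_connect" and ADMIN_SHARE.match(ev["share"]):
            findings.append(("T1021", f"admin share {ev['share']} opened as {ev['user']}"))
    if len(stopped) >= 3:   # one stop is admin noise; a burst across backup/AV is not
        findings.append(("T1562", "services stopped: " + ", ".join(sorted(stopped))))
    if len(killed) >= 2:    # mapped to T1486 as an encryption precursor (assumption)
        findings.append(("T1486", "file-locking processes killed: " + ", ".join(sorted(killed))))
    return findings


# Constructed event stream for a single host.
SAMPLE_EVENTS = [
    {"type": "service_stop", "service": "VSS"},
    {"type": "service_stop", "service": "Veeam"},
    {"type": "service_stop", "service": "Sophos"},
    {"type": "process_terminate", "image": "outlook.exe"},
    {"type": "process_terminate", "image": "sqbcoreservice.exe"},
    {"type": "process_create", "parent": "unknown.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "share_connect", "share": r"\\fileserver\C$", "user": r"corp\backupadmin"},
    {"type": "share_connect", "share": r"\\fileserver\public", "user": r"corp\alice"},
]


def triage_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for tid, detail in triage_sample():
        print(tid, detail)
```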



Afterward, the ransomware scans all the available drive letters on the system,
starting from A to Z. It uses the GetDriveTypeW() function to identify the type
of drive connected to each letter, including fixed, removable, or network
drives.  

The figure below shows the part of the ransomware code responsible for
identifying the drives on the victim’s machines.  

Figure 9 – Identifies Drive 



Now it fetches the list of file extensions to exclude from the encryption
process. The configuration in this ransomware binary has no values for the
extensions parameter, indicating that the ransomware will encrypt all the
files.

It also fetches the following list of directories from the configuration, which
will be excluded from the encryption process:

 * C:\\msocache
 * C:\\program files (x86)
 * C:\\$windows.~ws
 * C:\\program files
 * C:\\system volume information
 * C:\\$windows.~bt
 * C:\\perflogs
 * C:\\windows
 * C:\\programdata
 * C:\\windows.old
 * C:\\boot

The Money Message ransomware now initiates its encryption process. It uses the
Elliptic Curve Diffie-Hellman (ECDH) key exchange and the ChaCha stream cipher
to encrypt data on a victim’s system and demands a ransom for its release.

The figure below shows the cryptographic algorithms present in the binary.  

Figure 10 – Encryption Algorithm 



Like other ransomware groups, this ransomware does not rename the file after
encryption. The figure below shows the encrypted file.  

Figure 11 – Encrypted File 



This ransomware fetches the base64 encoded ransom note from the configuration
and then decodes it. It creates a file named money_message.log for writing the
ransom note. This note contains the instructions given by the TA.  

Figure 12 – Ransom Note 




LATERAL MOVEMENT 



The Money Message ransomware tries to access administrative network shares by
calling WNetAddConnection2W() with admin authentication credentials present in
the configuration. Once it has gained access to the network using these
credentials, the ransomware begins encrypting files in the network shares.  

The figure below shows the process used by ransomware to encrypt the network
shares.  

Figure 13 – Lateral Movement 




CONCLUSION 



Money Message is a newly discovered ransomware strain that has victims
worldwide. In a specific instance, the group demanded a ransom of USD 500,000,
which may vary depending on the targeted organization’s revenue. Additionally,
Money Message is capable of encrypting network shares, and its approach to
target network shares resembles that of the Maze and Petya ransomware. The fact
that the group has already targeted several high-profile organizations,
including billion-dollar companies, further highlights the impact of this
ransomware. As such, organizations must remain vigilant and take necessary
precautions to prevent falling victim to such attacks. 


OUR RECOMMENDATIONS 

  

We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:   


SAFETY MEASURES NEEDED TO PREVENT RANSOMWARE ATTACKS 

 

 * Conduct regular backup practices and keep those backups offline or in a
   separate network.   
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic.   
 * Use a reputed anti-virus and Internet security software package on your
   connected devices, including PC, laptop, and mobile.   
 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.   


USERS SHOULD TAKE THE FOLLOWING STEPS AFTER THE RANSOMWARE ATTACK 



 * Detach infected devices on the same network.   
 * Disconnect external storage devices if connected.   
 * Inspect system logs for suspicious events.   


IMPACT AND CRUCIALITY OF RANSOMWARE



 * Loss of valuable data.   
 * Loss of the organization’s reputation and integrity.   
 * Loss of the organization’s sensitive business information.   
 * Disruption in organization operation.   
 * Monetary loss.   

  


MITRE ATT&CK® TECHNIQUES   



Tactic             Technique ID   Technique Name
Execution          T1204          User Execution
Defense Evasion    T1140          Deobfuscate/Decode Files or Information
                   T1562          Impair Defenses
Discovery          T1007          System Service Discovery
                   T1083          File and Directory Discovery
                   T1135          Network Share Discovery
Lateral Movement   T1021          Remote Services
Impact             T1486          Data Encrypted for Impact
                   T1490          Inhibit System Recovery

  


INDICATORS OF COMPROMISE (IOCS)



Indicators                                                         Indicator Type   Description
400fa5d02c1ac704cd290d959b725e67                                   MD5              Money Message Windows Executable
456e5cb1739cb5f29020d1a692289a5af07ce90d                           SHA1
dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac   SHA256
abe3c3cc45dec9c01762ba3e534564ed                                   MD5              Money Message Linux Executable
3b4ecff980285461642cc4aef60d4a1b9708453e                           SHA1
4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904   SHA256
163e651162f292028ca9a8d7f1ed7340                                   MD5              Money Message Windows Executable
a85ff9091f298ea2d6823a7b0053daa08b237423                           SHA1
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b   SHA256


YARA RULES



rule Win32_Rasomoney_message
{
    meta:
        description = "this rule detects money message windows executable"

    strings:
        $a = "TW9uZXkgbWVzc2FnZQ"
        $b = "network_public_key"
        $c = "network_private_key"
        $e = "YmxvZ3ZsN3RqeWp2c2Z0aG9idHR6ZTUydzM2d3dpejM0aHJmY21vcmd2ZHpiNmhpa3VjYjdhcWQub25pb24"

    condition:
        uint16(0) == 0x5A4D and
        ($a and $e and $b and $c)
}
