URL: https://blog.cyble.com/2023/06/13/threat-actor-targets-russian-gaming-community-with-wannacry-imitator/
THREAT ACTOR TARGETS RUSSIAN GAMING COMMUNITY WITH WANNACRY-IMITATOR

June 13, 2023




PHISHING GAMING SITE OPENS THE DOOR TO RANSOMWARE INFECTION



Gaming has gained immense popularity, attracting millions of players globally,
primarily due to the wide range of game options available, strong community
engagement, and its entertainment value. Unfortunately, this widespread appeal
has also attracted the attention of Threat Actors (TAs), who seek to exploit
gamers by targeting games with large user bases to maximize their potential
victims. While searching for free or pirated games, some gamers disregard
security measures and unknowingly download malicious software onto their
systems.

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring
phishing campaigns that use gaming sites as a distribution channel for various
malware families. Recently, CRIL uncovered a phishing campaign that targets
Russian-speaking gamers with the aim of distributing ransomware. The TAs behind
the campaign use phishing pages designed to closely resemble the legitimate
Enlisted game website.

Enlisted, a squad-based multiplayer tactical first-person shooter, was
developed by Darkflow Software and published by Gaijin Entertainment. This
free-to-play game is set against the backdrop of World War II and focuses on the
major battles fought on all fronts of the war.

The figure below shows the fake Russian-language “Enlisted” game website.

Figure 1 – Phishing page downloading malicious Enlisted Game Installer



The fake website hosts an installer file that bundles a legitimate game
installer with ransomware. The ransomware calls itself “WannaCry 3.0” and
appends the “wncry” extension to the files it encrypts, although it is not a
genuine variant of the WannaCry ransomware. It is a modified build of an
open-source ransomware called “Crypter”, developed for Windows and written
purely in Python. The Crypter code is hosted in a GitHub repository created by
the user ‘@sithis993’.

The figure below shows the GitHub Repository of Crypter Ransomware Builder.

Figure 2 – GitHub Repository of Open Source Crypter Ransomware Builder




TECHNICAL DETAILS


In this technical analysis, we examined an installer sample named
“enlisted_beta-v1.0.3.115.exe” with SHA256
“c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2”, downloaded
from the phishing site “hxxp://testsite-beta-ne[.]1gb[.]ru/”.

The figure below shows the installer file details.

Figure 3 – File Details of the Installer File



When a user runs the “enlisted_beta-v1.0.3.115.exe” file, it shows an
installation wizard to install the game, as shown in the figure below.

Figure 4 – Enlisted Game Installer Window



The “enlisted_beta-v1.0.3.115.exe” installer contains two executables:
“ENLIST~1.EXE”, the legitimate Enlisted game installer, and “enlisted.exe”, the
ransomware. In the background, the installer drops both files into
“C:\Users\<user>\AppData\Local\Temp\IXP000.TMP”.

The figure below shows the files dropped by the installer.

Figure 5 – The Files Dropped by the Installer




WANNACRY 3.0 CRYPTER



The WannaCry 3.0 Crypter is a 64-bit PyInstaller executable with SHA256 as
“c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce”.

The figure below shows the details of the ransomware executable.

Figure 6 – WannaCry 3.0 Ransomware File Details



When “enlisted.exe” is executed, it extracts the Python runtime files it needs
into the %temp% directory. The figure below shows the “.pyc”, “.pyd”, and “.dll”
files extracted from the PyInstaller executable.

Figure 7 – Extracted Files of PyInstaller Executable



The “Main.py” file is the entry point for the ransomware. This file has two
functions, one to create a mutex or check for an existing one and the other to
initiate further ransomware activities.

The figure below shows the code to check mutex and start ransomware activities.

Figure 8 – Ransomware Entry Point



When the ransomware runs, it tries to create a mutex named “mutex_rr_windows”
on the system using the win32event.CreateMutex() function. If the mutex already
exists, the call reports ‘ERROR_ALREADY_EXISTS’ and the code raises a
MutexAlreadyAcquired() exception. If no mutex exists, win32event.CreateMutex()
creates the mutex and returns the mutex object.

The figure below shows the code to create and check the mutex.

Figure 9 – Ransomware Code To Create Mutex



Once the mutex is checked, the ransomware retrieves its configuration settings
from a file “runtime.cfg”, which is a JSON file.

The figure below shows the code to load the ransomware config file.

Figure 10 – Ransomware Code to Load Configuration File



The “runtime.cfg” file contains various parameters, including a ransom note and
other settings that determine the ransomware’s behavior during the execution.
The following parameters are present in the configuration:

 * maj_version
 * min_version
 * gui_title
 * encrypt_attached_drives
 * encrypt_user_home
 * encrypted_file_extension
 * disable_task_manager
 * open_gui_on_login
 * time_delay
 * wallet_address
 * bitcoin_fee
 * key_destruction_time
 * max_file_size_to_encrypt
 * filetypes_to_encrypt
 * ransom_message
 * make_gui_resizeable
 * always_on_top
 * background_colour
 * heading_font_colour
 * primary_font_colour
 * secondary_font_colour
 * delete_shadow_copies

The figure below shows the configuration details of the ransomware.

Figure 11 – Ransomware Configuration File
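A responder who recovers a runtime.cfg from a sample wants a quick, repeatable read-out of what the build will do (delay, destructive switches, the extension to hunt for) rather than eyeballing the JSON. The triage script below is an added example, not Cyble's code and not part of the Crypter project; it knows only the key names listed above, and every value in the constructed SAMPLE_RUNTIME_CFG (versions, fee, extensions, colours, placeholder wallet and note) is invented for illustration, not taken from the sample.

```python
import json

# Every key the analysis lists for runtime.cfg. Used to flag configs that
# deviate from the known layout (a fork, a newer build, a damaged file).
EXPECTED_KEYS = (
    "maj_version", "min_version", "gui_title", "encrypt_attached_drives",
    "encrypt_user_home", "encrypted_file_extension", "disable_task_manager",
    "open_gui_on_login", "time_delay", "wallet_address", "bitcoin_fee",
    "key_destruction_time", "max_file_size_to_encrypt", "filetypes_to_encrypt",
    "ransom_message", "make_gui_resizeable", "always_on_top",
    "background_colour", "heading_font_colour", "primary_font_colour",
    "secondary_font_colour", "delete_shadow_copies",
)

# Constructed configuration for this example; values are NOT from the sample.
SAMPLE_RUNTIME_CFG = json.dumps({
    "maj_version": 3, "min_version": 0, "gui_title": "WannaCry 3.0",
    "encrypt_attached_drives": True, "encrypt_user_home": True,
    "encrypted_file_extension": "wncry", "disable_task_manager": False,
    "open_gui_on_login": False, "time_delay": 0,
    "wallet_address": "PLACEHOLDER_WALLET", "bitcoin_fee": 0.05,
    "key_destruction_time": 72, "max_file_size_to_encrypt": 1048576,
    "filetypes_to_encrypt": ["txt", "docx", "xlsx", "jpg", "png"],
    "ransom_message": "PLACEHOLDER_RANSOM_NOTE",
    "make_gui_resizeable": False, "always_on_top": True,
    "background_colour": "#000000", "heading_font_colour": "#ff0000",
    "primary_font_colour": "#ffffff", "secondary_font_colour": "#aaaaaa",
    "delete_shadow_copies": True,
})

# Boolean switches that change what the build does to the host. The ATT&CK
# mapping for the first two follows the page's own technique table.
BEHAVIOUR_FLAGS = {
    "delete_shadow_copies": "deletes volume shadow copies (T1490)",
    "disable_task_manager": "disables Task Manager (T1562)",
    "open_gui_on_login": "adds itself to startup programs",
    "encrypt_attached_drives": "also encrypts attached drives",
    "encrypt_user_home": "encrypts the user home directory",
}


def triage_runtime_cfg(raw):
    """Parse a runtime.cfg blob and return the facts a responder cares about."""
    cfg = json.loads(raw)
    present = set(cfg)
    ext = str(cfg.get("encrypted_file_extension", "")).lstrip(".")
    return {
        "version": f'{cfg.get("maj_version")}.{cfg.get("min_version")}',
        # Layout drift: keys the known config has but this one lacks, and vice versa.
        "missing_keys": sorted(set(EXPECTED_KEYS) - present),
        "unknown_keys": sorted(present - set(EXPECTED_KEYS)),
        # time_delay == 0 means encryption starts immediately after the checks.
        "delay_seconds": int(cfg.get("time_delay", 0)),
        # Only switches that are literally true count; "1" or "yes" is drift.
        "enabled_behaviours": [k for k in BEHAVIOUR_FLAGS if cfg.get(k) is True],
        # Glob for a disk sweep of already-encrypted files.
        "hunt_glob": f"*.{ext}" if ext else None,
        "target_extensions": sorted(
            str(e).lower().lstrip(".") for e in cfg.get("filetypes_to_encrypt", [])
        ),
        "max_file_size_to_encrypt": cfg.get("max_file_size_to_encrypt"),
        "wallet_address": cfg.get("wallet_address"),
    }


def describe(report):
    """Human-readable one-liners for the enabled behaviours."""
    return [BEHAVIOUR_FLAGS[k] for k in report["enabled_behaviours"]]


if __name__ == "__main__":
    rep = triage_runtime_cfg(SAMPLE_RUNTIME_CFG)
    print(json.dumps(rep, indent=2))
    for line in describe(rep):
        print("-", line)
```

Run it against a real runtime.cfg by replacing SAMPLE_RUNTIME_CFG with the file's contents; a non-empty missing_keys or unknown_keys list is the first sign the sample is not the build described here.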



In addition to loading the configuration file, the ransomware creates two files
in the C:\Users\<user>\AppData\Roaming folder, “enc_test.txt” and
“encrypted_files.txt”. As the names suggest, “enc_test.txt” is a text file used
to verify that data is being encrypted, and “encrypted_files.txt” holds the
list of files encrypted by the ransomware.

The figure below shows the dropped files.

Figure 12 – Test File Created by Ransomware



Next, the ransomware checks “encrypted_file_list.txt”. If the file is empty,
the ransomware sleeps for the duration set in the configuration file. In this
configuration the delay is 0, so the ransomware does not delay its operation.

Subsequently, the ransomware conducts checks to determine whether the task
manager should be disabled and whether the ransomware needs to be added to the
startup programs. In the case of the WannaCry 3.0 ransomware, both of these
settings are disabled.

The figure below shows the code to sleep, check for disabling task manager, and
startup entry.

Figure 13 – Ransomware Checking Various Operations



Next, the ransomware initializes the encryption keys used to encrypt files on
the system. It first checks for a “key.txt” file in its working directory. If
the key file is present, it uses that key. If the key file is absent, the
ransomware generates the keys and stores them in a new “key.txt” file in the
current working directory.

The figure below shows the key loading and key generation code.

Figure 14 – Ransomware Initializing Encryption Keys



Afterward, the ransomware builds the list of files to be encrypted. To do so, it
walks the system looking for files to encrypt and records each one with its
full path. The ransomware has a list of files excluded from encryption and a
list of target extensions, both taken from the configuration file. It excludes
three files from encryption: WNCRY_PUBLIC_KEY_1.txt, WNCRY_PUBLIC_KEY_2.txt, and
WNCRY_README.txt, all located in “C:\Users\Public”.

The figure below shows the file enumeration for encryption.

Figure 15 – Ransomware Listing Files to be Encrypted
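The host artifacts named in the last few sections (the two marker files under AppData\Roaming, the key.txt in the working directory, the three WNCRY_* files under C:\Users\Public, and the “wncry” suffix on encrypted files) are what an incident responder sweeps a suspect profile for. The sweep below is an added example, not Cyble's or the project's code; it builds a constructed directory tree that mimics a post-infection user profile (the file names are the page's, the tree layout, the victim user name and the placement of key.txt in the IXP000.TMP extraction directory are assumptions) and reports what it finds by artifact class.

```python
import tempfile
from pathlib import Path

# Marker files the analysis reports under C:\Users\<user>\AppData\Roaming.
ROAMING_ARTIFACTS = {"enc_test.txt", "encrypted_files.txt"}
# Files the encryptor deliberately skips under C:\Users\Public.
PUBLIC_ARTIFACTS = {"wncry_public_key_1.txt", "wncry_public_key_2.txt", "wncry_readme.txt"}
# Suffix appended to every encrypted file.
ENCRYPTED_SUFFIX = ".wncry"


def sweep(root):
    """Walk `root` (a mounted or copied profile) and bucket matching artifacts.

    Returns a dict of sorted, POSIX-style relative paths keyed by artifact class.
    Matching is case-insensitive because NTFS is.
    """
    root = Path(root)
    findings = {"roaming_markers": [], "public_notes": [], "key_files": [], "encrypted": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts]
        name = parts[-1]
        if name in ROAMING_ARTIFACTS and "roaming" in parts:
            findings["roaming_markers"].append(rel.as_posix())
        elif name in PUBLIC_ARTIFACTS and "public" in parts:
            findings["public_notes"].append(rel.as_posix())
        elif name == "key.txt":
            # The page says key.txt lives in the working directory, which is
            # not fixed, so any key.txt is reported for manual review.
            findings["key_files"].append(rel.as_posix())
        elif name.endswith(ENCRYPTED_SUFFIX):
            findings["encrypted"].append(rel.as_posix())
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_tree():
    """Create a constructed tree that mimics a profile after infection."""
    base = Path(tempfile.mkdtemp(prefix="wncry_sweep_demo_"))
    files = {  # constructed sample data, not real victim files
        "Users/victim/AppData/Roaming/enc_test.txt": "encryption test marker",
        "Users/victim/AppData/Roaming/encrypted_files.txt": "Users/victim/Documents/report.docx\n",
        "Users/Public/WNCRY_README.txt": "ransom note placeholder",
        "Users/victim/Documents/report.docx.wncry": "ciphertext placeholder",
        "Users/victim/Documents/notes.txt": "untouched file",
        "Users/victim/AppData/Local/Temp/IXP000.TMP/key.txt": "key placeholder",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in sweep(demo_root).items():
        print(f"{kind}: {paths}")
```

Pointing sweep() at the root of a mounted image (so that the Users folder is directly beneath it) keeps the relative paths comparable across hosts; the encrypted_files.txt marker, when present, doubles as the attacker's own inventory of what was touched.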



The ransomware proceeds to encrypt the files from the generated list, utilizing
the AES encryption algorithm. Once the files are encrypted, the ransomware adds
a “wncry” extension at the end of the encrypted filename.

The figure below shows the code to encrypt the files.

Figure 16 – Ransomware Code to Encrypt Files



Unlike many other ransomware families, WannaCry 3.0 does not terminate
processes or stop services. It only deletes shadow copies from the system,
which it does through the Task Scheduler.

The ransomware creates a scheduled task named “updater47” with the command
vssadmin Delete Shadows /All /Quiet and runs the task immediately after creating
it to delete the shadow copies.

The figure below shows the task created by the ransomware.

Figure 17 – Ransomware Deleting ShadowCopies
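The scheduled task is the noisiest thing this sample does, and the page gives a detection team two concrete handles: the task name “updater47” and the vssadmin Delete Shadows /All /Quiet command line. The rule below is an added example, not Cyble's code; it runs over constructed process-creation records in the shape of Sysmon Event ID 1 (image, parent image, command line) and flags shadow-copy deletion (T1490), a task that wraps it, the reported task name, and a parent launched from the IXP000.TMP extraction directory. The exact schtasks.exe invocation shown in the sample events is an assumption, since the page does not state how the task is created.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\enlisted.exe",
     "cmdline": 'schtasks /Create /TN "updater47" /TR "vssadmin Delete Shadows /All /Quiet" /SC ONCE /ST 00:00 /F'},
    {"pid": 1210, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vssadmin Delete Shadows /All /Quiet"},
    {"pid": 1300, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},            # benign admin activity
    {"pid": 1400, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
]

# Deletion of all shadow copies, whether typed directly or embedded in a task action.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
# Self-extracting-installer staging directory the analysis reports (IXP000.TMP).
TEMP_STAGING = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
REPORTED_TASK_NAME = "updater47"


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    cmd = event["cmdline"]
    if SHADOW_DELETE.search(cmd):
        reasons.append("shadow-copy deletion via vssadmin (T1490)")
    if SCHTASKS_CREATE.search(cmd):
        match = TASK_NAME.search(cmd)
        name = match.group(1) if match else "<unknown>"
        if SHADOW_DELETE.search(cmd):
            reasons.append(f"scheduled task '{name}' wraps shadow-copy deletion")
        if name.lower() == REPORTED_TASK_NAME:
            reasons.append(f"task name matches reported indicator '{REPORTED_TASK_NAME}'")
    if TEMP_STAGING.search(event.get("parent", "")):
        reasons.append("parent process runs from an IXP000.TMP-style extraction directory")
    return reasons


def detect(events):
    """Return (pid, reasons) for every event that triggers at least one reason."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The two vssadmin checks are deliberately independent: the task-creation event fires even if the later vssadmin child is never logged, and the direct vssadmin event fires even when the task was created by a method that does not pass through schtasks.exe.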



Once the shadow copies are deleted, the ransomware starts a cleanup procedure:
it deletes the encrypted file list, removes the registry entries it created (if
any), and re-enables the Task Manager (if it was disabled).

The figure below shows the code for cleaning up the files and registry.

Figure 18 – Ransomware Cleaning Up the System After Encryption



Next, the ransomware displays the ransom note as a Graphical User Interface
(GUI) application. The WannaCry 3.0 note contains only the Telegram account ID
“wncry_support_bot” as the channel for negotiating with the TAs. The GUI also
shows the time remaining to pay the ransom, the keys used to encrypt the files,
a button to view the list of encrypted files, and a field to enter the
decryption key.

The figure below shows the GUI applications executed by ransomware after
encryption.

Figure 19 – Ransomware Executing GUI-Based Ransom Note



Finally, the ransomware changes the desktop background image to show additional
information, as shown in the figure below.

Figure 20 – Desktop Background Changed by Ransomware




CONCLUSION



WannaCry 3.0 Ransomware is a modified version of an open-source Python-based
Crypter ransomware that targets Russian-speaking gamers. The ransomware
operation is simple and does not have any leak site or dedicated chat link, but
it utilizes a Telegram bot for ransom-related communication.

Given the targeted user base, there is speculation that the motivation behind
its creation could be influenced by the ongoing Russia-Ukraine conflict.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

 * Conduct regular backup practices and keep those backups offline or in a
   separate network
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic.
 * Use a reputable anti-virus and Internet security software package on your
   connected devices, including PC, laptop, and mobile.
 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

 * Detach infected devices from the network
 * Disconnect external storage devices if connected
 * Inspect system logs for suspicious events

Impact of Ransomware

 * Loss of valuable data
 * Loss of the organization’s reputation and integrity
 * Loss of the organization’s sensitive business information
 * Disruption in organization operation
 * Financial loss


MITRE ATT&CK® TECHNIQUES



Tactic             Technique ID   Technique Name
Initial Access     T1566          Phishing
Execution          T1204          User Execution
Discovery          T1083          File and Directory Discovery
Defense Evasion    T1070          Indicator Removal
                   T1562          Impair Defenses
Impact             T1486          Data Encrypted for Impact
                   T1490          Inhibit System Recovery


INDICATORS OF COMPROMISE (IOCS)



Indicator                                                           Indicator Type   Description
65fdd5e706d45e8bb83bc13311fb4da4                                    MD5              enlisted_beta-v1.0.3.115.exe
6515911679fdb3d6267ab44b67415dc32e587440                            SHA1             enlisted_beta-v1.0.3.115.exe
c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2    SHA256           enlisted_beta-v1.0.3.115.exe

77873f29f166fd64350be2a1391ce9f9                                    MD5              enlisted.exe
dfaab002eca691708228846e0d16905290031d48                            SHA1             enlisted.exe
c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce    SHA256           enlisted.exe

a6c971ab47c13b513af07d6dc3b06e8e                                    MD5              enlisted.exe
aa86ba02efd41f624b51956311b8759711a207ab                            SHA1             enlisted.exe
3741580d662ba528004695bf6441fc03e6e195c8d599ea7cbb8a8c4ec59efef4    SHA256           enlisted.exe

55fac3a480c154fd5f2344992db4c5b0                                    MD5              enlisted.exe
31278826e062d0a8b4ffe52caf1aa5c2804f3441                            SHA1             enlisted.exe
444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790    SHA256           enlisted.exe

84c613a151449be56b5afb0291fc0cca                                    MD5              enlisted.exe
9b43fdfd6ddb70a7418158c33d4c9a41f341a4e2                            SHA1             enlisted.exe
51aeac86371a1dafe7601b40a1b897f1c5c62ed6aa6fcdb3fe39e6ebf480763f    SHA256           enlisted.exe

66742054e5ba484ef06d7cc2b52bd6c3                                    MD5              enlisted.exe
0dc36a78cb251f6272991d541b7dffb438e2eb36                            SHA1             enlisted.exe
dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005    SHA256           enlisted.exe

hxxp://testsite-beta-ne[.]1gb[.]ru/download/enlisted_beta-v1.0.3.115.exe   URL   Download URL
hxxp://adobe-acrobat[.]1gb[.]ru/download/adobe_acrobat_reader.exe          URL   Download URL

About Us 


Cyble is a global threat intelligence SaaS provider that helps enterprises
protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus
is to provide organizations with real-time visibility to their digital risk
footprint.

Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been
recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch
In 2020.

Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore,
Dubai and India, Cyble has a global presence. To learn more about Cyble,
visit www.cyble.com.  



© 2023. Cyble Inc. All Rights Reserved