Introduction
LIKEAHORSE is ransomware that made the news in January, but although it was looked at, I have found no actual report on its features and abilities online. This blog post therefore goes over all of its capabilities, for future reference should any variant of it appear. Unlike most mainstream malware, LIKEAHORSE is small, but it is just as robust at carrying out the attack assigned to it and should still be taken seriously.
Malware Targets
The first thing the sample checks is the default language ID of the computer. If the language ID matches one of the following locales, the process is terminated immediately. The countries and languages not affected by this malware are Tatar (Russia), Armenian (Armenia), Azerbaijani (Azerbaijan), Kyrgyz (Kyrgyzstan), Tajik (Cyrillic, Tajikistan), Belarusian (Belarus) and Kazakh (Kazakhstan).
This leads me to speculate that this malware originated somewhere in Eastern Europe, possibly Russia.
Privilege Escalation Attempt
The exciting feature of this sample is its ability to delete shadow copies using the program vssadmin.exe. Shadow copies are backups/snapshots of a Windows system that allow the system to be rolled back in the event of file corruption, deletion or, in this case, ransomware.
Because of this ability, LIKEAHORSE must then escalate its privileges. It does this by capturing tokens and then using the runas tool to launch LIKEAHORSE as administrator. If successful, the shadow copies are deleted, making it more difficult, if not impossible, to revert to an earlier state after the attack without proper offline backups.
Defense Take Down
Even if privileges are not escalated, LIKEAHORSE can still issue the following commands to take down the defenses of the target.
- bcdedit /set {current} bootstatuspolicy ignoreallfailures
- bcdedit /set {current} recoveryenabled no
- netsh advfirewall set allprofiles state off
The sample also attempts to locate a program called tesql.exe, but the reason for this is unclear.
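As an added example (my own code, not the author's and nothing taken from the sample), here is a small Python check that flags the commands above, plus the vssadmin shadow-copy deletion, in process-creation telemetry and then groups the hits by parent process, since one parent firing several of these rules is far more telling than any single command. The Sysmon-style JSON fields, the file paths and the exact vssadmin arguments are assumptions.

```python
import json
import re

# Command lines the write-up attributes to LIKEAHORSE. The vssadmin arguments are
# not given in the write-up, so that pattern is an assumption.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "boot_status_policy_ignore": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "firewall_disabled": re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 style, JSON lines).
# Not real telemetry; paths and the parent process name are made up.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {current} bootstatuspolicy ignoreallfailures", "ParentImage": "C:\\Users\\user\\Downloads\\invoice.exe"}
{"EventID": 1, "ProcessId": 4124, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {current} recoveryenabled no", "ParentImage": "C:\\Users\\user\\Downloads\\invoice.exe"}
{"EventID": 1, "ProcessId": 4130, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall set allprofiles state off", "ParentImage": "C:\\Users\\user\\Downloads\\invoice.exe"}
{"EventID": 1, "ProcessId": 4150, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": "C:\\Users\\user\\Downloads\\invoice.exe"}
{"EventID": 1, "ProcessId": 4200, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
'''
def match_rules(command_line):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, pat in RULES.items() if pat.search(command_line)]

def scan_events(jsonl):
    """Parse JSON-lines process-creation events; return one hit per matched rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        for rule in match_rules(ev.get("CommandLine", "")):
            hits.append({"rule": rule, "pid": ev["ProcessId"], "parent": ev["ParentImage"]})
    return hits

def suspicious_parents(hits, min_rules=2):
    """Group hits by parent image. Admins run bcdedit or netsh legitimately; one parent
    firing several of these rules is what matches the chained behaviour described above."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["parent"], set()).add(h["rule"])
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(suspicious_parents(found))
```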
Encryption Keys Mechanisms & Fail Safe Feature
LIKEAHORSE uses a key-handling scheme that does not reduce its strength but does act as a host-based indicator for future variants. First, a hard-coded, base64-encoded RSA encryption key is found within the binary. This key is then used to encrypt the private key generated at run time. The encrypted private key is base64-encoded and written to a file called uninstall.png. This is a fake PNG file, not steganography. The unencrypted public key generated by the program at run time is also written to this file.
From analyzing this sample, I believe this is some kind of fail-safe. The file uninstall.png is written only once and registered as a PNG file, so it will probably be overlooked. If the ransomware ever encrypted the author's own computer, the encryption keys could be recovered with the second part of the hard-coded base64-encoded key pair. While this protects the authors, it also creates a large host-based indicator that can be used to track possible versions of the malware sample.
Hard Coded Key
- MD5: 6c9954510b946650e2334662cd66deb9
- SHA-1: 187f1ec4893e51a7a0d8387770b74a35863a4254
- SHA-256: 64383d0284c129587615505c8967d5a924b999a8c6a44a326988b4df461f8c50
This does not help the victim, as they will never have access to the second key pair.
RANSOMWARE NOTE
LIKEAHORSE leaves a ransom note detailing how payment is to be made. It also contains a unique ID.
- MD5: a096f2bd21b84276abd6b39833db1714
- SHA-1: 13044247b7c10bd46edf267b745f29b057265fb8
- SHA-256: 0b2c5164788763f143600520cb9e89e797cbe3e634db182100bdb51312c2c21c
Network Capabilities
From my analysis, there are no signs that LIKEAHORSE can move through a network or that it actively looks for a vulnerability to do so; there is a total lack of network activity altogether. It can encrypt multiple logical drives, but that is the extent of its reach.
Conclusion
LIKEAHORSE should be categorized as low-grade ransomware. Its lack of worm-like abilities and its less reliable privilege escalation tactics make it less powerful than other ransomware. The analysis here was done on a Windows 7 virtual machine, and even then its privilege escalation technique did not work. Good backups that are kept offline remain an effective mechanism for combating this ransomware, but there are several more.
- Hardening configuration audits so that this sample cannot take down defenses is a must.
- The IOCs found in this report should also be added to detection. The hard-coded encryption keys provide a strong host-based IOC that can be used to quickly identify this sample and track version changes.
LIKEAHORSE SIGNATURES
- MD5: bb23e3de5bcd95e4c5b47ba1276f4a39
- SHA-1: e8066a96876c287b837869412e6be99847f4588c
- SHA-256: 6d2efda037fe23b1fe3a5bae44f5b9f7ddfdf621c5df6cb6999d801bbdf79b0f