Ransomware Builder — New Variant of “Hidden Tear” tracked to THT (Turk Hack Team)

Ransomware are everywhere — and its creators too. All you have to do is look closely!

It is common to find Ransomware on file hosting services such as Anonfiles, Mediafire, Mega or other such platforms until powerful dorks are queried or get the direct link access. Hence, we can classify it under Deep Web Category.

Today, I came across a file named “Ransomware-Builder-v0.2d-master.rar” with the tiny file size of 120KB. As the name indicates, this program is designed to build customized Ransomwares (Name of the Crypto-Ransomware Operation, Contact Email Address and Crypto Wallet Address) with inbuilt standards.

Upon unraring the package, 8 files are found in which 2 Executables are present along with 2 folders namely Decryptor and Icons, other files includes Config, Log and PDB.

Following are the features of this Ransomware Builder:-

Can add more extensions to encrypt files
Message for Victim
Explode Self Option
Add Directories for Crypting — C, D, E etc
Files are encrypted with .crypt Extension
Mouse Movement for Random Generated Password
The decryption keys goes to the log directory along with the timestamp

Moving to the technicalities, it is found that this Ransomware Builder is coded in C# using Visual Studio 2012 and uses AES-256 File Encryptor.

Analysis

Upon analysis, it is found that the file is having similarity with other 2 malicious files, which are “ Arquivos.exe” and “ Fortnite Multi v1.03.exe”.

On diving deep, it is found that the program had utilized several codes from offensive programs such as Slayer RDP Scanner and Bitcoin-Grabber and legit programs like IntelliLock .

Slayer RDP Scanner is a massive bruteforcer that checks for the RDP live connections, which is still active and Bitcoin-Grabber is the cryptovirus that swaps victims’ crypto address with attacker’s bitcoin address.

IntelliLock is the packer program which limits the number of executions, implements locks for custom trial limitations and much more.

By checking the time stamp, it is found that the program is revamped/compiled on 1st September, 2019; where other files (excluding executable) were recorded on 24th April, 2019.

String Reuse of other malwares were also spotted on closed observation such as:-

From the above image, it is found that :- Bitcoin-Grabber is also sharing the same string with this file and “ $bdc7eb29-a13f-4e0c-867f-294d90c3b5a2” is associated with the Bitcoin-Grabber Project.

It is also noted that the string “uzunluk” is a foreign word — upon searching it is found that uzunluk is a Turkish word — for “length” — Here is the first evidence of Turkish Presence.

As common strings were matched to Bitcoin-Grabber and Uzunluk; there are unique strings spotted on inspection, which includes the real author’s file execution path.

It is interesting to note that another actor had also been spotted for Bitcoin Grabber Master named “Abdou”.

On a simple search, it is found that the person is maintaining the Github profile with the handle NYAN-x-CAT (As earlier matched string $bdc7eb29-a13f-4e0c-867f-294d90c3b5a2 is found in the same profile’s repo).

From the above image, it can be found that the author’s name “Harun”got exposed while compiling the program “RansomBuilder”.

Let’s demystify the fog…

On a simple search, it is found that the author of this program had posted the same program in an Turkish Speaking Tech Forum on 12th April, 2019–2nd Evidence of Turkish Presence.

(The images from the author’s computer also set to Turkish — 3rd Evidence of Turkish Presence).

As a sign of warning, it had also been alerted that the program is coded for only Educational Purposes.

Upon further analysis, it is found that the new version (v3) of Ransomware-Builder tutorial is put on a video platform named KZ Torrrent. As per the timestamp in the video, the new version (v3) is re-compiled on 19th October, 2019.

On checking the details of the video author, it is found that the person is linked (or member) to the infamous hacking group “Turk Hack Team (THT)” who:

Carried massive cyber attack against Russia and Iran in 2016

Notable to deface 2024 websites in “THT Russia Operations”.

Orchestrated DDoS attacks, in which the attackers claimed to shut down top Russian and Iranian ministry websites.

From the comment section, it is found that the tool is being used actively by the community.

The domain turkhackteam.org is still active and poses as an Ethical Hacking Community with IP : 137.74.85.93 (fr-loadbalancer.turkhackteam.org)

On domain-digging, following things are found:-

Hosted In : Czech Republic
Server Used : LiteSpeed
Provider : Luna Node

By checking the IP reputation, it is found that THT is involved in the following network attacks, that are fingerprinted recently-

Targeting and attacking VPS is a common methodology adopted by adversaries in order to succeed Ransomware. This gives a solidified hint about the current usage of Ransomware.

KEY INTAKES

Ransomware Builder is the variant of Hidden Tear, which is the first open source Ransomware Trojan. Hence, old CryptoMalwares can still be evolved at any time.

Obsolete/Disfunctional Malware’s Codes are reused with slight changes like Obfuscation or revision.

Though the author had quoted that the program is for educational purpose, it can still get dirty when received in the wrong hands.

Old filenames can be replaced with new filenames with the same program, hence even the newbies get fooled.

Following are the IOCs for the file:-

MD5
701d229bfb274801626cf65d7829db93

SHA1
61647ed6978f88d9bad3425bf4620ce168afbb35

SHA256
354d02c57914426ce5f7c284e52f73a88797297f453db9e6123004d0baec04e0

SSDEEP
3072:mpgoRBe/dSe8rOoisHu13c/DVrs0JI0KhU+KAT794qNbqnk4q52i2:joiQrfiEuW/DAqk4g2i2

Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store