Threat Analysis Unit

Threat Analysis Unit (TAU) Threat Intelligence Notification: MailTo (NetWalker) Ransomware

MailTo is a ransomware variant that has recently been reported to have been part of a targeted attack against Toll Group, an Australian freight and logistics company. This ransomware makes no attempt to remain stealthy, and quickly encrypts the user’s data as soon as it is launched. Once the encryption phase completes, the encrypted files are renamed to contain the word “mailto”, which is where the name originated. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) released an alert advisory for this ransomware. This ransomware also masquerades as a legitimate software application known as “Sticky Password”, which was created by former executives of the trusted AV company AVG. A sample of the ransom note is shown below.


Behavioral Summary

The TTPs for this particular sample discussed in this report are displayed within VMware Carbon Black Endpoint Standard as shown below.


Details

When the ransomware is first executed, a registry key is created under HKLM\Software\<6-digit-ID>. An example is shown below.


During execution, the ransomware makes an API call to AdjustTokenPrivileges in order to assign SeDebugPrivilege and SeImpersonatePrivilege to its own process. The ransomware immediately starts to encrypt the files on the victim’s local drive using the Windows system calls NtQueryInformationFile and NtSetInformationFile. A ransom note is created with the name {ID}-Readme.txt (e.g. 8066A-Readme.txt) and is automatically opened in Notepad once the encryption completes. The same ID is used when a file is encrypted: the email address used in the ransom note is appended to the encrypted file along with the {ID} used for the ransom note, for example: slides.pptx.mailto[[email protected]].8066A. The email used in the filename is the first email address shown in the ransom note. Once complete, the command C:\Windows\system32\vssadmin.exe delete shadows /all /quiet is executed to silently delete the volume shadow copies stored on the victim’s machine, making it impossible for the user to restore their system to its original state.

Next, a batch file is temporarily written to the user’s %TEMP% directory. The file is randomly named, for example BC7B.tmp.bat. This batch file is responsible for opening two taskkill.exe processes and executing taskkill /F /im “<name-of-ransomware>.exe”. The /F flag forces termination and /im selects the target by image name, so the ransomware terminates its own process.
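The process chain described above (vssadmin shadow deletion, a randomly named .tmp.bat in %TEMP%, taskkill against the ransomware’s own image name, and Notepad opening the {ID}-Readme.txt note) can be turned into detection logic over process-creation telemetry. The following is an added example, not code from the report or from the Carbon Black platform; the record layout and the sample events are constructed here for illustration.

```python
import re

# Constructed sample telemetry (not from the report): one process-creation record per line,
# fields separated by '|' as "pid|ppid|image|cmdline".
SAMPLE_EVENTS = """\
4312|3000|C:\\Users\\victim\\Desktop\\invoice.exe|invoice.exe
4500|4312|C:\\Windows\\system32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
4620|4312|C:\\Windows\\system32\\cmd.exe|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\BC7B.tmp.bat
4700|4620|C:\\Windows\\system32\\taskkill.exe|taskkill /F /im "invoice.exe"
4800|3000|C:\\Windows\\system32\\notepad.exe|notepad.exe 8066A-Readme.txt
"""

# Patterns derived from the behaviour the report describes.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
TEMP_BAT_RE = re.compile(r"\\temp\\[0-9a-f]{4}\.tmp\.bat", re.I)
TASKKILL_RE = re.compile(r'taskkill\s+/f\s+/im\s+"?([^"\s]+)"?', re.I)
NOTE_RE = re.compile(r"notepad(\.exe)?\s+\S*[0-9A-F]+-Readme\.txt", re.I)

def parse(events):
    """Turn the constructed '|'-separated records into dicts."""
    rows = []
    for line in events.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        rows.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return rows

def detect(events):
    """Return (rule name, pid) for every record matching one of the MailTo behaviours."""
    rows = parse(events)
    by_pid = {r["pid"]: r for r in rows}
    hits = []
    for r in rows:
        cmd = r["cmdline"]
        if VSSADMIN_RE.search(cmd):
            hits.append(("shadow_copy_deletion", r["pid"]))
        if TEMP_BAT_RE.search(cmd):
            hits.append(("temp_batch_launch", r["pid"]))
        m = TASKKILL_RE.search(cmd)
        if m:
            # The batch file's taskkill names the ransomware's own image, so walk up the
            # parent chain and flag only when the target is an ancestor of this taskkill.
            target = m.group(1).lower()
            parent = by_pid.get(r["ppid"])
            while parent is not None:
                if parent["image"].lower().endswith("\\" + target):
                    hits.append(("self_kill_via_taskkill", r["pid"]))
                    break
                parent = by_pid.get(parent["ppid"])
        if NOTE_RE.search(cmd):
            hits.append(("ransom_note_opened", r["pid"]))
    return hits
```

A taskkill whose target is not an ancestor of its own process tree is deliberately left unflagged, which keeps ordinary administrative use of taskkill out of the results.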

The ransomware uses self-injection in order to hide part of its configuration by embedding the configuration in the resources section of the PE file. As the ransomware performs this unpacking in memory, manual debugging of the sample is required in order to locate the unpacking stub. After further debugging, we come across a completely new PE file, as shown by the MZ header.


Dumping the memory region to a new PE file and loading it into IDA, we can get an idea of some of the configuration used by the ransomware. A snippet of part of the function is shown below. 


Above are some of the configuration options contained in the binary. For example, “crmask” contains the “.mailto[email].{ID}” suffix mask, “mail” contains the email addresses shown in the ransom note, and “lend” contains the base64-encoded ransom note.
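Once the configuration has been dumped, the “crmask”, “mail” and “lend” fields can be turned directly into analyst artefacts: the decoded ransom note and a filename pattern for the encrypted files. The following is an added example, not code from the report; it assumes the dumped configuration is a JSON object (the report only names the keys), and every value in it is constructed for illustration.

```python
import base64
import json
import re

# Constructed sample of a decoded configuration. Assumption: only the key names come from
# the report; the JSON layout, the email addresses and the note text are made up here.
SAMPLE_CONFIG = json.dumps({
    "crmask": ".mailto[email].{ID}",
    "mail": ["contact1@example.invalid", "contact2@example.invalid"],
    "lend": base64.b64encode(
        b"Your files are encrypted.\nWrite to contact1@example.invalid or contact2@example.invalid\n"
    ).decode("ascii"),
})

def load_config(raw):
    """Return the fields an analyst wants: the suffix mask, the emails and the decoded note."""
    cfg = json.loads(raw)
    note = base64.b64decode(cfg["lend"]).decode("utf-8", errors="replace")
    return {"crmask": cfg["crmask"], "mail": list(cfg["mail"]), "note": note}

def encrypted_name_regex(cfg):
    """Build a regex for encrypted filenames such as slides.pptx.mailto[<email>].<ID>.
    The report states the filename uses the first email of the ransom note, so only mail[0]
    is substituted into the mask; the ID is captured so it can be tied to the {ID}-Readme.txt note."""
    first_mail = cfg["mail"][0]
    mask = re.escape(cfg["crmask"])
    mask = mask.replace(re.escape("[email]"), "\\[" + re.escape(first_mail) + "\\]")
    mask = mask.replace(re.escape("{ID}"), r"(?P<id>[0-9A-Fa-f]+)")
    return re.compile(r"^(?P<orig>.+)" + mask + r"$")

def ransom_note_name(victim_id):
    """Name of the note dropped next to the encrypted files for a given victim ID."""
    return f"{victim_id}-Readme.txt"

def scan_filenames(cfg, names):
    """Return (original name, victim ID) for every filename that matches the encrypted mask."""
    rx = encrypted_name_regex(cfg)
    found = []
    for name in names:
        m = rx.match(name)
        if m:
            found.append((m.group("orig"), m.group("id")))
    return found
```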

The process activity from VMware Carbon Black Cloud Enterprise EDR is shown below.



To learn more about further ransomware behavior, detection and protection capabilities within the VMware Carbon Black platform against Zeppelin ransomware, you may refer to the following blog post:

TAU-TIN – Ransomware Threats

Remediation:

MITRE ATT&CK TIDs

TID    Tactic             Description
T1083  Discovery          File and Directory Discovery
T1119  Collection         Automated Collection
T1081  Credential Access  Credentials in Files
T1005  Collection         Data from Local System
T1486  Impact             Data Encrypted for Impact

Indicators of Compromise (IOCs)
