Insights, news, education and announcements from PolySwarm

HavanaCrypt Distributed Via Fake Google Software Update

Written by PolySwarm Tech Team | Jul 18, 2022 4:04:52 PM



Executive Summary

Trend Micro recently reported on HavanaCrypt ransomware, which is being distributed disguised as a fake Google software update.

Key Takeaways

  • HavanaCrypt ransomware is delivered via a fake Google software update.
  • It uses a Microsoft web hosting service IP address for C2. 
  • HavanaCrypt employs multiple anti-virtualization techniques.
  • It uses modules from KeePass Password Safe in its encryption routine.

What is HavanaCrypt?

HavanaCrypt is a newly discovered ransomware family delivered via a fake Google software update. It is a .NET compile application protected by Obfuscar, an open-source obfuscator. To evade detection, HavanaCrypt uses a Microsoft web hosting service IP address for C2 and uses multiple methods to check for virtual machine environments.

When HavanaCrypt is executed, it hides its window and checks the AutoRun registry to see if the GoogleUpdate registry is present. If not present, HavanaCrypt continues, checking for virtual machine environments. If a virtual machine environment is detected, HavanaCrypt terminates itself.

HavanaCrypt uses several anti-virtualization techniques in an attempt to thwart dynamic analysis. It first checks for services run by virtual machines, including VMWare Tools and vmmouse. Next, it checks for files typically associated with virtual machine applications. It then checks for file names used for virtual machine executables. Finally, it checks the machine’s MAC address and compares it to organizationally unique identifier (OUI) prefixes known to be used by virtual machines.

If a virtual machine environment is not detected, the malware downloads a txt file from the C2 at 20.227.128[.]33, which is a Microsoft web hosting service IP address. HavanaCrypt saves the file as a batch file with a randomized file name of 20-25 characters. After creating the batch file, HavanaCrypt executes the file using cmd.exe with a /c start parameter. The file contains commands to make Windows Defender allow any threats detected in the %Windows% and %User% directories. The malware also terminates a variety of processes on the machine, including the following.

  • agntsvc
  • axlbridge
  • ccevtmgr
  • ccsetmgr
  • contoso1
  • culserver
  • culture
  • dbeng50
  • dbeng8
  • dbsnmp
  • dbsrv12
  • defwatch
  • encsvc
  • excel
  • fdlauncher
  • firefoxconfig
  • httpd
  • infopath
  • isqlplussvc
  • msaccess
  • msdtc
  • msdtsrvr
  • msftesql
  • msmdsrv
  • mspub
  • mssql
  • mssqlserver
  • mydesktopqos
  • mydesktopservice
  • mysqld
  • mysqld-nt
  • mysqld-opt
  • ocautoupds
  • ocomm
  • ocssd
  • onenote
  • oracle
  • outlook
  • powerpnt
  • qbcfmonitorservice
  • qbdbmgr
  • qbidpservice
  • qbupdate
  • qbw32
  • quickboooks.fcs
  • ragui
  • rtvscan
  • savroam
  • sqbcoreservice
  • sqladhlp
  • sqlagent
  • sqlbrowser
  • sqlserv
  • sqlserveragent
  • sqlservr
  • sqlwriter
  • steam
  • supervise
  • synctime
  • tbirdconfig
  • thebat
  • thebat64
  • thunderbird
  • tomcat6
  • vds
  • visio
  • vmware-converter
  • vmware-usbarbitator64
  • winword
  • word
  • wordpad
  • wrapper
  • wxserver
  • wxserverview
  • xfssvccon
  • zhudongfangyu
  • zhundongfangyu

Once the above processes are terminated, HavanaCrypt queries all disk drives, deletes shadow copies, system restore points, and changes the maximum amount of storage space to 401 MB. It then drops copies of itself as .exe files in the %ProgramData% and %StartUp% folders, with attributes set to Hidden and System File. It also drops a batch file in %User Startup% that is capable of disabling the Task Manager.

Trend Micro found that HavanaCrypt uses the QueueUserWorkItem function, a .NET System. Threading namespace method. QueueUserWorkItem queues a method for execution, and when a thread pool is available, the method executes. HavanaCrypt uses this to implement thread pooling for other payloads and encryption threads.

Prior to encryption, HavanaCrypt gathers information, including the number of processor cores, processor ID and name, socket designation, motherboard name and manufacturer, BIOS version, and product number,  and sends it to the C2.

HavanaCrypt uses modules from the open source password manager KeePass Password Safe, including the CryptoRandom function, during its encryption routine. It appends the .Havana extension to all encrypted files.

IOCs

PolySwarm has a sample of HavanaCrypt.

b37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87

You can use the following CLI command to search for all HavanaCrypt samples in our portal:

$ polyswarm link list -f HavanaCrypt


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports