Threat analysis: DoppelPaymer ransomware

Acronis Cyber Protect Cloud
for service providers

Threat analysis: DoppelPaymer ransomware

Summary

  • DoppelPaymer ransomware was first discovered in April 2019
  • Belongs to the Dridex malware family, distributed by the INDRIK SPIDER cybercrime group
  • Encryption algorithm is changed from RC4 to AES-256-CBC
  • Creates obsolete system services and modifies them to start the ransomware
  • Manually resolves API functions via PE structure and TEB
  • Over 60 organizations have been successfully compromised
  • The DoppelPaymer group runs a Twitter account

Attack vector

DoppelPaymer is a successor of BitPaymer ransomware, and is part of the Dridex malware family. It’s currently being distributed in various forms, including phishing or spam emails with attached documents that are embedded with malicious code — either JavaScript or VBScript. On execution, this code downloads DoppelPaymer’s first-stage loader on the victim’s machine. The attackers then use the PowerShell Empire toolkit to run a brute-force attack on Active Directory. The Mimikatz module is used to dump passwords from the system memory.

To start, DoppelPaymer injects its code to explorer.exe, leveraging the DLL hijacking technique.

Once user credentials are compromised, the ransomware can be distributed across the network, stealing and encrypting confidential data.

DoppelPaymer is known to exploit the CVE-2019-19781 vulnerability affecting Citrix ADC in its latest campaigns.

Bypassing UAC

DoppelPaymer ransomware is delivered as a self-extracting archive. It enforces extraction to the path C:\Users\gratemin\Desktop, mimicking the typical, benign software installation process.

If extracted to any other path, DoppelPaymer will not run, as it looks for files at this specific location. This indicates that this particular sample was designed to run on a specific target with an existing user named “gratemin.”

Installation of the ransomware requires admin privileges. As a result, the UAC window pops up and users are prompted to click “Yes” to proceed.  

The ransomware drops a 3,231 KB executable file from the archive and runs it with the parameter QWD5MRg95gUEfGVSvUGBY84h.”

The executable is signed and pretends to be the “SpotLife WebAlbum Service Plugin” supposedly released by Logitech Inc. The certificate is issued to “LOVER BRANDS UK LTD.”

Payload

DoppelPaymer’s executable is obfuscated in the way specific to the Dridex malware family. The obfuscated starting code contains junk code and control flow obfuscation, and is used to decode the payload.

After decoding the payload, it jumps to the original entry point (OEP) where the ransomware starts initialization with the creation of command-line arguments.

The value of the argument that will be passed to ransomware is calculated as a CRC32 hash from the passed argument value. Next, the value is added to the hard-coded value (0xE484133A, in this sample). DoppelPaymer then jumps to the address that is the sum of the current value of the instruction pointer and the calculated value.

Obfuscated Runtime Linking

DoppelPaymer stores API functions and strings hashed with CRC32. The next screen shows how the API function is resolved. The first value is a hash for the DLL name, and the second one is for the API function to be imported. Both are sent to the resolving function.

The function is quite complex and volumetric. There are many loops performed for checking with known hashes, PEB structure, and PE header.

To iterate over loaded modules, DoppelPaymer gets DllBase using the TEB structure.

To iterate over API functions, DoppelPaymer uses the PE structure and export directory.

To resolve DLL, it checks the given hash against the list. If matched, DoppelPaymer gets the DLL base address from the second column of the resolving table.

87B8391C - ntdll.dll

7E038593 - kernel32.dll

E58BCD71 - advapi32.dll

28B22D7D - shlwapi.dll

6FDEE9F3 - crypt32.dll

Otherwise, DoppelPaymer enumerates over TEB, gets a module name, makes it uppercase, calculates CRC32 hash, XORes with 0xE788D68D, and checks with the given one:

CRC32(Upper(‘kernel32.dll’)) ^ 0xE788D68D = CRC32(‘KERNEL32.DLL’) ^ 0xE788D68D = 0x998B531E ^ 0xE788D68D = 0x7E038593

After the DLL name is resolved, API function hash is XORed with 0xE788D68D and functions are hashed, one by one, by CRC32 to match with the given hash.

Alternate Data Streams (ADS)

Once launched, DoppelPaymer creates an alternate data stream (ADS) with a random name in the %AppData% folder:

<random>:<random>

In this way, DoppelPaymer hides its malicious executable by leveraging ADSes provided within NTFS to avoid detection by antivirus solutions.

The second stage payload of the ransomware is then launched using the created ADS:

‘C:\Users\<USER>\AppData\Roaming\<random>:<random> QWD5MRg95gUEfGVSvUGBY84h C:\Users\gratemin\Desktop\p1q135no.exe’

Creating System Service

With its elevated privileges, DoppelPaymer creates an obsolete service that is not used under the current Windows version, and modifies it to start the ransomware executable.

To take control over the created service, DoppelPaymer runs the following commands:

C:\Windows\system32\takeown.exe /F <service_name>

C:\Windows\system32\icacls.exe <service_name> /reset

In one such case, DoppelPaymer creates the “RPC Locator” service, which enabled RPC clients that use the RpcNs* APIs to locate RPC servers until Windows 2003. In later Windows versions, like Windows 7 and Windows Vista, the service is present to support application compatibility but is not generally used. 

A comparison of two versions of RPC services, with the second screen shows DoppelPaymer’s malicious service:

The differences between both RPC services are as follows:

  1. The legitimate RPC service logs on as “Network Service,” while DoppelPaymer’s does so as “Local System.”
  2. DoppelPaymer’s service has no dependencies.
  1. DoppelPaymer’s service starts the Locator.exe file, which is a copy of the ransomware executable p1q135no.exe mentioned above.

Encryption

Before encryption, the attackers exfiltrate sensitive data and threatens to publish it on its data leak site.

DoppelPaymer deletes shadow copies:

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

Additionally, the ransomware creates a <random>.tmp file in %TEMP% folder with the following content:

delete shadows all

exit

Finally, the malware runs a .tmp file using diskshadow.exe to delete shadow copies.

C:\Windows\system32\diskshadow.exe /s C:\Users\User\Appdata\Local\Temp\<random>.tmp

DoppelPaymer receives the permissions for the <random>.tmp file by calling the following commands five times:

C:\Windows\system32\takeown.exe /F <file>

C:\Windows\system32\icacls.exe <file> /reset

DoppelPaymer uses AES-256-CBC encryption with zero IV to encrypt the victim’s files. The ransomware generates an AES-256-CBC key for each file using CryptGenKey().  It then encrypts the key with the embedded RSA-1024 public master key and encodes with Base64 to store it in the ransom note.

The following folders are placed on an allowlist and will not be encrypted:

System Volume Information

$RECYCLE.BIN

WebCache

Caches

Nor will files with the following extensions:

schre*.bat svcho*.exe v01res*.jrs RacWmi*.sdf v01.lo* v01.ch* Web*v01.dat readme2unlock.txt locked
chm hlf lng inf ttf cmd exe dll sys lnk ico ini msi

The encrypted folder looks as follows:

DoppelPaymer creates a ransom note for each file where DATA is AES-256-CBC key encrypted with RSA-1024 in the format <file name>.readme2unlock.txt. This contains the encrypted key for the current file.

The personal page and leak site are currently deactivated:

  • http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
  • http://doppleshare.top

Detection by Acronis

Acronis Cyber Cloud detects DoppelPaymer as Trojan.Ransom.GenericKD.34036779, and blocks execution of the ransomware.

Conclusion

DoppelPaymer uses the attack techniques that can be attributed to the Dridex malware family. It uses ADS to hide its payload and sets up a malicious service to establish persistence. Encrypted files cannot be restored without the private master key or decryptor. According to the data leak site, the DoppelPaymer group has successfully attacked more than 60 organizations.

Whether you’re a home user, business, or service provider, Acronis’s cyber protection solutions can safeguard your systems against DoppelPaymer and other modern ransomware variants. An advanced integration of data protection and cyber security — powered by Acronis Active Protection’s AI-driven behavioral heuristics — actively protects critical data and applications across entire workloads, stopping ransomware and other cyberthreats in their tracks.

IoCs

MD5: 8c54bbe3f191a8627bfeeb4cb02634a9

SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555

btpsupport@protonmail.com

q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion

C:\Users\gratemin\Dekstop

C:\Users\gratemin\Desktop\p1q135no.exe

*.locked

.readme2unlock.txt

http://doppleshare.top

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.