Threat analysis: DoppelPaymer ransomware
- DoppelPaymer ransomware was first discovered in April 2019
- Belongs to the Dridex malware family, distributed by the INDRIK SPIDER cybercrime group
- Encryption algorithm is changed from RC4 to AES-256-CBC
- Creates obsolete system services and modifies them to start the ransomware
- Manually resolves API functions via PE structure and TEB
- Over 60 organizations have been successfully compromised
- The DoppelPaymer group runs a Twitter account
To start, DoppelPaymer injects its code to explorer.exe, leveraging the DLL hijacking technique.
Once user credentials are compromised, the ransomware can be distributed across the network, stealing and encrypting confidential data.
DoppelPaymer is known to exploit the CVE-2019-19781 vulnerability affecting Citrix ADC in its latest campaigns.
DoppelPaymer ransomware is delivered as a self-extracting archive. It enforces extraction to the path C:\Users\gratemin\Desktop, mimicking the typical, benign software installation process.
If extracted to any other path, DoppelPaymer will not run, as it looks for files at this specific location. This indicates that this particular sample was designed to run on a specific target with an existing user named “gratemin.”
Installation of the ransomware requires admin privileges. As a result, the UAC window pops up and users are prompted to click “Yes” to proceed.
The ransomware drops a 3,231 KB executable file from the archive and runs it with the parameter QWD5MRg95gUEfGVSvUGBY84h.”
The executable is signed and pretends to be the “SpotLife WebAlbum Service Plugin” supposedly released by Logitech Inc. The certificate is issued to “LOVER BRANDS UK LTD.”
DoppelPaymer’s executable is obfuscated in the way specific to the Dridex malware family. The obfuscated starting code contains junk code and control flow obfuscation, and is used to decode the payload.
After decoding the payload, it jumps to the original entry point (OEP) where the ransomware starts initialization with the creation of command-line arguments.
The value of the argument that will be passed to ransomware is calculated as a CRC32 hash from the passed argument value. Next, the value is added to the hard-coded value (0xE484133A, in this sample). DoppelPaymer then jumps to the address that is the sum of the current value of the instruction pointer and the calculated value.
Obfuscated Runtime Linking
DoppelPaymer stores API functions and strings hashed with CRC32. The next screen shows how the API function is resolved. The first value is a hash for the DLL name, and the second one is for the API function to be imported. Both are sent to the resolving function.
The function is quite complex and volumetric. There are many loops performed for checking with known hashes, PEB structure, and PE header.
To iterate over loaded modules, DoppelPaymer gets DllBase using the TEB structure.
To iterate over API functions, DoppelPaymer uses the PE structure and export directory.
To resolve DLL, it checks the given hash against the list. If matched, DoppelPaymer gets the DLL base address from the second column of the resolving table.
87B8391C - ntdll.dll
7E038593 - kernel32.dll
E58BCD71 - advapi32.dll
28B22D7D - shlwapi.dll
6FDEE9F3 - crypt32.dll
Otherwise, DoppelPaymer enumerates over TEB, gets a module name, makes it uppercase, calculates CRC32 hash, XORes with 0xE788D68D, and checks with the given one:
CRC32(Upper(‘kernel32.dll’)) ^ 0xE788D68D = CRC32(‘KERNEL32.DLL’) ^ 0xE788D68D = 0x998B531E ^ 0xE788D68D = 0x7E038593
After the DLL name is resolved, API function hash is XORed with 0xE788D68D and functions are hashed, one by one, by CRC32 to match with the given hash.
Alternate Data Streams (ADS)
Once launched, DoppelPaymer creates an alternate data stream (ADS) with a random name in the %AppData% folder:
In this way, DoppelPaymer hides its malicious executable by leveraging ADSes provided within NTFS to avoid detection by antivirus solutions.
The second stage payload of the ransomware is then launched using the created ADS:
‘C:\Users\<USER>\AppData\Roaming\<random>:<random> QWD5MRg95gUEfGVSvUGBY84h C:\Users\gratemin\Desktop\p1q135no.exe’
Creating System Service
With its elevated privileges, DoppelPaymer creates an obsolete service that is not used under the current Windows version, and modifies it to start the ransomware executable.
To take control over the created service, DoppelPaymer runs the following commands:
C:\Windows\system32\takeown.exe /F <service_name>
C:\Windows\system32\icacls.exe <service_name> /reset
In one such case, DoppelPaymer creates the “RPC Locator” service, which enabled RPC clients that use the RpcNs* APIs to locate RPC servers until Windows 2003. In later Windows versions, like Windows 7 and Windows Vista, the service is present to support application compatibility but is not generally used.
A comparison of two versions of RPC services, with the second screen shows DoppelPaymer’s malicious service:
The differences between both RPC services are as follows:
- The legitimate RPC service logs on as “Network Service,” while DoppelPaymer’s does so as “Local System.”
- DoppelPaymer’s service has no dependencies.
- DoppelPaymer’s service starts the Locator.exe file, which is a copy of the ransomware executable p1q135no.exe mentioned above.
Before encryption, the attackers exfiltrate sensitive data and threatens to publish it on its data leak site.
DoppelPaymer deletes shadow copies:
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Additionally, the ransomware creates a <random>.tmp file in %TEMP% folder with the following content:
delete shadows all
Finally, the malware runs a .tmp file using diskshadow.exe to delete shadow copies.
C:\Windows\system32\diskshadow.exe /s C:\Users\User\Appdata\Local\Temp\<random>.tmp
DoppelPaymer receives the permissions for the <random>.tmp file by calling the following commands five times:
C:\Windows\system32\takeown.exe /F <file>
C:\Windows\system32\icacls.exe <file> /reset
DoppelPaymer uses AES-256-CBC encryption with zero IV to encrypt the victim’s files. The ransomware generates an AES-256-CBC key for each file using CryptGenKey(). It then encrypts the key with the embedded RSA-1024 public master key and encodes with Base64 to store it in the ransom note.
The following folders are placed on an allowlist and will not be encrypted:
System Volume Information
Nor will files with the following extensions:
The encrypted folder looks as follows:
DoppelPaymer creates a ransom note for each file where DATA is AES-256-CBC key encrypted with RSA-1024 in the format <file name>.readme2unlock.txt. This contains the encrypted key for the current file.
The personal page and leak site are currently deactivated:
Detection by Acronis
Acronis Cyber Cloud detects DoppelPaymer as Trojan.Ransom.GenericKD.34036779, and blocks execution of the ransomware.
DoppelPaymer uses the attack techniques that can be attributed to the Dridex malware family. It uses ADS to hide its payload and sets up a malicious service to establish persistence. Encrypted files cannot be restored without the private master key or decryptor. According to the data leak site, the DoppelPaymer group has successfully attacked more than 60 organizations.
Whether you’re a home user, business, or service provider, Acronis’s cyber protection solutions can safeguard your systems against DoppelPaymer and other modern ransomware variants. An advanced integration of data protection and cyber security — powered by Acronis Active Protection’s AI-driven behavioral heuristics — actively protects critical data and applications across entire workloads, stopping ransomware and other cyberthreats in their tracks.