GandCrab Ransomware Found Hiding on Legitimate Websites

The GandCrab ransomware continues to virulently spread and adapt to shifting cyber-conditions, most recently crawling back into relevance on the back of several large-scale spam campaigns.

What’s interesting is that GandCrab payload was found hiding on legitimate but compromised websites. These, when analyzed, were found to be riddled with vulnerabilities stemming from outdated software, highlighting one of the biggest issues when it comes to the security of cyberspace.

“Most small businesses aren’t aware that a new vulnerability has been released against a web framework and even if they did, most lack the expertise and time to be able to frequently update the software that the companies’ websites rely upon,” explained Cisco Talos researcher Nick Biasini, who, along with fellow researchers Nick Lister and Christopher Marczewski, examined the campaigns and published an analysis on Wednesday.

He added, “Adversaries, on the other hand, are able to quickly leverage these vulnerabilities and begin widely scanning the internet looking for potential victims. Leveraging these compromised sites in these types of spam campaigns is increasingly effective because adversaries don’t need to maintain persistence, or do much of anything other than copying a file to a specific location that they can point to systems, allowing for infection.”

Legitimate Payload Hosts

In all, Talos observed four, nearly identical offensives over the course of just one week at the beginning of May. Using e-commerce order lures, the emails included rudimentary body text and either an attached ZIP file or VBScrip file, which, when opened, pulled GandCrab off a website.

Digging deeper, the researchers found that the malware was actually being served from legitimate websites rather than malicious links, including one for a courier service in India, and a WordPress site for an herbal medicine purveyor.

After examining the Indian website, it became apparent that a host of issues were present in the website’s code, including the use of default credentials and multiple MySQL vulnerabilities. As for the WordPress site, it was running a version of the content management system that was more than a year out of date. Both also have publicly exposed admin pages for the web frameworks they’re using.

Sites that use antiquated software are easy pickings for adversaries, and Biasini noted that using them to serve up malware saves “time and money, doing things like registering domains, buying VPS, and configuring a web server to host the files.” The other added advantage is that bad actors can benefit from the web reputation of the site they compromise, which could help bypass some blacklisting technologies, in theory.

“This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving GandCrab not once, but twice, over a few days.”

The Payload

GandCrab spreads via the RIG and GrandSoft exploit kits, as well as via email spam as seen in the latest campaigns. However, there’s also a GandCrab Affiliate Program, according to recent from Check Point, which pays participants about 60 percent to 70 percent of the ransom revenue in return for full technical support. The firm observed one of the largest affiliates distributing 700 different samples of the malware during the month of March alone.

“[GandCrab] is under almost constant development, with its creators releasing new versions at an aggressive pace,” Talos’ Biasini said. “It does the typical things ransomware does, including encrypting files with the .CRAB extension, changing the user’s background and leveraging Tor for communication.”

For instance, the malware quickly morphed to get around a free decryption tool. A joint operation in February by Romanian police, Bitdefender and Europol hacked into the malware’s infrastructure, gathering analysis that ultimately produced a tool allowing victims to decrypt their files for free. But a new version of the bad code quickly emerged within a month, with a fix for the critical encryption flaw that would have allowed a universal decryptor.

Even though cryptomining has become the next big thing in malware, there are still billions of dollars to be had in the ransomware field. With tactics like using legitimate sites to hide the payload proving to be consistently effective, reaping those dollars becomes an easier task than it would be otherwise.

“Threats like GandCrab are going to continue to emerge time and time again,” Biasini said. “There are millions and millions of web pages running on platforms that have thousands of vulnerabilities. Since most of these pages are created and maintained by small organizations that don’t have the knowledge or resources to react to emerging vulnerabilities, this will continue to be a problem for the foreseeable future. As long as adversaries are able to hide their malware on legitimate sites, web reputation systems are going to be compromised.”