Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of widespread distribution.
Now that it is being distributed via a large campaign and an exploit kit, it was time to take a deeper dive into this ransomware to see what features it has. What was found is interesting: Matrix Ransomware has worm-like features that allow it to spread beyond the originally infected machine via Windows shortcuts, and it uploads statistics about the types of files that were encrypted.
When the Matrix Ransomware was first spotted around December 2016, it did not have a wide distribution compared to ransomware infections like Cerber or Spora Ransomware. Now that Matrix is being distributed using the RIG exploit kit via the EITest campaign, it could become a real game changer.
According to Brad Duncan, Matrix is distributed via hacked sites that have the EITest scripts injected into them. When a visitor goes to one of these hacked sites, depending on various criteria, Brad has seen EITest inject either the "HoeflerText font wasn't found" attack, which is distributing the Spora Ransomware, or the RIG exploit kit, which is now distributing Matrix.
You can see the source code of a hacked site with the injected RIG iframe below.
Once the RIG iframe is loaded, the exploit kit will attempt to exploit vulnerable programs on the computer in order to install the Matrix ransomware.
Some variants of the Matrix Ransomware also include a worm feature that allows it to spread and infect other machines through folder shortcuts. First spotted by MalwareHunterTeam, when we both analyzed Matrix we saw that, while performing the encryption, Matrix will hide a folder and then create a shortcut with the same name. It will then make a copy of the ransomware executable and save it as desktop.ini in the original, but now hidden, folder.
Below you can see an example of a user's profile folder after Matrix converted some of the folders to shortcuts.
Notice how the Documents and Downloads folders now show a shortcut symbol. If you go into the properties of one of these shortcuts, you will see that it attempts to launch a program.
The full command of this infected shortcut is:
%SystemRoot%\system32\cmd.exe /C explorer.exe "Documents" & type "Documents\desktop.ini" > "%TEMP%\OSw4Ptym.exe" && "%TEMP%\OSw4Ptym.exe"
Using the above example, when a user tries to open the Documents folder, the shortcut runs cmd.exe instead. The command first launches explorer.exe on the hidden "Documents" folder, so the user sees the expected contents and nothing looks wrong. It then uses type to copy "Documents\desktop.ini", which is really the ransomware executable, to "%TEMP%\OSw4Ptym.exe", and finally executes that copy, infecting the computer that opened the shortcut.
This method allows Matrix to spread to new computers via both network shares and removable drives.
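The following PowerShell script is an added example for defenders and is not code from the article or from the malware; it hunts a user profile, network share or removable drive for the folder-shortcut pattern described above. It looks for three things the text describes: a .lnk whose command line runs cmd.exe to copy a desktop.ini into %TEMP% and execute it, a hidden directory with the same name as the shortcut beside it, and a desktop.ini in that hidden directory that starts with the "MZ" executable header (a real desktop.ini never does). The $Roots paths, the -Quarantine switch and the ".quarantined" suffix are assumptions of this example.

```powershell
# Added example (not the article's or the malware's code): hunt for Matrix-style folder shortcuts.
# Assumes Windows PowerShell with the standard WScript.Shell COM object available.
param(
    [string[]]$Roots = @($env:USERPROFILE),   # assumed defaults; also try '\\fileserver\share' or 'E:\'
    [switch]$Quarantine                        # rename matching shortcuts so they can no longer be double-clicked
)

$shell = New-Object -ComObject WScript.Shell
$hits  = @()

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $_
        try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { return }
        $cmdline = "$($sc.TargetPath) $($sc.Arguments)"

        # Indicator 1: the shortcut runs cmd.exe, copies a desktop.ini into %TEMP% and executes it,
        # which is exactly what the Documents shortcut quoted in the article does.
        $launchesIni = ($cmdline -match 'cmd\.exe') -and ($cmdline -match 'desktop\.ini') -and ($cmdline -match '%TEMP%')

        # Indicator 2: a hidden directory carrying the shortcut's own name sits right next to it.
        $twin = Join-Path $lnk.DirectoryName $lnk.BaseName
        $hiddenTwin = $false
        if (Test-Path -LiteralPath $twin -PathType Container) {
            $attrs = (Get-Item -LiteralPath $twin -Force).Attributes
            $hiddenTwin = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        }

        # Indicator 3: that folder's desktop.ini is really a PE file (first two bytes "MZ").
        $iniIsPe = $false
        $ini = Join-Path $twin 'desktop.ini'
        if ($hiddenTwin -and (Test-Path -LiteralPath $ini -PathType Leaf)) {
            $fs = [IO.File]::OpenRead($ini)
            try { $buf = New-Object byte[] 2; $n = $fs.Read($buf, 0, 2) } finally { $fs.Close() }
            $iniIsPe = ($n -eq 2) -and ($buf[0] -eq 0x4D) -and ($buf[1] -eq 0x5A)
        }

        if ($launchesIni -or ($hiddenTwin -and $iniIsPe)) {
            $hits += [pscustomobject]@{
                Shortcut    = $lnk.FullName
                CommandLine = $cmdline
                HiddenTwin  = $hiddenTwin
                IniIsPE     = $iniIsPe
            }
            if ($Quarantine) {
                # Neutralise the lure without destroying evidence; the hidden folder and its
                # desktop.ini are left in place for the incident responder to collect.
                Rename-Item -LiteralPath $lnk.FullName -NewName ($lnk.Name + '.quarantined') -ErrorAction SilentlyContinue
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

Run it read-only first (`.\Find-MatrixShortcuts.ps1 -Roots '\\fileserver\users'`) to see what it flags, and only then with -Quarantine. Matching on the hidden twin folder plus the "MZ" check catches the pattern even if a later variant changes the temporary filename, while the command-line match catches shortcuts that point at a folder that has since been cleaned up.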
We are also seeing that the Matrix Ransomware is being updated frequently. The first version was discovered around December 2016, followed by a new version on April 3rd, and then another on April 6th. Each of these versions has different characteristics, encrypted file extensions, email addresses, and ransom note filenames.
The table below shows the various versions and their characteristics:
Versions | Ransom Note Name | Encrypted File Extension | Email Addresses | Worm Functionality
Due to its wider distribution, we can expect Matrix to continue to change often.
While Matrix is running, it is very chatty with its Command & Control servers. In each stage of the encryption process, Matrix connects back to the C2 server and issues an update on how far along in the process it is. Like Spora, Matrix will also upload a list of file extensions and the number of files per extension that were encrypted. It is not known whether Matrix also changes its ransom demand based on the types of files reported.
Last but not least, Matrix performs the following behavior on the infected computer:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
%UserProfile%\AppData\Roaming\[victim_id].pek
%UserProfile%\AppData\Roaming\[victim_id].sek
%UserProfile%\AppData\Roaming\errlog.txt
%UserProfile%\AppData\Roaming\[random].cmd
%UserProfile%\AppData\Roaming\[random].afn
%UserProfile%\AppData\Roaming\[random].ast
%UserProfile%\AppData\Roaming\[random].hta
matrix-readme.rtf
Bl0cked-ReadMe.rtf
WhatHappenedWithFiles.rtf
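As an added example (not code from the article), the PowerShell function below triages a user profile for the host artifacts listed above: the .hta persistence entry in the Startup folder, the [victim_id].pek/.sek key files, errlog.txt and the .cmd/.afn/.ast helper files in Roaming, and the three ransom note filenames. The [random] and [victim_id] parts of the names are unknown, so they are matched with wildcards; the function name and its $Profile parameter are this example's own.

```powershell
# Added example (not the article's code): look for the Matrix file artifacts named in the article.
function Find-MatrixArtifacts {
    param([string]$Profile = $env:USERPROFILE)   # assumed: the profile of the affected user

    $roaming = Join-Path $Profile 'AppData\Roaming'
    $startup = Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\Startup'
    $findings = @()

    # Persistence: an .hta dropped into the user's Startup folder ([random].hta in the article)
    Get-ChildItem -Path $startup -Filter *.hta -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'Startup HTA'; Path = $_.FullName } }

    # Key material, log and helper files written directly under Roaming
    foreach ($pattern in '*.pek', '*.sek', 'errlog.txt', '*.cmd', '*.afn', '*.ast', '*.hta') {
        Get-ChildItem -Path $roaming -Filter $pattern -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += [pscustomobject]@{ Indicator = "Roaming $pattern"; Path = $_.FullName } }
    }

    # Ransom notes: each version uses a different filename, so search for all three across the profile
    $notes = 'matrix-readme.rtf', 'Bl0cked-ReadMe.rtf', 'WhatHappenedWithFiles.rtf'
    Get-ChildItem -Path $Profile -Recurse -File -Force -Include $notes -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'Ransom note'; Path = $_.FullName } }

    return $findings
}

Find-MatrixArtifacts | Format-Table -AutoSize
```

A .pek/.sek pair or errlog.txt in Roaming is a strong signal on its own, since those names have no legitimate producer; the .cmd/.afn/.ast/.hta patterns are generic and should be read together with the Startup and ransom-note hits rather than on their own. Because Matrix reports its progress to the C2 server at each stage, proxy logs from the same time window are the natural place to confirm a hit.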
All your files have been encrypted! All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.) Following violations were detected: Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse! To unlock your files you have to pay the penalty! You have only 96 hours to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible! Each 12 hours the payment size will be automatically increased by 100$! You must pay the penalty through the Bitcoin Wallet. To get your unique key and unlock files, you should send the following code: [victim_id] to our agent e-mails: email@example.com or firstname.lastname@example.org You will recieve all necessary instructions! Hurry up or you will be arrested!!!
Аttеntiоn! Аll yоur filеs wеrе еnсryрtеd with RSА-2048 аlgоrithm. Withоut уоur pеrsоnаl dесrуptiоn kеy dаtа rеcоvеrу is impоssiblе! Tо gеt yоur uniquе kеy аnd dесrурt thе filеs, Yоu hаvе to sеnd thе fоllоwing cоdе: [victim_id] tо оur е-mаil аddrеss: email@example.com Thеn Yоu will rеciеvе аll nеcеssаry instruсtiоns. Yоu hаvе оnlу 96 hоurs tо rеcоvеr yоur dаtа! Аftеr this timе yоur uniquе dесrурtiоn kеy will bе аutоmаticаllу dеlеtеd аnd filе dесrурtiоn will bеcоmе imроssiblе! Hurrу uр! Еасh 12 hоurs thе pауmеnt sizе will bе аutоmаticаllу inсrеаsеd bу 100$! Аll thе аttеmpts оf dесryptiоn by yоursеlf will rеsult оnly in irrеvосаble lоss оf yоur dаtа. If yоu still wаnt tо try tо dеcrypt thеm by yоursеlf plеаsе mаkе а bаckup аt first bеcаusе thе dесryptiоn will bеcоmе impоssiblе in cаsе оf аny chаngеs insidе thе filеs. If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаil fоr mоrе then 24 hours (аnd оnly in this cаsе!), usе thе rеsеrvе е-mаil аddrеss: firstname.lastname@example.org