Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload.   

Initial Access Method

The initial lure was delivered as an ISO file. 

Figure 1 –  ISOFile

The payload included a shortcut file (with a .doc extension) and a zip file.

Figure 2 – Contents Inside ISO File

The shortcut was using PrintBrm.exe to unpack the and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool.

Figure 3 – Shortcut File
cmd.exe /c xcopy .\ %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\ -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe

Figure 4 –  HR-Update.exe Running

HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ransomware payload is downloaded with the help of Cobalt Strike.

At the time of writing the blog, we were unable to get the exact DarkBit ransomware payload. So we are using another available sample that belonged to the same campaign.

Analysis of Ransomware

This DarkBit ransomware sample is written in GoLang. It contains command line arguments.

Figure 5 –  Ransomware Features

It also contains an inbuilt configuration file as shown in Figure 6.

Figure 6 – InBuilt Config

Further analysis revealed that they had obfuscated some dll names like advapi32.dll and functions like SystemFunction036.

Figure 7-  Obfuscation

Its dynamically resolving API at this address. Malware authors tend to dynamically resolve API to avoid static detections.

Figure 8 –  Dynamically Resolving API

CreateMutexW API is being used to check if an instance of the malware is already running. As can be seen in Figure 5 previously, they are also using multithreading.

As the customary prelude to file encryption, they are using vssadmin.exe to delete all the shadow copies.

Figure 9 – Delete Shadow all

Here they are using SystemFunction036 (documented in MSDN as RtlGenRandom) to generate a random key as shown in Figure 10.

Figure 10 –  SystemFunction036

SystemFunction036 is accessed multiple times in the code with varying buffer sizes passed to it.

Figure 11 – Call To Dynamically Resolve API and Then SystemFunction036

Here we can see that the buffer size of 80 is made available for SystemFunction036. 

Figure 12 – Encrypting Key

Later-on, the key used for encrypting the files is itself encrypted and attached to the encrypted files.

Figure 13 –  EncryptionAlgorithm

From Figure 13, we can see that It’s encrypting. It is likely using AES to encrypt the files, as strings related to the same functions can be found elsewhere in this same sample.

FindFirstFileW, FindNextFileW are used to iterate through the file system, to find the appropriate file and then encrypt it.

At that point it was observed that its writing file in chunks and not as a whole. For doing the same it’s using SetFilePointerEx API to move the file pointer to a specific address.

Figure 14 – SetFilePointerEx

It’s then using the WriteFile API.

Figure 15 –  WriteFile

All these functions are called one after another, till all the files are encrypted.

After encrypting the file, the key is stored at the end of the file.

Figure 16 –  Ransomware key

The encrypted files are given ‘.darkbit’ extension and also a ransom note is dropped in the respective folders.

Figure 17  – Ransomware Note

Tweet from a self-identifying DarkBit twitter handle, associating itself with  MuddyWater

Figure 18 – Tweet on DarkBit

MuddyWaters uses different types of attacks for initial access like phishing email campaigns, using tools like MimiKatz to break into the system, etc. In this case, MuddyWaters made use of Cobalt Strike to get initial access into the system. From the ransomware note, we figured out that it was a politically motivated attack.

We at K7 Labs provide detection for DarkBit ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

Indicators of Compromise (IOCs)

File NameHashDetection Name
DarkBit.exe9880FAE6551D1E9EE921F39751A6F3C0Trojan (0058e3dd1)
hr-update.iso1219A8880DEBDD10D081195E27A2A016Trojan (0001140e1)


Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “MuddyWater Back with DarkBit”