GlobeImposter Ransomware: Blocked by enSilo
During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight, this ransomware looks very similar to other ransomware samples and uses a common technique known as process hollowing. However, deeper inspection showed that, like LockPoS, which was analyzed by CyberBit, GlobeImposter also bypasses user-mode hooks, a technique used by many security products for malware and exploit detection, by calling directly into the kernel. Because this evasion technique is now being leveraged by new malware samples, it may signal a trend of more attacks evading user-mode security products. The enSilo Platform is not affected by such evasion techniques.
Figure 2 shows this connection attempt to these three domains:
Figure 2: Network Connection
Figure 3: Binary File Download
The domains appear to be offline at the time of writing this post.
The GlobeImposter Ransomware binary file contains the following static characteristics:
SHA256 Hash: 3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547
File size: 239,104 bytes
Compile Time: 2016-12-11 21:50:59
GlobeImposter ransomware leverages a very interesting packer in an attempt to avoid detection. Like many malware samples, GlobeImposter leverages the process hollowing technique to avoid detection. However, similar to the LockPoS malware analyzed by CyberBit, GlobeImposter uses direct system calls in order to bypass user-mode hooks, a technique that many security vendors employ to prevent process hollowing, thread injection and similar techniques. A full analysis of the sample can be found on BreakingMalware.
After unpacking GlobeImposter, it appears to be almost identical to an older variant found in early November 2017. Here is a comparison of the encryption routines, one from the old GlobeImposter and one from the new variant:
Figure 4: Comparison between the GlobeImposter variants. The old version on the left, and the new unpacked one on the right.
As shown in figure 4, the files that are encrypted are then renamed in the following format: filename.doc
Figure 5: Encrypted Files
When the Ransomware finishes encrypting all files, a message is presented to the victim within a browser, as shown in figure 6.
Figure 6: Ransom Notification Message
The Ransomware also offers to decrypt one file for free to prove the decryption works. The note states the following "Before paying you can send us 1 file for free decryption."
ENSILO POST-INFECTION PLATFORM IN ACTION
The GlobeImposter Ransomware sample was executed in a controlled environment protected by enSilo platform.
We can see GlobeImposter attempt to encrypt files in figure 7. As can be seen, GlobeImposter invokes itself as part of the unpacking stage; this is where the process hollowing technique is used to thwart security solutions. Once the unpacked payload executes, it starts encrypting files. The enSilo platform blocks the encryption process before any damage to the system is done.
Figure 7: GlobeImposter attempts to encrypt
Note: These types of attacks can be blocked by the enSilo platform at multiple stages: initial execution, download of a payload, and payload execution. However, if we allow execution to proceed, we can see that the final encryption process is blocked.
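The behaviour chain described above (the sample invoking itself during unpacking, then the child renaming files by appending an extension) can be hunted for in endpoint telemetry. The following is an added detection example, not code from the original post or from enSilo; the event format, process names, the hypothetical `.locked` extension and the threshold are constructed assumptions.

```python
"""Flag a self-spawning process whose child mass-renames files by appending an extension."""
from collections import defaultdict

# Constructed sample telemetry (not from the original post), in a simplified
# Sysmon-like form: one process-creation log and one file-rename log.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 212, "ppid": 100, "image": r"C:\Users\victim\Downloads\sample.exe"},
    {"pid": 340, "ppid": 212, "image": r"C:\Users\victim\Downloads\sample.exe"},  # self-spawn
    {"pid": 410, "ppid": 100, "image": r"C:\Windows\notepad.exe"},
]
FILE_EVENTS = [  # ".locked" is an assumed placeholder extension, not the real one
    {"pid": 340, "old": r"C:\Users\victim\report.doc", "new": r"C:\Users\victim\report.doc.locked"},
    {"pid": 340, "old": r"C:\Users\victim\photo.jpg",  "new": r"C:\Users\victim\photo.jpg.locked"},
    {"pid": 410, "old": r"C:\Users\victim\notes.txt",  "new": r"C:\Users\victim\notes_v2.txt"},
]


def self_spawned_children(events):
    """Return PIDs of processes whose image path equals their parent's image path."""
    image_by_pid = {e["pid"]: e["image"] for e in events}
    return {e["pid"] for e in events
            if image_by_pid.get(e["ppid"], "").lower() == e["image"].lower()}


def appended_extension_renames(events, threshold=2):
    """Return PIDs that renamed at least `threshold` files by appending an
    extension to the complete original name (keeps the original extension)."""
    counts = defaultdict(int)
    for e in events:
        if e["new"].lower().startswith(e["old"].lower() + "."):
            counts[e["pid"]] += 1
    return {pid for pid, n in counts.items() if n >= threshold}


def suspect_pids(process_events, file_events, threshold=2):
    """Processes matching both indicators: self-spawned and mass-renaming."""
    return self_spawned_children(process_events) & appended_extension_renames(
        file_events, threshold)


if __name__ == "__main__":
    print("suspect PIDs:", sorted(suspect_pids(PROCESS_EVENTS, FILE_EVENTS)))
```

Either indicator alone is noisy (installers self-spawn; backup tools rename in bulk), so the rule only alerts on their intersection.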