Qilin Ransomware

Soaring to new heights

Threat Landscape

Qilin ransomware has built a highly configurable malware family that makes use of local ESXi tooling to increase the success rate of encrypting and ransoming its victims. In the middle of November 2023, Yanfeng's production was disrupted by a cyber attack that was later attributed to the Qilin ransomware group. Yanfeng is a large automotive supplier that provides components to many of the industry's largest car manufacturers, such as BMW, Toyota, Honda, General Motors and Volkswagen.

source: bleepingcomputer.com

Key points

  • Extensive use of the esxcli tool
  • Evasion by funneling commands through vim-cmd
  • Large list of configurable options
  • Decreased time to encrypt via native low-level filesystem APIs and a large list of file types and directory paths

Build information

Hashes

The file was first submitted to VirusTotal on October 26th 2023, and at the time of this analysis the last submission was November 23rd 2023.

  • SHA256: 555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4
  • MD5: 417ad60624345ef85e648038e18902ab
  • VirusTotal: VTI report

Compiler

The sample was compiled with GCC 11 in the ELF64 format and is 1.32MB in size.

Section Segments

The sections within the binary are not unusual and contain typically found section names for a program that was compiled by GCC. The .rodata section is fairly large and contains a number of strings used for logging and status updates for the encryptor.

Tactics and Techniques

The sample has a fairly large main routine, which facilitates a number of options provided by the encryptor. The program flow, as seen below, iterates over all of the options present within a tight loop. If the help option (-h) is given, the options listing is displayed (see options below).

Once the options are gathered, the encryptor will attempt to use each option to control the flow of the sample.

Options

The sample accepts a number of options that let the operator control which files and paths are encrypted and how the virtual machines are managed prior to encryption.

Two interesting options are -y/--yes, which gives the sample a certain level of scriptability, and --dry-run, which enumerates all the files that would have been encrypted without inhibiting system recovery or encrypting any files.

VM handling is controlled by two options, --no-snap-rm and --no-vm-kill. Unless these are specified, the sample by default inhibits recovery of the virtual machine files by deleting snapshots and killing the VMs.

The customizable sleep delay before encryption is set via the -t/--timer option. This anti-sandbox and potential evasion option helps the sample outlast EDR tracing or any sandbox the process may be running in.

-d,--debug Enable debug mode (logging level set to DEBUG, disables backgrounding)

--dry-run Perform scan for files to be processed, do not modify them

-h,--help This help

-l,--log-level Set logging level. Values are from 0 for FATAL up to 5 for DEBUG

--no-df Ignore configured white-/black- lists of directories

--no-ef Ignore configured white-/black- lists of extensions

--no-ff Ignore configured white-/black- lists of files

--no-proc-kill Disables process kill

-R,--no-rename Disables rename of completed files

--no-snap-rm Disables snapshot deletion

--no-vm-kill Disables VM kill

-p,--path Specifies top-level directory for files search

--password Password for startup

-r,--rename Enables rename of completed files (default)

-t,--timer Enabled timed delay before encryption (seconds)

-w,--whitelist Use whitelists for inclusion instead of blacklists for exclusion

-y,--yes Assume answer 'yes' on all questions (script mode)

Prepare the system

The sample prepares the system for encryption by retrieving system information and setting key process options to ensure a successful encryption.

Determine OS and number of CPUs

The sample will attempt to determine whether the OS is Linux, ESXi, FreeBSD or Unknown. If the OS type is FreeBSD, it will attempt to get the CPU information through CPU registers and a syscall using futex(). Otherwise it will attempt to open /proc/cpuinfo and count the number of processors. Both code paths return the total number of CPUs.

The CPU count is then used to determine how many threads are allocated in the thread pool. If the count comes back as a single CPU, the thread count is hardcoded to 2.

Set open file limits

The sample will attempt to ensure that the hard limit for open files is not hit while encrypting. To do so, setrlimit() is called with the RLIMIT_NOFILE constant and a value of 4096.

Inhibit system recovery

The sample will execute 4 different ESXi commands via the local shell, using esxcli to do so. This is a common tool found on ESXi-based systems, and is typically used by threat actors to configure or probe the system prior to encrypting. Access rights to run esxcli are required for this step to succeed.

First command

The first command uses esxcli storage filesystem list. This command will "List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions." For each filesystem found whose ESXi filesystem version is VMFS5, the sample uses vmkfstools with the -c option to create a new 10MB virtual disk and the -d option to set the disk format to eagerzeroedthick; the result overwrites the disk and any errors are forwarded to /dev/null. Lastly, it deletes the new disk with the -U option.

Ref: https://vdc-download.vmware.com/vmwb-repository/dcr-public/780e06f7-08ce-45c3-be80-dd77124e1504/1bea0664-dbd7-4363-aee3-020bfd6fd5c8/doc/esxcli_storage.html

Second command

The second command is similar to the first, but targets the VMFS-6 filesystem version instead.

Third command

To improve performance when handling virtual machines whose shared storage is remote, the sample modifies the advanced configuration option /BufferCache/MaxCapacity. It does so by copying the exact command from the VMware knowledge base article https://kb.vmware.com/s/article/2052302 and changing the number of buffers via esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity.

Fourth command

Similar to the third command above, it also sets the buffer cache flush interval via esxcfg-advcfg -s 20000 /BufferCache/FlushInterval, which is also found in the knowledge base article.

VIM-CMD evasion

The sample will attempt to use the ESXi vim-cmd tool, which is symbolically linked at /bin/vim-cmd. The VM snapshots are manipulated by using the local shell and piping the command through vim-cmd.

Get the VM Process list

The sample will attempt to obtain the VM process list by using the existing esxcli tool and searching the output for the string World ID: to determine which VM processes are listed.
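As an added example (not code from the original analysis or the sample), the following Python script groups ESXi shell-log lines by shell session and flags a session that runs several of the preparation commands described above: filesystem enumeration, the eagerzeroedthick create/delete, the two BufferCache settings, the VM process listing and snapshot handling via vim-cmd. The log lines, session ids and indicator names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ESXi shell.log-style lines (assumed format, not from the page).
SAMPLE_SHELL_LOG = """\
2023-11-14T02:11:03Z shell[2100]: [root]: esxcli storage filesystem list
2023-11-14T02:11:04Z shell[2100]: [root]: vmkfstools -c 10M -d eagerzeroedthick /vmfs/volumes/ds1/x.vmdk 2>/dev/null
2023-11-14T02:11:05Z shell[2100]: [root]: vmkfstools -U /vmfs/volumes/ds1/x.vmdk
2023-11-14T02:11:06Z shell[2100]: [root]: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
2023-11-14T02:11:06Z shell[2100]: [root]: esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
2023-11-14T02:11:07Z shell[2100]: [root]: esxcli vm process list
2023-11-14T02:11:08Z shell[2100]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2023-11-14T03:00:00Z shell[2200]: [admin]: esxcli network ip interface list
2023-11-14T03:00:10Z shell[2200]: [admin]: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
"""

# One indicator per preparation step described in the analysis (names are our own).
INDICATORS = {
    "fs_enum": re.compile(r"\besxcli\s+storage\s+filesystem\s+list\b"),
    "vmdk_create": re.compile(r"\bvmkfstools\b.*\s-c\s.*\s-d\s+eagerzeroedthick\b"),
    "vmdk_delete": re.compile(r"\bvmkfstools\b.*\s-U\b"),
    "buf_capacity": re.compile(r"\besxcfg-advcfg\s+-s\s+32768\s+/BufferCache/MaxCapacity\b"),
    "buf_flush": re.compile(r"\besxcfg-advcfg\s+-s\s+20000\s+/BufferCache/FlushInterval\b"),
    "vm_list": re.compile(r"\besxcli\s+vm\s+process\s+list\b"),
    "snap_via_vimcmd": re.compile(r"\bvim-cmd\b.*snapshot"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<session>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)


def classify_command(cmd):
    """Return the names of every indicator that matches one shell command."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_shell_log(text, min_distinct=3):
    """Map session id -> sorted indicator names, keeping only sessions that hit
    at least min_distinct distinct steps. A lone BufferCache change is routine
    admin work (the KB article is public); the chained sequence is what stands out."""
    hits = defaultdict(dict)  # session -> {indicator: first matching command}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name in classify_command(m["cmd"]):
            hits[m["session"]].setdefault(name, m["cmd"])
    return {sess: sorted(found) for sess, found in hits.items() if len(found) >= min_distinct}
```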

Configuration

The configuration block will evaluate static hardcoded strings that are part of the .data section.

The process blacklist filters out any process with references to kvm, qemu and xen.

The directory blacklist contains a list of common Linux directories that should not be processed when attempting to encrypt files.

The file blacklist contains a list of common Linux files that would potentially cause instability in the system if encrypted. Although the directory blacklist already covers the directories that hold these files, there could be links elsewhere in the system that reference them.

The file extensions blacklist contains typical mountable files for the ESXi host.

The directory whitelist will be used to target directories and files inside them for encryption.

The file extensions list will be used to filter which files are discovered and subsequently encrypted.

Github

The encryption extension used during the encryption process is hardcoded in the sample as seen below.

The definition of a skip mode will functionally affect the encryption process of a file.

Directory and file discovery

The sample uses the nftw() function from the ftw.h header. Starting at the root directory, the sample recursively analyzes each object in the filesystem tree, getting a handle to each directory object via the fdopendir() call and a pointer to a DIR structure (declared in dirent.h and sys/types.h).

While iterating over the filesystem, the sample applies a filtering function that uses the sample configuration (see: Configuration above) to determine whether a given file path and extension is matched or not.

Encryption library

The sample uses OpenSSL. The public key is hardcoded at address 0x004EB3A8, and the statically linked OpenSSL library is used to load it. If the key fails to load, the sample exits all threads and shuts down.

During the encryption process, there are a number of status strings being logged. One of those strings contains a partially obfuscated word 'bug'.

Defacement

The sample will attempt to open and write to the motd files as a method of defacing the system.

The ransom note is located in the .rodata section at address 0x04E9700 and is stored as stack strings to evade basic static string searching.

Source: BleepingComputer.com

YARA

/*
MIT License
Copyright 2023 ShadowStackRe.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
rule QilinRansomware {
    meta:
      description = "rule to detect Qilin Ransomware"
      author = "ShadowStackRe.com"
      date = "2023-12-06"
      Rule_Version = "v1"
      malware_type = "ransomware"
      malware_family = "Qilin"
      License = "MIT License, https://opensource.org/license/mit/"
    strings:
      $strMotd = "/etc/motd"
      $strEncryptQuestion = "Are you sure to start encryption"
      $strConfigStart = "--- Configuration start ---"
      $strEsxiUsage = "esxcli"
      $strEncryptRenameFail = "Failed to rename encrypted file to"
      $strStartJob = "Started job..."
      $strBug = "\x1B[%uG 100%%"
    condition:
      all of them
}