ELPACO is a sophisticated ransomware variant derived from another family named "Mimic"; what the two have in common is the use of legitimate software alongside the main ransomware payload.

What makes this sample peculiar is the customizable UI offered to the operator and the fact that, almost a year later, it is still effective on up-to-date Windows systems.

The initial file is a self-extracting archive which contains the following files:

Inside is an installation of Everything.exe from voidtools.

What is Everything?

"Everything" is a search engine that locates files and folders by filename instantly for Windows. Unlike Windows Search, "Everything" initially displays every file and folder on your computer (hence the name "Everything"). You type in a search filter to limit what files and folders are displayed.

This is an interesting use of legitimate tools for two reasons:

Inside the archive we find Everything64.dll; it is not an actual DLL but another compressed zip archive, this time password protected.

To find the password you can simply execute the sample and monitor its activity with procmon or similar tools: at some point it will obviously have to extract the files inside, and to do so it must supply the password.

This is also a piece of advice I give to anyone who wants to reverse engineer malware: you usually don't want to open it in the debugger right away, as that can be daunting and dispersive. What you want to do first is run it inside a sandbox and observe what it does; then you have a general idea of what you are looking for and where to start. It is a matter of defining your goals so you don't waste time.

Inside the extracted archive after providing the password:

This is the beauty of compressed archives: you can bring whatever you want in a small package.

Among the relevant files inside we have:

This is the session.tmp key:

Operator Interface

To make life easier for those who need to use the ransomware, the developer chose to create a GUI that is as simple as it is practical. The interface allows the operator to customize the ransomware's behavior during and after the encryption, and it has some spicy features that make the ransomware very sophisticated.

In this panel it is possible to change the number of worker threads dedicated to encryption, choose which files to skip, enable self-deletion and task-kill capabilities, and more.

In the background the ransomware continuously prints debugging messages.

There is a dedicated panel for editing the ransom note.

This panel is where the operator can start/stop the ransomware and choose which drives to encrypt.

Why elevated?

Looking at Task Manager while ELPACO is running, we can see that its process and subprocesses are elevated without a UAC prompt ever having appeared. This means it found a way to bypass the prompt and escalate to high integrity automatically. Let's see how it does that.

We can have a look inside the code of `svhostss.exe`.

It is basically abusing a feature of Windows COM objects. This is a known UAC bypass technique in which the program abuses an auto-elevated COM object, here the CMSTPLUA COM interface. The call to CoGetObject takes as its argument the entire moniker string, `Elevation:Administrator!new:{3E5FC...}`, and returns a pointer to the interface of the requested object. After this there is a call to ObjectStublessClient9, where the 9 indicates the index inside the vtable of the ICMLuaUtil interface. We can do a little reverse engineering of the vtable to understand what it does.

We can see that inside it calls ShellExecuteExW(). We can say almost with certainty that the program is creating another elevated instance of itself by abusing this elevated call.

I analyzed the sample on a Windows 24H2 machine. Defender would probably have noticed the attempt to escalate privileges, but as it is now, if you can get around it, the technique still works on semi up-to-date systems (not on 25H2).

You can find a working POC here and in this blog.

Encryption

ELPACO uses ChaCha20 as its encryption algorithm; during the process it avoids encrypting critical files such as those in \windows\. All encrypted files are renamed with the .ELPACO-team extension. Inside the temp folder it drops session.tmp as a recovery key to use in case the program is stopped mid-encryption for whatever reason.
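As an added example (not code from this post or from the sample itself), here is a small Python triage helper built on the indicators described in the UAC bypass and encryption sections above: it scans a binary for the `Elevation:Administrator!new:` auto-elevation moniker prefix, and classifies file-activity events (procmon style) for renames to `.ELPACO-team` and drops of `session.tmp`. The binary blob, the event trace and the `{PLACEHOLDER-CLSID}` value are all constructed; the real CLSID is not reproduced here.

```python
import ntpath

# Indicators taken from the analysis above; everything else in this script is constructed.
ELEVATION_MONIKER = "Elevation:Administrator!new:"
RANSOM_EXTENSION = ".ELPACO-team"
RECOVERY_FILE = "session.tmp"


def find_elevation_moniker(blob: bytes) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of the auto-elevation moniker prefix.
    Both narrow and UTF-16LE forms are checked: CoGetObject takes a wide string, so the
    UTF-16LE hit is the one to expect in a binary that embeds the moniker directly."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = ELEVATION_MONIKER.encode(enc)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = blob.find(needle, pos + 1)
    return hits


def triage_file_events(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Classify (operation, path) pairs from a file-activity trace.
    Flags renames to the ELPACO extension and creation of the session.tmp recovery
    key under a Temp directory; ntpath is used so Windows paths parse on any host."""
    findings = {"encrypted": [], "recovery_key": []}
    for op, path in events:
        name = ntpath.basename(path)
        if op == "rename" and name.endswith(RANSOM_EXTENSION):
            findings["encrypted"].append(path)
        elif op == "create" and name.lower() == RECOVERY_FILE and "\\temp\\" in path.lower():
            findings["recovery_key"].append(path)
    return findings


# Constructed sample data: a fake binary carrying the moniker as a wide string followed by
# a placeholder CLSID, and a short trace in the style of procmon file events.
SAMPLE_BLOB = (b"\x00" * 16 + ELEVATION_MONIKER.encode("utf-16-le")
               + "{PLACEHOLDER-CLSID}".encode("utf-16-le") + b"\x00" * 8)
SAMPLE_EVENTS = [
    ("create", r"C:\Users\victim\AppData\Local\Temp\session.tmp"),
    ("rename", r"C:\Users\victim\Documents\report.docx.ELPACO-team"),
    ("rename", r"C:\Windows\System32\drivers\etc\hosts"),
    ("write", r"C:\Users\victim\Documents\report.docx"),
]

if __name__ == "__main__":
    print(find_elevation_moniker(SAMPLE_BLOB))   # [('utf-16-le', 16)]
    print(triage_file_events(SAMPLE_EVENTS))
```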

When trying to restart the machine, this is the ransom note shown:

Conclusion

This one was brief, but I had fun playing with the user interface and the ransomware's functionality.

Links I used for research: