TAU-TIN-Sussy-Ransomware

By Sagar Daundkar posted Apr 03, 2024 09:29 AM

  

Threat Analysis Unit - Threat Intelligence Notification

Title: Sussy Ransomware

Summary

Sussy ransomware has been observed exploiting the WinRAR vulnerability CVE-2023-38831 to infect users. After infection it deletes volume shadow copies, so that victims cannot restore their data from those copies. It also exports the Wi-Fi profiles saved on the system in order to steal the stored passwords.

Behavioral Summary

The CVE-2023-38831 vulnerability allows a RAR archive to contain a benign file (such as a JPG, PDF, or TXT file) together with a folder that has the same name as that file, as shown in Figure 1. When a user double-clicks the benign file in the archive, a malicious CMD or BAT script placed within that folder is executed; its contents are shown in Figure 2.

[Image: zip_content.png]

Figure 1. Content of RAR file

The content of the CMD file, which downloads and executes the Sussy ransomware payload, is shown below:

[Image: cmd_file_content.png]

Figure 2. Content of CMD file

Sussy ransomware may append the “.ransom” extension to each encrypted file. It also displays a prompt notifying the victim of the infection, using the following command line:

C:\Windows\system32\cmd.exe /c powershell -command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('You have been pwned by sussy ransomware...', 'Amongus', 'OK', 'Error')"

[Image: prompt.png]

Figure 3. Screenshot of ransom prompt

The process chart of Sussy ransomware is shown below:

[Image: process_tree1.png]

Figure 4. Process chart of Sussy Ransomware

It then terminates the following processes, if found running on the system, so that encryption proceeds without interference. The list consists of analysis, debugging and sandbox-control tools, which corresponds to the sandbox and debugger evasion techniques listed in Table 2:

anvirlauncher.exe
SysInspector.exe
VirusTotalUpload.exe
proc_analyzer.exe
ProcessHacker.exe
joeboxcontrol.exe
ImmunityDebugger.exe
joeboxserver.exe
HookExplorer.exe
httpdebugger.exe

Table 1. List of processes to be terminated

It also deletes all shadow copies and the backup catalog by executing commands such as the following:

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet

The ransomware additionally exports the saved wireless profiles, including their stored passwords in clear text, with the following command line:

C:\Windows\system32\cmd.exe /c netsh wlan export profile folder=C:\Windows\System32\wifies\\ key=clear && cl
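As an added example (not part of the TAU report), the following Python matches the three command lines quoted above against process-creation telemetry and correlates hits per parent process; the event list, parent image names and rule names are constructed for illustration:

```python
import re

# Constructed sample process-creation events (parent image, command line). The three
# "sussy.exe" entries reproduce the command lines quoted in the report; the rest are benign.
SAMPLE_EVENTS = [
    ("sussy.exe", r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    ("sussy.exe", r"C:\Windows\system32\cmd.exe /c netsh wlan export profile "
                  r"folder=C:\Windows\System32\wifies\\ key=clear"),
    ("sussy.exe", r'C:\Windows\system32\cmd.exe /c powershell -command "Add-Type -AssemblyName '
                  r"""System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('You have been """
                  r'''pwned by sussy ransomware...', 'Amongus', 'OK', 'Error')"'''),
    ("explorer.exe", r"C:\Windows\system32\cmd.exe /c netsh wlan show profiles"),
    ("backup.exe", r"vssadmin list shadows"),
]

# Detection rules derived from the command lines the report quotes: (name, regex).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wifi_profile_export_cleartext",
     re.compile(r"\bnetsh(\.exe)?\b.*\bwlan\b.*\bexport\b.*\bprofile\b.*\bkey=clear\b", re.I)),
    ("ransom_note_messagebox",
     re.compile(r"powershell.*Windows\.Forms\.MessageBox\]::Show\(", re.I)),
]

def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """(parent, cmdline, rule names) for each event that hits at least one rule."""
    hits = []
    for parent, cmdline in events:
        names = match_rules(cmdline)
        if names:
            hits.append((parent, cmdline, names))
    return hits

def correlate(events, threshold=2):
    """Parents whose children trip at least `threshold` distinct rules: vssadmin alone is common
    in backup tooling, but shadow deletion plus a clear-text Wi-Fi export from one parent is not."""
    per_parent = {}
    for parent, _, names in scan(events):
        per_parent.setdefault(parent, set()).update(names)
    return {p: sorted(n) for p, n in per_parent.items() if len(n) >= threshold}

if __name__ == "__main__":
    for parent, cmd, names in scan(SAMPLE_EVENTS):
        print(f"{parent}: {', '.join(names)}\n    {cmd}")
    print("high-confidence parents:", correlate(SAMPLE_EVENTS))
```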

 


Customer Protection

Sussy Ransomware is blocked and detected by existing policies within VMware Carbon Black products. For more on ransomware behavior and on the detection and protection capabilities of the VMware Carbon Black suite of products against Sussy Ransomware, refer to the following blog post:

TAU-TIN - Ransomware Threats

 

MITRE ATT&CK TIDs

TID         Tactic                 Description
T1059       Execution              Command and Scripting Interpreter
T1083       Discovery              File and Directory Discovery
T1057       Discovery              Process Discovery
T1486       Impact                 Data Encrypted for Impact
T1070       Defense Evasion        Indicator Removal on Host: File Deletion
T1497       Defense Evasion        Virtualization/Sandbox Evasion
T1622       Defense Evasion        Debugger Evasion
T1543.003   Privilege Escalation   Create or Modify System Process: Windows Service

Table 2. MITRE ATT&CK TIDs

Indicators of Compromise (IOCs)

Indicator                                                          Type     Context
9c8cf3de80161ea51ccf1e7d51b8643c6ee1dc2e7bef64ca9e5b4f2492e1bfd3   SHA256   Sussy Ransomware
f1911d970193592c27dc137fd1f0892b82980c3301ef01255cb308e3cfd051f5   SHA256   Malicious RAR
51fdaef5a06d393a52c5eb24938428ebb5dd2d69                           SHA1     Sussy Ransomware
140c6f2f8985e6e6a67148455c78e26fbe199ed9                           SHA1     Malicious RAR
1f05517e065bb88f500085026bfe456f                                   MD5      Sussy Ransomware
b4dbf34ed91c1090653c178d377a4215                                   MD5      Malicious RAR

Table 3. Indicators of compromise


About TAU-TIN

TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.

To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.


Attachment(s): 30208_iocs.csv