'Chaos' Malware Builder Rapidly Evolving
Trend Micro: Underground Forum Seeks Testers
An advertisement on an underground forum seeks testers for an under-construction version of the malware builder called "Chaos," researchers at Trend Micro report.
Trend Micro says it's been monitoring the latest Chaos development activity since June. "While it’s purportedly a .NET version of Ryuk, closer examination of the sample reveals that it doesn’t share much with the notorious ransomware," the researchers say. "In fact, early versions of Chaos, which is now in its fourth iteration, were more akin to a destructive Trojan than to traditional ransomware."
Researchers add that they haven't yet seen any active infections using the Chaos malware. But the developers apparently have access to distribution and deployment capabilities, they note.
Evolution of Chaos
Chaos version 1.0 was released in June; by Aug. 5, version 4.0 was available, Trend Micro reports.
Trend Micro researchers Monte de Jesus and Don Ovid Ladores say the most notable characteristic of the first version of the Chaos builder is that, despite having the Ryuk branding in its graphical user interface, it has little in common with the ransomware.
"In fact, it wasn’t even traditional ransomware, but rather a destructive Trojan. Instead of encrypting files, which could then be decrypted after the target paid the ransom, it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom," researchers note.
Chaos displays certain characteristics found in other ransomware families. It searches for file paths including contacts, desktop, documents, downloads, links, music, OneDrive, Pictures and more. Chaos also looks for certain extensions to infect, including .3gp, .7z, .apk, .aspx, .avi, .backup, .bmp, .contact, .doc, .docx, .flv, .html, .java, .jpeg, .json, .mp4 and .mpeg.
Chaos is designed to drop a ransom note named read_it.txt demanding a payment in bitcoin for decryption of the victim’s files. One such ransom note discovered by researchers asked for 0.147 bitcoin, or about $6,800.
Version 1.0 of the malware had a worming function, which allowed it to spread to all drives found on an affected system and permitted the malware to jump onto removable drives and escape from air-gapped systems, the researchers say.
The worming feature is similar to that found in Ryuk crypto-locking malware. In March, the developers behind Ryuk gave their attack code the ability to spread itself between systems inside an infected network (see: Ryuk Ransomware Updated With 'Worm-Like Capabilities').
Chaos version 2.0 had advanced options for administrator privileges, the ability to delete all volume shadow copies and the backup catalog, and the ability to disable Windows recovery mode. It also overwrote the files that it targeted.
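Defenders usually pick up the version 2.0 capabilities listed above (deleting shadow copies and the backup catalog, disabling recovery mode) in process-creation telemetry rather than from the malware binary itself. The following Python example is added here and is not code from Trend Micro or from the article. It assumes those capabilities are carried out through the standard Windows utilities vssadmin, wmic, wbadmin and bcdedit (the article does not say how Chaos implements them); the log lines and their key=value layout are constructed stand-ins for Sysmon event 1 or Security event 4688 records.

```python
"""Detection logic for the recovery-inhibition features attributed to Chaos 2.0.

Added example, not code from Trend Micro or from the article.  The article says
version 2.0 can delete all volume shadow copies and the backup catalog and
disable Windows recovery mode, but not how.  This example ASSUMES the usual
route through built-in Windows utilities (vssadmin, wmic, wbadmin, bcdedit),
the behaviour tracked as MITRE ATT&CK T1490, and matches process-creation
command lines against it.  The log lines are constructed, not real telemetry,
and their key=value format is an assumption standing in for Sysmon event 1 or
Security event 4688.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    category: str
    pattern: re.Pattern


RULES = (
    Rule("shadow_copy_deletion",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("shadow_copy_deletion",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("backup_catalog_deletion",
         re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    Rule("recovery_disabled",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    Rule("recovery_disabled",
         re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
)

# key=value pairs, values optionally double-quoted (constructed log format)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines) -> list:
    """Return one alert per log line whose command line matches a rule."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        cmdline = event.get("cmdline", "")
        categories = sorted({r.category for r in RULES if r.pattern.search(cmdline)})
        if categories:
            alerts.append({
                "ts": event.get("ts"), "host": event.get("host"),
                "pid": event.get("pid"), "parent": event.get("parent"),
                "cmdline": cmdline, "categories": categories,
            })
    return alerts


def correlate(alerts) -> list:
    """Group alerts by (host, parent process).  One category on its own is
    suspicious; two or more from the same parent is the chain the article
    describes and is rated high."""
    groups = {}
    for alert in alerts:
        key = (alert["host"], alert["parent"])
        groups.setdefault(key, set()).update(alert["categories"])
    return [
        {"host": host, "parent": parent, "categories": sorted(cats),
         "severity": "high" if len(cats) >= 2 else "medium"}
        for (host, parent), cats in groups.items()
    ]


# Constructed sample telemetry: two benign admin actions, one recovery-inhibition chain.
SAMPLE_LOG = [
    r'ts=2021-08-05T10:00:01Z host=WS01 pid=1204 parent="C:\Windows\explorer.exe" cmdline="notepad.exe C:\Users\alice\todo.txt"',
    r'ts=2021-08-05T10:00:05Z host=WS01 pid=3388 parent="C:\Windows\System32\cmd.exe" cmdline="vssadmin list shadows"',
    r'ts=2021-08-05T10:02:11Z host=WS01 pid=4412 parent="C:\Users\alice\AppData\Local\Temp\sample.exe" cmdline="vssadmin delete shadows /all /quiet"',
    r'ts=2021-08-05T10:02:12Z host=WS01 pid=4420 parent="C:\Users\alice\AppData\Local\Temp\sample.exe" cmdline="wbadmin delete catalog -quiet"',
    r'ts=2021-08-05T10:02:13Z host=WS01 pid=4431 parent="C:\Users\alice\AppData\Local\Temp\sample.exe" cmdline="bcdedit /set {default} recoveryenabled No"',
    r'ts=2021-08-05T10:02:13Z host=WS01 pid=4437 parent="C:\Users\alice\AppData\Local\Temp\sample.exe" cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'ts=2021-08-05T10:30:00Z host=BK02 pid=800 parent="C:\Windows\System32\services.exe" cmdline="wbadmin start backup -backupTarget:E: -quiet"',
]

if __name__ == "__main__":
    for incident in correlate(detect(SAMPLE_LOG)):
        print(incident)
```

The two legitimate administrative lines (listing shadow copies, starting a backup) produce no alert, while the four commands sharing one parent process collapse into a single high-severity incident. In production the same rules would be fed from Sysmon event ID 1 or Security event 4688 with command-line auditing enabled, and the parent-process grouping is what separates a scripted backup rotation from the all-at-once sequence the article attributes to version 2.0.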
In version 3.0, Chaos started looking like traditional ransomware. It gained the ability to encrypt files under 1 MB using AES/RSA encryption and came with its own decryptor builder. The latest version - 4.0 - expands the AES/RSA encryption by increasing the upper limit of files that can be encrypted to 2 MB.
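The version 1.0 behaviour described earlier (file contents replaced with random bytes and then Base64-encoded), the read_it.txt ransom note, and the 1 MB and 2 MB encryption ceilings of versions 3.0 and 4.0 all bear on one incident-response question: which affected files could still be recovered? The Python triage helper below is an added example, not code from Trend Micro or from the Chaos builder. It labels each file as destroyed (Base64 of random data, nothing to decrypt), encrypted (high-entropy ciphertext), or intact, and notes files above the builder's size ceiling; the sample file contents, the entropy threshold and the small magic-byte table are constructed for the example.

```python
"""Triage helper for a share or folder hit by a Chaos-style sample.

Added illustration, not code from Trend Micro or from the Chaos builder.
It separates the file states the article describes:
  * v1 behaviour: contents replaced by random bytes, then Base64-encoded
    (nothing to decrypt, so a decryptor cannot help);
  * v3/v4 behaviour: AES/RSA ciphertext for files under the size ceiling
    (1 MB in v3, 2 MB in v4);
  * files left intact, including those above the ceiling.
Sample contents, the entropy threshold and the magic-byte table are
constructed here; none of them come from the malware.
"""
import base64
import math
import random
from collections import Counter

RANSOM_NOTE = "read_it.txt"         # note name reported in the article
V3_LIMIT = 1 * 1024 * 1024          # v3 encrypts only files below 1 MB
V4_LIMIT = 2 * 1024 * 1024          # v4 raised the ceiling to 2 MB
RANDOM_ENTROPY = 7.0                # bits/byte; heuristic cut-off chosen here

# Compressed formats are high-entropy but intact; recognise a few by header so
# they are not mistaken for ciphertext (table is illustrative, not exhaustive).
KNOWN_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip/docx/apk",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for random or encrypted data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_if_base64(data: bytes):
    """Return the decoded payload if the whole file is strict Base64, else None."""
    if len(data) < 64 or len(data) % 4:
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def classify(name: str, data: bytes, size_limit: int = V4_LIMIT) -> str:
    """Label one file: ransom_note, destroyed, encrypted, intact or intact_over_limit."""
    intact = "intact_over_limit" if len(data) >= size_limit else "intact"
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return intact                        # recognised container, not ciphertext
    decoded = decode_if_base64(data)
    if decoded is not None and shannon_entropy(decoded) >= RANDOM_ENTROPY:
        return "destroyed"                   # v1: Base64 of random bytes
    if shannon_entropy(data) >= RANDOM_ENTROPY:
        return "encrypted"                   # v3/v4 ciphertext; keys could restore it
    return intact


def triage(files: dict, size_limit: int = V4_LIMIT) -> dict:
    """Classify every file and summarise; files is {name: bytes}."""
    states = {name: classify(name, data, size_limit) for name, data in files.items()}
    return {"states": states, "summary": dict(Counter(states.values()))}


# Constructed sample files; a fixed seed keeps the demo reproducible.
_rng = random.Random(7)
SAMPLES = {
    "read_it.txt": b"constructed placeholder for the dropped ransom note",
    "report.docx": b"PK\x03\x04" + _rng.randbytes(2048),          # intact office file
    "notes.txt": b"Quarterly notes: nothing unusual. " * 40,       # intact text
    "photo.jpeg": base64.b64encode(_rng.randbytes(2048)),         # v1: destroyed
    "budget.json": _rng.randbytes(2048),                          # v3/v4: encrypted
    "video.mp4": b"ftyp" + b"\x00" * V4_LIMIT,                    # above the 2 MB ceiling
}

if __name__ == "__main__":
    result = triage(SAMPLES)
    for name, state in result["states"].items():
        print(f"{name:12s} {state}")
    print(result["summary"])
```

The distinction the labels draw is the one that matters for response: a "destroyed" file is Base64 of random bytes, so no decryptor or key recovery can bring it back and restoration must come from backups, whereas "encrypted" files are at least candidates for a decryptor. Two caveats apply. Compressed and media formats (.7z, .jpeg, .mp4, .docx are all on the article's target list) are naturally high-entropy, so the header table guards against misclassifying them and should be extended or paired with file-type identification in real use. And "intact_over_limit" only records that a file sits above the builder's ceiling for the version you pass as size_limit; it is a hint about where untouched data is likely to be, not proof that the file was never modified.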
"In addition, it gives the ransomware builder’s users the ability to add their own extensions to affected files and the ability to change the desktop wallpaper of their victims," researchers note.
The researchers say that the Chaos malware builder is still far from being a finished product, and it lacks features that many modern ransomware families possess, "such as the ability to collect data from victims that could be used for further blackmail if the ransom is not paid."
Prevention the Best Solution
Javvad Malik, lead security awareness advocate with KnowBe4, says the rapid evolution of the Chaos builder is a common pattern in malware development. Cybercriminals typically seek to improve their malware so that they can maximize the damage to victims and ensure greater payouts.
"All malware, including ransomware, needs an initial infection vector. In most cases, this ends up being social engineering, such as phishing emails, or by taking advantage of unpatched public-facing systems. Other times, it's through compromising credentials," he says. "Therefore, organizations should put the appropriate controls in place to prevent these initial infection vectors from being taken advantage of, to begin with, and nip the problem in the bud."