Search This Blog

Showing posts with label botnet Golang. Show all posts

Hive Gang Changes Programming from Go to Rust

About Hive Ransomware

Microsoft Security researchers found new versions of Hive ransomware written in the Go programming language but now in Rust. Hive surfaced in June 2021, it was found by the FBI in August. In November, Mediamarkt, a European electronics retail company was hit by Hive. 

It's a RaaS (Ransomware as a service) double extortion gang that has recently been attacking vulnerable Microsoft Exchange Servers, compromised VPN credentials, phishing, and vulnerable RDP servers to install the ransomware and steal information that can be leaked. 

Why the change from Go to Rust

The Rust change from Hive has been underway for quite some time, it took its lessons from BlackCat ransomware, written in Rust as well. Researchers from Group-IB in March discovered that Hive changed its Linux encryptor (for attacking VMware ESXi servers) to Rust to make it difficult for cybersecurity experts to monitor the ransom talks with targets. 

The Rust rewrite is much easier, Microsoft Threat Intelligence Center in its blog said, "the upgrades in the latest variant [of Hive] are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. 

What is the impact

The implications of these updates are far-reaching, we should consider that Hive is a RaaS payload that Microsoft found in attacks against organizations in the software and healthcare industries from big ransomware actors like DEV-0237. 

Microsoft has mentioned some advantages of Rust over other languages that make it one of the most preferred languages among programmers, like good crypto library support and better memory security. 

Following are the benefits of Rust language, as per Microsoft: 

  • It offers memory, data type, and thread-safety It has deep control over low-level resources It has a user-friendly syntax 
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption 
  • It has a good variety of cryptographic libraries 
  • It's relatively more difficult to reverse-engineer 

ZDNet reports "Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: "Do not delete or reinstall VMs. There will be nothing to decrypt" and "Do not modify, rename or delete *.key files. Your data will be undecryptable." The *.key files are the files that Hive has encrypted."

New Golang Botnet Drains Windows Users’ Cryptocurrency Wallets


A new Golang-based botnet has been ensnaring hundreds of Windows PCs, each time its operators launch a new command and control (C2) server. This previously undiscovered botnet, dubbed Kraken by ZeroFox researchers in October 2021, utilizes the SmokeLoader backdoor and malware downloader to proliferate to new Windows systems. 

The botnet adds a new Registry key after compromising a new Windows device in order to accomplish persistence across system restarts. It also includes a Microsoft Defender exclusion to assure that its installation directory is never examined, and use the hidden attribute to hide its binary in Window Explorer. 

Kraken has a basic feature set that allows attackers to download and run additional malicious payloads on infected devices, such as the RedLine Stealer malware. RedLine is the most extensively used data thief, capable of gathering victims' passwords, browser cookies, credit card information, and cryptocurrency wallet information. 

ZeroFox stated, "Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet." 

The botnet, however, has built-in data-stealing skills and can steal cryptocurrency wallets before dropping other data thieves and cryptocurrency miners. Kraken can steal information from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets, according to ZeroFox. This botnet appears to be adding almost USD 3,000 to its masters' wallets every month, according to data obtained from the Ethermine cryptocurrency mining pool. 

The researchers added, "While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP."

Regardless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."