Monday, March 3, 2025

Hybrid Analysis Deep Dive Into Allegedly AI-Generated FunkSec Ransomware

Author(s): Vlad Pasca
  • New Rust-based ransomware FunkSec emerges with claimed AI capabilities, potentially indicating an advanced development approach.
  • Aggressive defense mechanisms include anti-VM detection and process termination, effectively disabling user access.
  • Immediate disabling of Windows security features and logging capabilities ensures minimal detection opportunity.
  • Implements persistent access via scheduled tasks and XChaCha20 encryption for file compromise.
  • Encryption process depends on successful download of specific wallpaper image, suggesting an implementation shortcoming.

In a new development for cybersecurity professionals, a novel Rust-based ransomware called FunkSec has emerged, claiming to leverage artificial intelligence in its development. First appearing in 2024 and recently analyzed by Check Point researchers, this ransomware demonstrates an interesting mix of sophisticated capabilities and developmental inconsistencies that suggest it's still a work in progress.

While FunkSec implements advanced features like the XChaCha20 encryption algorithm and comprehensive anti-VM techniques, its execution reveals several technical anomalies. Most notably, the malware includes an unusual dependency on downloading a specific wallpaper image from imgur.com, without which the encryption process won't initiate. This peculiar feature, combined with attempts to connect to local IP addresses on port 4444 and a relatively low ransom demand of 0.1 BTC, suggests this ransomware is still under active development and could evolve further.

This technical deep dive examines FunkSec's inner workings, from its advanced capabilities to its apparent developmental shortcomings.

A Hybrid Analysis Perspective

As we can see in the “Malicious indicators” section of the Hybrid Analysis report, the ransomware disables Security and Application event logging using wevtutil:

Figure 1 - Ransomware spawns processes to modify the configuration of Windows event logs

The process disables real-time protection for Windows Defender using PowerShell, as highlighted below:


Figure 2 - Real-time protection for Defender is disabled

It modifies the PowerShell execution policy to “Bypass” for the current PowerShell session:

Figure 3 - PowerShell execution policy set to “Bypass”

The ransomware runs multiple Windows commands, one of which implements an anti-analysis technique that verifies if a process containing “vmware” is running on the host (see Figure 4). It also checks the user privileges using the net session command.

Figure 4 - Multiple processes spawned by the malware

The ransom note called “README-<random chars>.md” is shown in the “Extracted Files” section of the report:

Figure 5 - Ransom note

A Deeper Dive Into The Ransomware

The malicious executable verifies if it’s running with admin privileges by executing the “net session” command. If it’s not running with elevated privileges, then “Access is denied.” is displayed in the output:

Figure 6 - Check for admin privileges

Anti-VM Techniques

The executable checks for virtualization software such as VMware or VirtualBox, as displayed in the figure below:

Figure 7 - List of VM-related processes

The following processes and services will be stopped by the ransomware. An interesting note is that the “explorer.exe” process is killed and the user loses access to the user interface:

Figure 8 - Processes and services to stop

The binary is looking for drives starting with “A:” to “Z:”. It checks for their existence using the CreateFileW API (0x7 = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0x3 = OPEN_EXISTING):

Figure 9 - Enumeration of drives

The malware copies itself to all available drives and outputs the “Copied to USB:” message (Figure 10). Of course, not all of these drives are USB, but the process doesn’t check the drive type.

Figure 10 - Self-copy to all available drives

A sign that the ransomware may still be in the development phase is that it tries to connect to several local IP addresses on port 4444, using the connect function to perform the operation:

Figure 11 - Connect function call

Figure 12 - Local IP addresses with port 4444

Persistence

The ransomware establishes persistence by creating a scheduled task called “funksec” that will execute the initial executable:

Figure 13 - New scheduled task created

The malicious process disables Security and Application event logging using the wevtutil command. Moreover, it also turns off real-time protection for Windows Defender:

Figure 14 - Multiple evasion techniques are implemented

The ransom note is hard-coded in the binary. It contains the ransomware version (V1.5), the amount to pay in BTC (0.1) and the Bitcoin wallet address:

Figure 15 - Content of ransom note

The malware verifies whether the machine uses a proxy server to connect to the internet and extracts the IP address/host name of the proxy server if that’s the case (see Figure 16).

Figure 16 - Proxy check

It tries to download an image that will be set as the Desktop wallpaper from i.imgur[.]com. If the operation is unsuccessful, then the ransomware doesn’t encrypt the files:

Figure 17 - Desktop Wallpaper is downloaded from a remote website

The downloaded image is set as the Desktop wallpaper via a function call to SystemParametersInfoW (0x14 = SPI_SETDESKWALLPAPER):

Figure 18 - SystemParametersInfoW API call

The list of file extensions that are targeted is displayed in Figure 19.

Figure 19 - List of targeted extensions

Encryption of Files

The ransomware traverses the file system and retrieves the files using the FindFirstFileW and FindNextFileW methods:

Figure 20 - FindFirstFileW API call

Figure 21 - FindNextFileW API call

The NtReadFile function is utilized to read the content of files that will be encrypted.

Figure 22 - File’s content is read using NtReadFile

The files are encrypted using the XChaCha20 algorithm. The nonce (24 bytes) and key (32 bytes) are generated by calling the BCryptGenRandom API, as shown below.

Figure 23 - XChaCha20 nonce and key are randomly generated

A snippet of the XChaCha20 implementation is displayed in Figure 24.

Figure 24 - XChaCha20 implementation

The malware creates a new file with the “.funksec” extension and populates it with encrypted content via a function call to NtWriteFile. The original file is deleted using the DeleteFileW API.

Figure 25 - Encrypted file is populated using NtWriteFile

Through the Eyes of Hybrid Analysis

Hybrid Analysis has been able to identify that FunkSec ransomware disables Windows Event logging and real-time protection for Windows Defender. The detailed report contains information about the check for VM-related processes and the command that verifies whether the user has administrative privileges. The ransom note containing the ransomware version 1.5 can be downloaded for attribution purposes. 

Hybrid Analysis is an ideal platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA256

Files created
downloaded_wallpaper.jpg
README-<random chars>.md

Processes spawned
net session
tasklist /fi IMAGENAME eq <VM process>
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell -Command "wevtutil sl Security /e:false"
powershell -Command "wevtutil sl Application /e:false"
powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"

Scheduled task
funksec
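As an added detection example (not part of the original report), the following Python scores constructed process-creation events against the command lines listed above, alerting only when several of FunkSec's evasion steps share one parent process; the rule names, weights, PIDs and Sysmon-style field names are assumptions made for this example.

```python
"""Score process-creation events for the FunkSec defense-evasion chain.
Constructed example: regexes, weights and sample events are written for this
post and are not taken from the sample."""
import re
from collections import defaultdict

# (rule name, pattern, weight): one rule per command line in the report's
# "Processes spawned" IoCs; weights are illustrative.
RULES = [
    ("event-log-disabled",
     re.compile(r"wevtutil\s+sl\s+(Security|Application)\s+/e:false", re.I), 3),
    ("defender-realtime-off",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I), 3),
    ("execpolicy-bypass", re.compile(r"Set-ExecutionPolicy\s+Bypass", re.I), 1),
    ("vm-process-check",
     re.compile(r'tasklist\s+/fi\s+"?IMAGENAME\s+eq\s+\S*(vmware|vbox|virtualbox)', re.I), 2),
    ("admin-check", re.compile(r"^\s*net(\.exe)?\s+session\s*$", re.I), 1),
]

# A lone "net session" or one policy tweak is routine admin work; alert only
# when several evasion steps share the same parent process.
ALERT_THRESHOLD = 5

def match_rules(command_line):
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, pat, _ in RULES if pat.search(command_line)]

def score_process_tree(events):
    """Sum rule weights per ParentProcessId and keep the matched rule names."""
    scores = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        for name, pat, weight in RULES:
            if pat.search(ev["CommandLine"]):
                entry = scores[ev["ParentProcessId"]]
                entry["score"] += weight
                entry["hits"].append(name)
    return dict(scores)

def alerting_parents(events, threshold=ALERT_THRESHOLD):
    """Parent PIDs whose children together reach the alert threshold."""
    tree = score_process_tree(events)
    return sorted(pid for pid, v in tree.items() if v["score"] >= threshold)

# Constructed Sysmon-style process-creation events: PID 4120 mirrors the
# FunkSec chain, PID 880 is an administrator running ordinary checks.
SAMPLE_EVENTS = [
    {"ParentProcessId": 4120, "CommandLine": "net session"},
    {"ParentProcessId": 4120, "CommandLine": 'tasklist /fi "IMAGENAME eq vmware.exe"'},
    {"ParentProcessId": 4120, "CommandLine":
     'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ParentProcessId": 4120, "CommandLine": 'powershell -Command "wevtutil sl Security /e:false"'},
    {"ParentProcessId": 4120, "CommandLine": 'powershell -Command "wevtutil sl Application /e:false"'},
    {"ParentProcessId": 4120, "CommandLine":
     'powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"'},
    {"ParentProcessId": 880, "CommandLine": "net session"},
    {"ParentProcessId": 880, "CommandLine": 'powershell -Command "Get-MpPreference"'},
]
```

Running `alerting_parents(SAMPLE_EVENTS)` flags only PID 4120; the administrator's single `net session` stays well below the threshold.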

Monday, November 4, 2024

Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective

Author: Vlad Pasca
  • A technical deep dive into the new North Korean keylogger from a Hybrid Analysis perspective
  • The keylogger incorporates junk code to hinder analysis and logs keystrokes and mouse activity, storing the data in a password-protected, encrypted archive
  • The malware has been associated with a North Korean group targeting U.S. organizations
A new keylogger, attributed to the North Korean group Andariel (also known as APT45, Silent Chollima, or Onyx Sleet), has recently been disclosed and linked to targeted attacks against U.S. organizations. Using Hybrid Analysis, we reveal some of the malware’s capabilities, including its ability to capture sensitive information through keystroke and mouse activity logging. Additionally, we take a deep dive into the keylogger’s anti-analysis techniques, such as code obfuscation through the use of junk code, implemented in an effort to hinder analysis.

A Hybrid Analysis Perspective

Right at the top of the Hybrid Analysis report, the “Risk Assessment” section reveals that the malware sets a global Windows hook to intercept keystrokes and mouse events:

Figure 1 – Keylogger sets global hooks to intercept keystrokes and mouse events

Another important find in the Malicious Indicators section is that the keylogger installs a hook procedure monitoring low-level mouse input events (WH_MOUSE_LL), as highlighted in the figure below.

Figure 2 – API call with the WH_MOUSE_LL parameter

Expanding the “Spyware/Information Retrieval” malicious indicator reveals that a hook procedure that monitors low-level keyboard input events (WH_KEYBOARD_LL) is also installed (Figure 3).

Figure 3 – API call with the WH_KEYBOARD_LL parameter

Moving forward to the Suspicious Indicators section and expanding the “Tries to save executable or command in registry” indicator, we notice the malicious process modifies the “(Default)” value found under the Run registry key in order to achieve persistence on the machine:

Figure 4 – Registry value modification detected by Hybrid Analysis

Expanding the “Found strings related to keylogger” indicator, listed under the Spyware/Information Retrieval category of the Informative indicators, reveals multiple strings indicative of keylogger activity:

Figure 5 – Strings related to a potential keylogger were identified

Finally, checking the Extracted Files section of the Hybrid Analysis report reveals the malware creates an archive called “DT_0004.tmp” in the “%TEMP%” directory, which may indicate where the keylogger logs are stored:

Figure 6 – A new file is created in the TEMP folder

A Deeper Dive into The Keylogger

Taking the sample apart by performing some additional manual analysis reveals an anti-analysis technique that is used to obscure the program’s execution flow and make malware analysis more difficult. This technique consists of adding a lot of junk code as shown in the instructions presented in Figure 7.

Figure 7 – Junk code seen in x64dbg

Payload Decryption

The binary stores a custom encrypted payload at a specific location found after 84 NULL bytes. It uses the ReadFile function to read the buffer:

Figure 8 – ReadFile API used to read the encrypted payload

The content is decrypted and an executable is revealed (see Figure 9). The PE file header is removed, and the rest of the content is copied to a new memory area.

Figure 9 – New executable is decrypted in memory

Moving forward, we used PE-sieve to dump the malicious executable. The execution flow is redirected to the newly decrypted code using the instruction displayed below, where the target address of the CALL instruction (stored at RSP+60) points to an executable address in the decrypted payload range.

Figure 10 – Redirect the execution flow to the decrypted payload

The SetErrorMode method is utilized to avoid displaying error message boxes when certain errors occur (0x8007 = SEM_NOOPENFILEERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOGPFAULTERRORBOX | SEM_FAILCRITICALERRORS):

Figure 11 – SetErrorMode API call

Persistence

As part of the persistence mechanism, the process opens the “Software\Microsoft\Windows\CurrentVersion\Run” registry key via a function call to RegCreateKeyExW:

Figure 12 – RegCreateKeyExW API call

It then modifies the “(Default)” registry value using the RegSetValueExW function to establish persistence on the machine.

Figure 13 – Persistence is achieved by modifying the registry value

Keylogging Installation

The binary installs two hook procedures that monitor low-level keyboard and mouse input events, as in the following pseudocode:

// Keyboard hooking
1. KeyboardHook = SetWindowsHookEx(
       WH_KEYBOARD_LL,
       HookProcedure,
       NULL,
       NULL
   );
2. MSG Msg;
3. while (GetMessageW(&Msg, NULL, 0, 0) > 0)
       ;   // message loop (body omitted in the pseudocode)

At line 1, the sample calls the SetWindowsHookExW API specifying the following parameters:
  • RCX: WH_KEYBOARD_LL (0xD), to monitor low-level keyboard input events
  • RDX: the pointer to the hook procedure (described below in “Keylogger Routine”)
  • R8: NULL, since the hook routine is within the code associated with the current process
  • R9: NULL, to monitor all the existing threads running in the same desktop as the calling thread
At line 3, the binary uses the GetMessageW API to obtain messages from the calling thread’s message queue, storing them in the first parameter (RCX: &Msg). Since the remaining parameters are NULL, the function retrieves all messages for any window that belongs to the current thread, as well as any thread messages, allowing keyboard events to be handled by the hook procedure.

The installation of the hook procedure for mouse input events is very similar, with the first parameter being WH_MOUSE_LL (0xE).

Interestingly, a similar implementation of the keylogger mechanisms can also be found on GitHub.

The new thread creates a file called “DT_0004.tmp” in the temporary folder. The file is a password protected archive that extracts a file called “a04.log”. The password is “Pass@w0rd#384”.

Figure 14 – A new file is created and will store the keylogger logs

In the new thread, the sample retrieves the current local date and time using the GetLocalTime method to track the starting time of the keylogger. It converts the output to file time format using SystemTimeToFileTime. The result will be stored in the log file before new keystrokes or mouse events are written.

Figure 15 – Local date and time will be written to the file when new events occur

The malware writes content to the archive one byte at a time. The first two written bytes are “PK”, which indicate that the file will be a ZIP archive:

Figure 16 – New file is populated
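As an added triage example that is not the blog's own code, this Python walks the ZIP local file headers of a suspected log archive, using the “PK” signature and the encrypted flag bit, to check for the single password-protected a04.log entry described above; the archive bytes are constructed inline (local headers only, no real ZipCrypto stream).

```python
"""Triage a suspected keylogger log archive (the %TEMP%\\DT_0004.tmp file above)
by walking its ZIP local file headers without extracting anything.
Constructed example written for this post; the sample bytes are hand-built."""
import struct

LOCAL_HEADER_SIG = b"PK\x03\x04"   # starts with the "PK" bytes the malware writes first
ENCRYPTED_FLAG = 0x0001            # general-purpose bit 0: entry is password protected
HEADER_FMT = "<IHHHHHIIIHH"        # 30-byte fixed part of a local file header

def parse_local_headers(data):
    """Return (name, encrypted, compressed_size) for every local header found."""
    entries, off = [], 0
    while True:
        off = data.find(LOCAL_HEADER_SIG, off)
        if off < 0 or off + 30 > len(data):
            break
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack(HEADER_FMT, data[off:off + 30])
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & ENCRYPTED_FLAG), csize))
        # Skip the entry body; if csize is 0 (streamed entry), find() just scans on.
        off += 30 + nlen + xlen + csize
    return entries

def matches_reported_archive(data):
    """True when the blob is a ZIP whose only entry is a password-protected a04.log."""
    entries = parse_local_headers(data)
    return len(entries) == 1 and entries[0][0] == "a04.log" and entries[0][1]

def build_sample_archive(name, payload, encrypted):
    """Constructed sample: one stored (method 0) entry, local header only.
    The encrypted variant only sets the flag; it carries no real ZipCrypto
    stream, so it is meant for header parsing, not for extraction."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    header = struct.pack(HEADER_FMT, 0x04034B50, 20, flags, 0, 0, 0,
                         0, len(payload), len(payload), len(name), 0)
    return header + name.encode() + payload
```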

Keylogging Routine

When detecting new keystrokes or mouse events (see Figure 17), the keylogger hooking procedure (specified in the second parameter of SetWindowsHookEx) extracts the text of the foreground window:

Figure 17 – Foreground window’s title is obtained using multiple APIs

The virtual-key code corresponding to keyboard keys or mouse buttons is compared with multiple values, as highlighted below:

Figure 18 – Virtual-key codes are compared with specific values

A partial list of virtual-key codes corresponding to special keys is displayed in the figure below.

Figure 19 – Special keys are recorded by the keylogger

The malicious process obtains the active input locale identifier by calling the GetKeyboardLayout API:

Figure 20 – GetKeyboardLayout API call

ToUnicode is utilized to translate virtual-key codes and keyboard states to the corresponding Unicode character. For example, the 0x50 key is translated to the “P” character:

Figure 21 – Virtual-key codes translation

On finishing the hook routine, the information is passed to the next hooking procedure in the hook chain using CallNextHookEx (Figure 22).

Figure 22 – Pass the hook information to the next hook procedure

The keylogger also steals data from the clipboard. It uses the OpenClipboard and GetClipboardData methods to achieve its objective:

Figure 23 – OpenClipboard and GetClipboardData API calls

An example of a log file is displayed below. Strings such as “[Lm]” and “[Rm]” are recorded when pressing the left mouse button and right mouse button, respectively.

Figure 24 – Example of a log file created by the keylogger

Through the Eyes of Hybrid Analysis

Hybrid Analysis has been able to identify the API calls used to install hook procedures and strings that might indicate keylogger activity, presenting all that information in a rich, detailed, and structured report. The keylogger’s persistence mechanism and the file created for storing logs are both revealed in the report, enabling threat hunters, analysts and researchers to quickly assess the impact and capabilities of the threat.

Hybrid Analysis is an ideal platform for identifying and analyzing malware both sophisticated and mundane. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA256

File created
%TEMP%\DT_0004.tmp


Tuesday, October 15, 2024

Hybrid Analysis Partners with Criminal IP, Bringing OSINT-Based Threat Analysis Search

Hybrid Analysis continues to add new features and capabilities, making our free malware analysis service more compelling than ever. As part of this growth, we are pleased to announce integration of the Criminal IP search engine as part of our Quick Scan analysis.


Criminal IP’s search engine is OSINT-based (Open Source Intelligence) and delivers extensive cyber threat intelligence data for URLs and domains, which can be a valuable tool for threat hunting and attack surface analysis. This includes the DGA (Domain Generation Algorithm) score for the scanned URL, phishing detection, suspicious cookies/apps/HTML on the website, SSL validation and more.


In Hybrid Analysis, simply enter an IP address or website, select Quick Scan, and then you’ll view the Criminal IP Scorecard on the Overview page, which represents the threat assessment level of the scanned domain/IP. Hybrid Analysis users can leverage this new Criminal IP integration to quickly and proactively identify potential threats, helping them make informed decisions about the state of an IP or URL.


Criminal IP Integration: Head For the Analysis Overview Section

Criminal IP is now included among the integrated technology partnerships in the Analysis Overview section, which is part of the Quick Scan analysis feature in Hybrid Analysis. You’ll find the new service as a Scorecard presenting a color-coded rating for the scanned entity. The Scorecard includes a More Details button that provides additional context and detail about the analysis of the scanned domain/IP. You can also click a button on the Scorecard that will take you directly to Criminal IP’s website for additional details of your scan based on the service’s extensive threat intelligence data.


Figure 1: Analysis Overview section showing Criminal IP Scorecard indicating a URL detected as malicious

Figure 2: Clicking More Details on the Criminal IP Scorecard from the previous screenshot brings up the URL Scan Report Summary, showing details


Happy Hunting!

This new partnership with Criminal IP further enhances the ability of Hybrid Analysis users to identify and assess potential threats and cyber risks. Stay tuned for ongoing updates on the ways that we are continuing to make our platform even stronger – including collaboration and partnership with organizations like Criminal IP – providing the Hybrid Analysis community with the most extensive suite of threat research tools available.