Author(s): Vlad Pasca
- New Rust-based ransomware FunkSec emerges, claiming to have been developed with the help of AI.
- Aggressive defense mechanisms include anti-VM detection and process termination, effectively disabling user access.
- Disables Windows Defender real-time protection and event logging early on to minimize the chance of detection.
- Establishes persistence via a scheduled task and encrypts files with XChaCha20.
- Encryption only proceeds if a specific wallpaper image is downloaded successfully, which suggests an implementation shortcoming.
In a new development for cybersecurity professionals, a novel Rust-based ransomware called FunkSec has emerged, claiming to leverage artificial intelligence in its development. First appearing in 2024 and recently analyzed by Check Point researchers, this ransomware demonstrates a mix of sophisticated capabilities and developmental inconsistencies that suggest it is still a work in progress.
While FunkSec implements advanced features like the XChaCha20 encryption algorithm and comprehensive anti-VM techniques, its execution reveals several technical anomalies. Most notably, the malware has an unusual dependency on downloading a specific wallpaper image from imgur.com, without which the encryption process won't start. This peculiar feature, combined with attempts to connect to local IP addresses on port 4444 and a relatively low ransom demand of 0.1 BTC, suggests the ransomware is under active development and may evolve further.
This technical deep dive examines FunkSec's inner workings, from its advanced capabilities to its apparent developmental shortcomings.
A Hybrid Analysis Perspective
As we can see in the “Malicious indicators” section of the Hybrid Analysis report, the ransomware disables Security and Application event logging using wevtutil:
The process disables real-time protection for Windows Defender using PowerShell, as highlighted below:
It modifies the PowerShell execution policy to “Bypass” for the current PowerShell session:
The ransomware runs multiple Windows commands, one of which implements an anti-analysis technique that verifies if a process containing “vmware” is running on the host (see Figure 4). It also checks the user privileges using the net session command.
The ransom note called “README-<random chars>.md” is shown in the “Extracted Files” section of the report:
A Deeper Dive Into The Ransomware
The malicious executable verifies if it’s running with admin privileges by executing the “net session” command. If it’s not running with elevated privileges, then “Access is denied.” is displayed in the output:
Anti-VM Techniques
The executable checks for virtualization software such as VMware or VirtualBox, as displayed in the figure below:
The ransomware stops the following processes and services. Notably, the “explorer.exe” process is killed, so the user loses access to the user interface:
The binary enumerates drive letters from “A:” to “Z:” and checks whether each one exists by calling the CreateFileW API (dwShareMode 0x7 = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, dwCreationDisposition 0x3 = OPEN_EXISTING):
The malware copies itself to every drive found and prints the “Copied to USB:” message (Figure 10). Not all of these drives are USB devices, but the process doesn’t check the drive type.
Another sign that the ransomware may still be in development is that it tries to connect to several local IP addresses on port 4444, using the connect function:
Persistence
The ransomware establishes persistence by creating a scheduled task called “funksec” that will execute the initial executable:
The malicious process disables Security and Application event logging using the wevtutil command. Moreover, it also turns off real-time protection for Windows Defender:
The ransom note is hard-coded in the binary. It contains the ransomware version (V1.5), the amount to pay in BTC (0.1) and the Bitcoin wallet address:
The malware verifies whether the machine uses a proxy server to connect to the internet and extracts the IP address/host name of the proxy server if that’s the case (see Figure 16).
It tries to download an image that will be set as the Desktop wallpaper from i.imgur[.]com. If the operation is unsuccessful, then the ransomware doesn’t encrypt the files:
The downloaded image is set as the Desktop wallpaper via a function call to SystemParametersInfoW (0x14 = SPI_SETDESKWALLPAPER):
The list of file extensions that are targeted is displayed in Figure 19.
Encryption of Files
The ransomware traverses the file system and enumerates files using the FindFirstFileW and FindNextFileW APIs:
The NtReadFile function is used to read the content of the files that will be encrypted.
The files are encrypted using the XChaCha20 algorithm. The nonce (24 bytes) and key (32 bytes) are generated by calling the BCryptGenRandom API, as shown below.
A snippet of the XChaCha20 implementation is displayed in Figure 24.
The malware creates a new file with the “.funksec” extension and populates it with encrypted content via a function call to NtWriteFile. The original file is deleted using the DeleteFileW API.
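As an added illustration of the primitive named above (this is not the ransomware's code and was not reconstructed from the sample), the following pure-Python XChaCha20 follows draft-irtf-cfrg-xchacha: HChaCha20 derives a subkey from the 32-byte key and the first 16 nonce bytes, and ChaCha20 (RFC 8439) with the remaining 8 nonce bytes generates the keystream. os.urandom stands in for BCryptGenRandom. The report does not describe how the key and nonce are stored or transmitted, nor the layout of a .funksec file, so the example assumes a raw ciphertext that starts at block counter 0; the function names are my own.

```python
import os
import struct

# "expand 32-byte k": the four constant words that open every ChaCha state.
# Spotting these in a disassembly is the usual tell for ChaCha/XChaCha (cf. Figure 24).
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)


def _twenty_rounds(state):
    s = list(state)
    for _ in range(10):                  # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12)   # column rounds
        _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14)
        _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13)
        _quarter_round(s, 3, 4, 9, 14)
    return s


def chacha20_block(key, counter, nonce12):
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout: 4 consts, 8 key, 1 counter, 3 nonce words)."""
    state = list(CONSTANTS) + list(struct.unpack("<8L", key)) + [counter] + list(struct.unpack("<3L", nonce12))
    working = _twenty_rounds(state)
    return struct.pack("<16L", *[(w + s) & MASK32 for w, s in zip(working, state)])


def hchacha20(key, nonce16):
    """Derive the 32-byte XChaCha20 subkey from the key and the first 16 nonce bytes (no feed-forward add)."""
    state = list(CONSTANTS) + list(struct.unpack("<8L", key)) + list(struct.unpack("<4L", nonce16))
    w = _twenty_rounds(state)
    return struct.pack("<8L", *(w[0:4] + w[12:16]))


def xchacha20_xor(key, nonce24, data, counter=0):
    """XChaCha20 keystream XOR; the same call encrypts and decrypts."""
    if len(key) != 32 or len(nonce24) != 24:
        raise ValueError("XChaCha20 needs a 32-byte key and a 24-byte nonce")
    subkey = hchacha20(key, nonce24[:16])
    subnonce = b"\x00\x00\x00\x00" + nonce24[16:]  # last 8 nonce bytes, zero-padded to 12
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(subkey, counter + i // 64, subnonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def generate_key_and_nonce():
    # os.urandom stands in for BCryptGenRandom; sizes match the report (32-byte key, 24-byte nonce).
    return os.urandom(32), os.urandom(24)


def roundtrip_demo():
    # Constructed sample file content; the ciphertext is what a .funksec file body would hold
    # if the blob is raw keystream-XORed data starting at counter 0 (an assumption, see above).
    plaintext = b"constructed sample document contents for the XChaCha20 demo ... " * 3
    key, nonce = generate_key_and_nonce()
    ciphertext = xchacha20_xor(key, nonce, plaintext)
    recovered = xchacha20_xor(key, nonce, ciphertext)
    return plaintext, ciphertext, recovered


if __name__ == "__main__":
    pt, ct, rec = roundtrip_demo()
    print("ciphertext differs from plaintext:", ct != pt)
    print("decrypts with the same key and nonce:", rec == pt)
```

Because XChaCha20 is a stream cipher, the same xchacha20_xor call decrypts. The practical point for incident response is that recovering a file requires both the 32-byte key and the 24-byte nonce that BCryptGenRandom produced, so any key material captured from memory must be paired with the matching nonce; and the four “expand 32-byte k” constants plus the 20-round column/diagonal structure are what to look for when confirming the algorithm in a disassembly such as Figure 24.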
Through the Eyes of Hybrid Analysis
Hybrid Analysis has been able to identify that FunkSec ransomware disables Windows Event logging and real-time protection for Windows Defender. The detailed report contains information about the check for VM-related processes and the command that verifies whether the user has administrative privileges. The ransom note containing the ransomware version 1.5 can be downloaded for attribution purposes.
Hybrid Analysis is an ideal platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.
Indicators of Compromise
SHA256
Files created
downloaded_wallpaper.jpg
README-<random chars>.md
Processes spawned
net session
tasklist /fi IMAGENAME eq <VM process>
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell -Command "wevtutil sl Security /e:false"
powershell -Command "wevtutil sl Application /e:false"
powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"
Scheduled task
funksec
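The evasion and reconnaissance commands listed above (and described earlier under the Hybrid Analysis report and the Persistence section) translate directly into process-creation detection logic. The following Python is an added example, not part of the Hybrid Analysis report: it tags Sysmon-style command lines with the report's indicators and alerts on a host only when the tags combine the way FunkSec chains them, so a lone net session or tasklist call from an administrator does not fire. The event format, host names and the schtasks command line are constructed; the report lists only the task name “funksec”, not the command that creates it.

```python
import re

# Detection signatures for the command lines listed under "Processes spawned",
# plus a constructed schtasks pattern for the "funksec" task. Tag -> regex over the command line.
PATTERNS = {
    "priv_check":        re.compile(r"^\s*net\s+session\s*$", re.I),
    "vm_process_check":  re.compile(r"tasklist\s+/fi\s+\"?IMAGENAME\s+eq\s+[^\"]*(vmware|vbox|virtualbox)", re.I),
    "defender_rtp_off":  re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
    "log_disable":       re.compile(r"wevtutil\s+sl\s+(Security|Application|System)\b.*?/e:false", re.I),
    "execpolicy_bypass": re.compile(r"Set-ExecutionPolicy\s+Bypass", re.I),
    "task_persist":      re.compile(r"schtasks\s+/create\b.*?/tn\s+\"?funksec\b", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 style), pipe-delimited:
# timestamp|host|user|image|command line. WS01 replays the FunkSec sequence; WS02 is benign admin use.
SAMPLE_EVENTS = [
    "2025-01-10T09:01:02Z|WS01|jdoe|net.exe|net session",
    '2025-01-10T09:01:03Z|WS01|jdoe|tasklist.exe|tasklist /fi "IMAGENAME eq vmware.exe"',
    '2025-01-10T09:01:04Z|WS01|jdoe|powershell.exe|powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2025-01-10T09:01:05Z|WS01|jdoe|powershell.exe|powershell -Command "wevtutil sl Security /e:false"',
    '2025-01-10T09:01:05Z|WS01|jdoe|powershell.exe|powershell -Command "wevtutil sl Application /e:false"',
    '2025-01-10T09:01:06Z|WS01|jdoe|powershell.exe|powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force"',
    "2025-01-10T09:01:07Z|WS01|jdoe|schtasks.exe|schtasks /create /tn funksec /tr C:\\Users\\jdoe\\Downloads\\sample.exe /sc onlogon",
    "2025-01-10T09:30:00Z|WS02|admin|wevtutil.exe|wevtutil qe Security /c:5",
    '2025-01-10T09:31:00Z|WS02|admin|powershell.exe|powershell -Command "Get-MpPreference"',
    "2025-01-10T09:32:00Z|WS02|admin|net.exe|net session",
]

# Tags that represent defense evasion or persistence rather than mere reconnaissance.
EVASION = {"log_disable", "defender_rtp_off", "execpolicy_bypass", "task_persist"}


def parse_event(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def tag_command(cmdline):
    """Return every signature tag that matches one process command line."""
    return [tag for tag, rx in PATTERNS.items() if rx.search(cmdline)]


def scan(lines):
    """Group matched command lines by host and tag: {host: {tag: [cmdline, ...]}}."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        for tag in tag_command(ev["cmdline"]):
            per_host.setdefault(ev["host"], {}).setdefault(tag, []).append(ev["cmdline"])
    return per_host


def alerts(per_host):
    """Alert only when a host shows two or more evasion actions, or four or more distinct tags."""
    out = {}
    for host, tags in per_host.items():
        if len(EVASION & set(tags)) >= 2 or len(tags) >= 4:
            out[host] = sorted(tags)
    return out


if __name__ == "__main__":
    for host, tags in alerts(scan(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

Two caveats for deployment. First, because the sample switches off Security and Application logging with wevtutil, the process-creation events that carry these command lines must come from telemetry that is forwarded off the host as it is generated (Sysmon or an EDR sensor), since the Security log itself goes quiet right after the wevtutil command runs. Second, the regexes are deliberately anchored on the verb and flag (wevtutil sl ... /e:false, Set-MpPreference -DisableRealtimeMonitoring $true) rather than on the powershell wrapper, so the same logic fires whether the commands are launched via PowerShell, as in the report, or directly.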