Dissecting BlueSky Ransomware Payload

Introduction

BlueSky is a ransomware firstly spotted in May 2022 and it gained the attention of the threat researchers for two main reasons: the first one is that the group behind the ransomware doesn’t adopt the double-extortion model; the second one is that their targets are even normal users because the ransomware has been discovered inside cracks of programs and videogames.

For these reasons, we at Yoroi malware ZLab decided to keep track of the threat, following the distribution of the samples, and we decided to provide a technical analysis of the ransomware payload.

Technical Analysis

The API Loading Scheme

The sample starts by walking the PEB (Process Environment Block) to dynamically load the APIs. It is a common technique to not statically show them in the import table, it walks one of the three linked lists located in the PEB_LDR_DATA such as InLoadOrderModuleList. In this way, the sample is able to enumerate the modules contained inside the linked list and to compare them with the hashed names hidden inside the code in order to correctly import the desired ones. In this case, the APIs are hashed with djb2 algorithm. 

The following figure shows the routines to dynamically load the function:

The obfuscated Stack Strings

Instead, other critical strings are obfuscated through the stackstrings method and a simple routine to encrypt them 

However, the algorithm is easy to revert, and we developed an easy script to decrypt the stackstrings: 

string = [123,82,90,123,45,56,32,88,94] 

decrypted = "" 

for i in string: 

    decrypted += chr((34 * (i - 94) % 127 + 127) % 127) 

print(decrypted)

Anti-Debug Technique

Once resolved the first functions, the sample calls NtSetInformationThread with ThreadHideFromDebugger hiding the thread and if any breakpoint is placed causing the crash of the process, you can read more about this anti-debug technique here 

Privilege Escalation

While analyzing the sample, we also found similarities with Conti Ransomware in how the strings are obfuscated and some other routines, like how BlueSky removes the shadow copies through the WMI COM Interface. It abuses the “ICMLuaUtil COM Interface (3E5FC7F9-9A51-4367-9063-A120244FBEC7)”. However, this technique is a well-known and documented technique publicly available on the internet, adopted both in intrusion and malware development operations. 

The sample calls RtlAdjustPrivilege API call with the token “SeDebugPrivilege”, in order to gain the privilege to arbitrary manipulate every file and process. 

Generating the Victim ID

BlueSky proceeds by generating the victim ID by hashing with MD5 the following system info: 

• MachineGuid (4 Bytes) 
• DigitalProductId 
• InstallDate 
• C:\ Serial Number 

Then the hash is passed to the following custom routine: 

The sample proceeds creating a mutex “Global\\{generated_id}” in this case being “Global\1580B4213F8F3E90E4E0E3CD1F6FAC52” 

The Encryption Routine

Now it’s time to encrypt the files. The first operation of the sample is to aquire a handle to the cryptographic provider PROV_RSA_FULL by calling CryptAcquireContextA: 

BlueSky stores the information related to the encryption, in the registry key “HKCU\SOFTWARE\1580B4213F8F3E90E4E0E3CD1F6FAC52\”. To store the recovery information, it uses “ChaCha20 + Curve25519 + RC4 (on RECOVERYBLOB)”, meanwhile “ChaCha20 + Curve25519” for the encryption 

Below the encryption routine: 

 BlueSky creates a list of the excluded files inside the code. The list is the following: 

• Extensions (ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx) 

• Directories ($recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser) 
• Filenames (# decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db) 

Exception Handling and other features

The sample implements also some interesting Exception Handling features in order to avoid the system crash. In detail, before proceeding to the encryption BlueSky checks if after calling CreateFileW the LastErrorValue is ERROR_SHARING_VIOLATION if true, the sample calls NtQueryInformatonFile retrieving the FileProcessIdsUsingFileInformation which contains a list of the PIDs which use the file. If the PID isn’t equal to itself or the PID of explorer.exe retrieved before, it calls NtQueryInformatonProcess  with ProcessInformationClass set to 29 (ProcessBreakOnTermination) to retrieve a value indicating whether the process is considered critical. In this case, the malware skips that file and keeps encrypting others. 

 The sample can prevent the system from entering sleep or turning off the display by calling SetThreadExecutionState to ES_CONTINUOUS 

 At the end of the encryption, the ransom note points to the blog of the attackers: 

Conclusion

Blusky ransomware is a proof that even nowadays cyber criminals use basic and highly effective social engineering techniques. When we are looking for a cracked software, we have to know that there is always a price and in this case it’s a ransomware with a high ransom.  

So, it is necessary to sensibilize people to avoid installing cracked software, not only inside the company perimeter, but also inside the home devices. It is a simple but effective preventive measure to defend against similar threats.  

The attention for emerging threats is one of the core activities of Yoroi and we think that BlueSky needs to be observed with attention.  

Yara Rules

rule bluesky_ransomware 

{ 

  meta: 

    author = "Yoroi Malware ZLab" 

    description = "Rule for BlueSky Ransomware" 

    last_updated = "2022-09-14" 

    tlp = "WHITE" 

    category = "informational" 

    hash = "9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f" 

  

  strings: 

     //sub_00407a30 

    $1 = {55 8b ec 83 ec ?? 56 e8 ?? ?? ?? ?? 85 c0 0f 84 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 0f 11 4? ?? 68 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? 0f 11 4? ?? e8 ?? ?? ?? ?? 0f 10 4? ?? 83 c4 ?? 8b d0 8d 4? ?? 50 83 ec ?? 8b cc 6a ?? 6a ?? 83 ec ?? 0f 11 01 8b c4 0f 10 4? ?? 0f 11 00 ff d2 85 c0 0f 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4d c8 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 0f 10 4? ?? 8b 4? ?? 83 ec ?? 8b c4 83 ec ?? 8b 11 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 0f 10 4? ?? 51 0f 11 00 ff 52 28 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 85 f6 78 ?? 8b 4? ?? 8d 5? ?? 52 68 ?? ?? ?? ?? 50 8b 08 ff 5? ?? 85 c0 78 ?? 8b 4? ?? 6a ?? ff 7? ?? 8b 08 50 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 50 08 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? ff d0 5e 8b e5 5d c3} 

  

  condition: 

    uint16(0) == 0x5A4D and $1 

} 

This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB