Karmen Ransomware Variant Introduced by Russian Hacker

On March 4, 2017, a member of a top-tier cyber criminal community mentioned a new ransomware variant called “Karmen.” We’ve taken a closer look.

The post Karmen Ransomware Variant Introduced by Russian Hacker appeared first on Recorded Future.

On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.”
Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.
However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.

Mentions of “Karmen” by DevBitox or Dereck1 on dark web and special access sources in Recorded Future, which include posts by the actors selling the Karmen malware on the aforementioned criminal forum.

Mentions of Karmen malware on the web over time.
Background
The Karmen malware is derived from “Hidden Tear,” an open source ransomware project available for purchase by anyone. As is typical of ransomware infections, Karmen encrypts files on the infected machine with the strong AES-256 encryption algorithm, making them inaccessible to the user, and may then display a ransom note or instructions demanding that the user pay a large sum of money to obtain the decryption key from the attacker.
A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.

The following screenshots show the affiliate page seen by purchasers of Karmen. This interface lets actors change the malware’s settings through a control panel that requires very little technical knowledge.

The “Clients” page allows tracking of computers infected with the malware, including the status of any ransom that has been paid.

The dashboard gives an overview of other relevant information, including the operator’s number of clients, how much money they have earned, and updates to the Karmen software.

The message shown above is displayed on the computer of a user infected with Karmen, warning them not to interfere with the malware.
Description of Karmen Malware Provided by DevBitox
Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (fully undetectable): 1/35
Automatic file decryption after payment is received
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
Light version: obfuscation and autoloader only
Full version: detection of analysis software
*Or if analysis software is detected
Notes
Application is .NET dependent
Support infrastructure: PHP 5.6, MySQL; the PHP “file()” function must be enabled on the server
Rebuild: free (up to three copies)
Updates: free
Price: $175
Known Indicators
File Name: joise.exe
File Name: n_karmen.exe
File Name: build.exe
File MD5: 9c8fc334a1dc660609f30c077431b547
File MD5: 56b66af869248749b2f445be8f9f4a9d
File MD5: 521983cb92cc0b424e58aff11ae9380b
SHA1: dc875c083c5f70e74dc47373a4ce0df6ccd8ae88
SHA1: f79f6d4dd6058f58b384390f0932f1e4f4d0fecf
SHA1: 2a3477ea2d09c855591b3d16cfff8733935db50b

Video presentation of Karmen ransomware operation. Please note that although this video appears on the Recorded Future YouTube channel, it was produced by DevBitox as a marketing tool for their ransomware.
The seller has admitted he was only involved with web development and control panel design; the malware uses the open source encryption project “Hidden Tear” and was created by an unknown associate operating out of Germany.
As of this writing, DevBitox had sold 20 copies of the Karmen malware, and only five copies remain available to potential buyers.
Author: Diana Granger