As ransomware variants become increasingly sophisticated, it’s important to note that there are still lesser-known variants that are less advanced yet use interesting techniques to infect systems.
Kangaroo ransomware made waves in November 2016 and was described as a straightforward family of malware that doesn’t make any attempt to obfuscate code and tries to lock users out of Windows in addition to locking up their data.
The ransomware is installed by the malware’s developer after the threat actor manually breaks into computers using remote desktop, according to a Bleeping Computer blog post.
Threat actors gain access to a user’s system via RDP, drop and execute the malware, and copy off the unique ID and encryption key from the victim system, researchers said. The ransomware requires that the threat actor have GUI access to the system, uses no code obfuscation, and requires threat actors to maintain the stability of the system.
Carbon Black researchers further examined the ransomware and found that during the setup stages, the malware’s author uses three API calls (BeginUpdateResourceW, UpdateResourceW and EndUpdateResourceW) to match the version language information of the malware to the native explorer.exe binary, according to an Oct. 2 blog post.
Researchers said this combination of APIs allows the malware to read in the version information, apply it to the malware, and look like explorer on disk.
The malware then tries to hide its origins on the system by performing final anti-forensic tasks: it clears both the SYSTEM and SECURITY logs, deletes the copy backups from the system, deletes any shadow copies from the system, and attempts to hide from the victim by impersonating explorer.exe.
“In order to complete the charade, Kangaroo performs time stomping on the malware by reading in explorer’s create/write/access times and applying them to itself using GetFileTime and SetFileTime,” researchers said in the post. “This combination can make it difficult to locate the malware if traditional timeline forensics are performed on the system.”
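A triage check for the explorer.exe masquerade described above, as an added example that is not taken from the Carbon Black or Bleeping Computer analysis. It assumes a file inventory has already been exported with $STANDARD_INFORMATION ($SI) times, the $FILE_NAME ($FN) creation time and PE version strings; the record layout, paths, times and version strings below are constructed.

```python
from datetime import datetime

REFERENCE = r"C:\Windows\explorer.exe"

def rec(path, si_c, si_m, si_a, fn_c, version):
    """One file record: $SI times, $FN creation time, PE version strings."""
    t = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
    return {"path": path, "si": (t(si_c), t(si_m), t(si_a)),
            "fn_created": t(fn_c), "version": version}

# Constructed sample inventory (paths, times and version strings are made up).
RECORDS = [
    rec(REFERENCE, "2016-07-16 11:42:24", "2016-07-16 11:42:24",
        "2016-07-16 11:42:24", "2016-07-16 11:42:24",
        ("Example OS Vendor", "EXPLORER.EXE")),
    rec(r"C:\Users\Public\svc\helper.exe", "2016-07-16 11:42:24",
        "2016-07-16 11:42:24", "2016-07-16 11:42:24", "2016-11-28 03:15:02",
        ("Example OS Vendor", "EXPLORER.EXE")),
    rec(r"C:\Tools\editor.exe", "2016-09-01 09:00:00", "2016-09-03 10:30:00",
        "2016-09-03 10:30:00", "2016-09-01 09:00:00",
        ("Example Tools Inc", "EDITOR.EXE")),
]

def find_impersonators(records, reference_path=REFERENCE):
    """Return {path: [reasons]} for files that look dressed up as the reference."""
    ref = next(r for r in records if r["path"].lower() == reference_path.lower())
    findings = {}
    for r in records:
        if r is ref:
            continue
        reasons = []
        if r["si"] == ref["si"]:
            # Identical create/write/access triple: what GetFileTime/SetFileTime cloning leaves.
            reasons.append("si_times_match_reference")
        if r["si"][0] < r["fn_created"]:
            # SetFileTime rewrites $SI only, so $FN still shows the real arrival time.
            reasons.append("si_created_before_fn_created")
        if r["version"] == ref["version"]:
            # Version resource copied onto a binary at another path.
            reasons.append("version_info_matches_reference")
        if reasons:
            findings[r["path"]] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in find_impersonators(RECORDS).items():
        print(path, "->", ", ".join(reasons))
```

Each reason is a lead for an analyst, not a verdict: archive extractors and installers also set file times, so a single hit has benign explanations, while all three on one file is a strong signal.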
The Kangaroo ransomware family also uses an encryption whitelist to prevent any damage from occurring to the system itself.
To prevent infections, researchers recommend that users block or limit access to RDP from the internet, or at least use two-factor authentication where such access is required.