1/7

Dump-GUY

NightSky Ransomware – just a Rook RW fork in
VMProtect suit

github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware–
just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware–just_a_Rook_RW_fork_in_VMProtect_suit.md

The main subject of this analysis is to explain Cryptographic functions used in
NightSky and Rook ransomwares and compare their similarities and
differences. This is not just some kind of show-off report but the main purpose
of this, is to share some knowledge, ideas, work-flow and problems which
could occur during this kind of research.

Before we jump in, both of these ransomwares are using the same version of
statically linked OpenSource library Mbed TLS (2.23.0 – 2.24.0) to implement
Crypto functions. Because of minor changes in Mbed TLS between versions
2.23.0 and 2.24.0 (ransomware code is not affected by these changes), there is
no way to specify which one of these version was used, but more important is
that both ransomwares are using the same version of Mbed TLS.

Finding out the exact version was a pitty work, involving compilation of different
version of Mbed TLS (last 20 versions) with exact same version of Visual
Studio (2015) and same version of compiler tools (19.00.24245 – obtained from
Rook RW). Because of shredded Rich Header in NightSky ransomware

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md


2/7

(caused by used VMProtect), we can only presume that both of these RW were
built with compiler tools 19.00.????? probably Visual Studio 2015 but not
necessary. In the Rook case, we also know the exact version of compiler tools
(19.00.24245) – Rich Header presented.

Real hard work started with many attempts to find the correct C\C++ compiler
and linker configuration which was used in both of these ransomwares
(involving reversing of Mbed TLS functions in ransomwares and produced .dll
and .obj (in .lib file) files). Fortunately, and not surprising, the best configuration
was the same for both of these ransomwares. Built .lib files served for
generating FLIRT signatures and .dll files with pdb symbols were used for fuzzy
matching with Rizzo signatures, fingermatch signatures, diaphora... Big
differences between matched functions, using different versions of Mbed TLS,
let to exact version of Mbed TLS (2.23.0 – 2.24.0) which was used in both
cases. These facts could be just an interesting coincidence but after I introduce
the code similarity it will be obvious that NightSky Ransomware is just a fork of
Rook and there is possibility that same TA is behind the creation of these
Ransomwares. (another possibility is leaked src code etc..).

NightSky RW vs Rook RW brief crypto summary

Let´s do some reversing

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/25b5e2a596abdfaebd3dc49b8932421b.png
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/459315fdc9f7862aca1c3ff5896c1b10.PNG


3/7

After this brief introduction we can jump to the main function of these
ransomwares. We can see main function of Rook and NighSky RW in the
picture below. NightSky omitted some functionality of Rook (processing cmdline
arguments, debug mode…) and some were just moved to different functions
but code similarity related to multi-threading and synchronization remains.

One of the first function in “main” in both of these ransomwares -
“setPRNG_generate_VictimRSAKeys_encryptVictimPrivateKEY” is responsible
for generating Victim RSA2048 key pair where Victim RSA2048 private KEY is
encrypted by TAs embedded RSA2048 public key. The encryption of victim
RSA private key is performed in loop of 200 bytes as you can see in the picture
below. Again the similarity of code is obvious.

We can move on to function which is start routine of newly spawned threads.
This NightSky routine is handled by literally copy-paste code from Rook RW
and serves as synchronization which leads to function responsible for file
encryption “encrypt_file”.

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/3b00de6998edaec41f72bf9a02fdcd77.png
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/8f20ba35c27de171a4be2859469c6d34.png


4/7

In “encrypt_file” function code below we can see that both of these
ransomwares are using Mbed TLS random module to generate for each file
unique 16 bytes random AES key. This AES key is later used but also gets
encrypted by previously generated victim RSA2048 public key and saved to
structure which will be later part of encrypted file footer.

Usage of the randomly generated AES key is different in NightSky and Rook
ransomware. Rook ransomware encryption is a combination of AES128 ECB
mode with intermitten encryption -> looping 32 bytes chunks where only first 16
is encrypted. Max encrypted size is 524288*3.

NightSky ransomware encryption is AES128 CBC mode with hardcoded IV
where max encrypted size is the same as in Rook case - 524288*3.

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/a361de490d912413143e3556a52b2e29.PNG
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/7396b9184b0fc529a2dd6faa846d3a92.PNG


5/7

You can see NightSky AES128 CBC mode with hardcoded IV below.

Our final stage of analysis is comparing of encrypted file structure.

Rook Ransomware encrypted file structure (only something I named
Quadpart_presented tag is in addition to NightSky – this tag has no meaning
and because of that was probably omitted):

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/8cb4efeb44801e0411e9478926057e6f.PNG
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/3ff3f8df2e259d12087333da9ff54635.PNG


6/7

NightSky Ransomware encrypted file structure:

Conclusion:

As we could see, the similarity between Rook and NightSky ransomware looks
sometimes like copy-paste of code.

What could be quite tricky thing for analysts is that NightSky is delivered as
VMProtected and with combination of statically linked Mbed TLS crypto library
it could be let´s say “unpleasant”.

Some functionality from Rook Ransomware (not part of crypto process) is not
presented in code of NightSky. Only one difference in encryption is that
NightSky RW replaced intermitten AES-ECB encryption for more secured AES-
CBC.

Recommendation:

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/f00d91b202e199acec7f35ff8c176950.PNG
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/media/3937fb153e250ee14d1b9e810e9fc0e7.PNG


7/7

If possible always try to perform decryption on your own (spoofing public key,
grabbing session keys, hooking etc…) to confirm your analytical assumptions.

If you were able to read it to this part, you can also check my steps without
correction [HERE]

Download:

Unpacked, repaired and debuggable sample of NightSky RW is available
[HERE-pass:infected]

Generated FLIRT, Rizzo and Fingermatch signatures for Mbed TLS 2.24.0
[HERE]

IOCs:

NightSky Ransomware MD5: 9608c8b6c8d80fdc67b99edd3c53d3d2
Rook Ransomware MD5: 6d87be9212a1a0e92e58e1ed94c589f9

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/TrueStory_notes.txt
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/files/Repaired_debuggable_NightSkyRW.7z
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/tree/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/files/Signatures_MbedTLS2.24