Hermes ransomware distributed to South Koreans via recent Flash
zero-day | Malwarebytes Labs
By Malwarebytes Labs
Published: 2018-03-13 · Archived: 2026-04-05 12:47:36 UTC
This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.
At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player
zero-day used in targeted attacks. The flaw, which exists in Flash Player 28.0.0.137 and below, was distributed via
malicious Office documents containing the embedded Flash exploit. Only a couple of weeks after the public
announcement, spam campaigns were already beginning to pump out malicious Word documents containing the
newly available exploit.
While spam has been an active distribution channel for some time now, the news of a Flash exploit would most
certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-
4878), we showed how trivial it was to use an already available Proof-of-Concept and package it as as a drive-by
download instead.
On March 9th, MDNC discovered that a less common, but more sophisticated exploit kit called GreenFlash
Sundown had started to use this recent Flash zero-day to distribute the Hermes ransomware. This payload was
formerly used as part of an attack on a Taiwanese bank and suspected to be the work of a North Korean hacking
group. According to some reports, it may be a decoy attack and “pseudo-ransomware“.
By checking on the indicators published by MDNC, we were able to identify this campaign within our telemetry
and noticed that all exploit attempts were made against South Korean users. Based on our records, the first hit
happened on February 27, 2018, (01:54 UTC) via a compromised Korean website.
We replayed this attack in our lab and spent a fair amount of time looking for redirection code within the
JavaScript libraries part of the self hosted OpenX server. Instead, we found that it was hiding in the main page’s
source code.
We had already pinpointed where the redirection was happening by checking the DOM on the live page, but we
also confirmed it by decoding the large malicious blurb that went through Base64 and RC4 encoding (we would
like to thank David Ledbetter for that).
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 1 of 16

Hermes ransomware
The payload from this attack is Hermes ransomware, version 2.1.
Behavioral analysis
The ransomware copies itself into
%TEMP%
under the name
svchosta.exe
and redeploys itself from that location. The initial sample is then deleted.
The ransomware is not particularly stealthy—some windows pop up during its run. For example, we are asked to
run a batch script with administrator privileges:
The authors didn’t bother to deploy any UAC bypass technique, relying only on social engineering for this. The
pop-up is deployed in a loop, and by this way it tries to force the user into accepting it. But even if we don’t let the
batch script be deployed, the main executable proceeds with encryption.
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 2 of 16

The batch script is responsible for removing the shadow copies and other possible backups:
It is dropped inside C:UsersPublic along with some other files:
The file “PUBLIC” contains a blob with RSA public key. It is worth noting that this key is unique on each run, so,
the RSA key pair is generated per victim. Example:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 3 of 16

Another file is an encrypted block of data named UNIQUE_ID_DO_NOT_REMOVE. It is a blob containing an
encrypted private RSA key, unique for the victim:
Analyzing the blob header, we find the following information:
0x07 –  PRIVATEKEYBLOB
0x02 – CUR_BLOB_VERSION: 2
0xA400 – ALG_ID: CALG_RSA_KEYX
The rest of the data is encrypted—at this moment, we can guess that it is encrypted by the RSA public key of the
attackers.
The same folder also contains a ransom note. When the encryption finished, the ransom note pops up. The note is
in HTML format, named DECRYPT_INFORMATION.html.
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 4 of 16

The interesting fact is that, depending on the campaign, in some of the samples the authors used BitMessage to
communicate with victims:
This method was used in the past by a few other authors, for example in Chimera ransomware, and by the author
of original Petya in his affiliate programs.
Encrypted files don’t have their names changed. Each file is encrypted with a new key—the same plaintext
produces various ciphertext. The entropy of the encrypted file is high, and no patterns are visible. That suggests
that some stream cipher or a cipher with chained blocks was used. (The most commonly used in such cases is AES
in CBC mode, but we can be sure only after analyzing the code). Below, you can see a visualization of a BMP file
before and after being encrypted by Hermes: 
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 5 of 16

Inside each file, after the encrypted content, there is a “HERMES” marker, followed by another blob:
This time the blob contains an exported session key (0x01 : SIMPLEBLOB) and the algorithm identifier is AES
(0x6611: CALG_AES). We can make an educated guess that it is the AES key for the file, encrypted by the
victim’s RSA key (from the generated pair).
The ransomware achieves persistence by dropping a batch script in the Startup folder:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 6 of 16

The script is simple; its role is just to deploy the dropped ransomware: svchosta.exe.
So, on each system startup it will make a check for new, unencrypted files and try to encrypt them. That’s why, as
soon as one discovers that they have been attacked by this ransomware, they should remove the persistence entry
in order to not let the attack repeat itself.
Inside the ransomware
Execution flow
At the beginning of the execution, the ransomware creates a mutex named “tech”:
The sample is mildly obfuscated, for example, its imports are loaded at runtime. The .data section of the PE file is
also decrypted during the execution, so, at first we will not see the typical strings.
First, the executable begins to dynamically load all its imports via a function at 4023e0:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 7 of 16

It then checks the registry key for a language code. If Russian, Belarusian, or Ukrainian are found as the system
language, it exits the process (0x419 being Russian, 422 Ukrainian, and 423 Belarusian).
It then creates two subprocesses – cmd.exe. One that copies itself into directory appdata/local/temp/svchost.exe,
and another that executes the copied file.
It also generates crypto keys using standard CryoptAquireCOntext libraries, and saves the public key and some
kind of ID into the following files:
C:UsersPublicUNIQUE_ID_DO_NOT_REMOVE
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 8 of 16

C:UsersPublicPUBLIC
As mentioned earlier, it writes out a script to auto run on startup with contents: start “”
%TEMP%svchosta.exe into the Start menu startup folder. This is quite simple and conspicuous. Since it is
always running and keeps persistence, it makes sense that it saved out the public key into a file so that it can later
find that key and continue encrypting using a consistent key throughout all executions.
Below is the function that calls all of this functionality sequentially, labeled:
It proceeds to cycle all available drives. If it is CDRom, it will skip it. Inside the function, it goes through all files
and folders on the drive, but skips a few key directories, not limited to Windows, Mozilla, and the recycling bin.
Inside of the function labeled recursiveSearch_Encrypt are the checks for key folders and drive type:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 9 of 16

It then continues on to enumerate netResources and encrypts those files as well. After encryption, it creates
another bat file called window.bat to delete shadow volume and backup files. Here is its content:
vssadmin Delete Shadows /all /quiet vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB vssad
It then creates and executes another bat file called svchostaaexe.bat that cycles through the entire file system
again to search for and delete all backup files. This is interesting, as we have rarely seen ransomware looking in so
much detail for backup files.
There is no functionality that communicates a decryption key to a C2 server. This means that the
file UNIQUE_ID_DO_NOT_REMOVE, which contains the unique ID you have to send to the email address,
must be encrypted by a public key pair that the attackers have pre-generated and retained on their side.
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 10 of 16

We have found that there is a heavy code reuse from the old versions of Hermes with this one. The flow of the
code looks to be a bit different, but the overall functionality is the same. This is quite clear when comparing the
two versions in a disassembler.
Below are two screenshots: the first from the current version we are analyzing, and the second from the old
version. You can clearly see that even though the flow and arrangement are a bit different, the functionality
remains mostly the same.
The new version:
And the old version 237eee069c1df7b69cee2cc63dee24e6:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 11 of 16

Attacked targets
The ransomware attacks the following extensions:
 tif php 1cd 7z cd 1cd dbf ai arw txt doc docm docx zip rar xlsx xls xlsb xlsm jpg jpe jpeg bmp db eql sql adp
Encryption
Hermes, like many other ransomware, uses AES along with RSA for the encryption. AES is used to encrypt files
with a random key. RSA is used to protect the random AES key.
The ransomware uses two RSA key pairs, one being a RSA hardcoded public key for the attackers.
Then, there is a keypair for the victim. It is generated at the beginning of the attack. The private key from this key
pair is encrypted by the attackers’ public key and stored in the file UNIQUE_ID_DO_NOT_REMOVE.
When the victim sends this file, the attackers can recover the victim’s private key with the help of their own
private key. The victim’s public key is stored in PUBLIC in clear text. It is later used to encrypt random AES keys,
generated per file.
Cryptography is implemented with the help of Windows Crypto API. Function calls are mildly obfuscated, and
pointers to the functions are manually loaded.
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 12 of 16

Each file processing starts from checking if it was already encrypted. The ransomware uses the saved marker
“HERMES” that we already saw during the behavioral analysis. The marker is stored at the end of the file, before
the block where the AES key is saved. Its offset is 274 bytes from the end. So, first the file pointer is set at this
position to make a check of the characters.
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 13 of 16

If the marker was found, the file is skipped. Otherwise, it is processed further. As we noticed during the behavioral
analysis, each file is encrypted with a new key. Looking at the code, we can find the responsible function.
Unfortunately for the victims, the authors used the secure function CryptGenKey:
The used identifier for the algorithm is 0x6610 (CALG_AES_256). That means 256-bit is using AES
encryption. This key is used to encrypt the content of the file. The file is read and encrypted in chunks, with
1,000,000 bytes each.
At the end, the marker “HERMES” is written and the exported AES key is saved:
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 14 of 16

The handle to the attacker’s RSA public key is passed, so the function CryptExportKey automatically takes care of
protecting the AES key. Only the owner of the RSA private key will be able to import it back.
Protection
Malwarebytes users are  protected against this Flash Player exploit. In addition, the ransomware payload was
blocked at zero-hour strictly based on its malicious behaviour.
Conclusion
Another campaign that we know of targeting South Koreans specifically is carried by malvertising
and uses the Magnitude exploit kit, which also delivers ransomware—namely
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 15 of 16

After analyzing Hermes, we found it to be a fully functional ransomware. However, we cannot be sure what the
real motivations of the distributors were. Looking at the full context, we may suspect that it was politically
motivated rather than a profit-driven attack.
Although the infection vector appeared to narrow down to South Korea, the malware itself, unlike Magniber, does
not specifically target these users. The fact that the ransomware excludes certain countries like Russia or Ukraine
could tie the development and outsourcing of the malware to these areas or be a false flag. As we know, attribution
is always a complex topic.
Indicators of compromise
Domains involved in campaign:
2018-02-27 (01:54 UTC)
staradvertsment[.>com
hunting.bannerexposure[.]info
2018-02-28
staradvertsment[.]com
accompanied.bannerexposure[.]info
2018-03-01
switzerland.innovativebanner[.]info
2018-03-07
name.secondadvertisements[.]com
2018-03-08
assessed.secondadvertisements[.]com
marketing.roadadvertisements[.]com
2018-03-09
bannerssale[.]com
aquaadvertisement[.]com
technologies.roadadvertisements[.]com
IP addresses:
159.65.131[.]94
207.148.104[.]5
Hermes 2.1 ransomware:
A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2
pretty040782@gmail[.]com
pretty040782@keemail[.]me
Source: https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
Page 16 of 16