# Dissecting BlueSky Ransomware Payload

**yoroi.company/research/dissecting-bluesky-ransomware-payload/**

09/30/2022

## Introduction

BlueSky is a ransomware first spotted in May 2022. It gained the attention of threat researchers for two main reasons: first, the group behind the ransomware does not adopt the double-extortion model; second, its targets include ordinary users, because the ransomware has been discovered inside cracks of programs and video games. For these reasons, we at Yoroi Malware ZLab decided to keep track of the threat, following the distribution of the samples, and to provide a technical analysis of the ransomware payload.

Figure 1: Bluesky Control Flow

## Technical Analysis

| Hash | Threat | Brief Description | SSDEEP |
| --- | --- | --- | --- |
| 9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f | Ransomware | BlueSky Ransomware | 1536:G+5geBR2Q+a8M124Zl2i5SADBDg8trv4t9MBY5ySvV:GDeBgQ+a8M12Y2i59hrvWMBGvV |

### The API Loading Scheme

The sample starts by walking the PEB (Process Environment Block) to load its APIs dynamically. This is a common technique to avoid exposing them in the import table: the sample walks one of the three linked lists held in PEB_LDR_DATA, such as InLoadOrderModuleList. In this way it can enumerate the loaded modules and compare their names with the hashes hidden inside the code, in order to import the desired ones. In this case, the names are hashed with the djb2 algorithm.
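To resolve hashed imports like these, an analyst precomputes the hash over candidate export names and looks the sample's constants up in the resulting table. The following Python script is an added example, not Yoroi's code: it assumes the classic djb2 variant (seed 5381, multiplier 33, 32-bit accumulator over the ASCII name), and its candidate list is constructed from the APIs this report mentions.

```python
"""Rebuild an API-hash lookup table for djb2-hashed imports (added example)."""

from typing import Dict, Iterable, List

# Classic djb2 as published by Daniel J. Bernstein: h = 5381; h = h * 33 + c.
# Assumption: the sample uses this standard variant with a 32-bit accumulator
# over the ASCII export name. Real samples sometimes change the seed, the
# multiplier or the case of the name, so confirm the variant in the disassembly.
DJB2_SEED = 5381


def djb2(name: str, seed: int = DJB2_SEED) -> int:
    """Hash an export or module name the way the loader is assumed to do it."""
    h = seed
    for ch in name.encode("ascii"):
        h = (h * 33 + ch) & 0xFFFFFFFF
    return h


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> name for every candidate name."""
    return {djb2(n): n for n in names}


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Replace each hash constant with its name, or a placeholder when unknown."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


# Constructed candidate list: the APIs named in this report plus the module
# string the stack-string decoder yields. In practice, feed it the export
# table of each module from a clean system (e.g. parsed with pefile).
CANDIDATES = [
    "advapi32", "CryptAcquireContextA", "NtSetInformationThread",
    "RtlAdjustPrivilege", "NtQueryInformationFile", "NtQueryInformationProcess",
    "CreateFileW", "SetThreadExecutionState",
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed input: in a real case these are the comparison constants copied
    # out of the sample; here they are generated from names so the run is offline.
    sample_hashes = [djb2("CreateFileW"), djb2("RtlAdjustPrivilege"), 0xDEADBEEF]
    for h, n in zip(sample_hashes, resolve(sample_hashes, table)):
        print(f"{h:08x} -> {n}")
```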
Figure 2: Dynamically loading APIs

The following figure shows the routine that dynamically loads a function:

Figure 3: "mw_load_function routine"

### The Obfuscated Stack Strings

Other critical strings, instead, are obfuscated through the stack-strings method and a simple routine to encrypt them.

Figure 4: Strings Decryption Routine

However, the algorithm is easy to reverse, and we developed a short script to decrypt the stack strings:

```
# Byte values of one encrypted stack string taken from the sample (Figure 4);
# the loop below decodes them to "advapi32" followed by a NUL terminator
string = [123, 82, 90, 123, 45, 56, 32, 88, 94]
decrypted = ""
for i in string:
    # Inverse of the sample's routine: subtract 94 and multiply by 34 modulo 127.
    # The "+ 127" keeps negative intermediates positive (Python's % already does
    # this, so the extra step is harmless here)
    decrypted += chr((34 * (i - 94) % 127 + 127) % 127)
print(decrypted)
```

### Anti-Debug Technique

Once the first functions are resolved, the sample calls NtSetInformationThread with ThreadHideFromDebugger, hiding the thread from the debugger so that any breakpoint placed in it crashes the process. You can read more about [this anti-debug technique here](https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread).

Figure 5: NtSetInformationThread anti-debug

### Privilege Escalation

While analyzing the sample, we also found similarities with Conti ransomware in how the strings are obfuscated and in some other routines, such as how BlueSky removes the shadow copies through the WMI COM interface. To elevate, it abuses the "ICMLuaUtil COM Interface (3E5FC7F9-9A51-4367-9063-A120244FBEC7)". This technique is well known and publicly documented on the internet, and is adopted both in intrusion and in malware development operations.

Figure 6: Bypassing UAC via ICMLuaUtil

The sample then calls the RtlAdjustPrivilege API with the "SeDebugPrivilege" token privilege, in order to gain the right to arbitrarily manipulate every file and process.
Figure 7: Evidence of privilege escalation method

### Generating the Victim ID

BlueSky proceeds by generating the victim ID, hashing with MD5 the following system information:

- MachineGuid (4 Bytes)
- DigitalProductId
- InstallDate
- C:\ Serial Number

The hash is then passed to the following custom routine:

Figure 8: Hash custom routine

The sample proceeds by creating a mutex "Global\\{generated_id}", in this case "Global\1580B4213F8F3E90E4E0E3CD1F6FAC52".

Figure 9: Mutex Creation

### The Encryption Routine

Now it is time to encrypt the files. The first operation of the sample is to acquire a handle to the cryptographic provider PROV_RSA_FULL by calling CryptAcquireContextA:

Figure 10: Acquiring a handle to PROV_RSA_FULL

BlueSky stores the information related to the encryption in the registry key "HKCU\SOFTWARE\1580B4213F8F3E90E4E0E3CD1F6FAC52\". To store the recovery information it uses "ChaCha20 + Curve25519 + RC4 (on RECOVERYBLOB)", while file encryption uses "ChaCha20 + Curve25519".

Figure 11: BlueSky Recovery Information

Below, the encryption routine:

Figure 12: Encryption routine

BlueSky embeds a list of excluded files inside the code.
The list is the following:

**Extensions:** ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx

**Directories:** $recycle.bin, $windows.~bt, $windows.~ws, boot, windows, windows.old, system volume information, perflogs, programdata, program files, program files (x86), all users, appdata, tor browser

**Filenames:** # decrypt files bluesky #.txt, # decrypt files bluesky #.html, ntuser.dat, iconcache.db, ntuser.dat.log, bootsect.bak, autorun.inf, bootmgr, ntldr, thumbs.db

### Exception Handling and Other Features

The sample also implements some interesting exception-handling features in order to avoid crashing the system. In detail, before proceeding to encrypt a file, BlueSky checks whether, after calling CreateFileW, the LastErrorValue is ERROR_SHARING_VIOLATION. If so, the sample calls NtQueryInformationFile to retrieve the [FileProcessIdsUsingFileInformation](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_file_information_class) class, which contains the list of PIDs that are using the file. If a PID is neither its own nor that of explorer.exe, retrieved earlier, it calls NtQueryInformationProcess with ProcessInformationClass set to 29 (ProcessBreakOnTermination) to retrieve a value indicating whether the process is considered critical. In that case, the malware skips that file and keeps encrypting the others.
Figure 13: Checking file availability

The sample can also prevent the system from entering sleep or turning off the display by calling **SetThreadExecutionState** with **ES_CONTINUOUS**.

Figure 14: Preventing sleep mode

At the end of the encryption, the ransom note points to the blog of the attackers:

Figure 15: BlueSky Ransomware Website

## Conclusion

BlueSky ransomware is proof that even today cyber criminals use basic and highly effective social engineering techniques. When we look for cracked software, we have to know that there is always a price, and in this case it is a ransomware with a high ransom. So it is necessary to make people aware that they should avoid installing cracked software, not only inside the company perimeter but also on home devices. It is a simple but effective preventive measure against similar threats. Attention to emerging threats is one of the core activities of Yoroi, and we think that BlueSky needs to be watched carefully.

## Yara Rules

```
rule y_ {
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for BlueSky Ransomware"
        last_updated = "2022-09-14"
        tlp = "WHITE"
        category = "informational"
        hash = "9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f"
    strings:
        //sub_00407a30
        $1 = {55 8b ec 83 ec ?? 56 e8 ?? ?? ?? ?? 85 c0 0f 84 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 0f 11 4? ?? 68 ?? ?? ?? ?? 0f 10 05 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ?? 0f 11 4? ?? e8 ?? ?? ?? ?? 0f 10 4? ?? 83 c4 ?? 8b d0 8d 4? ?? 50 83 ec ?? 8b cc 6a ?? 6a ?? 83 ec ?? 0f 11 01 8b c4 0f 10 4? ?? 0f 11 00 ff d2 85 c0 0f 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4d c8 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 0f 10 4?
              ?? 8b 4? ?? 83 ec ?? 8b c4 83 ec ?? 8b 11 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 83 ec ?? 0f 10 4? ?? 0f 11 00 8b c4 0f 10 4? ?? 51 0f 11 00 ff 52 28 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? 8d 4? ?? 51 ff d0 85 f6 78 ?? 8b 4? ?? 8d 5? ?? 52 68 ?? ?? ?? ?? 50 8b 08 ff 5? ?? 85 c0 78 ?? 8b 4? ?? 6a ?? ff 7? ?? 8b 08 50 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 5? ?? 8b 4? ?? 85 c9 74 ?? 8b 01 51 ff 50 08 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 ?? ff d0 5e 8b e5 5d c3}
    condition:
        uint16(0) == 0x5A4D and $1
}
```

_This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB_