Malware

Ransomware as a service Princess Evolution looking for affiliates

Author: Joseph C Chen (Fraud Researcher).


Johannesburg, 23 Aug 2018
Read time 4min 40sec

Trend Micro has been observing a malvertising campaign via Rig exploit kit delivering a crypto-currency-mining malware and the GandCrab ransomware since 25 July.

On 1 August, it found Rig's traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, Trend Micro checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016.

Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.

The new malvertising campaign the company has observed since 25 July is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren't diverted to the exploit kit and infected with the ransomware, the cyber criminals can still earn illicit profit through crypto-currency mining. Another characteristic of this new campaign is that the cyber criminals hosted their malvertisement page on a free Web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious Web page on the service.

The Princess Evolution's logo on its payment site.
The Princess Evolution's logo on its payment site.
Traffic of the malvertisement delivering Princess Evolution via Rig exploit kit (top), and the domain name system (DNS) response of the malvertisement's domain (bottom).
Traffic of the malvertisement delivering Princess Evolution via Rig exploit kit (top), and the domain name system (DNS) response of the malvertisement's domain (bottom).

Trailing Princess Evolution

Princess Evolution has the same ransom note as Princess Locker's. Princess Evolution encrypts files on the system and changes their original file extension to a randomly generated string of characters. It drops a ransom note that contains instructions on where and how to pay the ransom of 0.12 bitcoin (equivalent to US$773 as of 8 August 2018).

Trend Micro found that Princess Locker's developers made a post in underground forums on 31 July advertising an affiliate program for its newly created Princess Evolution. Under its business model, the affiliates get 60% of the ransom payment, and the rest are the malware authors' commissions. And based on the advertisement, it seems the operators took the time to develop Princess Evolution.

Here's the original text of the advertisement for Princess Evolution found in an underground forum, written in Russian:

Written in Russian.
Written in Russian.

Translated in English:

Good summer day, friends! Few months ago we had to suspend our activities to review our stance/situation on many aspects and to start a journey to perfection. It was a period of observations, developments, experiments, long waits and arguments. The loom of perfection always slips away in an ecstasy of chasing it. This is a gist of progress, with which we are happy to return and greet you with the new version of our product. ** Princess Evolution **

Technical analysis

Its encryption routine involves scrambling the file's first chunk of data using both XOR and AES algorithms, while it uses AES to encrypt the rest of the file's data. A significant change Trend Micro saw on Princess Evolution from Princess Locker is the shift from using hypertext transfer protocol (HTTP) POST to user datagram protocol (UDP) for command-and-control (C&C) communication. The change is likely due to the faster way that UDP transmits and sends data, as it has less overhead (eg, no need to establish a connection before sending data).

Princess Evolution generates a random XOR key (0x80 bytes) and another in AES-128 algorithm, and sends these keys, along with the following information, to the network range 167[.]114[.]195[.]0/23[:]6901 via UDP:

* Username of the infected computer
* Name of the active network interface
* The system's locale ID (LCID)
* Version of operating system (OS)
* Victim ID
* Security software registered with Windows
* Timestamp of when the program was started

Princess Evolution's approach to its C&C communication is similar to Cerber's. It's also worth noting that Princess Locker's payment Web site resembled Cerber's. Princess Evolution's payment page now sports a new design.

Princess Evolution's C&C communication on UDP (top) and its payment website (bottom).
Princess Evolution's C&C communication on UDP (top) and its payment website (bottom).

Exploit kits are a reminder to users and businesses on the significance of patching. Ransomware may have plateaued (and even declined in some regions), but it is still a significant threat given its destructive nature. Follow best practices: think before clicking, keep systems and their applications patched (or consider virtual patching for corporate environments and legacy systems and networks), and implement defence in depth.

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities, from the gateway, endpoints, networks and servers. Trend Micro OfficeScan with XGen endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits before patches are even deployed. Trend Micro's endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free Business Security protect end-users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

Indicators of compromise (IOCs):

Related hashes (SHA-256):
* 1408a24b74949922cc65164eea0780449c2d02bb6123fd992b2397f1873afd21: RANSOM_PRINCESSLOCKER.B
* 981cf7d1b1b2c23d7717ba93a50fc1889ae78ee378dbb1cbfff3fd0fe11d0cbc: RANSOM_PRINCESSLOCKER.B
* 8fc9353cc0c15704f016bc1c1b05961ab267b6108cfa26725df19a686ec2ad28: RANSOM_GANDCRAB.TIAOBH
* 6502e8d9c49cc653563ea75f03958900543430be7b9c72e93fd6cf0ebd5271bc: COINMINER_MALXMR.TIDBF

Malvertisement domains related to Princess Evolution:
* greatchina[.]ga
* princessno1[.]tk
* smokeweedeveryday[.]tk

IP addresses related to Princess Evolution:
* hxxp://188[.]225[.]34[.]86/ (Rig exploit kit's IP address)
* hxxp://178[.]32[.]201[.]161/ (C&C IP address related to the crypto-currency-mining malware)

With additional insights from Nakaya Yoshihiro, Kawabata Kohei, and Noel Llimos

Editorial contacts
Have your say
Facebook icon
Youtube play icon