The Power of Go and the Threat of Ransomware: Meet eCh0raix

I love the Go language. In fact, I have dumped C++ for most of my executable code, and now just use Go. Overall it is a simple, yet powerful, language which produces robust, fast code. If you want any kind of library, it just connects to GitHub and downloads the code in a simple-to-use form. For cryptography, it is one of the best languages around, as it produces robust code and integrates most of the modern standards (such as RSA and elliptic curve for public key encryption and AES for symmetric key encryption).

The Go language, though, is now evolving into one of the greatest threats in the creation of malware. While scripted languages, such as Python and Node.js, are often easy to detect, Go programs can easily install themselves in an executable format (or be integrated into a Trojan program).

With Go, an adversary can create a fully compiled program which has access to a wide range of networking and cryptography methods, along with direct access to the host machine. In fact, almost everything that a malware writer needs is in Go.

Now, a new Go-based ransomware, eCh0raix, has been detected in the wild. It has been named eCh0raix as a string of this name appears in the source code. A strange feature is that there seems to be a unique hard-coded public key for each target. This is unusual: normally a single public key is used to encrypt a unique AES encryption key, but here each public key might be unique to each target (or perhaps to each campaign). Overall it uses fewer than 400 lines of code.

It has been observed brute-forcing network credentials on QNAP network attached storage (NAS) devices and then encrypting their files. The great worry here is that NAS devices are often used for backups, so organisations may find their systems crippled by the inability to recover their files. It is thought that the infection comes through ports left open to the Internet.

The ransomware note contains a link to a Bitcoin payment page (README_FOR_DECRYPT.txt):

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[bitcoin_address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!
[unique_id]

Notice the bad spelling … “unclock” and the poor grammar — perhaps hinting towards a non-English speaking source.

Overall it uses a standard connection to the Command and Control (C&C) server through the Tor protocol. After the connection, it downloads the ransomware note, and then encrypts a unique AES encryption key with an RSA public key.

A strange feature of eCh0raix is that it checks the language used on the system and will not encrypt for the regions of Belarus, Ukraine and Russia. Once active, the ransomware tries to kill the following processes:

apache2
httpd
nginx
mysqld
mysqd
php-fpm

Then, while searching for files to encrypt, eCh0raix skips various system folders whose encryption would corrupt the operation of the QNAP NAS device, including:

/proc
/boot/
/sys/
/run/
/dev/
/etc/
/home/httpd
/mnt/ext/opt

The ransomware then creates a 256-bit AES key, used in Cipher Feedback (CFB) mode, which is in turn encrypted with either an embedded RSA public key or one downloaded from the C&C server. The following files are then encrypted and given a .encrypted file extension:
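As an added defender-side example (not code from the original post, and not the ransomware's own code), here is a small Go scanner that uses the indicators described above, the README_FOR_DECRYPT.txt note, the .encrypted extension and the list of skipped system directories, to look for signs of an eCh0raix infection on a mounted NAS share and to record the unique id from the last line of each note. The Scan and Findings names, and the directory layout it walks, are assumptions of this example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the eCh0raix description above.
const noteName, encExt = "README_FOR_DECRYPT.txt", ".encrypted"

// Directories the ransomware reportedly skips (relative to the NAS root); the scanner skips them too.
var skipDirs = map[string]bool{"/proc": true, "/boot": true, "/sys": true, "/run": true,
	"/dev": true, "/etc": true, "/home/httpd": true, "/mnt/ext/opt": true}

// Findings summarises what the scan observed.
type Findings struct {
	Encrypted int      // files carrying the .encrypted extension
	IDs       []string // one entry per ransom note: its last line, the [unique_id]
}

// Scan walks root (e.g. a mounted share), skips the system directories, and records indicators.
func Scan(root string) (Findings, error) {
	var f Findings
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable entry: keep going
		}
		rel, _ := filepath.Rel(root, path)
		rel = "/" + filepath.ToSlash(rel) // path as it would appear on the device
		switch {
		case d.IsDir():
			if skipDirs[rel] {
				return filepath.SkipDir
			}
		case strings.HasSuffix(d.Name(), encExt):
			f.Encrypted++
		case d.Name() == noteName:
			b, _ := os.ReadFile(path) // an unreadable note still counts, with an empty id
			lines := strings.Split(strings.TrimSpace(string(b)), "\n")
			f.IDs = append(f.IDs, strings.TrimSpace(lines[len(lines)-1]))
		}
		return nil
	})
	return f, err
}
```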

Conclusions

Quite simple … patch, and don’t connect your NAS to the Internet.

Here is an introduction to ransomware: