BLOG: Makop RaaS Campaign targets South Korean Entities
Executive Summary
A recent Makop ransomware campaign has been targeting companies in South Korea in the manufacturing, education, media, technology, construction, pharmaceutical, legal, engineering and defence sectors, in addition to a Russian energy company. While reports describe this particular campaign as starting as early as December 2020, our investigation around Makop samples detected in the wild focused on samples delivered in three particular phishing events between 04 January 2021 and 15 January 2021.
Origins
The earliest reference to Makop was in January 2020, when a user named “Makop” posted about a new RaaS and its associated capabilities on a Russian-language forum in an attempt to recruit affiliates. In addition to Makop being written in C++ and affecting all versions of Windows since XP, the user advertised that the strain of ransomware leverages a combination of AES256 and RSA1024 encryption, boasting that this method will prevent files from being decrypted “in the near future”. The author also disclosed that decryption keys for individual victims were sold to partners for $250, allowing affiliates to access victim files held by the developers. This relatively low price has likely risen since, as the ransomware’s developers have added further capabilities to Makop, including a visual admin panel for managing campaigns and custom file extensions for the encrypted files. Researchers examining Makop’s source code have determined similarities with Oled, another ransomware strain that emerged in 2017. Makop’s developers may have used Oled’s source code to develop their own RaaS program with updated encryption techniques and additional operational security measures around the affiliate program.
Figure 1: User “Makop” advertising the RaaS capabilities
Further capabilities listed in the post include the following:
Small size of the portable executable file, between 27 and 34kb
Ability to run offline
Fast encryption process
Makop can turn off “common processes that can interfere” before encrypting
Generation of a unique ID for the infected machine
Victims are issued receipts upon payment in order to build trust
The forum user also advertised several features, such as deletion of shadow copies, which we were able to observe during dynamic analysis of the Makop samples distributed in this campaign. While this thread was first posted in January 2020, analysis of these Makop samples reveals that the last compilation timestamp of the portable executable is 1 August 2020. Although there is a chance that the ransomware developers have “timestomped” their executables in order to obfuscate their true compilation dates, this may indicate that the executable was originally compiled in August and that subsequent campaigns with the latest strain may have started as early as September 2020.
Infection Vector
Makop samples found in this recent campaign were delivered to victims via phishing emails using lures around image copyright infringement, a theme also observed in prior Makop ransomware infections. The emails used headers pertaining to the copyright infringement lure, such as “I am sending you an email regarding the copyright violation of the image” and “Contact us regarding infringement of photo copyright law”. Emails were sent in Korean and contained a .zip file said to hold the infringing images for the victim to “check and drop off”, inciting the victim to download and open the malicious .zip attachment. The .zip file contains a malicious .exe file masquerading as a Word document by spoofing the Microsoft Word logo, inciting the user to open the file.
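As an added example (not part of the original post or the Makop analysis), the following mail-gateway style check inspects an archive attachment for the pattern described above: an executable carrying a document-looking name, detected by extension, by a second "document" extension hidden in front of the real one, and by the PE (MZ) header regardless of name. The sample zip is constructed inline and is not a real Makop sample.

```python
import io
import zipfile

# Extensions that execute directly when a user double-clicks them on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions the lure claims to carry: "infringing images" and Word documents.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".doc", ".docx", ".pdf"}


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a masquerading executable."""
    reasons = []
    lowered = name.lower().rsplit("/", 1)[-1]
    parts = lowered.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # "photo.jpg.exe": a document-like extension placed before the real one.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension mimics a document")
    # A PE file starts with the 'MZ' DOS header whatever it is called.
    if head[:2] == b"MZ":
        reasons.append("PE (MZ) header")
        if ext in DOCUMENT_EXTS:
            reasons.append("PE content under a document extension")
    return reasons


def scan_zip(data):
    """Scan every entry of a zip held in memory; map suspicious names to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment: one benign JPEG, one PE disguised as a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("copyright_images.docx.exe", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```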
Figure 2: Screenshot of one of the phishing emails sent to victims
Analysis
Upon execution, Makop unpacks a malicious DLL at C:\Users\user\AppData\Local\Temp\nsg91FF.tmp\System.dll, and uses DLL side-loading to escalate privileges by injecting itself into legitimate Windows processes like explorer.exe and SearchUI.exe. After escalating its privileges via DLL (Dynamic Link Library) injection, Makop adds itself to Windows Startup in order to persist upon reboot by manipulating Startup values in the registry. Having established persistence and elevated privileges, Makop then proceeds to encrypt files with extensions included in a priority list defined by the operator, followed by any further files of interest, splitting the latter into chunks of 256 KB for files larger than 1 MB. In this particular campaign, the ransomware appends a .moloch extension to encrypted files, which may refer to the particular operator of the RaaS. Makop then drops a ransom note named “readme-warning.txt” into each directory containing encrypted files. The ransom notes instruct victims to contact one of two addresses, agares_help_desk[at]tutanota.com or agares[at]airmail.cc, which provides further information on the potential pseudonym of the particular Makop operator involved in this campaign.
Figure 3: Ransom note left in directories with encrypted data
Makop then takes further precautions to stifle user attempts to restore Windows by running different commands via cmd.exe, including:
“vssadmin delete shadows /all /quiet” to delete all shadow volume copies stored locally
“wbadmin delete catalog -quiet” to delete the Windows backup catalog
“wmic shadowcopy delete” as a further attempt to delete all shadow volume copies stored locally
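As an added example (not part of the original post), the detection logic below matches the three recovery-inhibition commands listed above in process-creation telemetry, and generalises slightly: it tolerates case differences, extra whitespace, quoting and a full path to the binary, and it ignores harmless variants such as “vssadmin list shadows”. The log lines are constructed in a simplified Sysmon Event ID 1 style layout, which is an assumption about the field names, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Patterns for the three commands the analysis lists. The binary may carry a path
# or an .exe suffix; matching is case-insensitive.
SIGNATURES = {
    "shadow copies deleted via vssadmin": re.compile(
        r"(?:^|[\\/\s])vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "backup catalog deleted via wbadmin": re.compile(
        r"(?:^|[\\/\s])wbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "shadow copies deleted via wmic": re.compile(
        r"(?:^|[\\/\s])wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}
# Assumed key=value layout: the command line followed by the parent image.
FIELD_RE = re.compile(r"CommandLine=(?P<cmd>.*?)\s+ParentImage=(?P<parent>\S+)")


def match_command(cmd: str) -> Optional[str]:
    """Return the signature label for a command line, or None if nothing matches."""
    # Collapse whitespace and strip quotes so "vssadmin  delete  shadows" still hits.
    normalised = " ".join(cmd.replace('"', "").split())
    for label, pattern in SIGNATURES.items():
        if pattern.search(normalised):
            return label
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Walk process-creation log lines; return (label, parent image) for each hit."""
    hits = []
    for line in lines:
        m = FIELD_RE.search(line)
        if not m:
            continue
        label = match_command(m.group("cmd"))
        if label:
            hits.append((label, m.group("parent")))
    return hits


# Constructed sample lines (not real telemetry); the parent of the first command
# is a hypothetical dropped executable, mirroring the attachment lure.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet ParentImage=C:\\Users\\user\\AppData\\Local\\Temp\\copyright_images.exe",
    'EventID=1 Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin" delete catalog -quiet ParentImage=C:\\Windows\\System32\\cmd.exe',
    "EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=WMIC shadowcopy delete ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for label, parent in scan_log(SAMPLE_LOG):
        print(f"ALERT: {label} (parent: {parent})")
```

In production the parent image is the useful pivot: these commands launched by a process in a user's Temp directory rather than by an administrative tool are the signal worth escalating.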
Makop also uses a relatively sophisticated technique which leverages the Windows Error Reporting service in order to make HTTP requests to a likely C2 server. The use of this technique has been observed in other ransomware strains such as Cerber, and in remote access tools (RATs) like Netwire. Over the course of its execution, Makop made several HTTP requests to a server located at 93[.]184[.]220[.]229 on ports 49679, 49684 and 49679. Upon further investigation, the contacted server is likely a proxy connection towards the operators’ true infrastructure and has been observed being used by malware and botnets in the past.
Conclusion
This recent campaign targeting South Korean organisations by Makop operators has allowed us to observe the strain’s latest capabilities, which include more sophisticated techniques like exploiting the Windows Error Reporting service to obfuscate its network activity, DLL side-loading for privilege escalation and dual encryption. While the RaaS has been active since at least January 2020, the PE timestamp and recent evidence of campaigns indicate a recent uptick in Makop ransomware activity. We were not able to ascertain whether the strain is still under active development; however, samples detected between 04 January and 15 January 2021 indicate that RaaS partners are still actively infecting victims.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.