A recent Makop ransomware campaign has been targeting companies in South Korea in the manufacturing, education, media, technology, construction, pharmaceutical, legal, engineering and defence sectors, in addition to a Russian energy company. While reports describe this particular campaign as starting as early as December 2020, our investigation around Makop samples detected in the wild focused on samples delivered in three particular phishing events between 04 January 2021 and 15 January 2021.
The earliest reference to Makop dates from January 2020, when a user named “Makop” posted about a new RaaS and its capabilities on a Russian-language forum in an attempt to recruit affiliates. Besides stating that Makop is written in C++ and runs on every version of Windows since XP, the user advertised that the ransomware combines AES-256 and RSA-1024 encryption, boasting that this would prevent files from being decrypted “in the near future”. The author also disclosed that decryptors for individual victims were sold to affiliates for $250, which implies that the developers, not the affiliates, hold the keys needed to recover a victim’s files. This relatively low price has likely risen since, as the developers have added further capabilities to Makop, including a visual admin panel for managing campaigns and custom extensions for encrypted files. Researchers examining Makop’s code have found similarities with Oled, another ransomware strain that emerged in 2017; Makop’s developers may have built their RaaS on Oled’s source code, with updated encryption and additional operational security measures around the affiliate program.
Further capabilities listed in the post include the following:
- Small portable executable, between 27 and 34 KB
- Ability to run offline
- Fast encryption process
- Makop can turn off “common processes that can interfere” before encrypting
- Generation of a unique ID for the infected machine
- Victims are issued receipts upon payment in order to build trust
The forum user also advertised several features, such as deletion of shadow copies, that we were able to observe during dynamic analysis of the Makop samples distributed in this campaign. While the thread was first posted in January 2020, the compilation timestamp in the PE header of these samples is 1 August 2020. Although the developers may have “timestomped” their executables to obscure the true build date, the value may indicate that the executable was compiled in August and that campaigns using this build may have started as early as September 2020.
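The compile date discussed above comes from the TimeDateStamp field of the PE file header, and the first thing an analyst does with it is check whether it is even plausible. The following Python is an added example, not code from the original report: it reads that field from a PE image and flags a compile time that is later than the date the sample was first seen (which can only happen if the stamp was forged or the build clock was wrong). The header bytes it runs on are constructed here as a fixture and are not a Makop sample; the 4 January 2021 first-seen date and the 1 August 2020 compile date are the ones quoted in the report.

```python
"""Added example: read the COFF TimeDateStamp from a PE header and sanity-check
it against the date the sample was first observed. The header bytes used as
input are constructed here for illustration and are not a Makop sample."""
import struct
from datetime import datetime, timezone
from typing import Optional


def pe_timestamp(data: bytes) -> Optional[datetime]:
    """Return the compile timestamp recorded in a PE image as a UTC datetime,
    or None if the buffer does not start with a well-formed MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The COFF file header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_suspect(compile_time: datetime, first_seen: datetime) -> bool:
    """A compile time later than the date the file was first seen cannot be
    genuine, so it indicates timestomping (or a badly skewed build clock)."""
    return compile_time > first_seen


def build_header(stamp: int, machine: int = 0x14C, sections: int = 3) -> bytes:
    """Construct a minimal MZ + PE + COFF header carrying the given timestamp.
    This is a test fixture for the parser above, not a runnable executable."""
    hdr = bytearray(0x40 + 4 + 20)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, machine, sections, stamp)
    return bytes(hdr)


# 1596240000 is 2020-08-01T00:00:00Z, the compilation date reported for the
# samples; the first phishing wave in the report was observed on 4 January 2021.
SAMPLE_HEADER = build_header(1596240000)
FIRST_SEEN = datetime(2021, 1, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    ts = pe_timestamp(SAMPLE_HEADER)
    print("compile time:", ts.isoformat(),
          "(suspect)" if timestamp_is_suspect(ts, FIRST_SEEN) else "(plausible)")
```

A stamp that passes this check is still only weak evidence: it can be set to any past value with a hex editor, and recent Microsoft linkers can be asked to write a reproducible-build hash into the field instead of a time, so a nonsensical value on its own does not prove tampering.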
Makop samples in this campaign were delivered via phishing emails using lures around image copyright infringement, a theme also observed in prior Makop infections. The emails carried subject lines matching the lure, such as “I am sending you an email regarding the copyright violation of the image” and “Contact us regarding infringement of photo copyright law”. They were written in Korean and contained a .zip attachment said to hold the infringing images for the victim to “check and drop off”, prompting the victim to download and open it. The .zip file contains a malicious .exe masquerading as a Word document by using the Microsoft Word icon, encouraging the user to open it.
Upon execution, Makop unpacks a malicious DLL at C:\Users\user\AppData\Local\Temp\nsg91FF.tmp\System.dll (the nsXXXX.tmp directory name varies between runs, so the full path should not be used as a fixed indicator) and uses DLL side-loading to escalate privileges by injecting itself into legitimate Windows processes such as explorer.exe and SearchUI.exe. After elevating its privileges via DLL (Dynamic Link Library) injection, Makop adds itself to Windows Startup by modifying startup values in the registry, so that it persists across reboots. Having established persistence and elevated privileges, Makop encrypts files whose extensions appear on an operator-defined priority list, followed by any other files of interest; files larger than 1 MB are processed in 256 KB chunks. In this campaign the ransomware appends a .moloch extension to encrypted files, which may identify the particular operator of the RaaS. Makop then drops a ransom note named “readme-warning.txt” into every directory containing encrypted files. The note instructs victims to contact one of two addresses, agares_help_desk[at]tutanota.com or agares[at]airmail.cc, which gives a further hint of the pseudonym used by the Makop operator behind this campaign.
Makop then takes further steps to hinder recovery of the system, running the following commands via cmd.exe:
- “vssadmin delete shadows /all /quiet” to delete all shadow volume copies stored locally
- “wbadmin delete catalog -quiet” to delete the Windows backup catalog
- “wmic shadowcopy delete”, a second attempt to delete all shadow volume copies stored locally
Makop also uses a relatively sophisticated technique that leverages the Windows Error Reporting service to make HTTP requests to a likely C2 server. The same technique has been observed in other ransomware strains such as Cerber and in remote access tools (RATs) such as NetWire. Over the course of its execution, Makop made several HTTP requests to a server at 93[.]184[.]220[.]229; the ports recorded, 49679 and 49684, fall within the Windows dynamic (ephemeral) port range of 49152–65535 and therefore most likely identify the client side of those connections rather than a listening port on the server. On further investigation, the contacted address is likely a proxy in front of the operators’ true infrastructure and has previously been observed in use by other malware and botnets.
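The three host-side behaviours described above (the shadow-copy and backup-catalog deletion commands, the startup entry written to the registry, and network traffic attributed to Windows Error Reporting) are all visible in ordinary endpoint telemetry. The Python below is an added example, not code from the original report or from any Makop tooling: it classifies constructed Sysmon-style event records against those behaviours. The commands and the 93.184.220.229 address are taken from the report; the event format, the choice of the Run key as the “startup values in the registry”, and the use of WerFault.exe and wermgr.exe as the processes that carry WER traffic are assumptions made for this example.

```python
"""Added detection example over constructed Sysmon-like events (not real
telemetry). The commands and the reported IP come from the Makop write-up; the
event schema, the Run-key check and the WER host process names are assumptions."""
import re
from typing import Dict, Iterable, List, Optional

# Commands quoted in the report. Input is lower-cased with whitespace collapsed
# first, so "/All", a full path to vssadmin.exe or doubled spaces still match.
SHADOW_DELETE_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b"), "vssadmin delete shadows /all"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b"), "wbadmin delete catalog"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b"), "wmic shadowcopy delete"),
]

# Assumption: WER traffic is emitted by these host binaries (the report only
# says "the Windows Error Reporting service").
WER_HOSTS = {"werfault.exe", "wermgr.exe"}

# Assumption: the "startup values in the registry" are the usual Run/RunOnce keys.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

REPORTED_IP = "93.184.220.229"   # address quoted in the report


def _norm(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd.strip().lower())


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return a short alert label for one event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "process_create":
        cmd = _norm(str(event.get("cmdline", "")))
        for pat, label in SHADOW_DELETE_PATTERNS:
            if pat.search(cmd):
                return f"shadow/backup deletion: {label}"
    elif kind == "network_connect":
        image = str(event.get("image", "")).rsplit("\\", 1)[-1].lower()
        dst = str(event.get("dst_ip", ""))
        if image in WER_HOSTS:
            return f"WER host {image} connecting to {dst}:{event.get('dst_port')}"
        if dst == REPORTED_IP:
            return f"connection to reported Makop address {dst}"
    elif kind == "registry_set":
        key = str(event.get("key", ""))
        if RUN_KEY_RE.search(key):
            return f"run-key persistence: {key} -> {event.get('value', '')}"
    return None


def scan(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run classify() over an event stream and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events; the benign ones show what must NOT fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin Delete Shadows /All /Quiet"'},
    {"type": "process_create", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin  delete catalog -quiet"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign: listing, not deleting
    {"type": "network_connect", "image": "C:\\Windows\\System32\\WerFault.exe",
     "dst_ip": "93.184.220.229", "dst_port": 80},
    {"type": "network_connect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},     # benign browser traffic
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "value": "C:\\Users\\user\\AppData\\Local\\Temp\\image.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The three shadow-deletion rules are deliberately kept separate rather than collapsed into one regex: in practice each is also run as its own Sigma or SIEM rule, and the wbadmin catalog deletion in particular is rare enough in legitimate administration that it can be alerted on without the corroborating WER or registry events.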
This recent campaign against South Korean organisations has allowed us to observe the strain’s latest capabilities, which include more sophisticated techniques such as abusing the Windows Error Reporting service to disguise its network activity, DLL side-loading for privilege escalation and dual (AES plus RSA) encryption. While the RaaS has been active since at least January 2020, the PE timestamp and recent evidence of campaigns indicate a recent uptick in Makop activity. We were not able to ascertain whether the strain is still under active development; however, samples detected between 04 January and 15 January 2021 show that RaaS partners are still actively infecting victims.
Appendix 2: Indicators of Compromise (IOCs)
Makop samples (SHA256):