The group behind the Mole ransomware campaign is, like any other active malware group, continuously working to stay one step ahead of anti-malware organisations while remaining evasive and persistent.
As we researched and published earlier on our blog, the Mole ransomware operators have been changing their infection mechanisms and binaries, and now there is another new development from them.
The infection chain below shows the current state of the malware campaign.
The array var x keeps changing as new compromised webpages are added. The script takes each website from the array (var x), appends /counter/? and concatenates the long string held in var m, which looks like
Navigating to the same URL returns more content, this time heavily obfuscated.
We can de-obfuscate this script in two steps:
1. Replace the string from var m with the letter a, which gives
The final script goes through each website (moving on if any link is not working) and downloads three executable malware binaries.
Example: boorsemsport.be/templates/yoo_aurora/less/uikit + /counter/exe + exe(n).exe, where n takes the values 1 to 3 (n=1; n<=3; n++)
We found /counter/exe1.exe to be the Mole ransomware; it comes with /counter/exe2.exe, which appears to be the Kovter trojan or another downloader, and /counter/exe3.exe, which appears to be a clean-up or self-destruct component. These may change in future.
The remaining actions are similar to those observed earlier, i.e. privilege escalation through UAC, persistence through registry entries, deletion of Volume Shadow Copies and encryption of data files with the .MOLE extension.
Indicators of Compromise
Exe1 – MD5 – D93CBC6D175C148E4694EC3340F64F7F
Exe2 – MD5 – 03DD8DC3441B74463EE8055C2A39B381
Exe3 – MD5 – EF62FBE4CED15038A5C845C968FF94C7
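As an added example (not code from the original post), the Python helpers below reproduce step one of the de-obfuscation described above and turn the documented /counter/exe(n).exe payload path and the MD5 list into defensive checks. The dropper text, proxy-log lines, hosts and file contents are constructed for illustration; the only real values are the three MD5 indicators listed above. The interpretation of step one as "replace every occurrence of the literal assigned to var m with the letter a" is an assumption about the post's wording.

```python
"""Added example, not code from the original post.

Two helpers for the analysis the post walks through, run on constructed
sample data (the dropper text, proxy-log lines and file contents below are
made up for illustration; only the MD5 values are the post's indicators):

1. deobfuscate_step1(): step one of the de-obfuscation, which replaces the
   long literal assigned to ``var m`` with the letter "a" wherever it appears.
2. flag_payload_fetches() / lookup_md5(): defensive matching of proxy-log
   lines against the documented /counter/exe(n).exe payload path, and of
   file hashes against the published MD5 indicators.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# MD5 indicators of compromise as listed in the post (stored upper-case).
MOLE_MD5_IOCS = {
    "D93CBC6D175C148E4694EC3340F64F7F": "exe1 - Mole ransomware",
    "03DD8DC3441B74463EE8055C2A39B381": "exe2 - downloader (Kovter-like)",
    "EF62FBE4CED15038A5C845C968FF94C7": "exe3 - clean-up component",
}

# Matches the assignment of the obfuscation string, e.g. var m = "....";
VAR_M_RE = re.compile(r'var\s+m\s*=\s*"([^"]+)"')

# The payload path pattern described in the post: /counter/exe1.exe .. exe3.exe
PAYLOAD_URL_RE = re.compile(r"/counter/exe([1-3])\.exe\b", re.IGNORECASE)


def deobfuscate_step1(script: str) -> str:
    """Replace every occurrence of the literal assigned to ``var m`` with "a".

    This is the first of the two steps in the post; it collapses the padding
    string so the remaining script logic can be read.
    """
    match = VAR_M_RE.search(script)
    if not match:
        raise ValueError("no 'var m' string literal found in script")
    return script.replace(match.group(1), "a")


def flag_payload_fetches(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (payload_number, line) for every proxy line requesting exe(n).exe."""
    hits = []
    for line in log_lines:
        m = PAYLOAD_URL_RE.search(line)
        if m:
            hits.append((int(m.group(1)), line))
    return hits


def lookup_md5(digest: str) -> Optional[str]:
    """Return the indicator label for a known MD5, or None if it is not listed."""
    return MOLE_MD5_IOCS.get(digest.strip().upper())


def lookup_file_bytes(data: bytes) -> Optional[str]:
    """Hash file contents and look the digest up against the indicator list."""
    return lookup_md5(hashlib.md5(data).hexdigest())


# Constructed stand-in for the obfuscated dropper; the real ``var m`` literal
# is far longer than this.
SAMPLE_SCRIPT = (
    'var x = ["site-a.example", "site-b.example"];\n'
    'var m = "QzxPk9";\n'
    'var u = x[0] + "/counter/?" + "QzxPk9QzxPk9QzxPk9";\n'
)

# Constructed proxy-log lines (hosts, client address and timestamps are made up).
SAMPLE_PROXY_LOG = [
    "10:14:03 10.0.0.12 GET http://site-a.example/templates/t/less/uikit/counter/exe1.exe 200",
    "10:14:05 10.0.0.12 GET http://site-a.example/templates/t/less/uikit/counter/exe2.exe 200",
    "10:14:06 10.0.0.12 GET http://site-a.example/templates/t/less/uikit/counter/exe3.exe 200",
    "10:15:00 10.0.0.12 GET http://intranet.example/counter/report.html 200",
]


if __name__ == "__main__":
    print(deobfuscate_step1(SAMPLE_SCRIPT))
    for n, line in flag_payload_fetches(SAMPLE_PROXY_LOG):
        print(f"payload exe{n} fetched: {line}")
    print(lookup_md5("d93cbc6d175c148e4694ec3340f64f7f"))
    print(lookup_file_bytes(b"constructed benign file contents"))
```

The URL check is deliberately anchored on the /counter/exe(n).exe tail rather than on any one compromised host, because the post notes that the host array keeps changing while the payload path stayed constant; the hash lookup normalises case so indicators pasted from different sources still match.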