Dangerous Karo Ransomware Overshadowed by (Not)Petya

How would a regular computer user react to an email that says something along the lines of 'Your credit card is about to be charged a few thousand dollars. Open the attached Word document to cancel the transaction'? Most people would probably click on the attachment without thinking too much about it. If they do that, they might get themselves infected with the new Karo ransomware.

Karo appeared mere hours after the (Not)Petya outbreak which certainly caused some confusion among the infosec circles. A few of Karo's Indicators of Compromise (IOCs) were initially attributed to (Not)Petya, for example. After the dust settled, however, experts from Cysinfo and PhishLabs were able to take a closer look at Karo and see how it compares to (Not)Petya.

As many of you have probably guessed already, the Word document attached to the email comes with VBScript macros. The macros run a PowerShell script which first pings 127.0.0.1 (localhost) 15 times in order to fool researchers and automated analysis tools into thinking that nothing is happening. Then, it downloads a file called svchost.exe from 185.165.29[.]78 and drops it in the %temp% folder.

Along with the meaningless ping, the experts noticed a few other anti-analysis techniques implemented in the initial stages of infection. The VB macros, for example, were protected with a password. The code of the svchost.exe file was also heavily obfuscated, and when they tried to run it inside a virtual machine, it simply deleted everything in the %temp% directory and exited. Fortunately, the researchers defeated Karo's defenses and were able to see what the malware is capable of if it finds itself on a real PC.

First, it copies the malicious svchost.exe in the %AppData% directory, and alongside it, it places a file called "aes" which contains a randomly generated 32-character string. Then, one of the simplest persistence mechanisms is used. A shortcut called Notepad.lnk pointed at "%AppData%\svchost.exe" is dropped in the Startup folder ensuring that the executable runs every time the system boots up.

Next, the ransomware downloads and extracts the Tor browser and renames it as "Microsoft.vshub.32.exe. A special configuration file called "torrc" enables communication with the Command and Control server (C&C). An encrypted version of the aes file along with some information about the infected host is sent to the C&C after which Karo is ready to start encrypting information.

Apparently, different samples target different files. The Karo ransomware that Cysinfo examined was aimed at just 12 extensions while the sample found by PhishLabs scrambled 21 types of files. Not surprisingly, the most widely used document and image formats are present on the list. Karo uses the AES 256 algorithm for the encryption of the files, and unfortunately, the mechanism appears to be strong. For the time being, there are no free decryptors available.

When it's done encrypting files, the ransomware adds the .ipygh extension to affected files, extracts the ransom note from its resources, and downloads a colorful wallpaper from its C&C as shown in Figure 1 below.

Figure 1. Karo Ransomware Ransom Notification

Last but not least, it deletes all the files it has created and kills all the processes it has spawned in order to cover its tracks.

Karo failed to attract a lot of attention to itself which shouldn't really be a surprise considering the fact that it popped up right in the middle of the (Not)Petya storm. Nevertheless, the research carried out by the experts clearly shows that it's no less dangerous than the much talked about wiper under a ransomware disguise. Make sure you bear this in mind the next time you open an unexpected email.