
Cybercrime: a DLL fixer spreads Cyrat ransomware

Karsten Hahn: cybercriminals are using a DLL fixer to spread Cyrat ransomware, which was compiled with Python 3.7

A DLL fixer (version 2.5) leads to Cyrat ransomware, and its targets are Windows users. The sample was discovered by G Data's security researcher Karsten Hahn. Using VirusTotal with custom YARA rules, he found a zlib archive in the overlay of the file. Further inspection showed references to python37.dll and to an archive named PYZ-00.pyz, both typical of PyInstaller executables. This means Cyrat ransomware was written in Python 3.7 and packaged into a Windows PE file with PyInstaller. Unpacking and decompiling such a file requires PyInstxtractor, a Python 3.7 interpreter and a decompiler such as uncompyle6. The Python version used for extraction must match the one the malware was built with; otherwise PyInstxtractor cannot properly reconstruct the .pyc files. The target platform is undoubtedly Windows: the PyInstaller executable only runs there, the trojanized DLL fixer will only lure Windows users, and the registry commands and persistence mechanisms are Windows-based as well.
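The triage step described above (recognising a PyInstaller-built PE and reading off the Python version needed for extraction) can be automated by parsing the cookie PyInstaller appends to its overlay. The following is an added example for defenders, not code from the article or from G Data; it assumes the PyInstaller 2.1+ cookie layout and uses a constructed stand-in file rather than the real sample.

```python
import struct

# PyInstaller appends a CArchive "cookie" at the end of its bootloader overlay.
# Layout (PyInstaller 2.1 and later): 8-byte magic, package length, TOC offset,
# TOC length, Python version, 64-byte null-padded name of the Python DLL.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def parse_pyinstaller_cookie(data: bytes):
    """Return (python_version, pylib_name) if data carries a PyInstaller cookie, else None.

    python_version is the interpreter version an analyst must use with
    PyInstxtractor so the extracted .pyc files are reconstructed correctly.
    """
    pos = data.rfind(PYINST_MAGIC)  # the cookie sits at (or near) the end of the file
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, _pkg_len, _toc_off, _toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # PyInstaller < 4 stored the version as e.g. 37 for 3.7; later releases
    # store major*100+minor (307, 310, ...), which avoids ambiguity for 3.10+.
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return f"{major}.{minor}", pylib.rstrip(b"\x00").decode("ascii", "replace")


def build_sample(pyver: int, pylib: bytes) -> bytes:
    """Constructed stand-in for a PyInstaller-built PE (hypothetical, not the Cyrat binary):
    a fake MZ/PE header, a zlib-looking overlay, and a real-layout cookie at the end."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    fake_overlay = b"\x78\x9c" + b"\x00" * 32  # zlib header as found in the overlay
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, 0, 0, 0, pyver, pylib.ljust(64, b"\x00"))
    return fake_pe + fake_overlay + cookie


if __name__ == "__main__":
    sample = build_sample(37, b"python37.dll")
    print(parse_pyinstaller_cookie(sample))  # ('3.7', 'python37.dll')
```

On a real sample, read the file bytes and pass them to `parse_pyinstaller_cookie`; a `None` result means no PyInstaller cookie was found and the PE was packaged some other way.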

The security researcher: the malware uses Fernet to encrypt files, and a stock photo is set as the wallpaper

According to the security researcher, DLL fixer 2.5, upon execution, displays a randomly generated number of corrupted DLLs it pretends to have found on the system. Once the files have been encrypted, a success message about fixing the DLLs is shown. Cyrat ransomware uses Fernet to encrypt files. Fernet is a symmetric encryption scheme meant for small messages that fit into RAM. While Fernet itself is not unusual, it is uncommon in ransomware and in this case even problematic: the malware encrypts whole files regardless of their size, even though Fernet is unsuitable for large ones. The Fernet key is in turn encrypted with a public RSA key downloaded from Mediafire. The ransom note is dropped in every targeted folder. Furthermore, a stock photo is set as the wallpaper; it does not contain any ransom message, so in this state its only purpose is to draw the user's attention.
