Hacker holding up a donation jar
Image: Creation of Bing

A new ransomware operation hacks Zimbra servers to steal emails and encrypt files. However, instead of demanding ransom payment, threat actors claim to demand donation to charity to provide encryptor and prevent data leakage.

The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers around late March 2023, with victims reporting both the BeepComputer And Zimbra Forums that their emails were encrypted.

Many victims in Zimbra forums report finding suspicious JSP files uploaded in /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.

These files were found under different names including info.jsp, noops.jsp and heartbeat.jsp [VirusTotal]. Startup1_3.jsp [VirusTotal]that BleepingComputer found, is based on a open source webshell.

Heartbeat.jsp webshell found on hacked Zimbra server
Heartbeat.jsp webshell found on hacked Zimbra server
Source: BleepingComputer.com

When encrypting emails, no additional file extension is added to the file name. However, the security researcher MalwareHunterTeam tells BleepingComputer that they add a message “This file is encrypted, search README.txt for decryption instructions” at the end of each encrypted file.

File encrypted by MalasLocker
File encrypted by MalasLocker
Source: BleepingComputer

An unusual ransom demand

The encryptor will also create ransom notes named README.txt that accompany an unusual ransom demand to receive a decryptor and prevent the leaking of stolen data: a donation to a non-profit charity they “endorse”.

“Unlike traditional ransomware groups, we don’t ask you to send us money. We just don’t like businesses and economic inequality,” the MalasLocker ransom note reads.

“We’re just asking you to donate to a non-profit we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”

Note on MalasLocker ransomware
MalasLocker ransom note
Source: BleepingComputer

Ransom notes contain either an email address to contact threat actors or a TOR URL that includes the group’s most recent email address. The note also has a Base64 encoded text section at the bottom that is needed to receive a decryptor, which we will cover in more detail later in the article.

Although the ransom notes do not contain a link to the ransomware gang’s data leak site, Emsisoft’s threat analyst Brett Callow found a link to their data leak site, titled “Somos malas… podemos ser peores”, translated as “We are bad…we can be worse”.

The MalasLocker data leak site is currently distributing the stolen data for three companies and the Zimbra setup for another 169 victims.

The data leak site’s main page also has a long emoji-filled message explaining what they represent and the ransoms they require.

“We are a new ransomware group that has encrypted corporate computers to ask them to give money to whomever they want,” data leak site MalasLocker reads.

“We ask them to donate to a nonprofit of their choice, then save the email they receive confirming the donation and send it to us so we can verify the DKIM signature for make sure the email is real.”

This ransom demand is highly unusual and, if honest, puts the operation more in the realm of hacktivism.

However, BleepingComputer has not yet determined whether threat actors keep their word when a victim donates money to a charity for a decryptor.

Uncommon Age Encryption

BleepingComputer was unable to find the encryptor for the MalasLocker operation. However, the Base64-encoded block in the ransom note decodes into an Age cipher tool header required to decrypt a victim’s private decryption key.

-> X25519 GsrkJHxV7l4w2GPV56Ja/dtKGnqQFj/qUjnabYYqVWY
-> .7PM/-grease {0DS )2D'y,c BA
--- 7bAeZFny0Xk7gqxscyeDGDbHjsCvAZ0aETUUhIsXnyg

The Age encryption tool was developed by Filippo Valsorda, a cryptographer and Go security manager at Google, and uses the X25519 (an ECDH curve), ChaChar20-Poly1305 and HMAC-SHA256 algorithms.

This is an uncommon encryption method, with only a few ransomware operations using it, and not all of them targeting Windows devices.

The first was AgeLockerdiscovered in 2020 and the other by MalwareHunterTeam in August 2022, both targeting QNAP devices.

Tweet from MalwareHunterTeam

Moreover, the QNAP campaign and AgeLocker ransom notes share similar language, further linking these two operations at least.

While a weak link at best, the targeting of non-Windows devices and the use of Age cipher by all of these ransomware operations could indicate that they are related.


Source link