DoDo & Proton

12219035090?profile=RESIZE_192XDoDo ransomware was first reported last February of 2023.  It is a variant of the widely reported and observed Chaos ransomware.  Because it is a derivative, the DoDo ransomware is not considered new and recent.  However, a slightly different version of the DoDo ransomware has recently emerged, described below.[1]

Infection Vector - DoDo ransomware samples have the “Mercurial Grabber” file icon, which indicates the ransomware was likely distributed as such.  Mercurial Grabber is an open-source malware builder that can generate an infostealer configured to steal information such as Discord tokens, machine information, Windows product keys, and Chrome passwords from victims’ machines.  It was posted on GitHub on 3 June 2021 with the following disclaimer:  “Please do not use the program maliciously.  This program is intended to be used for educational purposes only.  Mercurial only demonstrates what type of information attackers can grab from a user’s computer.  This is a project [sic] was created to make it easier for malware analysts or ordinary users to understand how credential grabbing works and can be used for analysis, research, reverse engineering, or review.”  However, threat actors have been actively using this builder to target victims and steal information by using the built-in functions shown in Figure 2, below.


12219031274?profile=RESIZE_180x180Figure 1: File icon of the DoDo ransomware samples


12219031488?profile=RESIZE_584xFigure 2: Mercurial Grabber’s configuration screen

The latest DoDo ransomware samples have been submitted to a public file scanning service from the following countries:

  • France
  • Germany
  • India
  • China
  • United Kingdom
  • Peru

Older variants were submitted from the following countries:

  • The Philippines
  • United States
  • France
  • Spain
  • Sweden
  • Germany
  • United Kingdom
  • Turkey
  • Australia
  • Brazil
  • Serbia
  • Bulgaria

The masquerading of free apps and tools is a simple yet effective attack vector cybercriminals have used for years.  However, in this case, the DoDo ransomware is masquerading as the nefarious Mercurial Grabber application, meaning that the most likely potential victims are malicious attackers or curious users.  This also makes the abundance of submission sources rather surprising, indicating that users worldwide have all managed to find and download a copy of the fake Mercurial Grabber builder.  It is also important to note that the file icon can be easily changed. In other words, it can also impersonate other applications, which all users should be aware of when downloading and using apps off the internet.

Ransomware Execution - While the newer and older DoDo variants drop slightly different ransom notes and add different file extensions to encrypted files, they have two things in common: all DoDo ransomware samples were created using Chaos Builder version 3, which was released in mid-2021, and they all use the same Bitcoin address to receive ransom payments.  Chaos ransomware Builder 3 has the disadvantage that it can only encrypt files smaller than 1 MB.  Files larger than that are overwritten and considered unrecoverable unless backups remain intact.  This means that DoDo operates much like a wiper for larger files because the attacker cannot recover all of their files even if the ransom payment is made.  The older DoDo ransomware variants dropped a ransomware note labeled “dodov2_readit.txt” and added a “.dodov2” extension to the encrypted files. The ransom demand is $15 worth of Bitcoin or Monero (XMR).


12219031873?profile=RESIZE_584xFigure 3: Ransom note dropped by the older DoDo ransomware variants

12219032060?profile=RESIZE_710xFigure 4: Files encrypted by the older DoDo ransomware samples

In contrast, the recent DoDo ransomware samples drop a ransom note labeled “PLEASEREAD.txt,” add a “.crypterdodo” extension to the encrypted files, and replace the desktop wallpaper with the same ransom message.  The ransom demand is still $15 worth of Bitcoin or Monero (XMR).  The attacker has also included a contact email address, likely for better “customer” service.  In addition, the Monero address is different from the older variants.


12219031690?profile=RESIZE_710xFigure 5: Ransom note dropped by the recent DoDo ransomware samples

12219032258?profile=RESIZE_710xFigure 6: Files encrypted by the recent DoDo ransomware samples

12219032287?profile=RESIZE_710xFigure 7: Desktop wallpaper replaced by the recent DoDo ransomware samples

The Bitcoin address used by the DoDo ransomware has had more than 40 transactions since May 2022.  However, most incoming transactions were under $10, raising questions as to whether they were ransom payments. The Monero addresses were not available at the time of our investigation.

Proton Ransomware

Proton is a recently reported ransomware designed to encrypt files on the Windows platform and demand ransom payments from victims to recover their affected files.

Infection Vector - Information on the infection vector used by the Proton ransomware threat actor is not currently available.  However, it is not likely to differ significantly from other ransomware groups.  Proton ransomware samples were submitted to a public file scanning service from the following locations:

  • United States
  • Italy
  • India
  • China
  • Korea
  • Estonia
  • Netherland
  • Germany
  • Russia
  • Ukraine

While there is no indication that the Proton ransomware is widespread, this list shows that attackers have the means to distribute ransomware in different parts of the world.

Ransomware Execution - Once executed, the Proton ransomware encrypts files on victims’ machines and adds a “.[the attacker’s contact email address].Proton” extension to the affected files.  It also changes the file icon of the encrypted files and drops a ransom note labeled “#[Unique ID assigned to each victim].txt” while replacing the victim’s desktop wallpaper.


12219033284?profile=RESIZE_584xFigure 8: Files encrypted by the Proton ransomware

12219033671?profile=RESIZE_710xFigure 9: Ransom note dropped by the Proton ransomware


12219034053?profile=RESIZE_584xFigure 10: Desktop wallpaper replaced by the Proton ransomware

The Proton ransomware has several minor variants, most adding different contact email addresses as part of the file extensions added to the encrypted files.  Below is a list of the contact addresses that the attacker has included in the ransom notes:

  • .[filesupport@[redacted]].Proton
  • .[vpsadminmain12@[redacted]].Proton
  • .[helpdec10@[redacted]].Proton
  • .[contact.encryptor@[redacted]].Proton
  • .[DoraRec@[redacted]].Proton
  • .[RecoverProtonData@[redacted]].Proton

During the research, FortiGuard Labs came across what appears to be the earliest sample of the Proton ransomware (SHA2: f36dda3b97266a6a30d905c73e1f8a45c4b6681e81fb2f8f59b622de899c4421), which was released in late March 2023.  While the ransom note calls itself "Proton," it does not use a ".Proton" file extension.  Instead, the sample uses "Kigatsu@[redacted][victim's unique ID].kigatsu".  The ransom note includes the attacker’s Telegram ID, which is not seen in the recent ransom notes. As shown below, this variant does not replace the file icon of the encrypted files with the unique Proton logo.


12219034072?profile=RESIZE_584xFigure 11: Files encrypted by possibly the earliest Proton ransomware sample

12219033887?profile=RESIZE_710xFigure 12: Ransom note dropped by possibly the earliest Proton ransomware sample

Another Proton ransomware variant was submitted to a public file scanning service in late June. This variant (SHA2: 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb) uses a similar email address and the same Telegram ID as the oldest Proton ransomware sample but adds ".[attacker's email address]. Proton" to encrypted files and also changes their file icon.

12219034677?profile=RESIZE_584xFigure 13: Files encrypted by 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb

12219035253?profile=RESIZE_710xFigure 14: Ransom note dropped by 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb

Based on these observations, the attacker has made some effort to improve the operation of this ransomware since its inception.

 

IOCs

File-based IOCs:

SHA2

Malware

8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44

DoDo Ransomware

f912cd2a6cd21e828dc32b97eac0ce9b2c4e8d5a7944deaa4bd61f41ab8e1997

aee45cc2540d49a28e765c30f1c4d0b853c1a74ea2260bd7614ece8e54c3bcb3

8d76a9a577ea5ad52555a2824db6f5872548fe4bcc47d476cae57603386c4720

464d6aa8389dad3aebc36f748f6687cb57432ee791b84ff18b3dd5a342ce23a0

Proton ransomware

506dc9f186f820b5e1d39e5f553949415ced6c34d1ef4f4f723ce9d6558cfc5d

877a01b2b6b79572100ba61d799d08569063910a7f56e199bf4805cf0943e140

31485a7ce7e5b4ae39ee06c8c425fe9090d1520b062b4941ad37233cc4851fe6

9adae78f48f24419b6f8a895c1244a1576a4c7fe73e9bc32136893630ce735bd

b7fbf5561006e41d56bde9e26895c8be3a3853436870e86f6929f51b719089d9

8fa93ce6b9dcf00ecf853f266f68aa033b057187c2061b950367c9ec9891571e

e43db9691d7947f7edadb0f9ae8317301aeaea7604f74e69dbcb4b23420e4cbe

6a8ef9185b85490a258eda096777ba0805394e587cf8a0f8f800b87e0594edca

077621c13e3688eb4959b66a1f6f18f3791e5d869e8f064a72498d70b2e36727

39b8c17d79733974ced9a4beeb112d888174b7addca6cea008eea3846fa33658

3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb

f36dda3b97266a6a30d905c73e1f8a45c4b6681e81fb2f8f59b622de899c4421

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date. 

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

 

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  

 

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!