
The Power of Go and the Threat of Ransomware: Meet eCh0raix

I love the Go language. In fact, I have dumped C++ for most of my executable code, and now just use Go. Overall it is a simple yet powerful language that produces robust, fast code. If you want a library, the toolchain fetches it straight from a repository such as GitHub in a form that is simple to use. For cryptography it is one of the best languages around: the standard library is robust and integrates most of the modern standards, such as RSA and elliptic curve for public key and AES for symmetric key encryption.

The Go language, though, is also becoming one of the most useful tools for malware authors. Scripts in languages such as Python and Node.js need an interpreter on the target and are often easy to detect, whereas a Go program compiles to a single, statically linked executable that can be dropped onto the host as-is (or bundled into a Trojanised program).

With Go, an adversary gets a fully compiled program with a wide range of networking and cryptography methods in the standard library, along with direct access to the host's file system and processes. In fact, almost everything that a malware writer needs is in Go.

Now a new Go-based ransomware, eCh0raix, has been detected in the wild. It takes its name from a string found in the code. A strange feature is that there seems to be a unique hard-coded public key for each target. This is unusual: normally a single public key is reused across victims to encrypt each victim's unique AES key, but here each public key appears to be unique to a target (or perhaps to a campaign). Overall it uses fewer than 400 lines of code.

It has been detected brute forcing credentials on QNAP network attached storage (NAS) devices and then encrypting the files on them. The great worry here is that NAS devices are often used for backups, so an organisation may find its systems crippled by the inability to recover its files. The infection is thought to come through ports left open to the Internet.


The ransomware notice contains a link to a Bitcoin payment (README_FOR_DECRYPT.txt):

All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[bitcoin_address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!
[unique_id]

Notice the bad spelling ("unclock") and the poor grammar, perhaps hinting at a non-English-speaking source.

Overall it connects to its Command and Control (C&C) server over Tor. After connecting, it downloads the ransom note and then encrypts a unique AES key with an RSA public key.


A strange feature of eCh0raix is that it checks the language configured on the system and will not encrypt if that language is the one used in Belarus, Ukraine or Russia. Once active, the ransomware then tries to kill the following processes (web and database servers, presumably so that the files they hold open can be encrypted):

apache2
httpd
nginx
mysqld
mysqd
php-fpm

While searching for files to encrypt, eCh0raix skips various system folders whose encryption would break the operation of the QNAP NAS itself, including:

/proc
/boot/
/sys/
/run/
/dev/
/etc/
/home/httpd
/mnt/ext/opt

The ransomware then generates a 256-bit AES key and encrypts files with it in Cipher Feedback (CFB) mode; the AES key is in turn encrypted with the embedded RSA public key, or with one downloaded from the C&C server. Files matching its target list are then encrypted and given a .encrypted file extension.
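The hybrid scheme described above (a per-victim 256-bit AES key used in CFB mode, with the AES key itself wrapped under an RSA public key) is easy to express in Go's standard library, which is part of why the language suits this kind of malware. The following is an added example written for this page, not eCh0raix's code and not a reconstruction of its on-disk format: the Package layout, the use of RSA-OAEP for the key wrap and the sample plaintext are all assumptions made for illustration. The point it shows is that once the AES key has been wrapped, the only route back to the data is the RSA private key, which never touches the victim's machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Package is the per-file artefact this hybrid scheme produces: the random
// AES key wrapped to the attacker's RSA public key, the CFB IV, and the
// ciphertext. The layout is a constructed illustration, not eCh0raix's format.
type Package struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// GenerateAttackerKey stands in for the key pair whose public half would be
// embedded in (or downloaded by) the ransomware.
func GenerateAttackerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// HybridEncrypt draws a fresh 256-bit AES key, encrypts plaintext with
// AES-256-CFB under a random IV, and wraps the key with RSA-OAEP so only the
// holder of the matching private key can recover it.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Package, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	// CFB turns the block cipher into a stream cipher, so no padding is needed.
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, plaintext)

	// Wrap the symmetric key: this is the only copy of it that survives.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Package{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// HybridDecrypt is the recovery path the victim is denied: it needs the RSA
// private key to unwrap the AES key before the file can be decrypted.
func HybridDecrypt(priv *rsa.PrivateKey, p *Package) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP check fails
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(p.Ciphertext))
	cipher.NewCFBDecrypter(block, p.IV).XORKeyStream(pt, p.Ciphertext)
	return pt, nil
}

func main() {
	attacker, err := GenerateAttackerKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample plaintext standing in for a file on the NAS.
	p, err := HybridEncrypt(&attacker.PublicKey, []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, iv: %d bytes, ciphertext: %d bytes\n",
		len(p.WrappedKey), len(p.IV), len(p.Ciphertext))

	back, err := HybridDecrypt(attacker, p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the attacker's private key: %q\n", back)

	other, _ := GenerateAttackerKey(2048)
	if _, err := HybridDecrypt(other, p); err != nil {
		fmt.Println("decryption with any other private key fails:", err)
	}
}
```

Because the AES key is generated fresh for each run and leaves the machine only in wrapped form, recovering files without the private key would mean breaking RSA or AES; this is why the practical defence is to keep the ransomware off the device in the first place rather than to hope for a decryptor.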


The defence is quite simple: patch, and don't expose your NAS to the Internet.
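Patching and closing ports stops the next infection; finding out whether a share has already been hit is the other half of the job. The two indicators this page gives are the ransom note's file name (README_FOR_DECRYPT.txt, with the .onion order URL inside and the unique ID on its last line) and the .encrypted extension appended to victims' files. The following is an added example written for this page, not a tool from the write-up or from QNAP: it sweeps a directory tree for both indicators and pulls the .onion URL and ID out of any note it finds. The sample share it builds (BuildSampleTree, SampleNote) is constructed for the demonstration, and the unique ID in it is made up.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the write-up: the ransom note's file name and the
// extension appended to encrypted files.
const (
	RansomNoteName  = "README_FOR_DECRYPT.txt"
	EncryptedSuffix = ".encrypted"
)

// SampleNote reproduces the note text quoted in the write-up, with a
// constructed unique ID on the last line.
const SampleNote = `All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this TOR website: http://sg3dwqfpnr4sl5hh.onion/order/[bitcoin_address]
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
Do NOT remove this file and NOT remove last line in this file!
a1b2c3d4-constructed-victim-id
`

// ScanResult collects what a sweep of a share turned up.
type ScanResult struct {
	RansomNotes    []string
	EncryptedFiles []string
}

// Hit reports whether either indicator was found.
func (r *ScanResult) Hit() bool {
	return len(r.RansomNotes) > 0 || len(r.EncryptedFiles) > 0
}

// ScanTree walks root and records ransom notes and .encrypted files.
// Unreadable entries are skipped rather than aborting the sweep, since a
// half-encrypted share is exactly where odd permissions are to be expected.
func ScanTree(root string) (*ScanResult, error) {
	res := &ScanResult{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil
		}
		if d.IsDir() {
			return nil
		}
		switch name := d.Name(); {
		case name == RansomNoteName:
			res.RansomNotes = append(res.RansomNotes, path)
		case strings.HasSuffix(name, EncryptedSuffix):
			res.EncryptedFiles = append(res.EncryptedFiles, path)
		}
		return nil
	})
	return res, err
}

// ParseRansomNote pulls the two fields an analyst wants from the note: the
// .onion order URL and the per-victim ID the note says sits on its last line.
func ParseRansomNote(text string) (onionURL, uniqueID string, ok bool) {
	text = strings.TrimSpace(strings.ReplaceAll(text, "\r\n", "\n"))
	lines := strings.Split(text, "\n")
	for _, l := range lines {
		for _, tok := range strings.Fields(l) {
			if strings.HasPrefix(tok, "http://") && strings.Contains(tok, ".onion") {
				onionURL = tok
			}
		}
	}
	uniqueID = strings.TrimSpace(lines[len(lines)-1])
	return onionURL, uniqueID, onionURL != "" && uniqueID != ""
}

// BuildSampleTree lays out a small constructed share under root: two
// encrypted files, one untouched file and a ransom note in a subfolder.
func BuildSampleTree(root string) error {
	files := map[string]string{
		"photos/holiday.jpg.encrypted": "opaque ciphertext",
		"docs/report.docx.encrypted":   "opaque ciphertext",
		"docs/" + RansomNoteName:       SampleNote,
		"docs/notes.txt":               "still readable",
	}
	for rel, content := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "nas-scan-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildSampleTree(dir); err != nil {
		panic(err)
	}
	res, err := ScanTree(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted files: %d, ransom notes: %d, suspicious: %v\n",
		len(res.EncryptedFiles), len(res.RansomNotes), res.Hit())
	for _, n := range res.RansomNotes {
		data, _ := os.ReadFile(n)
		url, id, ok := ParseRansomNote(string(data))
		fmt.Printf("note %s: url=%s id=%s parsed=%v\n", n, url, id, ok)
	}
}
```

On a real NAS, point ScanTree at the mounted share root (or run it on the device against its data volume); a non-zero count of .encrypted files is the earliest sign that backups on the box are already gone, and the parsed ID and URL are what you would hand to an incident responder.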

ASecuritySite: When Bob Met Alice

This publication brings together interesting articles…

Prof Bill Buchanan OBE

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
