LockerGoga

Description

(Fortinet) The binary for this particular variant of LockerGoga does not utilize any type of security evasion or obfuscation. Instead, the binary only goes as far as encoding the RSA public key that is used in its later stages for file encryption. It’s possible to speculate that the attackers may have already been fully aware of the target companies’ security measures, and were therefore confident that their malware would not be intercepted even without any obfuscation.

Another interesting fact is that the malware uses open-source Boost libraries for its filesystem, and inter-process communication and Crypto++ (Cryptopp) for file encryption. One of the advantages of using these libraries is easier development and implementation since developers only need to work with wrapper functions instead of calling individual native APIs to achieve the same goal. And since this utilizes a higher level of programming, statically and dynamically analysing the application without source code is more complicated than just reading a straight sequence of Windows APIs. However, since they do not use standard libraries, they need to be manually linked and the functions need to be physically added to the final binary, which results a larger file size than usual.

Names

Name
LockerGoga

Type

Ransomware
Big Game Hunting

Information

Mitre Attack

https://attack.mitre.org/software/S0372/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga

Alienvault Otx

https://otx.alienvault.com/browse/pulses?q=tag:LockerGoga

Playbook

https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/

Other Information

Uuid

8cdd2a40-7ddd-4caf-b7d0-94af5984a979

Last Card Change

2022-11-18

Threat Intelligence Garden

Explorer

LockerGoga

LockerGoga

Description

Names

Category

Type

Information

Mitre Attack

Malpedia

Alienvault Otx

Playbook

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks