A Brief Overview of The Design Of CurveLock Ransomware

CurveLock

A ransomware written from scratch for fast infection, encrypting target contents with keys derived via Elliptic Curve Cryptography (ECC).

Disclaimer


This project is a demonstration and should not be used maliciously. Developing or deploying ransomware without explicit permission is illegal and unethical. The author is not responsible for any misuse of this code.

Features Of CurveLock -


  1. Uses API hammering (large volumes of benign API calls) to stall execution and obscure the call trace, evading time- and behaviour-based detection in sandbox environments
  2. Generates a random compile-time seed for its IAT/API hashing so the imported function names differ per build and are not recoverable by static signatures
  3. Unhooks ntdll.dll by creating a suspended process, reading the clean ntdll.dll mapped in it, and overwriting the hooked .text section of its own ntdll.dll with that copy
  4. Extracts the process token and checks its elevation and integrity level to determine whether it is running as Administrator
  5. If not running as Administrator, exploits CVE-2024-6769 to spawn a new process with a high-integrity token. CVE PoC -> https://github.com/fortra/CVE-2024-6769/tree/main
  6. Performs a DCSync attack with the DCSyncer tool (https://github.com/notsoshant/DCSyncer) to pull username and NTLM hash pairs from the domain controller, and parses them. Note that DCSync requires domain replication rights (e.g. Domain Admin); a high-integrity token on the local machine alone is not sufficient.
  7. Deletes itself after execution to hinder manual analysis
  8. Embeds the ransomware payload in a .PNG file's IDAT chunks and encrypts each chunk with its own RC4 key
  9. Extracts the payload from the .PNG file at runtime and executes it
  10. Also provides the decryptor for the encrypted files

(Figure: Flowchart of CurveLock)

Features Of CurveLock’s Payload -


  1. An Elliptic-Curve Diffie-Hellman (ECDH) key exchange is used to derive the AES-256 keys.
  2. Each file is encrypted with its own AES-256 key, and the keys are stored in the registry under HKEY_CURRENT_USER\Control Panel

Encryption Details -

Elliptic Curve Cryptography (ECC) Operations

ECC is used in the code to establish a shared secret between two parties holding private scalars na and nb: each side multiplies the other side's public point by its own scalar, and both arrive at the same curve point (na * (nb * G) = nb * (na * G)). The x-coordinate of that point is the shared secret, which is then used to derive the AES key. Knowing only the two public points does not reveal the secret; recovering it requires one of the private scalars.

The elliptic curve is defined by the equation:

(Figures: curve equation and ECC point operations)

AES-256 Encryption

The function Aes256EncryptBuffer encrypts a data buffer using AES-256 in CBC mode. CBC requires a fresh, unpredictable 16-byte IV for every buffer and provides no integrity protection on its own, so the IV must be stored alongside the ciphertext for the decryptor to work.

(Figure: Aes256EncryptBuffer)
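The key agreement described in the ECC and AES sections above, as an added example in pure Python; this is not code from the CurveLock project. It assumes NIST P-256 as the curve and a single SHA-256 over the shared x-coordinate as the KDF, neither of which the page specifies, and all function and parameter names are mine. The page's na and nb are kept as the two private scalars: na is the attacker's long-term scalar whose public point is embedded in the payload, nb is an ephemeral scalar generated on the target. The block stops at the 32-byte key that a routine like Aes256EncryptBuffer would consume; the AES-CBC step itself is a library call and is not shown.

```python
# Added example (not CurveLock code): ECDH on NIST P-256 deriving an AES-256 key.
# Assumptions: curve = P-256, KDF = SHA-256(shared_x || context). The page does
# not state which curve or KDF the project uses.
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (GX, GY)
INF = None  # point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies the curve equation (the identity counts as on-curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition covering identity, doubling and inverse cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Right-to-left double-and-add. Not constant-time: a demo, not production code."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Return (private scalar in [1, N-1], public point)."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def ecdh_shared_secret(priv, peer_pub):
    """Standard ECDH: validate the peer point, return the x-coordinate of priv*peer_pub."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid curve point")
    shared = scalar_mult(priv, peer_pub)
    if shared is INF:
        raise ValueError("degenerate shared secret")
    return shared[0].to_bytes(32, "big")


def derive_aes256_key(shared_x, context=b"curvelock-demo"):
    """Hash-based KDF (assumption; a real design would use HKDF). 32 bytes = AES-256 key."""
    return hashlib.sha256(shared_x + context).digest()


def hybrid_key_setup(attacker_pub):
    """Target side: ephemeral nb, ECDH with the embedded attacker point, keep only pub_b.
    Returns (aes_key, victim_pub); nb is discarded so the key is not recoverable locally."""
    nb, victim_pub = keygen()
    aes_key = derive_aes256_key(ecdh_shared_secret(nb, attacker_pub))
    del nb
    return aes_key, victim_pub


def recover_key(attacker_priv, victim_pub):
    """Attacker side: na plus the stored victim public point reproduces the same key."""
    return derive_aes256_key(ecdh_shared_secret(attacker_priv, victim_pub))


if __name__ == "__main__":
    na, attacker_pub = keygen()  # long-term pair; na never leaves the attacker
    file_key, victim_pub = hybrid_key_setup(attacker_pub)
    assert file_key == recover_key(na, victim_pub)
    print("AES-256 key:", file_key.hex())
```

A useful self-check for any hand-written curve arithmetic is `scalar_mult(N, G) is INF`: if doubling or addition were wrong, the result would almost certainly be some other point. The design point the example illustrates is that the target only ever holds the attacker's public point and its own ephemeral public point after key setup; without na, the per-file AES keys derived this way cannot be reconstructed from what is left on the machine.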

File Encryption

(Figure: file encryption routine)

Steps To Run


  1. Build the solution.
  2. Host all the required exploits and the files given in "Attacker Server Files" on a web server.
  3. Execute the CurveLock binary on the target machine.

Results


CurveLock

  1. Execution In Unprivileged Context and Privilege Escalation (images: Execution_unprivileged_context_and_exploit_initial_stage, Exploit_stage_two)
  2. Credential Dumping Using DCSyncer (image: Credential_Dumping_Using_DCSync)
  3. Decryptor Download Success/Failure (images: Decryptor_successful_download, Decryptor_download_failed)
  4. Attacker Server Output (image: files_being_downloaded_from_attacker_server)

CurveLock Payload

  1. Before Execution Of Payload (image: Before_Execution_Of_Payload)
  2. After Execution Of Payload (image: After_execution_Of_Payload)
  3. Payload dealing with Blacklisted Extensions (image: payload_blacklisted_extension)
  4. Decryptor Output (image: Decryptor_Output)

Credits


I thank @Maldev-Academy for providing me with the knowledge to build this malware. I would also like to thank @notsoshant and @fortra for DCSyncer and the CVE-2024-6769 PoC respectively.

This post is licensed under CC BY 4.0 by the author.