![Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/video-ATTCK2-1)
![Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/Edward-Gonam-Qatar-Blog2-1)
![Endpoint Protection and Threat Intelligence: The Way Forward [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/GK-Blog_Images-1)
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking Trojan. This Russia-based eCrime group originally began deploying TrickBot in 2016 to conduct financial fraud, but has since evolved into a highly capable group with a diverse and potent arsenal, including Ryuk, Conti and BazarLoader. Their toolset covers the entirety of the kill chain, from delivery to post-exploitation tools and big game hunting (BGH) ransomware, enabling WIZARD SPIDER to conduct a wide range of criminal activities against enterprise environments.
Sidoh (aka Ryuk Stealer) is a keyword-based exfiltration tool used by WIZARD SPIDER. Sidoh (as well as Ryuk) is the name of a character from the anime series Death Note. In the series, the character Sidoh has an item stolen by Ryuk. Since WIZARD SPIDER’s tool is used for exfiltration, the name Sidoh is fitting. DeleteFileW to delete the file. Along with the deletion of the file, Sidoh’s code was compiled in Visual Studio, contained the same API chains to accomplish specific functionality and the code even “felt” like Ryuk. It was only upon deeper inspection that it was realized that the sample was not Ryuk, but a family of malware that looks to have borrowed code from Ryuk’s source code. Even though both Sidoh and Ryuk are compiled using Visual Studio, they are not compiled using the same build chain. For example, a Ryuk binary compiled on June 26, 2019, contains an older toolset than a Sidoh binary compiled on July 8, 2019. The difference in the detected toolsets between Ryuk and Sidoh hint that the samples were compiled on different machines with different installed versions of Visual Studio. Table 1 shows the detected Visual Studio toolsets for the binaries.
| Ryuk | Sidoh |
| Visual C++ 14.0.x 2015 (build 23918) | Visual C++ 14.0 2015 (build 24215) |
| Visual C++ 9.0 2008 SP1 (build 30729) | Visual C++ 14.0.x 2015 (build 24210) |
| Visual C++ 14.0.x 2015 (build 23907) | Visual C++ 14.0 2015 (build 24215) |
| Visual C++ 14.0.x 2015 (build 23918) | |
| Visual C++ 9.0 2008 SP1 (build 30729) | |
| Visual C++ 14.0.x 2015 (build 24123) |
Table 1. Ryuk and Sidoh detected toolsets
The exact intent of Sidoh is only known by the threat actors that operated it, but the keywords used by WIZARD SPIDER open up speculation of its targeted audience and usage of the exfiltrated data.
Technical Analysis
The following technical analysis is based on the newest version of Sidoh. Differences between the two variants are noted throughout the text when applicable. Upon execution, Sidoh checks for the presence of a command line argument passed to it. If the argument is present, it is treated as a file path. Sidoh sleeps for 5,000 microseconds and then deletes the file if the argument is present. Sidoh lists all available drives on the host by calling GetLogicalDrives. For each available drive, it calls GetDriveTypeW to ensure the drive type is not DRIVE_CDROM. If the drive type is not a CD-ROM, the drive path’s contents are searched. After the drives have been searched, Sidoh attempts to search the contents of hosts that have IP addresses present within the compromised host’s ARP entries. The ARP entries are retrieved by calling GetIpNetTable. For each entry, Sidoh attempts to mount the IP address from within the entry as a network drive, using Server Message Block (SMB), and then proceeds to search the drive.
To enumerate files on disk, Sidoh calls FindFirstFileW and FindNextFileW. Sidoh contains a deny list targeting specific file types of folder names. Table 2 shows a block list of folders and file names whose contents are ignored by Sidoh.
Sample Music | Sample Pictures | $Recycle.Bin |
Tor Browser | Package Cache | RyukReadMe.txt** |
microsoft | UNIQUE_ID_DO_NOT_REMOVE** | PUBLIC |
windows | PerfLogs | Windows |
ProgramData | Firefox | Intel |
Mozilla | Microsoft | $WINDOWS |
Program Files | \\Users\\Public\\Pictures | MySQL |
log | .dll | AhnLab |
Table 2. Sidoh folder name block list
Some of the names in Table 2 are not directories (e.g., .dll). The fields that end with ** are names that are artifacts from a Ryuk infection. For example, RyukReadMe.txt was the name for Ryuk ransom notes before WIZARD SPIDER switched the ransom note to HTML. Sidoh does not attempt to exfiltrate files over 50MB, and earlier variants would not exfiltrate files over 20MB. If a file is over 50MB, it is ignored. Along with folders names, Sidoh has an allow list of file extensions. Earlier variants contained the file extension .RYK, which is appended to files after being encrypted by Ryuk. The presence of the string related to Ryuk suggests that Sidoh was either derived from the Ryuk source code or designed to be compatible with systems that have been encrypted by Ryuk. Table 3 contains the block list of file extensions for variant 2. The newer list is more extensive, likely with an end goal of speeding up time spent scanning the host for files.
.exe | .sdi | .pem | .sys | .xpi | .rsm | .msc |
.msi | .dic | .ibd | .ddf | .mp3 | .wbverify | .ascx |
.dll | .pyd | .db | .sqlite | cached | .tmp | .css |
.lnk | .qml | .h | .ttf | ppt | .cat | .browser |
.sdi | .js | .lib | .cdx | ppsm | .asp | .bmp |
.wim | .png | .microsoft | .thmx | cached | .config | .url |
.chm | .log | .txmx | .new | wtv | .inf | .search-ms |
.vicache | .ini | .tif | .little | NTUSER | .din | .wmv |
.chm | .lnk | .iobj | .cdx | .contact | .oem | .icml |
.xml | .cab | .ipdb | .gif | .wbcat | .ps1 | readme |
Table 3. Sidoh file extension name block list
If the filename contains an extension of .cpp, .h .xls, .xlsx, .doc, .docx, .docb, .pdf or
wallet.dat, an attempt to automatically exfiltrate the file is made. Early variants also included .txt and .gov file extension but were removed. Further details about the attempt are described in the next section, Exfiltration and Infrastructure. If the filename does not contain one of the previously mentioned file extensions, the filename is then checked against the keyword list in Table 4. If the filename contains one of the keywords in the following table, the file is exfiltrated.
| SECURITY | marketwired | fbi | Secret | war | victim | federal |
| N-CSR | 10-Q | csi | scheme | suspect | court | bureau |
| 10-SB | 10Q | gun | tactical | cyber | hidden | government |
| EDGAR | 8K | NATO | Engeneering | document | bribery | security |
| spy | fraud | Nato | explosive | treasonrestricted | contraband | unclassified |
| radar | hack | convictMilitary | drug | private | operation | concealed |
| censored | NSA | military | traitor | confident | undercover | newswire |
| agent | FBI | submarine | embeddedspy | important | clandestine | marketwired |
| newswire | CSI | Submarinesecret | radio | pass | investigation | Clearance |
Table 4. Sidoh file name exfiltration keyword list
Early variants of Sidoh contained functionality to search the contents of .docx or .xlsx files. To search the contents of .docx or .xlsx files, Sidoh must first parse the file type. Modern Microsoft Office documents are stored in the Microsoft Open XML (MOX) format. This format primarily consists of a ZIP file with XML data. Before decompressing the ZIP file, Sidoh would import a Dynamic Link Library (DLL) named libzip.dll. It is derived from the open-source C library, libzip, which can be used for reading, writing and modifying ZIP files. This library is not installed on Windows by default. In order to execute properly, these early variants of Sidoh would need libzip.dll to be present within the working directory or within the standard DLL search order. The Sidoh executable and libzip.dll are likely written to disk by a dropper. Once the libzip has been imported, it is used to decompress the document. Once decompressed, Sidoh reads the path word/document.xml for .docx files and xl/worksheets/sheet*.xml for .xlsx. The contents are read into a buffer and then searched for the keywords in Table 5. The bug existed in how Sidoh searched .xlsx for keywords. Data from rows and columns in Excel spreadsheets are not stored in xl/worksheets/sheet*.xml but are stored at the path xl/SharedStrings.xml. Therefore, the .xlsx file data that Sidoh reads and searches only contains the mapping of the rows and columns to fields in SharedStrings.xml but none of the text that would contain the keywords being searched for. The reading and searching of
.docx or .xlsx was removed in the newest variant, likely because of the described error. Newer variants simply read the contents of the file and search for one of the keywords in Table 5.
| personal | censored | traitor | checking | clandestine | seed | Olivia |
| securityN-CSR10-SBEDGAR | bribery | suspect | saving | illegal | personal | Noah |
| spy | contraband | cyber | routing | compromate | confident | Ava |
| radaragentnewswire | operation | document | finance | privacy | William | |
| marketwired | gun | embeddedspy | agreement | private | letter | Isabella |
| 10-Q | attack | radio | SWIFT | contract | passport | James |
| 10Q | military | war | BIC | concealed | victim** | Sophia |
| 8K | tank | submarine | IBAN | backdoorundercover | court | Logan |
| fraud | convict | fbi | license | clandestine | id | Clearance |
| hack | scheme | restricted | Compilation | investigation | NATO | |
| NSA | tactical | secret | report | federal | Nato | |
| FBI | Engeneering | CSI | secret | bureau | scans | |
| defence | explosive | balance | confident | government | Emma | |
| treason | drug | statement | hidden | security | Liam |
Table 5. Sidoh file name exfiltration keyword list
The lists in Table 4 and Table 5 contain many words that are misspelled (e.g., Engeneering) or two words concatenated (e.g., treasonrestricted). These errors hint that this list was hastily imputed or never reviewed. Further details about the attempts to upload the files are described next.
Exfiltration and Infrastructure
Sidoh uploads documents that match the search criteria to a command-and-control (C2) IP address via FTP with a hard-coded username and password of anonymous. If the FTP server is not available, Sidoh typically contains a backup IP address that it can use. One variant of Sidoh did not contain a backup IP address. Once connected, the files are uploaded to a hard-coded directory with four random digits prefixing the original filename. If the connections fail, Sidoh sleeps for a random amount of time (between 0 and 125 seconds) and then tries to connect again. Sidoh does not keep an active connection to the FTP server but continuously logs into the FTP server.
If during the exfiltration process Sidoh fails to connect to the C2 after three attempts, it scans the filename or contents of files with an extension of .cpp, .xls, .xlsx, .doc, .docx, .docb or .pdf for the targeted keywords to determine if additional effort should be made to exfiltrate those files. If there is a match, Sidoh makes another three connection attempts. After each failed connection, Sidoh will sleep for a random amount of time (between 0 and 125 seconds) between each attempt. If all attempts to connect to the C2 fail, Sidoh discards the current file being uploaded and continues to search for more files to exfiltrate. Table 6 contains all known Sidoh IP addresses and observed folder paths for uploading exfiltrated files.
| IP Address | IP Address | Upload Path | Build Time
|
109.236.92<.>162 | N/A | /upload/files/a7 | 2019-06-16 21:20:14 |
109.236.92<.>162 | 185.254.121<.>157 | N/A | 2019-06-21 08:30:19 |
185.254.121<.>157 | 109.236.92<.>162 | /upload/files/military2 | 2019-06-22 03:37:21 |
185.254.121<.>157 | 109.236.92<.>162 | /upload/files/3 | 2019-07-08 17:21:37 |
185.254.121<.>157 | 109.236.92<.>162 | /upload/files/sharpsec | 2019-07-11 22:26:03 |
185.254.121<.>157 | 109.236.92<.>162 | upload/files/a71 | 2019-07-17 12:12:37 |
66.42.76<.>46 | N/A | /files_server/a8-5 | 2019-08-18 19:45:35 |
66.42.108<.>141 | 45.76.1<.>57 | /test50/fx3-92 | 2020-01-18 23:44:40 |
66.42.108<.>141 | 45.76.1<.>57 | /test50/fx3-92 | 2020-01-19 00:11:32 |
Table 6. Sidoh IP addresses, upload paths and build times
Due to reallocation, the IP addresses in Table 6 should not be used for blocking.
| SHA256 | Build Time |
df6847bbf7e75ded54028081f5f27abb199562409aee6e20f99abcda5b48fb51 | 2019-06-16 21:20:14 |
f07079472f1cb0247f530001f02d6189443146a719d986bca750ee9b1139e84f | 2019-06-21 08:30:19 |
a1ce52437252001b56c9ccd2d2da46240dc38db8074a5ed39a396e8c8e387fc2 | 2019-06-22 03:37:21 |
e6762cb7d09cd90d5469e3c3bfc3b47979cd67aa06c06e893015a87b0348c32c | 2019-07-08 17:21:37 |
6f06e5a8bdf983ec73177ef63ea053d391b46915a7dd1fbd0ddea5c70471f593 | 2019-07-11 22:26:03 |
cc4a0b4080844e20fb9535679f7b09a3e2449729ce1815d1e5a64272b0225465 | 2019-07-17 12:12:37 |
c64269a64b64b20108df89c4f1a415936c9d9923f8761d0667aa8492aa057acb | 2019-08-18 19:45:35 |
a8c4703fab7d2548701523b4c215d7cb57d337cc243046647bda18d4e6690853 | 2020-01-18 23:44:40 |
5794ce98af725b29ae32280909a725812a89fd4ecdbbf7f121b83f031526a967 | 2020-01-19 00:11:32 |
Table 7. Sidoh SHA256 Hashes and Build Time
Conclusion
WIZARD SPIDER is one of the most sophisticated groups tracked by CrowdStrike. Their threat arsenal ranges from banking trojans to spam bots to ransomware — with all of these tools designed with an end result of getting money from their victims. Some of these tools have been short-lived, but the diversity in tooling used by WIZARD SPIDER demonstrates their desire to use new strategies to monetize their attacks. It is unknown if Sidoh is one such strategy that experimented with monetizing victims by stealing potentially sensitive or proprietary data, or if Sidoh was used by WIZARD SPIDER to steal data from specific victims at the request of a third party. There is even the possibility that the original Hermes source code (which Ryuk was derived from) was modified to be Sidoh, and the threat actors added the Ryuk file artifact references as a false flag. But the likely and simplest solution is Sidoh was used in rare instances to automatically steal data from compromised hosts by WIZARD SPIDER.
As of this publication date, CrowdStrike has not observed Sidoh within the telemetry of our customers. If your company was a victim of Sidoh and you have further details you’d be willing to share, please reach out to CrowdStrike Intelligence.
Additional Resources
- For more intel about WIZARD SPIDER, visit the CrowdStrike Adversary Universe.
- To find out how to incorporate intelligence on threat actors into your security strategy, visit the CROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.
- Learn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.
- Get a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV performs against today’s most sophisticated threats.
