{"id":2553,"date":"2024-09-25T18:51:43","date_gmt":"2024-09-25T18:51:43","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2553"},"modified":"2025-07-29T03:53:54","modified_gmt":"2025-07-29T03:53:54","slug":"karo-ransomware-is-bad-for-your-health","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/karo-ransomware-is-bad-for-your-health\/","title":{"rendered":"Karo ransomware is bad for your health"},"content":{"rendered":"\n

While the recent Petya (NotPetya?) pandemic made the world recognise just how devastating ransomware can be, another variant slipped largely under the radar.   

This variant, dubbed \u2018Karo\u2019, may not have shut down hospitals and other critical services, but it\u2019s still worth examining because it\u2019s essentially a mash up of several other successful strains. 

Karo uses the classic \u2018phishing email, word document attachment, malicious macro\u2019 propagation formula (we\u2019ve covered malicious macros in more depth, so read here<\/a> if you\u2019d like more information on how it works), though it also includes a slight twist; the document is password protected.

This password protection helps the document evade security controls by allowing it to bypass many sandbox environments. The password is generally included in the body of the phishing email so the victim can open the document and enable macros. 

I won\u2019t spend too much delving into its background, instead let\u2019s jump straight into the analysis. 

Static analysis<\/strong>

The sample we\u2019re analysing today is \u2018svchost.exe\u2019:<\/p>\n\n\n\n

File Name<\/td>Svchost.exe<\/td><\/tr>
File Size<\/td>708kb<\/td><\/tr>
Md5sum <\/td>51c7fff87a2fc5d62a31990643a5083c<\/td><\/tr>
Sha1 hash<\/td>e65ca51e8d82a5dfac95d858d0f497824e84cc1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Below, static analysis highlights multiple suspicious strings:

\"\"

When further examined, these strings illuminate the ransomware\u2019s specific functionality:

\"\"

Once executed, Karo checks for the username and machine name, as well as for the %TEMP% and %appdata folders:

\"\"\u00a0

Here we see the folder\u2019s target path:

\"\"

Next, Karo confirms file attributes\u2026

\"\"

\u2026 and then it tries to retrieve process information:

\"\"\u00a0

Dynamic analysis<\/strong>

As with all dynamic analysis, the first step is to open the malware:

\"\"

Once triggered, it contacts multiple Tor domains in order to download and execute \u2018Microsoft.vshub.32.exe\u2019:\u00a0<\/p>\n\n\n\n

File Name<\/td>Microsoft.vshub.32.exe<\/td><\/tr>
File size<\/td>3.12 MB<\/td><\/tr>
Md5sum<\/td>bc301e7d26c4ed498e9f966996fc4370<\/td><\/tr>
Sha1 hash<\/td>dcdb0deca2ed47b78263631addea0e07af51b4da<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Below we see the specific Tor domains that Karo calls out to:

\"\"

\"\"

\"\"\u00a0

Next, microsoft.vshub.32.exe uses cmd.exe, to initiate a ping request \u2013 our sample favoured Google Chrome \u2013 to connect to several more Command and Control (C2) servers:

\"\"

\"\"

\"\"

When network traffic is viewed in the pcap file, we see even more domains:

\"\"

\"\"

\"\"

\"\"\u00a0

When this process is complete, the encryption starts. Our sample displayed the following ransom demand via Google Chrome:

\"\"\u00a0

Another demand was also displayed on the machine\u2019s desktop:

\"\"\u00a0

To achieve this, the following files were dropped onto the user\u2019s system:\u00a0

C:\\users\\<User-name>\\Appdata\\Local\\Temp

C:\\users\\<User-name>\\Appdata\\Local\\Temp\\Tor

\"\"

\"\"

\"\"\u00a0

Below is a list of indicators of compromise (IOCs):

IP Addresses:<\/strong>

212.83.154.33

86.59.21.38

185.100.86.128

148.251.14.214

131.188.40.188

176.158.236.102

134.19.177.109

216.58.197.78

85.248.227.164

199.254.238.52

178.62.197.82

188.40.128.246

176.158.236.102

71.248.178.98

5.189.153.185

Domains:<\/strong>

6vas[.]com

usr2u2f5be2tty3ihzhl[.]com

zjuwaw35xhml5h2nvjrud[.]com

7xly4htpe2p2yjxfgs[.]com

51ptvhkd5kguelg373slgjqx5[.]com

Dropped file locations:<\/strong>

C:\\users\\<User-name>\\Appdata\\Local\\Temp

C:\\users\\<User-name>\\Appdata\\Local\\Temp\\Tor

MD5 hashes:<\/strong>

51c7fff87a2fc5d62a31990643a5083c

bc301e7d26c4ed498e9f966996fc4370

Here is where I\u2019d usually list the specific steps one can take to mitigate their exposure to Karo, but I\u2019ve just about run out of ways to say \u201cdon\u2019t open suspicious emails, keep your software up-to-date, and back up your files\u201d. Instead, here is a list of things named \u2018Karo\u2019:

\u2022\u00a0\u00a0 \u00a0Ethnic groups in Ethiopa and Indonesia

\u2022\u00a0\u00a0 \u00a0A radio station in Oregon

\u2022\u00a0\u00a0 \u00a0A sweet syrup made of corn

\u2022\u00a0\u00a0 \u00a0A native New Zealand shrub

\u2022\u00a0\u00a0 \u00a0Highly-ranked samurai officials in feudal Japan<\/p>\n","protected":false},"excerpt":{"rendered":"

While the recent Petya (NotPetya?) pandemic made the world recognise just how devastating ransomware can be, another variant slipped largely under the radar.    This variant, dubbed ‘Karo’, may not have shut down hospitals and other critical services, but it’s still worth examining because it’s essentially a mash up of several other successful strains.  Karo […]<\/p>\n","protected":false},"author":1,"featured_media":2578,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2553"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2553\/revisions"}],"predecessor-version":[{"id":4265,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2553\/revisions\/4265"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2578"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}