Pro-Russian hacker group Killnet has been found dropping a note, after the execution of an attack, which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.
“The Telegram group has more than 90,000 subscribers, and the group chats mostly contain social media posts and news related to the conflict in Ukraine and asks subscribers to support the threat actor. The following figure shows the Telegram page containing propaganda,” said an advisory issued by threat researchers at Cyble Research and Intelligence Labs (CRIL).
The rise of Killnet
The pro-Russia hacker group is known for its DoS (denial of service) and DDoS (distributed denial of service) attacks towards government institutions and private companies in several countries during the 2022 Russian invasion of Ukraine. The group, thought to have been formed sometime around March 2022, uses a data-destroying ransomware, which is a version of the older Chaos ransomware, notes Cyble researchers.
Researchers have spotted variants of the customizable Chaos ransomware such as Yashma infecting devices. The ransomware finds its way into the target’s device by exploiting cracked software, phishing links, or using already hacked accounts. The 32-bit Killnet ransomware can offer admin privileges to perform various malicious functions such as checking if it’s already running in the system and terminating itself if an instance is found running in the background. Admin rights are procured using ProcessStartInfo and changing the Verb property of the startInfo object to run as shown in the figure below:
The Killnet ransomware achieves persistence by adding itself to C:\Users\<username>\AppData\Roaming folder and saving it as cmd.exe. It then adds a link to its shortcut in the StartUp folder. The malicious cmd.exe file runs once the system restarts. Following this Killnet stops data recovery activities and starts encrypting the documents. However, it has not been found to be making a ransom demand so far. Other malicious activities that ransomware performs include:
- Deleting shadow copy
- Disabling future data recovery attempts
- Deleting backup catalog
- Encrypting documents
- Manipulating the system
The encryption of the files is done by Killnet by matching the existing hardcoded list of files with the over 200 file extensions the ransomware contains. Some of the hardcoded extensions were .txt, .xls, .png, .sql, .html, and .doc among others.
A list of files accessed by the ransomware was found from the desktop, documents, OneDrive, videos, contacts, pictures, application data, and downloads among others. In the end, the Killnet ransomware leaves a note dropped by the group:
The Telegram Channel
The Telegram channel of Killnet had over 90,000 subscribers, 30 pinned group chats, social media posts, Russo-Ukrainian news, and messages from purported hacktivists helping Russia against its adversaries. Some of the translated messages from the channel contained BTC addresses or bitcoin wallet addresses and contact information of the cyber criminals. One post read, “Return of the DDoS tsunami around the world?” while others were also pertaining to seeking money from the people, officials, and businesses of the Russian Federation for donations in Bitcoin, Ethereum, and Tether.
Other chants and messages were also found on the Killnet Telegram channel that read, “Nazis from Ukraine collect millions of dollars to commit their crimes. And Killnet participants take loans from banks to protect the information field of Russia.”
