概要
The Play ransomware, also known as PlayCrypt, is a ransomware that first emerged in June 2022. The ransomware has been targeting industries such as healthcare and telecommunication as well as a wide range of regions such as Latin America, Europe, and North America. The Play ransomware is known for gaining access to networks through compromised valid accounts or by exploiting specific vulnerabilities. Once inside the network, it uses a big pool of known post-exploitation tools to continue its attack. Tools like Bloodhound, PsExec, Mimikatz, and AdFind are some examples of tools previously used in attacks involving this ransomware.
Another aspect of the malware that makes it famous is the amount of anti-analysis techniques it uses in its payloads such as abusing SEH and using ROP to redirect the execution flow. By employing techniques to slow down the reverse engineering process, threat actors make detection and prevention of the malware more difficult.
Back in 2022, other researchers published an excellent blog post analyzing the malware itself and some of the anti-analysis techniques it used. In this blog post, we’ll revisit the anti-analysis techniques employed by recent variants of Play ransomware, explaining how they work and also how we can defeat some of them using automation scripts.
Return-oriented programming (ROP)
When reverse engineering malware, making sure that the control flow is not obfuscated is one of the first things we need to do in order to properly understand the malware.
As an attempt to obfuscate its control flow, the Play ransomware often uses an ROP technique in its payload. It does so by calling over a hundred functions that patch the value on the top of the stack and then redirects the execution flow to it. Before we talk about how the malware does this exactly, let’s take a look at how the CALL and RET assembly instructions work in general.
When a CALL happens (a near call in this case to be more specific), the processor pushes the value of the instruction pointer register (EIP in this case) on the stack and then branches to the address specified by the call target operand, which in this case is an offset relative to the instruction pointer. The address in the instruction pointer, plus this offset, will result in the address of the function to be called.
The RET instruction on the other hand indicates the end of a function call. This instruction is responsible for transferring the program control flow to the address on the top of the stack. And yes, this is exactly the address initially pushed by the call instruction!
Considering what was mentioned, in an ideal scenario the highlighted address in the image below would be the next instruction to be executed after a call to the target function (sub_42a4b9):