TFlower (Malware Family)

TFlower

TFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware also will terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extention to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

References

2021-03-03 ⋅ SYGNIA ⋅ Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower

2019-09-20 ⋅ Canadian Centre for Cyber Security ⋅ Canadian Centre for Cyber Security
TFlower Ransomware Campaign
TFlower

2019-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams
TFlower Ransomware - The Latest Attack Targeting Businesses
TFlower

Yara Rules

[TLP:WHITE] win_tflower_auto (20230125 | Detects win.tflower.)

rule win_tflower_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.tflower."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 74e9 8a0e 0fb6c1 0fbe8038e14f00 85c0 7510 }
            // n = 6, score = 200
            //   74e9                 | or                  al, 5
            //   8a0e                 | add                 byte ptr [esp + ecx], bh
            //   0fb6c1               | add                 eax, 0x50c4e00
            //   0fbe8038e14f00       | add                 byte ptr [edx], bl
            //   85c0                 | lodsd               eax, dword ptr [esi]
            //   7510                 | or                  eax, dword ptr [eax]

        $sequence_1 = { 0001 7708 00f3 7608 }
            // n = 4, score = 200
            //   0001                 | jne                 0x16
            //   7708                 | cmp                 dword ptr [ebx + 0xfc], edi
            //   00f3                 | je                  0x36
            //   7608                 | dec                 eax

        $sequence_2 = { 0002 7408 00f7 7308 }
            // n = 4, score = 200
            //   0002                 | add                 byte ptr [ecx], al
            //   7408                 | ja                  0xc
            //   00f7                 | add                 bl, dh
            //   7308                 | jbe                 0xc

        $sequence_3 = { 8b4c2414 0fb6c9 c1e104 33b1486f4f00 33b9446f4f00 8b4c2410 c1e908 }
            // n = 7, score = 200
            //   8b4c2414             | je                  0x11
            //   0fb6c9               | add                 byte ptr [eax], dl
            //   c1e104               | je                  0xd
            //   33b1486f4f00         | add                 byte ptr [ecx], ah
            //   33b9446f4f00         | je                  0x11
            //   8b4c2410             | add                 byte ptr [edx + 0x74], ah
            //   c1e908               | add                 byte ptr [edx], bl

        $sequence_4 = { 0000 4885ff 7514 39bbfc000000 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   4885ff               | dec                 eax
            //   7514                 | test                edi, edi
            //   39bbfc000000         | jne                 0x16

        $sequence_5 = { 001a 0c05 003c0c 05004e0c05 }
            // n = 4, score = 200
            //   001a                 | add                 byte ptr [ecx], ah
            //   0c05                 | je                  0x11
            //   003c0c               | add                 byte ptr [eax], dl
            //   05004e0c05           | je                  0xd

        $sequence_6 = { 000f 7708 0001 7708 }
            // n = 4, score = 200
            //   000f                 | add                 byte ptr [eax - 0x7b], bh
            //   7708                 | add                 eax, 0x5867800
            //   0001                 | add                 byte ptr [ebx + 0x78000585], bl
            //   7708                 | add                 byte ptr [ebx], cl

        $sequence_7 = { 000b 8605???????? 007885 0500788605 }
            // n = 4, score = 200
            //   000b                 | add                 byte ptr [eax], cl
            //   8605????????         |                     
            //   007885               | je                  0xa
            //   0500788605           | add                 byte ptr [edx], al

        $sequence_8 = { 0820 e8???????? 8bd1 7757 f6f3 }
            // n = 5, score = 200
            //   0820                 | mov                 ecx, dword ptr [esp + 0x10]
            //   e8????????           |                     
            //   8bd1                 | shr                 ecx, 8
            //   7757                 | je                  0xffffffeb
            //   f6f3                 | mov                 cl, byte ptr [esi]

        $sequence_9 = { 0010 740b 0021 740b }
            // n = 4, score = 200
            //   0010                 | add                 byte ptr [edi], cl
            //   740b                 | ja                  0xa
            //   0021                 | add                 byte ptr [ecx], al
            //   740b                 | ja                  0xe

        $sequence_10 = { 333485105f4f00 0fb6c2 8b542410 33348510634f00 }
            // n = 4, score = 200
            //   333485105f4f00       | xor                 ebp, ebp
            //   0fb6c2               | mov                 ecx, dword ptr [ecx*4 + 0x4efa48]
            //   8b542410             | xor                 ebp, edi
            //   33348510634f00       | xor                 ecx, ebx

        $sequence_11 = { 83fa08 7408 84820fb84f00 7528 d92d???????? 891424 }
            // n = 6, score = 200
            //   83fa08               | lea                 eax, [ecx + 1]
            //   7408                 | push                eax
            //   84820fb84f00         | lea                 eax, [esp + 0x454]
            //   7528                 | push                eax
            //   d92d????????         |                     
            //   891424               | or                  byte ptr [eax], ah

        $sequence_12 = { 0008 7408 0002 7408 }
            // n = 4, score = 200
            //   0008                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa
            //   0002                 | add                 bh, dh
            //   7408                 | jae                 0xe

        $sequence_13 = { 8bf0 d1fe 8b0cb530ea4b00 8d04b530ea4b00 89442434 }
            // n = 5, score = 200
            //   8bf0                 | mov                 edx, ecx
            //   d1fe                 | ja                  0x5b
            //   8b0cb530ea4b00       | div                 bl
            //   8d04b530ea4b00       | shr                 ebp, 4
            //   89442434             | or                  edx, ebp

        $sequence_14 = { c1ed04 0bd5 33ed 8b0c8d48fa4e00 33ef 33cb }
            // n = 6, score = 200
            //   c1ed04               | movzx               eax, cl
            //   0bd5                 | movsx               eax, byte ptr [eax + 0x4fe138]
            //   33ed                 | test                eax, eax
            //   8b0c8d48fa4e00       | jne                 0x20
            //   33ef                 | jne                 0xfffffffb
            //   33cb                 | sub                 ecx, edx

        $sequence_15 = { 75f9 2bca 8d4101 50 8d842454040000 50 }
            // n = 6, score = 200
            //   75f9                 | ja                  0xffffffb1
            //   2bca                 | mov                 ecx, dword ptr [esp + 0x14]
            //   8d4101               | movzx               ecx, cl
            //   50                   | shl                 ecx, 4
            //   8d842454040000       | xor                 esi, dword ptr [ecx + 0x4f6f48]
            //   50                   | xor                 edi, dword ptr [ecx + 0x4f6f44]

    condition:
        7 of them and filesize < 6578176
}

Download all Yara Rules

TFlower Propose Change

References

Yara Rules

TFlower