firmabilgileri

[Content by Gemini 2.5]

Ransomware Resource Sheet – “firmabilgileri”
Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .firmabilgileri (lowercase, appended as a second extension)
  • Renaming convention:
    Original file → <original_name>.<original_ext>.firmabilgileri
    Example: Annual_Report.xlsx → Annual_Report.xlsx.firmabilgileri
    In some runs the malware also drops the original filename completely and replaces it with an uppercase random string, e.g., KJ17B2A9.xlsx.firmabilgileri.
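An added example (not part of the resource sheet) that classifies file names against the two renaming conventions above and inventories a tree for encrypted files and ransom notes, so responders can tell which originals are still identifiable and where the encryptor walked. It assumes the random-name form is exactly 8 uppercase letters or digits, as in KJ17B2A9, and uses the ransom-note name given later in this sheet.

```powershell
# Added example, not the sheet's own code. Regexes mirror the two renaming conventions.
$Ext          = 'firmabilgileri'
$KeepNameRx   = '^(?<name>.+)\.(?<ext>[^.]+)\.firmabilgileri$'          # <original_name>.<ext>.firmabilgileri
$RandomNameRx = '^(?<rnd>[A-Z0-9]{8})\.(?<ext>[^.]+)\.firmabilgileri$'  # <RANDOM8>.<ext>.firmabilgileri (assumed 8 chars)

function Get-FirmabilgileriInfo {
    param([Parameter(Mandatory)][string]$FileName)
    # Case-sensitive random check first: an 8-char uppercase original name is indistinguishable
    # from the random form, so such files are reported as 'random' (original name unrecoverable).
    if ($FileName -cmatch $RandomNameRx) {
        return [pscustomobject]@{ Encrypted=$true; Pattern='random'; OriginalName=$null; OriginalExt=$Matches.ext }
    }
    if ($FileName -match $KeepNameRx) {
        return [pscustomobject]@{ Encrypted=$true; Pattern='keep-name'
                                  OriginalName="$($Matches.name).$($Matches.ext)"; OriginalExt=$Matches.ext }
    }
    [pscustomobject]@{ Encrypted=$false; Pattern=$null; OriginalName=$null; OriginalExt=$null }
}

function Get-FirmabilgileriInventory {
    param([Parameter(Mandatory)][string]$Root)
    $hits = @(Get-ChildItem -Path $Root -Recurse -File -Filter "*.$Ext" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = Get-FirmabilgileriInfo -FileName $_.Name
            [pscustomobject]@{ Path=$_.FullName; Pattern=$info.Pattern; OriginalName=$info.OriginalName
                               OriginalExt=$info.OriginalExt; LastWrite=$_.LastWriteTimeUtc }
        })
    # Ransom notes mark the folders the encryptor actually visited (note name from this sheet)
    $notes = @(Get-ChildItem -Path $Root -Recurse -File -Filter 'TIFF_BILGI_MESAJI.txt' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        EncryptedCount = $hits.Count
        ByExtension    = $hits | Group-Object OriginalExt | Sort-Object Count -Descending | Select-Object Name, Count
        NameLost       = @($hits | Where-Object Pattern -eq 'random').Count    # restore these by extension + folder
        FirstWriteUtc  = ($hits | Sort-Object LastWrite | Select-Object -First 1).LastWrite  # approx. encryption start
        NoteFolders    = @($notes.DirectoryName | Sort-Object -Unique)
        Files          = $hits
    }
}
# Usage: Get-FirmabilgileriInventory -Root '\\fileserver\share' | Format-List
```

The FirstWriteUtc value narrows the window to search in logon and SMB logs for the first infected host.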

2. Detection & Outbreak Timeline

  • First public submission: 2023-11-14 (Turkey-centric campaigns)
  • Spike activity: Mid-Dec 2023 → early-Jan 2024, with renewed waves each quarter.
  • Latest variant (v2.1) observed: 2024-04-02 (minor code recompile, no crypto changes).

3. Primary Attack Vectors

  1. Phishing with ISO/IMG attachments containing a BAT→PowerShell stager (most common).
  2. Smishing (SMS) links redirecting to fake “Turkish Revenue Administration” PDFs that drop the same stager.
  3. Exploitation of vulnerable ASP.NET web apps (CVE-2023-36899) to deploy a minimal .NET dropper that reflectively loads the “firmabilgileri” payload in memory.
  4. RDP brute-force → manual deployment of rs8.exe (primary loader) together with backupper.bat, which clears event logs.
  5. Malvertising via Turkish file-sharing forums pushing bogus “income-tax helper” tools.

Remediation & Recovery Strategies

1. Prevention – Proactive Measures

  • Disable ISO/IMG auto-mount via GPO; strip dual-extension mails at the gateway.
  • Patch public-facing ASP.NET (KB5029923) and enforce 2FA for RD Gateway / VPN.
  • Apply outbound firewall rule: block tor2web & *.onion.ly – C2 discovery relies on them.
  • Activate Windows AMSI + PowerShell CL to catch the stager’s heavily obfuscated “[System.Reflection.Assembly]::Load()” pattern.
  • Segment local networks; this strain spreads via SMB + sharp.exe (open-source lateral-movement toolkit) but respects only /24, so a /23 subnet often halts it.
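The recovery section of this sheet notes that file screening blocks the extension; as an added hardening example that is not in the sheet's own prevention list, this File Server Resource Manager (FSRM) screen refuses writes of the ransomware's artifacts on a Windows file server and raises an event the SOC can alert on. It assumes the FS-Resource-Manager feature is installed and that D:\Shares (placeholder) is the share root.

```powershell
# Added example, not from the sheet. Patterns are the extension and ransom-note name it lists.
Import-Module FileServerResourceManager

$group = New-FsrmFileGroup -Name 'Firmabilgileri artifacts' `
    -IncludePattern '*.firmabilgileri', 'TIFF_BILGI_MESAJI.txt' `
    -Description 'Extension and ransom note used by the firmabilgileri ransomware'

# Warning event naming the writing account and path; with an active screen the write is
# refused, so the first encrypted file never lands on the share and the event is the alarm.
$alert = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware file screen hit: [Source Io Owner] wrote [Source File Path] on [Server]'

New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup $group.Name -Notification $alert -Active `
    -Description 'Block firmabilgileri encrypted files and ransom notes'

# Confirm the screen is active on the share root
Get-FsrmFileScreen -Path 'D:\Shares' | Select-Object Path, Active, IncludeGroup
```

Forward the resulting FSRM warning events from the file server to the SIEM and disable the writing account's share access on first hit; the screen stops the files, not the encryptor.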

2. Removal – Infection Cleanup

  1. Isolate host from LAN (pull cable / disable Wi-Fi).
  2. Boot into Safe Mode + Network OR Kaspersky Rescue Disk / Bitdefender Rescue CD.
  3. Delete persistence items:
     • Scheduled Task \Microsoft\Windows\DateTime\DateTimeSync (task XML hidden in %PROGRAMDATA%)
     • Service WSearchPro pointing to %WINDIR%\System32\svcss.exe (misspelled look-alike name).
  4. Remove dropped binaries:
     • %TEMP%\rs8.exe
     • %APPDATA%\Sharp\sharp.exe
     • %PUBLIC%\backupper.bat
  5. Clean registry value:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run → WSearchPro
  6. Volume Shadow Copies: the malware runs vssadmin delete shadows /all; re-run it after disinfection to be sure no hidden copies remain.
  7. Install the latest OS cumulative update and AV signatures, then run a FULL scan (Windows Defender detects it as Ransom:Win32/Firmabil.A since 1.401.92.0).
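An added example (not the sheet's own script) that performs a read-only triage of the persistence items, dropped files, Run value and shadow copies named in the cleanup steps above; it also covers the surviving-shadow-copy check that the recovery section relies on. Run it elevated before and after disinfection. Artifact names and paths are taken from the sheet; the script reports and never deletes.

```powershell
# Added example, not from the sheet. Returns one record per artifact found.
function Test-FirmabilgileriPersistence {
    $findings = @()

    # Scheduled task hidden under the DateTime folder, plus its XML somewhere in %PROGRAMDATA%
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DateTime\' -TaskName 'DateTimeSync' -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Kind='ScheduledTask'; Where=$task.TaskPath + $task.TaskName; Detail=$action }
    }
    $xml = Get-ChildItem -Path $env:ProgramData -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
           Select-String -Pattern 'DateTimeSync' -List   # sheet gives no file name, so grep for the task name
    foreach ($m in $xml) { $findings += [pscustomobject]@{ Kind='TaskXml'; Where=$m.Path; Detail='mentions DateTimeSync' } }

    # Bogus service: record its binary path so the misspelled svcss.exe can be confirmed
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearchPro'" -ErrorAction SilentlyContinue
    if ($svc) { $findings += [pscustomobject]@{ Kind='Service'; Where=$svc.Name; Detail=$svc.PathName } }

    # Dropped binaries and the service binary; %TEMP%/%APPDATA% expand for the current profile,
    # so repeat under other users' profiles on a shared host
    $drops = '%TEMP%\rs8.exe', '%APPDATA%\Sharp\sharp.exe', '%PUBLIC%\backupper.bat', '%WINDIR%\System32\svcss.exe'
    foreach ($p in $drops) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) { continue }
        $detail = 'present'
        if ($full -like '*.exe') {   # an invalid or missing signature is the sheet's tell for svcss.exe
            $detail = 'signature=' + (Get-AuthenticodeSignature -FilePath $full -ErrorAction SilentlyContinue).Status
        }
        $findings += [pscustomobject]@{ Kind='DroppedFile'; Where=$full; Detail=$detail }
    }

    # Run-key value
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'WSearchPro' -ErrorAction SilentlyContinue
    if ($run) { $findings += [pscustomobject]@{ Kind='RunKey'; Where="$runKey\WSearchPro"; Detail=$run.WSearchPro } }

    # Shadow copies: the malware deletes them, so any survivor is a recovery candidate
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Kind='ShadowCopies'; Where='Win32_ShadowCopy'; Detail="$($shadows.Count) surviving" }

    $findings
}
# Usage: Test-FirmabilgileriPersistence | Format-Table -AutoSize
```

A clean post-cleanup run should return only the ShadowCopies record; anything else means a persistence item survived.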

3. File Decryption & Recovery

  • Feasible? NO – uses ChaCha20 with per-file 256-bit keys, RSA-2048 public-key wrap. No flaws uncovered so far; brute-forcing individual ChaCha keys is computationally infeasible.
  • Available decryptor: None (as of 2024-05-15). bleepingcomputer.com, NoMoreRansom, CERT-Turkey all confirm.
  • Recovery paths therefore are:
    a) restore from volume-shadow copies (usually deleted, but the malware sometimes fails on large drives; worth checking with ShadowExplorer or vssadmin list shadows)
    b) restore untouched originals from offline or cloud backups (OneDrive FSRM blocks the extension and can self-restore)
    c) use application-specific auto-save folders (AutoCAD .sv$, Excel .xlsb temp, Outlook OST cache), which the ransomware skips when the file is smaller than 50 kB.
  • “firmabilgileri” v2.1 has a bug: it skips mapped drives whose label starts with “BACKUP_”; giving backup drives such a label is a cheap preventive measure.

4. Essential Tools / Patches

  • Patch: MS/CVE-2023-36899 (KB5029923) – stops web-delivery chain.
  • Tool: TrendMicro Ransomware File Decryptor – include it in your response kit to handle other variants but do NOT expect it to crack firmabilgileri.
  • Tool: RST-CheckShadow (CERT-Turkey) – quickly inventories surviving VSS.
  • Tool: Sysinternals Sigcheck – verify OS components; the loader often drops a patched svcss.exe with an invalid signature.

Other Critical Information

  • Unique characteristics / OPSEC:
    – Hard-coded Turkish ransom note (TIFF_BILGI_MESAJI.txt) citing “Finansman Bilgi Sistemleri Birimi” to scare SMEs into thinking it’s a government audit tool.
    – Before encryption it queries https://www.mevzuat.gov.tr/iptal.mvc and exits if the URL is unreachable (path whitelisting). This behaviour can be turned into an inoculation: blocking that path at the proxy acts as a kill switch.
    – Drops a “no encrypt” list containing Turkish accounting apps (Logo, Mikro, Zirve) – accountants are pressured to pay fast.
  • Broader impact: Over 80 % of public infections are reported in Turkey, but the latest April-24 wave hit German and Dutch subsidiaries via shared SAP support portals, indicating the group is now targeting paying victims in the EU. The Turkish National Cyber Incident Response Center (USOM) assigned it Alert-ID 2023-12/973 – treat any lateral movement to domain controllers as critical.

Stay patched, stay backed-up, and never let .firmabilgileri be your company’s “firm information” leak.