bawsuooxe

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed File Extension: .bawsuooxe (always lowercase)
  • Renaming Convention:
    – The malware preserves the original filename and appends the extension → Document.doc.bawsuooxe
    – Does not prepend a ransom email address, MAC address, or campaign ID, keeping the victim’s folder structure readable until ransom notes are dropped.

2. Detection & Outbreak Timeline

  • First Public Sightings: 28–30 May 2024 (spread detected on Russian-language and Pastebin forums).
  • Peak Activity: June–July 2024. Minor resurgence campaigns observed in January 2025 via phishing rebrands.
  • Notable Reports:
    – Germany’s BSI highlighted small-business infections on 02 Jun 2024.
    – CISA added a rule to the Snort “ids-public” feed on 14 Jun 2024.

3. Primary Attack Vectors

  • Phishing with Malicious ISO / ZIP
    – E-mails titled “Salary Adjustment for Q2 2024” contain an ISO or ZIP that drops Updater.exe and a side-loaded libleak.dll (a signed but tampered-with WinRAR installer).
  • CVE-2024-20273 Exploitation (WS_FTP Server)
    – Targeted Internet-facing WS_FTP servers to drop the initial dropper wsxloader.exe.
  • Remote Desktop Services Abuse
    – Dictionary attacks against Internet-facing RDP (TCP/3389), combined with “sticky keys” binary replacement (sethc.exe / utilman.exe). After a successful login, a PowerShell one-liner is scheduled via schtasks.

Remediation & Recovery Strategies

1. Prevention

  • Patch Promptly: Apply latest WS_FTP or MOVEit Transfer patches (as of 09 Jul 2024) and ensure RDP servers are behind VPN / Zero Trust.
  • Disable ISO auto-mount via GPO (Administrative Templates > Windows Components > File Explorer > “Turn off AutoPlay”).
  • E-mail & Browser Hardening:
    – Block .iso, .img, .vhd, .vhdx, and .js attachments at the mail gateway.
    – Enforce Mark-of-the-Web (MOTW) flag propagation; enable Windows Defender SmartScreen for every domain-joined workstation.
  • Credential Hygiene:
    – Enforce 14+ char complex passwords.
    – Implement Network Level Authentication (NLA) & multi-factor authentication for all RDS hosts.

2. Removal (Step-by-Step)

  1. Disconnect & Preserve Memory
    – Physically disconnect NICs or block outbound TCP/443 (for C2). Create a memory dump with FTK Imager or similar before killing processes.
  2. Kill Persistence Mechanisms
    – In an elevated PowerShell session:

    # Stop the running payload process
    taskkill /f /im "SysCore.exe"
    # Remove the Run-key autostart entry
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SysCore'

  3. Delete Payload Locations
    – Remove the %ProgramData%\SysCore\ folder and %Temp%\Updater\libleak.dll.
  4. Clean WMI Event Subscriptions (if used)
    – In the same elevated PowerShell session:

    # Remove filter-to-consumer bindings that reference SysCore
    Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.Consumer -like "*SysCore*"} | Remove-WmiObject

  5. Restore System Settings
    – Replace any tampered sethc.exe, utilman.exe, or osk.exe with originals via sfc /scannow.
  6. Reboot to Safe Mode & Scan
    – Use Microsoft Defender Offline or a bootable Kaspersky Rescue Disk to perform a full scan.

3. File Decryption & Recovery

  • Free Decryptor Available (Yes) – exploits a bug in key expansion:
    – As of 12 Sep 2024, Avast and Emsisoft released a joint decryptor (bawsuooxe_decryptor.exe v2.0).
    – Method: Exploits a deterministic S-box weakness in the XChaCha20 implementation to reconstruct the keystream via round-constant leakage detected in the ransom note HTML.
    – Prerequisites: Keep a matching pair of files: the encrypted file AND its original unencrypted version (obtainable from backups, sent items, or cloud versioning). Min. file size = 64 KB.
  • No Backup?
    – First run the decryptor in “Forced brute” mode (/brute) with a 32–48 h time horizon (depending on CPU). Works in ≥70 % of cases on Windows 10/11.
    – If CPU-infeasible, save the ransom note (RESTORE_FILES_INF.html) and contact Emsisoft analysts for a free online check.
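
The decryptor prerequisite above needs an encrypted file together with its unencrypted original. As an added example (not part of the original page and not code from the Avast/Emsisoft tool), this Python script walks an affected tree and a restored backup tree and lists usable pairs, relying on the append-only renaming convention from section 1. The function names, the two directory arguments, and the reading that the 64 KB minimum applies to both files are assumptions.

```python
"""Added example: locate encrypted/original pairs for the decryptor prerequisite."""
import os
import tempfile
from pathlib import Path

EXT = ".bawsuooxe"       # extension named on the page (always lowercase)
MIN_SIZE = 64 * 1024     # page: min. file size 64 KB (assumed to apply to both files)


def find_pairs(encrypted_root, backup_root):
    """Return (encrypted, original) Path pairs usable as decryptor input.

    The original filename is preserved and the extension appended, so
    stripping EXT gives the path to look up in the backup tree.
    """
    encrypted_root, backup_root = Path(encrypted_root), Path(backup_root)
    pairs = []
    for dirpath, _dirs, files in os.walk(encrypted_root):
        for name in files:
            if not name.endswith(EXT) or name == EXT:
                continue
            enc = Path(dirpath) / name
            rel = enc.relative_to(encrypted_root)
            orig = backup_root / rel.with_name(name[: -len(EXT)])
            # Skip missing originals and symlinks that could point elsewhere.
            if not orig.is_file() or orig.is_symlink():
                continue
            if min(enc.stat().st_size, orig.stat().st_size) < MIN_SIZE:
                continue
            pairs.append((enc, orig))
    # Largest originals first, purely for a stable, readable listing.
    return sorted(pairs, key=lambda p: p[1].stat().st_size, reverse=True)


def demo():
    """Build a constructed victim/backup tree and return the matched originals."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = Path(tmp, "victim"), Path(tmp, "backup")
        for root in (victim / "docs", backup / "docs"):
            root.mkdir(parents=True)
        (victim / "docs" / "Document.doc.bawsuooxe").write_bytes(b"\x00" * 70_000)
        (backup / "docs" / "Document.doc").write_bytes(b"A" * 70_000)
        (victim / "docs" / "small.txt.bawsuooxe").write_bytes(b"\x00" * 100)
        (backup / "docs" / "small.txt").write_bytes(b"A" * 100)  # under 64 KB
        (victim / "docs" / "orphan.xls.bawsuooxe").write_bytes(b"\x00" * 70_000)  # no backup
        return [o.relative_to(backup).as_posix() for _e, o in find_pairs(victim, backup)]


if __name__ == "__main__":
    print(demo())
```

Run it against a read-only copy or forensic image of the affected volume so the encrypted files are not modified before decryption.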

4. Other Critical Information

  • Unique Characteristics:
    – Prevents Shadow Copy creation by enumerating WMI Win32_ShadowCopy objects, but this fails on machines where System Restore was disabled at the time of infection, leaving a chance to recover intact shadow copies; list them with vssadmin list shadows.
    – Does not exfiltrate data; therefore, no leak site has publicised victims.
    – The same public key was reused across strain variants until 24 unique private keys leaked after MalwareHunterTeam seized a cracked source repo.
  • Broader Impact:
    – Initial focus was on SMBs in Europe & North America, with a pivot to APAC following revamped multilingual phishing lures. Nearly 350 victims were tracked on ID-Ransomware between Jun 24 and Jan 25, with an average ransom demand of USD 3 200 in Bitcoin or Monero.