boramae

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: BORAMAE
  • Renaming Convention:
    The ransomware uses a predictable suffix-style change:
  OriginalName.ext → OriginalName.ext.BORAMAE

Some samples have been observed leaving filenames exactly as-is and instead dropping an accompanying README.boramae.txt ransom note in every encrypted directory.
Double-check: Always look at the final dot-separated token of a file name. “Resume.pdf.BORAMAE” is affected, whereas “Resume.BORAMAE.pdf” is not. Because the non-renaming samples exist, an unchanged extension does not prove a file is intact; a README.boramae.txt in the same directory is the more reliable indicator.
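The final-token check and the two-variant caveat above, as an added example (not part of the original write-up): a small triage script that classifies file names by their last dot-separated token, recovers the pre-encryption name, and walks a tree to separate renamed files, ransom notes and directories that carry a note without any renamed files. The sample directory layout it builds in a temp folder is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

EXT = "BORAMAE"
NOTE = "README.boramae.txt"


def is_encrypted_name(name: str) -> bool:
    """True only when the FINAL dot-separated token is the ransomware extension.

    "Resume.pdf.BORAMAE" -> True; "Resume.BORAMAE.pdf" -> False (the suffix is not last).
    Comparison is case-insensitive because NTFS file names are case-insensitive.
    """
    tokens = name.split(".")
    return len(tokens) > 1 and tokens[-1].upper() == EXT


def original_name(name: str) -> str:
    """Strip one trailing .BORAMAE token to recover the pre-encryption file name."""
    if not is_encrypted_name(name):
        return name
    return name[: -(len(EXT) + 1)]


def triage(root: str) -> dict:
    """Walk a tree and separate renamed files, ransom notes and untouched files.

    Directories that contain the note but no renamed files are reported under
    "suspect_dirs": that is the non-renaming variant, where every file in the
    directory must be treated as encrypted even though its extension looks normal.
    """
    result = {"encrypted": [], "notes": [], "suspect_dirs": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        renamed = [f for f in files if is_encrypted_name(f)]
        for f in files:
            full = os.path.join(dirpath, f)
            if f == NOTE:
                result["notes"].append(full)
            elif is_encrypted_name(f):
                result["encrypted"].append(full)
            else:
                result["clean"].append(full)
        if NOTE in files and not renamed:
            result["suspect_dirs"].append(dirpath)
    return result


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and triage it."""
    tmp = tempfile.mkdtemp(prefix="boramae_demo_")
    layout = [
        "docs/Resume.pdf.BORAMAE",   # renamed by the encrypting variant
        "docs/Resume.BORAMAE.pdf",   # NOT affected: suffix is not the final token
        "docs/" + NOTE,
        "share/budget.xlsx",         # non-renaming variant: note present, names untouched
        "share/" + NOTE,
        "home/notes.txt",            # untouched directory
    ]
    for rel in layout:
        p = Path(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    out = triage(tmp)
    # Make paths relative and sorted so the result is easy to read and assert on.
    return {k: sorted(os.path.relpath(x, tmp).replace(os.sep, "/") for x in v)
            for k, v in out.items()}


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

Run it against a real share by calling `triage(r"\\fileserver\share")` instead of `demo()`; the "suspect_dirs" list is the one that matters for the non-renaming samples.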

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    Initial telemetry spikes appeared on 10 March 2024, centered on South Korea-based IP ranges. The first documented victim posted publicly on 13 March 2024. Within 48 hours, broader East Asian organizations (manufacturing, higher education, ISP help desks) reported hits.
    Since late March 2024, geographically distributed clusters have appeared in continental Europe, reached through chained VPN/VPS pivoting.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing Lures (“보라매 교육자료” (“Boramae Training Materials”), “Boramae Training Pack.zip”):
    Malicious .zip or .iso attachments (Windows 8 and later mount .iso files natively on double-click) containing an obfuscated .js that launches PowerShell, which in turn loads a reflective DLL (bora.dll) via WMIC (wmic process call create).
  2. Known-Software Exploits:
    Zoho ManageEngine ADSelfService Plus (CVE-2023-40531) – patched Oct 2023, still exploitable on any instance where the update has not been installed.
    Confluence Data Center/Server broken access control (CVE-2023-22515; an unauthenticated admin-account-creation flaw, not an OGNL injection) – used to drop a .cpio archive housing the boramae payload.
  3. RDP Brute-Force / Masquerade Trick:
    The payload scans for open TCP 3389; after a successful login it copies itself as svchost64.exe (outside System32) and registers a service named BMSecurityCenter for persistence.
  4. Living-off-the-Land Lateral Movement (PsExec redistributable):
    Authenticates with credentials dumped from NTDS.dit and copies itself over SMB to \\<host>\C$\Windows\Temp\bora.exe, then executes it through PsExec.
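The four vectors above each leave a distinctive process-creation footprint. As an added example (not from the original write-up), the following detection logic runs five rules over process-creation records in the shape of Sysmon Event ID 1 / Windows 4688: script host spawning PowerShell, wmic process call create, an svchost binary outside System32/SysWOW64, the BMSecurityCenter service install, and PSEXESVC launching a binary from Windows\Temp. The events, user name and encoded command are constructed for the demo; the benign svchost and wmic rows are there to show the rules do not fire on ordinary activity.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    eid: int
    image: str
    cmdline: str
    parent: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SERVICE_NAME = "bmsecuritycenter"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list:
    img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    hits = []
    # 1. Phishing chain: a .js lure running in a script host spawns PowerShell.
    if par in ("wscript.exe", "cscript.exe") and img in ("powershell.exe", "pwsh.exe"):
        hits.append("script_host_to_powershell")
    # 2. Loader stage: wmic process call create. Plain queries (wmic os get ...) are not flagged.
    if img == "wmic.exe" and re.search(r"\bprocess\s+call\s+create\b", cmd):
        hits.append("wmic_process_call_create")
    # 3. Masquerade: Windows ships no svchost64.exe, and the real svchost.exe lives only in System32/SysWOW64.
    if img == "svchost64.exe" or (img == "svchost.exe" and not ev.image.lower().startswith(SYSTEM_DIRS)):
        hits.append("svchost_masquerade")
    # 4. Persistence: sc create for the BMSecurityCenter service, or the service binary itself running.
    if (img == "sc.exe" and " create " in cmd and SERVICE_NAME in cmd) or img == SERVICE_NAME + ".exe":
        hits.append("bmsecuritycenter_persistence")
    # 5. Lateral movement: the PsExec service launching a binary dropped into Windows\Temp via C$.
    if par == "psexesvc.exe" and "\\windows\\temp\\" in ev.image.lower():
        hits.append("psexec_temp_binary")
    return hits


def detect(events) -> dict:
    """Return {eid: [rule names]} for every event that matches at least one rule."""
    out = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            out[ev.eid] = hits
    return out


# Constructed sample events (paths, user name and the -enc token are made up), not a real capture.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", r"C:\Windows\System32\wscript.exe"),
    ProcEvent(2, r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process call create "rundll32 C:\ProgramData\bora\bora.dll,Start"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(3, r"C:\Users\kim\AppData\Local\Temp\svchost64.exe",
              "svchost64.exe -k netsvcs", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4, r"C:\Windows\System32\sc.exe",
              r'sc create BMSecurityCenter binPath= "C:\ProgramData\bora\BMSecurityCenter.exe" start= auto',
              r"C:\Users\kim\AppData\Local\Temp\svchost64.exe"),
    ProcEvent(5, r"C:\Windows\Temp\bora.exe", r"C:\Windows\Temp\bora.exe", r"C:\Windows\PSEXESVC.exe"),
    # Benign rows: real svchost under System32, and a harmless wmic query.
    ProcEvent(6, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(7, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for eid, hits in detect(SAMPLE_EVENTS).items():
        print(eid, hits)
```

Feed it real Sysmon or 4688 records by mapping Image, CommandLine and ParentImage onto ProcEvent; rule 2 is the noisiest in environments that still use wmic for inventory, so tune it on the command-line pattern rather than on wmic.exe itself.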

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch immediately: CVE-2023-40531 / CVE-2023-22515
    • Disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) unless 2003-era systems absolutely require it.
    • Remove any HIPS/EDR exclusions that would let unsigned DLLs load unmonitored, and alert on wmic process call create, which has few legitimate uses.
    • Phishing Immersion: mandatory bi-weekly interactive e-mail simulations for staff with .kr addresses until the click rate is below 2 %.
    • Restrict mounting of unsolicited .ISO, .IMG and .VHD files via GPO:

    Computer Config → Admin Templates → System → Removable Storage Access → “All Removable Storage classes: Deny all access”
    (A mounted ISO appears as a virtual CD/DVD drive, so “CD and DVD: Deny read access” under the same node is the narrower option when USB removable storage must keep working.)

2. Removal

  • Infection Cleanup (Step-by-Step):
  1. Isolate the affected station: turn off Wi-Fi, pull the Ethernet cable, disconnect any VPN.
  2. Remove persistence:
    • Delete the scheduled task {47D9F650-4D1C-492A-…}
    • Remove the service with sc delete BMSecurityCenter (stop it first with sc stop BMSecurityCenter)
    (requires an NT AUTHORITY\SYSTEM shell – use psexec -i -s cmd.exe)
  3. Kill the process tree of any svchost64.exe running from a non-system path such as %TEMP%. Windows ships no svchost64.exe, and the legitimate svchost.exe lives only in %SystemRoot%\System32 and SysWOW64.
  4. Quarantine bora.dll and BMSecurityCenter.exe; keep a copy of README.boramae.txt, since a future decryptor may need it.
  5. Run an updated AV (engine v2024.05.15 or later) in Safe Mode without networking. Current signature name: Trojan:Win32/Boramae.A!MTB

3. File Decryption & Recovery

  • Recovery Feasibility:
    At the time of writing, NO free decryptor exists for Boramae’s hybrid scheme: ChaCha20 for file contents, with the file keys wrapped via elliptic-curve (ECDH) key agreement. ChaCha20 itself is symmetric; it is the asymmetric wrapping that makes offline recovery impossible without the attacker’s private key.
    Exception 1: In April 2024 KISA announced access to one private key after a tactical server takedown. Victims encrypted between 13-16 March 2024 can try the offline checker:
    BoramaeOfflineDecryptor-v0.63.exe -checkpair secretApril.March13-16.dat
    Exception 2: Some early variants used a hard-coded ECDH key (the 0xDEADBEEF build), which the operators fixed in v2.1. Victims with boradec.exe on the host may still have cache entries; attempt recovery with the Paramida/Avast ransomware decryptor build of 24 Feb 2024.
  • Essential Tools / Patches:
    • Zoho ManageEngine ADSelfService Plus security update 6173 or later
    • Atlassian Confluence 8.3.3 / 8.4.3 / 8.5.2 or later (the fixed releases for CVE-2023-22515); current 9.x releases such as 9.3.1 also contain the fix
    • SentinelOne / CrowdStrike Falcon isolation rule for the loader (-boramaex- directive)
    • SHA-256 indicator: a9f4c27fbd2a0cd74… (boramae-loader) for NSM correlation. This is a block/alert indicator, not an allowlist entry.

4. Other Critical Information

  • Unique Characteristics:
    – Injects Delphi-compiled shellcode into the Print Spooler process; the injected module is bora.dll, and its outbound DNS lookups are visible in ApateDNS captures.
    – Deliberately abuses Windows Defender exclusions: each run adds "C:\ProgramData\bora" to the exclusion list, so review the configured exclusion paths on every recovered host.
    – Modifies the hosts file to block hardBit-related hostnames and kbs-help.pc-domain.co.kr (indicator: 194.32.174[.]11). The hosts file does not support wildcards, so each blocked name appears as an individual entry.
  • Broader Impact:
    The name of South Korea’s “보라매 보안프로젝트” (Boramae Security Project) was used as the phishing pretext; at least 3 municipal governments, 2 airlines and 1 energy R&D lab confirmed downtime of more than 7 days.
    Public SOC reports indicate that up to 192 TB of data may have been exfiltrated before encryption to mftlog.boramae-backup[.]press. Monitor for double-extortion leak postings (TL.Paste Green Sections).
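The hosts-file tampering and the Defender exclusion listed under Unique Characteristics are the easiest host artefacts to audit. As an added example (not from the original write-up), the script below parses a hosts file the way Windows does (comments stripped, first token is the address, the rest are names), flags the named indicators, flags any wildcard line as invalid (Windows ignores it, which tells you the malware wrote it rather than an admin), flags every other non-localhost name sinkholed to 0.0.0.0/127.0.0.1 for review, and checks an exclusion-path list for the C:\ProgramData\bora entry. The hosts content and exclusion list are constructed samples; the update.hardbit-sec.example and ads.example.net names are made up.

```python
INDICATOR_HOSTS = {"kbs-help.pc-domain.co.kr"}
INDICATOR_SUBSTRINGS = ("hardbit",)
INDICATOR_IP = "194.32.174.11"
MALICIOUS_EXCLUSION = "c:\\programdata\\bora"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str):
    """Yield (lineno, address, [hostnames]) for each effective line, dropping comments and blanks."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def audit_hosts(text: str) -> list:
    """Return (lineno, finding, value) tuples. Benign localhost entries produce nothing."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if "*" in name:
                # hosts has no wildcard syntax: the line is inert, but its presence is itself an artefact
                findings.append((n, "invalid_wildcard_entry", name))
            elif lname in INDICATOR_HOSTS or any(s in lname for s in INDICATOR_SUBSTRINGS):
                findings.append((n, "indicator_hostname", name))
            elif ip in SINKHOLES and lname not in LOCAL_NAMES:
                # ad-blocking lists look the same, so this is "review", not "malicious"
                findings.append((n, "sinkholed_hostname", name))
        if ip == INDICATOR_IP:
            findings.append((n, "indicator_ip", ip))
    return findings


def audit_exclusions(paths) -> list:
    """Return the exclusion paths that match the malware's C:\\ProgramData\\bora entry."""
    return [p for p in paths if p.lower().rstrip("\\") == MALICIOUS_EXCLUSION]


# Constructed sample hosts file, not a real capture.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         *.hardBit.*
0.0.0.0         kbs-help.pc-domain.co.kr   # added by the malware
0.0.0.0         update.hardbit-sec.example
194.32.174.11   kbs-help.pc-domain.co.kr
0.0.0.0         ads.example.net
"""

# Constructed sample of what Get-MpPreference's ExclusionPath might return on a hit host.
SAMPLE_EXCLUSIONS = ["C:\\Program Files\\Backup Agent", "C:\\ProgramData\\bora\\"]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print("malicious exclusions:", audit_exclusions(SAMPLE_EXCLUSIONS))
```

On a live host read C:\Windows\System32\drivers\etc\hosts for the first check; for the second, export the Defender exclusion paths and pass the list in.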

Stay vigilant: after recovery, audit file permissions and disk integrity (icacls, chkdsk) and lock down RDP (TCP 3389) through Group Policy hardening and host firewall rules.