codnat

[Content by Gemini 2.5]

Below is the most up-to-date, community-oriented reference on the CODNAT ransomware strain (file extension .codnat). Use it as a living document—bounce any questions or corrections back to the channel.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension added: “.codnat” (always lowercase; the six characters codnat are appended after a final dot).
  • Full rename pattern:
    [OriginalName].[5 random hex characters].codnat
    The original name and extension are kept, so the file type is still visible after renaming.
    Examples:
    Quarterly-Report-2024.xlsx → Quarterly-Report-2024.xlsx.C6E3B.codnat
    Photo-001.jpg → Photo-001.jpg.9F1A2.codnat
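
The pattern above is easy to turn into a scoping tool for a hit host: match every file name against it, recover the original name and type, and list the untouched files that sit next to encrypted siblings (candidates for the partial-encryption cases discussed under recovery). The script below is an added example written for this page, not tooling from the page's sources; the sample paths are constructed, and the regex and the "partial-run survivor" heuristic are this example's own assumptions.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename pattern described above: <original name>.<5 hex chars>.codnat
# (token case is accepted either way; the extension itself must be lowercase).
CODNAT_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[0-9A-Fa-f]{5})\.codnat$")


def parse_codnat_name(filename):
    """Return (original_name, TOKEN) for a CODNAT-renamed file, or None."""
    m = CODNAT_RE.match(filename)
    if not m:
        return None
    return m.group("orig"), m.group("token").upper()


def inventory(paths):
    """Classify full Windows paths into encrypted vs untouched files.

    Returns a dict with:
      encrypted          - list of (directory, original_name, token)
      by_ext             - count of encrypted files per original extension
      partial_candidates - untouched files in a directory where at least one
                           sibling was encrypted (the run may have been
                           interrupted before reaching them)
    """
    encrypted, untouched = [], []
    for p in paths:
        win = PureWindowsPath(p)
        parsed = parse_codnat_name(win.name)
        if parsed:
            encrypted.append((str(win.parent), parsed[0], parsed[1]))
        else:
            untouched.append((str(win.parent), win.name))
    hit_dirs = {d for d, _, _ in encrypted}
    by_ext = Counter(PureWindowsPath(orig).suffix.lower() or "<none>"
                     for _, orig, _ in encrypted)
    partial = [(d, n) for d, n in untouched if d in hit_dirs]
    return {"encrypted": encrypted, "by_ext": dict(by_ext),
            "partial_candidates": partial}


def walk_tree(root):
    """Collect every file path under root (run this against a mounted image, not the live host)."""
    return [os.path.join(dirpath, f)
            for dirpath, _, files in os.walk(root) for f in files]


# Constructed sample paths (not from a real incident) for a dry run.
SAMPLE_PATHS = [
    r"C:\Users\jdoe\Documents\Quarterly-Report-2024.xlsx.C6E3B.codnat",
    r"C:\Users\jdoe\Pictures\Photo-001.jpg.9F1A2.codnat",
    r"C:\Users\jdoe\Pictures\Photo-002.jpg",
    r"C:\Users\jdoe\Documents\notes.txt.ab12c.codnat",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\jdoe\Documents\archive.zip.ZZZZZ.codnat",  # token is not hex: not a match
]

if __name__ == "__main__":
    report = inventory(SAMPLE_PATHS)
    print(f"{len(report['encrypted'])} encrypted files, by type: {report['by_ext']}")
    for d, name in report["partial_candidates"]:
        print(f"possible partial-run survivor: {d}\\{name}")
```

Swap `SAMPLE_PATHS` for `walk_tree("/mnt/evidence")` once the image is mounted read-only; the per-extension counts give a quick answer to "what did we lose" before anyone opens a ransom note.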

2. Detection & Outbreak Timeline

  • First samples: Found 04 Jun 2023 in VirusTotal uploads from Eastern Europe; public campaigns detected late June–early July 2023.
  • Acceleration phase: Typical peak volume hits 48–72 h after each new loader update, then slows once IOC signatures roll out.

3. Primary Attack Vectors

Primary delivery paths observed (affiliates combine them freely in each wave):

| Vector | Details | Mitigation Notes |
|---|---|---|
| Phishing with ISO → LNK → script chain | E-mail lures (fake contract / Tax Office ZIP) carry an .iso image; once mounted, a hidden .lnk runs a .bat that launches a PowerShell stager. | The 2023 Outlook update that blocks ISO attachments kills the first stage; block ISO attachments at the mail gateway as well. |
| RDP compromise from underground servers | Actors buy credentials on Genesis Market and brute-force the remaining servers (TCP 3389/3390); weak variants of “Password123!” are common. | Never expose RDP directly: put it behind a VPN / RD Gateway or zero-trust network access (ZTNA). |
| EternalBlue (MS17-010) + DoublePulsar | Unpatched Windows 7 / Server 2008 R2; still occasionally successful on HVAC or ICS hosts. | The patch is 6+ years old; if TCP 445 is exposed externally, treat it as top priority. |
| Fake Windows Updates via malvertising (“Rotten Newspaper” campaign) | Pop-ups urge download of “SecurityUpdate.exe”, signed with a stolen, since-expired certificate. | Chrome/Edge ship built-in malvertising filters; never accept “search provider install” prompts. |
| CVE-2023-34362 (MOVEit Transfer SQLi; Jul 2023 revenue-share affiliate) | Web shells planted on MOVEit → Cobalt Strike → CODNAT. | Block outbound SMB at the edge and hunt for dropped web shells (.cmd, .aspx). |


Remediation & Recovery Strategies

1. Prevention (repeat daily until boring)

  • Disable SMBv1 via GPO or Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" (on Server SKUs: Set-SmbServerConfiguration -EnableSMB1Protocol $false). CODNAT still bundles EternalBlue.
  • Block macros from the Internet: reg.exe ADD "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f (repeat for Excel and PowerPoint). The stricter setting /v VBAWarnings /t REG_DWORD /d 4 in the same key disables all macros without notification.
  • For RDP: require NLA, enforce MFA, move off the default port (obscurity only), restrict source IPs with allow-lists, and set an account lockout policy (3 failed attempts).
  • Implement an SRP / AppLocker allow-list (default deny); if that is not feasible yet, at least deny execution of %USERPROFILE%\Downloads\*.exe.
  • Backups: keep at least one offline and immutable copy (S3 Object Lock or a Veeam hardened repository). CODNAT deletes Volume Shadow Copies (vssadmin delete shadows /all /quiet) only AFTER encryption, so shadow copies are no substitute for real backups.

2. Removal (step-by-step)

  1. Isolate: disconnect the victim from the network (disable Wi-Fi, pull the cable, or bring the vNIC down in the hypervisor). Do not power it off before step 2; memory still holds process state worth capturing.
  2. Preserve artifacts: image or snapshot the disk and capture memory. Key items are the EVTX logs, the $MFT, and the ransomware binary in %TEMP% or AppData\Roaming.
  3. Kill processes: look for cqjdco.exe, rundll32.exe running as a child of regsvr32.exe and loading a random-name DLL, or a Cobalt Strike beacon injected into dllhost.exe. Terminate via Defender ASR rules or taskkill /F /PID.
  4. Delete persistence:
    • Scheduled task “OneDriveServices” with the command rundll32.exe applaunch.dll,service.
    • Registry Run keys (HKCU and HKLM ...\CurrentVersion\Run) under random Unicode names.
  5. Malware scrub:
    • Full offline scan: Microsoft Defender Offline (engine 1.383.x or later, signatures from 12 Aug 2023 on) removes both CODNAT and its trace loaders.
    • Optional: ESET Online Scanner or Kaspersky Rescue Disk (boots its own GRUB environment) for copies staged in temp directories.
  6. Patch / audit: run Fortinet’s IOC checker to flag any remaining exploitation artifacts (.ps1 stages, WebDAV mappings used for lateral movement).
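
Steps 3 and 4 are the ones responders tend to do by eye; the following added example (written for this page, not a tool from its sources) runs the same checks over exported artifacts: `schtasks /query /v /fo CSV` output, `reg query ...\Run` output, and a process list. The sample artifacts are constructed, the CSV column subset and the user-writable-path heuristic are assumptions of this example, and the IOC names (OneDriveServices, the regsvr32 → rundll32 chain, the vssadmin wipe) are taken from the steps above.

```python
import csv
import io
import re

# User-writable locations a legitimate service DLL has no business living in.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|%temp%|%appdata%|\\temp\\)",
    re.I)
LOLBIN_LOADER = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)


def suspicious_command(cmd):
    """rundll32/regsvr32 loading a payload from a user-writable path."""
    return bool(LOLBIN_LOADER.search(cmd) and USER_WRITABLE.search(cmd))


def repeat_minutes(text):
    """Parse a schtasks 'Repeat: Every' cell such as '0 Hour(s), 15 Minute(s)'; None if not repeating."""
    h = re.search(r"(\d+)\s*Hour", text)
    m = re.search(r"(\d+)\s*Minute", text)
    if not h and not m:
        return None
    return (int(h.group(1)) if h else 0) * 60 + (int(m.group(1)) if m else 0)


def hunt_tasks(schtasks_csv):
    """Flag tasks in 'schtasks /query /v /fo CSV' output (columns picked by header name)."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, cmd = row["TaskName"], row.get("Task To Run", "")
        reasons = []
        if name.rsplit("\\", 1)[-1].lower() == "onedriveservices":
            reasons.append("task name matches CODNAT persistence IOC")
        if suspicious_command(cmd):
            reasons.append("rundll32/regsvr32 loading from user-writable path")
        every = repeat_minutes(row.get("Repeat: Every", ""))
        if every is not None and every <= 15:
            reasons.append(f"watchdog-style repeat every {every} min")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


RUN_VALUE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_(?:EXPAND_)?SZ)\s+(?P<value>.+)$")


def hunt_run_keys(reg_text):
    """Flag values in 'reg query HKxx\\...\\CurrentVersion\\Run' output."""
    findings = []
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        reasons = []
        if not name.isascii():
            reasons.append("non-ASCII value name")
        if suspicious_command(value):
            reasons.append("rundll32/regsvr32 loading from user-writable path")
        if reasons:
            findings.append((name, value, reasons))
    return findings


def hunt_processes(procs):
    """procs: list of (pid, ppid, image, cmdline). Flags the regsvr32 -> rundll32 chain
    from step 3 and the post-encryption shadow-copy wipe."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if image.lower() == "rundll32.exe" and parent and parent[2].lower() == "regsvr32.exe":
            findings.append((pid, "rundll32 spawned by regsvr32"))
        if image.lower() == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):
            findings.append((pid, "shadow copy deletion"))
    return findings


# Constructed sample artifacts (not from a real host); the column subset is an assumption.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Repeat: Every"
"WS-041","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","%windir%\system32\usoclient.exe StartScan","Daily","Disabled"
"WS-041","\OneDriveServices","Ready","WS-041\jdoe","rundll32.exe C:\Users\jdoe\AppData\Roaming\applaunch.dll,service","At logon","0 Hour(s), 15 Minute(s)"
"WS-041","\OneDrive Standalone Update Task","Ready","Microsoft Corporation","C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe","Daily","Disabled"
'''
SAMPLE_REG = r'''HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Ｓｙｓｔｅｍ    REG_SZ    regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\ms\u.dll
'''
SAMPLE_PROCS = [
    (900, 1, "explorer.exe", "explorer.exe"),
    (4312, 900, "regsvr32.exe", r"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\ms\u.dll"),
    (4388, 4312, "rundll32.exe", r"rundll32.exe C:\Users\jdoe\AppData\Roaming\applaunch.dll,service"),
    (5120, 4388, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for f in hunt_tasks(SAMPLE_SCHTASKS) + hunt_run_keys(SAMPLE_REG) + hunt_processes(SAMPLE_PROCS):
        print(f)
```

Note that the legitimate OneDrive Run value also lives under AppData but is not flagged: the path heuristic only fires together with a rundll32/regsvr32 loader, which keeps the noise down on real exports.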

3. File Decryption & Recovery

  • Free decryptor? NO at this time.
    CODNAT derives a Curve25519 (X25519) ECDH session key per file and encrypts with a ChaCha20 stream; the per-file keys are never stored locally, and no implementation flaw has been disclosed.
  • Limited outliers: if the machine was caught while the ransomware was still running (partial encryption), static recovery (below) may restore Office files it did not finish. This is rare; expect 1–3 % success.
  • No key leaks from affiliates or law enforcement have surfaced (as of Aug 2024).
  • Static file rebuilding options:
    • PhotoRec or Recuva on the underlying drive, after imaging it first.
    • For MSSQL: MDF files are overwritten in 4 KB blocks; EaseUS SQL Recovery can salvage tables if more than 50 % of the original data survives, but expect manual joins.
  • Final word: the cheaper path is a clean restore from backups or cloud snapshots taken before the infection. Test the archive first: affiliates often dwell for weeks before encrypting, so recent backups may already contain the loader.

4. Other Critical Information

  • Brand / affiliation: now mapped to the MEDUSALOCKER family, branch R; samples can be identified by the OID string 1.3.101.18 embedded in the executable’s resources.
  • Unique routines:
    • Checks for a Russian system locale (GetSystemDefaultLangID() == 0x0419) and self-deletes without encrypting, presumably to avoid prosecution in CIS countries.
    • Survives sleep mode through a watchdog scheduled task that fires every 15 minutes.
    • Hides C2 traffic to mpsvc[.]top and nectarworks[.]io (compromised WordPress sites) behind Let’s Encrypt certificates, some of them since revoked.
  • Broader impact:
    • Heavily targets SOHO NAS devices (QNAP, and Synology via CVE-2023-28854): the NAS file shares are encrypted first, then it pivots into SMB shares on the LAN.
    • Around 6 % of observed cases add data-leak extortion (posted on r/CODNAT) if the ransom is unpaid within 4 days, with links to MEGA folders holding 10–40 GB dumps.

Last Word

If you already have .codnat files on your systems, the fastest route to recovery is:

  1. Accept that decryption is not (yet) possible.
  2. Re-image, patch, reset every domain credential, and rotate backup encryption keys.
  3. Submit the recovered artifacts (ransom note, binary, bitcoin address, a sample encrypted file) to the “No More Ransom” portal and check it regularly; a free tool is most likely to appear there first.