Friday, June 13, 2025

Guardians Turned Villains: How Cryptography Powers Cybercrime

1. Cryptography’s Dark Side: How Hackers Weaponize RC4, AES and Blowfish
1.1 RC4: The Hacker’s Favorite Cipher – From KSA to Keystream Chaos
Working of RC4: How Malware Like Dharma And WannaCry Exploit RC4’s Speed for Evil
1.2. AES Unmasked: Hunting Encryption Ghosts in Malware Code
1.3. Blowfish: The Malware Developer’s Best-Kept Secret
2. Conclusion

Cryptographic algorithms were developed to protect our digital communications, preserve user privacy, and secure financial transactions. They serve as invisible guardians behind secure websites, databases, and emails. But hackers have turned these invisible guardians against us, and they are used for credential theft, ransomware, and hiding command-and-control channels.

The reason for the inversion of these cryptographic algorithms from invisible guardians to enablers of cybercrime is that security tools become weapons when they come into the wrong hands. So understanding how hackers are using these algorithms to attack our system is now essential. Whether these cryptographic algorithms serve as a guardian or a threat depends on who is controlling the keys.

1. Cryptography’s Dark Side: How Hackers Weaponize RC4, AES, and Blowfish

1.1 RC4: The Hacker’s Favorite Cipher – From KSA to Keystream Chaos

Ron Rivest designed RC4 (Rivest Cipher 4). It is a widely used stream cipher for encrypting data, but it is now considered insecure because it is vulnerable to known attacks. It is fast and lightweight, which is exactly what makes it attractive to attackers for C2 traffic encryption and payload obfuscation. TrickBot, Dridex, GandCrab, and WannaCry all use it.

Working of RC4: How Malware Like Dharma And WannaCry Exploit RC4’s Speed for Evil

  • Key Scheduling Algorithm (KSA)

In this step the state array is initialized: the KSA prepares a 256-byte state array (S) by filling S with the values 0 to 255 and then scrambling it using the secret key.

S = [0, 1, 2, …, 255]
j = 0
for i in 0..255:
    j = (j + S[i] + key[i % key_length]) % 256
    swap(S[i], S[j])

  • Pseudo-Random Generation Algorithm (PRGA)

In the PRGA, the keystream (a sequence of pseudorandom bytes) is produced by repeatedly updating the two indices, swapping state entries, and extracting one keystream byte per iteration.

i = j = 0
for each output byte:
    i = (i + 1) % 256
    j = (j + S[i]) % 256
    swap(S[i], S[j])
    keystream_byte = S[(S[i] + S[j]) % 256]

  • XOR Operation

In the XOR operation, the plaintext is combined with the keystream byte by byte. Decryption is the same operation: XORing the ciphertext with the same keystream restores the plaintext.

RC4 in Dharma malware:

After it is installed on the victim’s computer, the Dharma ransomware variant uses the RC4 algorithm to decrypt the library names and API names it needs.
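The three RC4 steps above (KSA, PRGA, XOR) carried through in working code, together with the kind of helper an analyst writes to recover RC4-obfuscated strings such as the library and API names Dharma decrypts at runtime. This is an added example, not code from the article or from any malware sample; the function names, the key "Key" and the string table are constructed for the demonstration, and the cipher output is checked against the published RC4 test vector for key "Key" / plaintext "Plaintext".

```python
# Added example: RC4 as described above (KSA -> PRGA -> XOR), plus a string-table decryptor.
# Not code from the article. Names, key and string table are constructed for this demo.

def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: fill S with 0..255, then scramble it with the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]          # swap(S[i], S[j])
    return S

def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit n keystream bytes from state S (S is modified)."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR step. RC4 is symmetric: the same call both encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))

# Constructed stand-in for an obfuscated string table: a sample that, like the Dharma variant
# described above, stores the names of the libraries and APIs it imports RC4-encrypted and
# decrypts them at runtime. The key and the plaintext names are hypothetical.
SAMPLE_KEY = b"Key"
_PLAIN_NAMES = [b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress", b"CryptEncrypt"]
ENCRYPTED_TABLE = [rc4_crypt(SAMPLE_KEY, name) for name in _PLAIN_NAMES]

def decrypt_string_table(key: bytes, table: list) -> list:
    """Recover the plaintext strings from an RC4-obfuscated table once the key is known.
    Each entry is decrypted independently (a fresh KSA per string), so a single entry that
    fails to decode usually means a different key or a different per-string scheme."""
    return [rc4_crypt(key, blob).decode("ascii", errors="replace") for blob in table]

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    print(decrypt_string_table(SAMPLE_KEY, ENCRYPTED_TABLE))
```

Because each string is decrypted with its own KSA, the first keystream bytes repeat across entries; that is one reason RC4-obfuscated string tables are so easy to recognise and strip once a single key has been recovered from the sample.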


1.2. AES Unmasked: Hunting Encryption Ghosts in Malware Code

AES can be detected fairly easily while analyzing malware by checking for telltale lookup tables such as T-tables or S-boxes. Security researchers use many tools for this; one of them is FindCrypt, an IDAPython plugin for detecting encryption patterns. Once set up, it runs the detection automatically, which speeds up the investigation.

REvil Ransomware Code Analysis:

Detecting strings such as Rijndael_inv_sbox among the malware’s components is also a good clue. All of these markers clearly indicate the use of AES encryption.
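A FindCrypt-style signature scan in miniature, added here as an example (it is not the article's code and not the FindCrypt plugin itself): the AES S-box, inverse S-box and Te0 T-table are regenerated from the cipher's definition rather than pasted in, and a constructed byte blob is scanned for them and for the Rijndael_inv_sbox symbol name. The blob, its offsets and the function names are this example's own; it assumes little-endian T-table words, which fits x86/x64 samples.

```python
# Added example (not the article's code): regenerate the AES lookup tables and scan for them.
# The sample blob, offsets and function names are constructed for this demonstration.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0. a^254 == a^-1 (group order 255)."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox() -> bytes:
    """AES S-box: GF(2^8) inverse followed by the affine transform with constant 0x63."""
    sbox = bytearray(256)
    for a in range(256):
        b = gf_inv(a)
        sbox[a] = b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63
    return bytes(sbox)

def build_inv_sbox(sbox: bytes) -> bytes:
    """Inverse S-box (what a Rijndael_inv_sbox table holds): inv[sbox[a]] = a."""
    inv = bytearray(256)
    for a, s in enumerate(sbox):
        inv[s] = a
    return bytes(inv)

def build_te0(sbox: bytes) -> list:
    """Te0 encryption T-table: each entry is (2*s, s, s, 3*s) packed as one 32-bit word."""
    return [(gf_mul(s, 2) << 24) | (s << 16) | (s << 8) | gf_mul(s, 3) for s in sbox]

def aes_signatures() -> dict:
    """Byte patterns to look for. T-table words are serialised little-endian here, an
    assumption of this example that matches x86/x64 PE samples."""
    sbox = build_sbox()
    te0 = b"".join(w.to_bytes(4, "little") for w in build_te0(sbox))
    return {
        "AES S-box": sbox,
        "AES inverse S-box": build_inv_sbox(sbox),
        "AES Te0 T-table (LE)": te0,
        "Rijndael_inv_sbox symbol string": b"Rijndael_inv_sbox",
    }

def scan_for_aes_tables(blob: bytes) -> list:
    """Return (label, offset) for every signature occurrence in blob, sorted by offset."""
    hits = []
    for label, pattern in aes_signatures().items():
        start = 0
        while (off := blob.find(pattern, start)) != -1:
            hits.append((label, off))
            start = off + 1
    return sorted(hits, key=lambda h: h[1])

# Constructed sample "binary": filler bytes with two tables and a symbol name dropped in.
_SIG = aes_signatures()
SAMPLE_BLOB = (b"\x90" * 37 + _SIG["AES S-box"] + b"\x00" * 11 +
               _SIG["Rijndael_inv_sbox symbol string"] + b"\x00" * 4 + _SIG["AES inverse S-box"])

if __name__ == "__main__":
    for label, off in scan_for_aes_tables(SAMPLE_BLOB):
        print(f"{off:#08x}  {label}")
```

Searching for the full 256-byte tables keeps false positives near zero; a real scanner also looks for the other three T-tables, the decryption Td tables and the big-endian packing, which are built the same way from the S-box.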


1.3. Blowfish: The Malware Developer’s Best-Kept Secret

Blowfish, like the other symmetric algorithms discussed here, begins encryption by initializing its key-dependent components through a fixed sequence of steps. First, the P-array is prepared by two loops that each run 18 times. After this comes another loop that runs four times; each pass contains a smaller loop of 256 steps that sets up one S-box. The S-boxes are used to scramble the data. Because these setup steps are shared, the algorithms rest on a similar foundation before data encryption begins.
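The Blowfish key setup above, written out as an added example (not the article's code): the two loops over the 18 P-array entries, then the outer loop of four S-boxes with an inner loop over 256 entries. Instead of pasting in the 1042 constant words, the initial P-array and S-boxes are regenerated from the hexadecimal digits of pi, which is how Blowfish defines them, and the result is checked against the published all-zero test vector. Function names are this example's own.

```python
# Added example (not the article's code): Blowfish key schedule in the sequence described
# above, with the pi-derived constants regenerated rather than embedded. Names are the example's own.

MASK32 = 0xFFFFFFFF

def pi_fraction_hex(n_digits: int) -> str:
    """First n_digits hex digits of the fractional part of pi, via Machin's formula
    (pi = 16 atan(1/5) - 4 atan(1/239)) in fixed-point integers with 64 guard bits."""
    bits = 4 * n_digits + 64
    one = 1 << bits

    def atan_inv(x: int) -> int:            # atan(1/x) scaled by 2^bits
        total, term, k, sign, x2 = 0, one // x, 1, 1, x * x
        while term:
            total += sign * (term // k)
            term //= x2
            k += 2
            sign = -sign
        return total

    pi_scaled = 16 * atan_inv(5) - 4 * atan_inv(239)
    frac = (pi_scaled - 3 * one) >> 64      # drop the guard bits
    return f"{frac:0{n_digits}x}"

def initial_tables():
    """Blowfish's fixed constants: 18 P-array words followed by 4 x 256 S-box words."""
    digits = pi_fraction_hex(8 * (18 + 4 * 256))
    words = [int(digits[i:i + 8], 16) for i in range(0, len(digits), 8)]
    return words[:18], [words[18 + 256 * k: 18 + 256 * (k + 1)] for k in range(4)]

def feistel_f(S, x):
    """Round function: split x into four bytes, look each up in its S-box, then add/xor/add."""
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32

def encrypt_block_words(P, S, xl, xr):
    """16-round Feistel network over two 32-bit halves."""
    for i in range(16):
        xl ^= P[i]
        xr ^= feistel_f(S, xl)
        xl, xr = xr, xl
    xl, xr = xr, xl                          # undo the final swap
    return xl ^ P[17], xr ^ P[16]

def key_schedule(key: bytes):
    if not 4 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 4..56 bytes")
    P, S = initial_tables()
    # Loop 1 over the 18 P entries: XOR the key in, cycling through it four bytes at a time.
    j = 0
    for i in range(18):
        word = 0
        for _ in range(4):
            word = (word << 8) | key[j]
            j = (j + 1) % len(key)
        P[i] ^= word
    # Loop 2 over the 18 P entries: repeatedly encrypt the running block, replacing P in pairs.
    l = r = 0
    for i in range(0, 18, 2):
        l, r = encrypt_block_words(P, S, l, r)
        P[i], P[i + 1] = l, r
    # Outer loop of four (one per S-box), inner loop over its 256 entries, again in pairs.
    for k in range(4):
        for i in range(0, 256, 2):
            l, r = encrypt_block_words(P, S, l, r)
            S[k][i], S[k][i + 1] = l, r
    return P, S

def blowfish_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block (big-endian halves, as in the reference implementation)."""
    P, S = key_schedule(key)
    xl = int.from_bytes(block[:4], "big")
    xr = int.from_bytes(block[4:8], "big")
    xl, xr = encrypt_block_words(P, S, xl, xr)
    return xl.to_bytes(4, "big") + xr.to_bytes(4, "big")

if __name__ == "__main__":
    # Published test vector: all-zero key and all-zero block -> 4EF997456198DD78
    print(blowfish_encrypt(bytes(8), bytes(8)).hex())
```

The 521 block encryptions in the key schedule are what make Blowfish setup expensive, and they are also what an analyst sees in a disassembly: a key-XOR loop over 18 words followed by a long run of block encryptions writing back into the tables. The leading P-array word 0x243F6A88 (the first hex digits of pi) is a reliable fingerprint of the initial constants.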

2. Conclusion

Cryptography was supposed to be our guardian, but it has turned out to be the hacker’s sword. Cryptographic tools like RC4, Blowfish, AES, and other cryptographic algorithms sit at the heart of all kinds of ransomware. It is high time we fought back by cracking obfuscated code faster, spotting cryptographic fingerprints in malware, and out-innovating attackers at their own game.

M. Ahmad
M. Ahmad is a cybersecurity expert with over four years of experience in threat research and intelligence. He holds a master’s degree in Cyber Security and Forensics from Staffordshire University London. He specializes in cloud security, threat hunting, and incident response, having worked at FireEye, Blue Hexagon, and Trustwave. He holds certifications in Azure Security, Microsoft Defender, and MITRE ATT&CK Defender. Ahmad is a proficient writer and speaker whose research focuses on vulnerability management, threat detection, and malware analysis. He is passionate about sharing his experience and knowledge to keep everyone aware of emerging cybersecurity threats, and he has received various awards and certifications.
