Co-authored by Marc RiveroLopez
Initial Discovery
This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new but, by interacting with one of the cases in Spain, we want to highlight in this blog how well prepared and targeted an attack can be and how it appears to be customized specifically against its victims.
In general, ransomware attacks are mass-spread attacks where adversaries try to infect many victims at the same time and cash out quickly. However, this has significantly changed over the past two years where more and more ransomware attacks are targeting high-value targets in all kinds of sectors.
Victims are infected with a different type of malware before the actual ransomware attack takes place. It looks like adversaries are using the infection base to select or purchase the most promising victims for further exploitation and ransomware, in a similar way to how the sale of Remote Desktop Access on underground forums or private Telegram channels is being used for victim selection for ransomware attacks.
In the following paragraphs, we will take you step by step through the modus operandi of the attack stages and most important techniques used and mapped against the MITRE ATT&CK Framework.
The overall techniques observed in the campaign and flow visualization:
Technical Analysis
The overall campaign is well known in the industry and the crew behind it came back to the scene reusing some of the TTPs observed one year ago and adding new ones like: privilege escalation, lateral movement and internal reconnaissance.
Patient 0 – T1189 Drive-by Compromise
The entry point for these types of campaigns starts with a URL that points the user to a fake website (in case the website is compromised) or a legitimate page (in case they decided to use a pay-per-install service) using social engineering techniques; the user gets tricked to download the desired application that will use frameworks like Empire or similar software to download and install next stage malware which, in this case, is Dridex.
First infection – T1090 Connection Proxy
These types of attacks are not limited to one type of malware; we have observed it being used by:
- Azorult
- Chthonic
- Dridex
It is currently unclear why one would select one malware family above the other, but these tools allow for remote access into a victim’s network. This access can then be used by the actor as a launchpad to further exploit the victim’s network with additional malware, post-exploitation frameworks or the access can be sold online.
For quite some time now, Dridex’s behavior has changed from its original form. Less Dridex installs are linked to stealing banking info and more Dridex infections are becoming a precursor to a targeted ransomware attack.
This change or adaptation is something we have observed with other malware families as well.
For this campaign, the Dridex botnet used was 199:
Information Harvesting – T1003 Credential Dumping
From the infection, one or multiple machines are infected, and the next step is to collect as many credentials as they can to perform lateral movement. We observed the use of Mimikatz to collect (high privileged) credentials and re-use them internally to execute additional software in the Active Directory servers or other machines inside the network.
The use of Mimikatz is quite popular, having been observed in the modus operandi of more than 20 different threat actors.
Lateral Movement – T1086 PowerShell
The use of PowerShell helps attackers to automate certain things once they are in a network. In this case, we observed how Empire was used for different sock proxy PowerShell scripts to pivot inside the network:
Extracting information about the IP found in the investigation, we observed that the infrastructure for the Dridex C2 panels and this proxy sock was shared.
PowerShell was also used to find specific folders inside the infected systems:
A reason for an attacker to use a PowerShell based framework like Empire, is the use of different modules, like invoke-psexec or invoke-mimikatz, that can execute remote processes on other systems, or get credentials from any of the systems where it can run Mimikatz. When deployed right, these modules can significantly increase the speed of exploitation.
Once the attackers collected enough high privileged accounts and got complete control over the Active Directory, they would then distribute and execute ransomware on the complete network as the next step of their attack, in this case BitPaymer.
Ransomware Detonation – T1486 Data Encrypted for Impact
BitPaymer seemed to be the final objective of this attack. The actors behind BitPaymer invest time to know their victims and build a custom binary for each which includes the leet-speek name of the victim as the file extension for the encrypted files, i.e. “financials.<name_of_victim>”.
In the ransomware note, we observed the use of the company name too:
Observations
- One of the remote proxy servers used in the operation shares the same infrastructure as one of the C2 panels used by Dridex.
- We observed how a Dridex infection served as a launch point for an extensive compromise and BitPaymer ransomware infection.
- Each binary of Bitpaymer is specially prepared for every single target, including the extension name and using the company name in the ransomware note.
- Certain Dridex botnet IDs are seen in combination with targeted BitPaymer infections.
- Companies must not ignore indicators of activity from malware like Dridex, Azorult or NetSupport; they could be a first indicator of other malicious activity to follow.
- It is still unclear how the fake update link arrived at the users but in similar operations, SPAM campaigns were most likely used to deliver the first stage.
McAfee Coverage
Based on the indicators of compromise found, we successfully detect them with the following signatures:
- RDN/Generic.hbg
- Trojan-FRGC!7618CB3013C3
- RDN/Generic.dx
The C2 IPs are tagged as a malicious in our GTI.
McAfee ATD Sandbox Detonation
Advanced Threat Detection (ATD) is a specialized appliance that identifies sophisticated and difficult to detect threats by executing suspicious malware in an isolated space, analyzing its behavior and assessing the impact it can have on an endpoint and on a network.
For this specific case, the ATD sandbox showcases the activity of Bitpaymer in a system:
We observe the use of icacls and takeown to change permissions inside the system and the living off the land techniques are commonly used by different type of malware.
ATD Sandbox extracted behavior signatures observing Bitpaymer detonation in the isolated environment:
Having the opportunity to detonate malware in this environment could give indicators about the threat types and their capabilities.
McAfee Real Protect
Analysis into the samples garnered from this campaign would have been detected by Real Protect. Real Protect is designed to detect zero-day malware in near real time by classifying it based on behavior and static analysis. Real Protect uses machine learning to automate classification and is a signature-less, small client footprint while supporting both offline mode and online mode of classification. Real Protect improves detection by up to 30% on top of .DAT and McAfee Global Threat Intelligence detections, while producing actionable threat intelligence.
YARA RULE
We have a YARA rule available on our ATR GitHub repository to detect some of the versions of BitPaymer ransomware.
IOCs
- 3ab42ca8ce81f9df0c4f7cd807528c5dd0fb5108
- 4862fbb188285586218cd96e69a2e4436827d2fe
- c1ad6c3ab06fc527c048cd15c6fc701b5a74a900
- 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
- 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c
- bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f
- 0f630aaf8b5c4e958445ec0c2d5ec47e
- 9b982fa4b42813279426449ddd6a1dbe
- c46ad4159c90bc11d6d94a28458553d7
A special thanks to John Fokker and Christiaan Beek for their assistance with this blog.