Babylon RAT Raises the Bar in Malware Multi-tasking

CISO SUMMARY 

Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud. 

Full Details

Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is encrypted, allows for dynamic domains, and can turn a client into a reverse SOCKS proxy for further obfuscation. This weaponized RAT has many real-time client interaction methods and is capable of information theft. The administration panel has features that can allow for lateral propagation across end points on a network. This tool has enough features that, if used correctly, could devastate any organization.  

Babylon RAT’s client code is written in C# and is dependent on .NET 4.5. The administration panel (shown in Figure 1) is written in C++, and provides the functionality to manage multiple server configuration options. One option is the port number in which the administration panel will open and listen in when the server is started. Another option is a network key for authentication of the infection to the administration panel. Lastly the configurations allow for the setting of the IP version in which it will connect. The File drop down at the top provides access to the server, configurations, and the payload builder. 

Figure 1: The administration panel and the management tabs for Babylon RAT 

C2 Details 

The initial C2 connection the client binary makes after being executed is hardcoded into the binary when it is built. The building process suggests dynamic domains so that the IP address can be changed without interruption to the communication. This connection is encoded and contains fingerprinting information about the infected host. This information includes IP address, Country, Username, PC name, Operating System (OS) details, and which program window is active for the end user. After initial communication with the C2, the infected endpoint will update the administration panel every 5 seconds by default. The check-in notice sent to the server from the client consists of very small network packets, only about 4-8 bytes in size. Figure 2 shows the administration panel with the details listed above. 

Figure 2: The administration panel and the fingerprinted information as listed above for Babylon RAT 

Babylon RAT has the ability to turn an infected machine into a SOCKS proxy, specifying between version 4 or 5. The main difference in the versions: version 5 provides authentication from the client to the proxy, which helps negate abuse from unwanted parties. By creating a SOCKS proxy, the threat actors create an encrypted tunnel and can have all of the infected hosts use it as a gateway, which allows for network capturing. This can also allow for a threat actor to need only one exit point within a network, while maintaining the infection of multiple machines. Meaning, if a threat actor can maintain communication with one endpoint in a network, he can then propagate laterally and have all the traffic from the infected clients C2 network flow back out the one endpoint. With access to the command prompt and stolen credentials, this would be trivial to do. This technique would also bypass email and URL filtering of unwanted binaries. Figure 3 shows the SOCKS proxy endpoint details and the amount of traffic flowing through it. 

Figure 3: The SOCKS proxy tab and the details associated 

The client builder gives the option to use two different C2 domains for redundancy. When combining the ability to use multiple dynamic domains with a proxy server, a threat actor could effectively create layers of obfuscated traffic between the endpoint and the client through multiple channels.  

Figure 4: The surveillance options that are available to the operator 

Notice in Figure 4 the option for password recovery. The password recovery module looks through applications, including web browsers, and harvests credentials but does not gather the OS user credentials. Although one could surmise that with the username above and a couple of passwords harvested, the OS user credentials could be compromised. If the OS user credentials are compromised, it would be easy for the operator to open the remote command prompt and attempt to log in to other network machines using those credentials. If successful at logging into another machine, it is then possible for the operator to have the second machine download/execute another payload. This would need to be automated, but it does reflect a propagation method for the RAT. Figure 5 shows the system options including the remote command prompt option. 

Figure 5: The system options that allow for further interaction and detail of the infected system 

Weaponized 

Adding to its already long list of functions, Babylon RAT has the ability to produce Denial of Service (DoS) attacks to targets from the infected hosts. The DoS feature can be set to a hostname or IP range and allows for multiple protocols to be initiated. The protocols all have thread and socket parameters that are adjustable. A threat actor can select to have the attack come from an individual protocol or all of the protocols available. Once this command is sent to a single host, the operator can easily replicate the command to the other infected hosts, effectively creating a larger Distributed Denial of Service (DDoS) attack. Figure 6 shows the configuration for the DoS attack and Figure 7 shows the machines status change to DoS. 

Figure 6: The parameters available for the DoS attack

Figure 7: The administration panel and the multiple infected hosts carrying out a DDoS attack 

In the End 

Babylon RAT is an open-source platform that allows for various misdeeds. The encrypted traffic and the ability to create SOCKS proxies can help negate network security measures. The client builder allows for Anti-Virus bypassing which helps the binary get to the endpoint safely. The processes allowing for network propagation means an infection is not limited to one endpoint. Combined with the ability to perform a DoS attack, Babylon RAT can be highly effective in the proper environment. Babylon RAT campaigns can be avoided with proper technology in place and by educating end users to recognize and report suspicious emails.  

To stay ahead of emerging phishing and malware threats, sign up for free Cofense Threat Alerts. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

CISO Summary

Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan.

Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns.

Technical controls can help combat this threat, for example, blocking connections to TOR nodes and inspecting network traffic for connections attempts. More proactively, educate end users on evolving phishing tactics.

Full Details

Cofense IntelligenceTM has analyzed a phishing campaign delivering a banking trojan and targeting Russia and neighboring countries. Read The Manual (RTM) Bot is created by a cyber group known by the same name. The RTM group is targeting the financial departments within different industry sectors. This modular banking trojan has many unique features, such as stealing data from accounting software and harvesting smart card information. This newest version uses The Onion Router (TOR) communication protocol. These campaigns are typically written in Cyrillic and use the Monthly Payment lure. Figure 1 shows an email associated with this campaign.

Figure 1: An email associated with this phishing campaign

RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine. Figure 2 shows the accounting software strings found in the memory of this sample.

Figure 2: Strings associated with accounting software

Some accounting software requires the use of a smart card to authenticate to the software and access data associated with it. RTM Bot attempts to locate these smart card readers by scanning the registry and attached devices. If a smart card is found, the banking trojan then interacts with the Winscard API function to harvest information. The harvested information is then held within the memory buffer until it is sent to the C2. Figure 3 shows some memory strings associated with the smart card search and API interaction.

Figure 3: Memory strings associated with the smart card search and API interaction

Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine. Figure 4 shows the GET request.

Figure 4: The GET request for the external IP of the machine

Other values collected by RTM Bot during the fingerprinting of the machine include:

  • Username
  • Machine name
  • Logged on user privileges
  • OS version
  • Anti-virus installed
  • Time zone
  • Default language

Previous iterations of this malware used Blockchain Domain Name Services (BDNS) for its C2 infrastructure. The biggest change in the new version is the switch to using The Onion Router (TOR) communication protocol for its C2 infrastructure. Note that RTM Bot does not install a TOR client. Instead it uses the onion libraries, which are often called TOR SOCKS. By not installing a client onto the machine, RTM Bot minimizes its chances of being detected by anti-virus manipulating the Operating System (OS). Figure 5 shows memory strings associated with the TOR C2 infrastructure.

Figure 5: Memory strings associated with the TOR C2 infrastructure

Using the TOR protocol for communication helps threat operators in many ways. The first is that the communication is encrypted at the application layer of the OSI model, which adds an extra layer of encryption to the traffic. Another reason is the privacy that the TOR network affords the threat actors. This is done by passing the data through a network of relay points using layers of encryption. Each relay point decrypts a layer that reveals the next destination and routes the packet respectively. The relay point, however, does not know the next destination or the final destination the packet should reach. This routing scheme helps eliminate eavesdropping, because the router doesn’t know the end to end connections created, as well as the obfuscation by multiple layers of encryption.

RTM Bot has many of the common capabilities of banking trojans, including keylogging and screen captures. The malware can be pre-compiled with modules or it can download and execute the modules as instructed by the C2. The RTM cyber group focuses on financial departments within business in specific countries but can very easily shift its aim.

The newest version using the TOR communication protocol shows the group is actively developing this banking trojan for the future. Blocking connections to TOR nodes and inspecting network traffic for connection attempts will help mitigate the exfiltration of information. However, educating end users about phishing campaign threats and maintaining the threat knowledge base is the key to avoiding these threats.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

CISO Summary

Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot.

Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to educate employees by simulating phishing emails containing diverse malware threats.

Full Details

Cofense IntelligenceTM analyzed a phishing campaign that delivered an all-in-one ransomware/cryptominer/stealer/worm/keylogger called Lime Remote Administration Tool (RAT). Lime RAT’s code is written in C# and is dependent on .NET 4.0. Lime RAT is part of a malware library which includes Lime_Miner, Lime_Crypter, and Lime_USB. This malware is open source and touts itself as a teaching tool for .NET malware. But being feature-rich and well-documented, Lime RAT can also be used for nefarious actions by malicious operators.

An interesting feature of this malware family is the use of multiple ports for communication, which establishes redundancy for the communication channels. The initial setup of the Lime RAT building platform and panel needs only two things: port numbers and an AES (Advanced Encryption Standard) 128-bit encryption key. The port number is used to open a port to listen on the server. The AES key is used to encrypt all communication between the client and the server. Figure 1 shows the initial setup pane with the ports and AES key as discussed above.

Figure 1: Setup process for Lime RAT

The builder for the payloads is simply comprised of checkboxes and text input fields that even the most novice operators can use to produce effective, malicious binaries. This panel allows you to customize the payload with different features and icons. It also allows you to set the Command and Control (C2) infrastructure and the location for the persistent drop file on the targeted machine. Figure 2 shows the features available to customize each payload, including the anti-virtual machine option.

Figure 2: Features available to the Lime RAT payloads

When the Lime RAT payload has been created, sent to and executed on a target machine, the binary connects to the panel. When the client connects, it sends information to the control panel and includes details about the operating system, CPU, user, country, and more. The control panel gives the option to automatically assign a task for the client, for example, downloading and executing a specific file. Figure 3 shows the control panel populated with information from the connected client, while Figure 4 shows the ‘OnConnect’ automatic tasking panel.

Figure 3: Control panel view of an infected client machine connected to the C2 infrastructure

Figure 4: ‘OnConnect’ automatic tasking options

The control panel allows the operator to manipulate the target by right-clicking on the selected machine and choosing a command. This is where the operator can specify the method of attack: initiate the encryption for ransomware, drop a Monero miner, enable Remote Desktop Protocol (RDP), steal information/cryptocurrency, and more. Figures 5 and 6 show the options available to the operator for a given target.

Figure 5: Ransomware and other plugins for the target machine

Figure 6: Keylogging and persistence options for the targeted machine

The ransomware feature lets you customize the message as well as the image displayed. When the targeted host is encrypted with the ransomware aspect of this RAT, the file extensions are turned to ‘.Lime’. Figure 7 shows the customizable message and default image that displays to the client after the encryption has been initiated.

Figure 7: Lime RAT’s default ransomware message

The keylogging feature is not very advanced in what it collects. It can only collect what is entered by the keyboard and not what is auto-filled or added from the clipboard. The keylogger output does show a timestamp and which application the text was written in. Figure 8 shows the control panel output of a running keylogger module on a client infected with Lime RAT.

Figure 8: Collection of text from the keylogger module

As shown earlier in Figure 2, Lime RAT can spread like a worm. When the payload is built, the operator can specify the ‘USB spreading’ and ‘pinned task bar application spreading’ features be included within the payload. The USB spreading feature looks for any connected type 2 device and then attempts to replace any file with an executable version of Lime RAT. When doing this, Lime RAT will keep the original icon for the file that has now been infected. The spreading through the pinned task bar applications takes it one step further by replacing the shortcut path to which those icons are linked.

The ‘Thumbnail’ tab (Figure 9) within the control panel of Lime RAT is a screengrab of the infected machine. This screengrab can be turned on or off and has a timer that defaults to 5 seconds between screen grabs.

Figure 9: ‘Thumbnail’ tab that holds the screen grabs of the infected machines

Logging in Lime RAT is not nearly as advanced as we’ve seen in other RATs. As shown in the Figure 10, the ‘Logs’ tab only logs timestamps and IPs of connections and disconnections.

Figure 10: ‘Logs’ tab and the connections made

Lime RAT is an open source, well documented, .NET framework malware suite with multiple features that make it devastating when properly used. The ability for this malware to steal a wide range of valuable information, encrypt for ransom, and/or turn the target host into a bot with basic capabilities, mixed with an intuitive control panel display, makes it a likely choice for novice operators. The anti-virus evasion, anti-virtual machine feature, the small footprint, and encrypted communications would appeal to threat actors across the capability spectrum. The number one way to keep multivariate threats like Lime RAT from infecting a machine via a phishing campaign is to educate the end user on suspicious emails and attachments.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

The Vjw0rm Malware Does It All. Here’s What to Watch For.

CISO Summary 

It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.   

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

CISO Summary

Cofense IntelligenceTM is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation).

Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables.

While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure hosted in Cloudflare CDNs (figures 2-4 below). Last month, Cofense Intelligence reported that Cloudflare domains were being abused by threat actors to launch malware attacks on finance departments.

Why is this a problem?

If part of your cyber defense strategy is using a web gateway to prevent employees from visiting non-categorized sites, or blocking based on a threat intelligence feed of known C2 hosts, you can’t practically block access to a CDN without disrupting Internet-reliant business processes.

CISOs should make sure their SOCs are aware of the problem when reviewing suspicious emails reported by employees. While we wait for traditional cyber perimeter controls to catch up to this threat, a phishing training and reporting program (see Cofense PhishMeTM and Cofense ReporterTM), plus a phishing-specific response capability (see Cofense TriageTM and Cofense VisionTM) is the last line of defense.

Full Details

Malware operators continue to use domain fronting to bypass security measures and reach their command and control (C2) infrastructure hosted on content delivery networks (CDN). This C2 communication technique is difficult to defend against due to the large overhead required and strong reliance on CDNs. Certain CDN providers have recently changed their network schemes and policies in response to this threat, however, domain fronting is still possible through some of the minor CDN hosts.

Domain fronting is the exploitation of an encrypted connection to a CDN to gather web resources otherwise blocked by network security measures.

  • First, the client initiates a connection to a legitimate domain (front domain) via HTTP.
  • Second, the originating connection request is read in the clear and is inspected by network security measures.
  • Third, an HTTPS connection is created when the connection is encrypted with an SSL layer, allowing the contents of the traffic to bypass inspection.
  • Finally, The HTTP Host header is read by the server for the resources needed.

The HTTP host header, for this technique, is manipulated to gather resources from a nefarious site on the same CDN. The connection to the manipulated HTTP host header inside the encrypted traffic bypasses network security measures that don’t decrypt the traffic.

For domain fronting to work, the nefarious site and the legitimate site must both be hosted by the same CDN. The ability to pull resources from other sites works because of the inner networking of the CDN and the routing access availability to other parts of their hosting environment. This technique is also utilized with The Onion Router (TOR) node bridges and the meek protocol. The Russian hacker group that breached the Democratic National Committee in 2016, APT29, also known as Cozy Bear, used the TOR meek protocol for their C2 infrastructure communication. Figure 1 gives an overview of this technique.

Figure 1 Technique of domain fronting to bypass inspection.

Google and Amazon CDNs mitigated this technique by preventing any routing from one owner’s site to another. This is done by matching the HTTP host header with the original server name indication (SNI) request, implemented in late April and early May 2018. Since then, Cofense Intelligence has seen an increase in the number of phishing campaigns delivering malware in which the C2 was hosted by Cloudflare.

Figure 2 shows the contrast in Cloudflare C2 seen used by malware before and after May 2018, when Google and Amazon imposed barriers to such activity on their CDNs.

Figure 2 Analyzed C2’s hosted on Cloudflare before and after May 2018.

Figure 3 shows the breakdown of malware families that have used Cloudflare for C2 infrastructure after May of this year.

Figure 3 Malware families utilizing C2’s hosted by Cloudflare since May 2018.

Figure 4 shows the number of different hosts hosted by Cloudflare to which each malware family connects.

Figure 4 Number of C2’s hosted by Cloudflare for each malware family.

Domain fronting has been used by hacktivists and threat actors like APT29 to conceal their malicious activity. CDNs are starting to take the necessary steps to mitigate domain fronting by negating routing from one owner’s site to another, but this ability still persists because it allows for routing to take place among a single owner’s sites.

Defending against this type of communication is a heavy lift for the information technology team. Stopping a malicious email campaign within the email security stack before it gets to the end user’s inbox, and training users to identify phish that do reach their inboxes, are keys to helping mitigate this evasive exfiltration techniques like domain fronting.

Learn more about how Cofense stops active phishing threats.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

Phishing Emails with .COM Extensions Are Hitting Finance Departments

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized.

The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.) within the DOS stub. The subject lines and email contents of the phishing emails (Figure 1) suggest that the threat actor is targeting financial service departments. The .iso file attachment mentioned in the email contents is an archive containing a .com1 executable.

Figure 1: Email Content Suggests Targeting of Financial Services Department

If you’re a Cofense PhishMe™ customer, you can use this same lure in your phishing simulations. Look for the template we’ve created, “Overdue Invoice – LokiBot.” It conditions employees to report phishes trying to deliver the Loki Bot information stealer malware. (More on Loki Bot and other malware below).

The two most popular subject line themes we’re seeing use the lures “payment” and “purchase order.” Threat actors are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaigns’ payloads.

Figure 2: Subject Line Categories used in .COM Campaigns

Our analyses showed that the email subject lines were specific to the malware payloads they delivered. For example, the “payment” subject-emails delivered more AZORult information stealer, while the “purchase order” subject-emails most often delivered the Loki Bot information stealer and the Hawkeye keylogger. It is possible that different actors are distributing the unique malware families via .com files. Or, perhaps the same group is responsible and assesses which lures are most appropriate for different malware and the information they target.

Most commonly, .com payloads are directly attached to a phishing email without any intermediary delivery mechanism. However, some campaigns did include an attachment that contained such an intermediary dropper: often the attachment was weaponized to exploit a CVE or a malicious macro, which would deploy a .com payload onto the endpoint. As network defenders become increasingly aware of this direct-attachment delivery, Cofense Intelligence expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point.

Figure 3: Malware Families Delivered using .com Extensions.

Loki Bot, AZORult and Hawkeye made up the far majority of malware delivered in the campaigns we analyzed, whereas Pony accounted for a very small percentage. The combination section refers to the attachment utilizing a vulnerability within a document to deploy a .com payload on the endpoint as mentioned above.

The malware families delivered with the .com extension also revealed a trend with their Command and Control (C2) communication. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. Cloudflare was also the predominant host for Loki Bot with over 75% of its C2 domains hosted with that service. It is likely that Cloudflare is not hosting the actual C2, but in fact being used as a domain front. “Domain fronting” is a technique that allows for the connection to appear to go to one domain when it is actually going to another. This is achieved by connecting securely to one domain and then passing in the target domain via the HTTP host header value. By using Cloudflare, which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.

Figure 4 below shows the C2’s for Loki Bot, AZORult, and Pony that were hosted on Cloudflare compared to every other domain hosting service provider. Hawkeye keylogger stood apart in communicating with unique email domains.

Cofense Intelligence estimates that we’ll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.

To stay ahead of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

  1. Filename: overdue payment.com MD5 hash: 8e6f9c6a1bde78b5053ccab208fae8fd

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence TM has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate the solutions. These malicious developers also release versions in direct correlation to specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases to improve the ransomware’s capabilities.

The email-borne campaign bearing GandCrab v4.4 (analyzed by Cofense Intelligence) did not follow the usual trends of being delivered via Microsoft Office Macro attachment. The lures employed during these previous campaigns were typically enticing recipients to download an infected resume or subpoena. The emails were written in German and had an attached .zip archive that contained an executable sample of GandCrab v4.4. The email body follows previous campaign narratives and is depicted in Figures 1 & 2.

Figure 1: The email body written in German.

Figure 2: The email body translated to English.

Once executed, the GandCrab sample will then collect information about the machine and determine if it is a viable candidate for encryption. If the machine has been deemed acceptable, files that meet specific criteria are then encrypted. After encryption, GandCrab then drops the ransom note in each directory via a .txt file. Figure 3 is a ransom note example.

Figure 3: A GandCrab ransom note example.

The fourth version of GandCrab was released in July, only six months after the first sighting of GandCrab in the wild. This latest version is a drastic change from its predecessors. Focusing on speed of encryption, this version switches from using RSA-2048 to the Salsa20 encryption algorithm. Prior to the fourth version of GandCrab the sample would need to successfully check in with its Command and Control (C2) structure before beginning the encryption process. Figure 4 documents strings found in GandCrab. referencing the developer of the Salsa20 algorithm.

Figure 4: The creator of Salsa20 algorithm is shown in the memory strings.

Versions 4 and 4.1 saw the introduction of a mechanism designed to prevent GandCrab running on undesirable machines. These specific versions would create a hex string .lock file based on specific information being present on the machine and place it in the C:\ProgramData directory. The .lock file would be queried and, if it found the binary, would terminate itself without encrypting the endpoint. Another GandCrab kill-switch is triggered when the sample looks at the language packs installed on the machine. If GandCrab finds a Russian language pack or former Soviet Union language packs, it will terminate itself without encrypting the endpoint.

Another upgrade that came with versions 4 and 4.1 was the ability to encrypt file shares and attached devices. This is done through interaction with the System Volume Manager to detect these resources. This is a big update in weaponry because it gives this ransomware the ability to engulf a network with encrypted files. This version’s ability to encrypt file shares puts a greater emphasis on the mitigation and response techniques needed within a network. The encrypted files also get a new extension and are then appended with .KRAB, as well as the ransom notes being renamed to KRAB-DECRYPT.txt. Figure 5 shows the encrypted file system, as well as the ransom note placed on the Desktop.

Figure 5: The GandCrab ransom note placement and the .KRAB extensions.

GandCrab v4.1 had also shown new network traffic not previously seen with the older versions. This version will use a custom Domain Generation Algorithm (DGA) to create URLs and POST the information collected from the machine to the DGA created URL. These POSTs are not to a GandCrab C2 infrastructure, rather they are legitimate domains. However, some researchers have theorized that these POSTs might be the Proof-of-Concept (PoC) for a future feature yet to be fully utilized. Other researchers believe that these POSTs are meant to fill the network with false positive C2s. Figure 6 shows the multiple POSTs to DGA created URLs.

Figure 6: The network POSTs to the DGA created URLs.

Version 4.1.2 was created out of necessity because of the work done by AhnLab, Inc. and their vaccine software. AhnLab found that the .lock file could be impersonated and placed on the machine beforehand. By doing this, the GandCrab sample would find the .lock file and terminate itself, thus preventing it from successfully encrypting the machine. The vaccine provided by AhnLab was negated within four days by the ransomware developers by utilizing the Salsa20 encryption algorithm to create the .lock file. Less than one day later, AhnLab provided v2.0 of the vaccine. Two days later, a new variant of GandCrab was spotted which checked for a mutex instead. GandCrab v4.1.2 also added anti-sandbox techniques, such as checking the allocated memory and registry for indicators of a virtual environment.

The updated version 4.1.2 became the basis for v4.2+ and brought about a PoC weapon aimed at AhnLab. This PoC is source code that claims it can cause a Denial of Service (DoS) attack on the AhnLab anti-virus solution used on endpoints. The PoC claims that this can cause a Blue Screen of Death (BSOD) on the targeted system. GandCrab’s anti-sandbox techniques, as discussed above, were also removed in v4.2.1. Figure 7 shows the link to the PoC within the running memory.

Figure 7: The BSOD PoC link in the memory strings.

Version 4.3 was simply a re-compile and re-organization of the code as well as adding anti-disassembly techniques. Version 4.4, the latest version, was built upon previous versions with a few new features of its own. The latest version comes with a stealth mode which, when enabled, queries the information gathered. It then determines if any processes on the endpoint need to be terminated before GandCrab starts its infection. Most of the processes targeted for termination are anti-virus products and those which may hold handles to important files (such as database files) which GandCrab intends to encrypt. This allows for the sample to have a non-disruptive and stealth-like file encryption process. The latest version also comes with a self-kill switch. This version can create the .lock file and place it in the %ProgramData% directory before infection as a nod to AhnLab’s vaccine. If the .lock file is found, the sample then sleeps in the background indefinitely. Figure 8 shows the stealth mode strings in memory.

Figure 8: Stealth mode in the memory strings.

What You Can Do

As with any ransomware, especially GandCrab v4.4, you need to have the proper mitigation in place in case an endpoint on the network becomes encrypted. Proper mitigation involves having up-to-date software from the manufacturer; network segmentation from resources that are considered critical; re-occurring and tested backups of all business-critical data; an email security stack that can sanitize emails as they arrive to the end user; and a response plan that has been practiced and refined. Having these things in place can help you withstand a ransomware incident.

GandCrab blasted onto the scene in early 2018, and since then has made great strides in staying relevant in the shifting landscape. The latest rendition employs tactics, like offline encryption, that had not yet been seen by prior iterations. GandCrab v4 has been able to change and adapt to the mitigation tactics of the cyber security community within the span of two months. The developers of GandCrab have been able to quickly evolve their malware based on anti-virus research analysis, which allows for more effective and lasting infections for the ransomware operators. This rapid development cycle of ransomware is a new trend that could likely lead to more malware developers taking research analysis as constructive criticism, then making their samples more robust in the future.

To stay abreast of developments in malware and phishing attacks, sign up for free Cofense Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

AZORult Malware Finds a New Ride with Recent Stealer Phishing Campaign

Cofense Intelligence™ has uncovered a recent AZORult stealer phishing campaign that delivers the malware via malicious attachments. Older versions of AZORult stealer have been delivered via intermediary loaders, typically Seamless or Rammnit malware. In this latest campaign, the attached documents use multiple techniques to download and execute an AZORult sample, indicating a shift by the threat actors behind the campaign to adopt more evasive delivery techniques.