SpecificityThe folks at Talos recently posted an interesting article, "O
n Conveying Doubt". While some have said that this article discusses "conveying doubt" (which it does), it's really about
specificity of language. Too often in our industry, while there is clarity of thought, there's a lack of specificity in the language we use to convey those thoughts; this includes all manner of communication methods; not only reports, but presentations and blog posts. After all, it doesn't matter how good you or your analysis may be if you cannot communicate your methodology and findings.
RansomwareRansomware is a pretty significant issue in the IT community, particularly over the past 8 months or so. My first real encounter with ransomware, from a DFIR perspective, started last year with a couple of
Samas ransomware cases that came in; from a perspective external to my employer, this resulted in two corporate blog posts, one of which was
written by a colleague/friend, and ended up being one of the most quoted and referenced blog posts published. Interestingly enough, a lot of aspects about ransomware, in general, have continued to evolve since then, at an alarming rate.
Vitali Kremez recently posted an interesting
analysis of the GlobeImposter ".726" ransomware. From an IR perspective, where one has to work directly with clients, output from IDAPro and OllyDbg isn't entirely useful in most cases.
However, in this case, there are some interesting aspects of the ransomware that Vitali shared, specifically in section VI.(b).; that is, the command line that the ransomware executes.
Before I go any further, refer back to Kevin's blog post (linked above) regarding the evolution of the Samas ransomware. At first, the ransomware included a copy of a secure deletion tool in one of it's resource sections, but later versions opted to reduce the overall size of the executable. Apparently, the GlobeImposter ransomware does something similar, relying on tools native to the operating system to run commands that 'clean up' behind itself. From the embedded batch file, we can see that it deletes VSCs, deletes user's Registry keys related to lateral movement via RDP, and then enumerates and clears *all* Windows Event Logs. The batch file also includes the use of "taskill" to stop a number of processes, which is interesting, as several of them (i.e., Outlook, Excel, Word) would immediately alert the user to an issue.
FortiNet
recently published an analysis of a similar variant.
Online research (including following
#globeimposter on Twitter) indicates that the ransomware is JavaScript-based, and that the IIV is via spam email (i.e., "malspam"). If that's the case (and I'm not suggesting that it isn't), why does the embedded command line include deleting Registry keys and files associated with lateral movement via RDP?
Marco Ramilli
took a look at some RaaS ransomware that was apparently distributed as an email attachment. He refers to it as "TOPransomware", due to a misspelling in the ransom note instructions that tell the victim to download a TOP browser, as opposed to a TOR browser. This is interesting, as some of Samas variants I've seen this year include a clear-text misspelling in the HTML ransom note page, setting the font color to "DrakRed".
I also ran across this
analysis of the Shade ransomware, and aside from the analysis itself, I thought that a couple of comments in the post were very interesting. First, "...has been a prominent strand from around 2014." Okay, this one is new to me, but that doesn't really say much. After all, as a consultant, my "keyhole" view is based largely on the clients who call us for assistance. I don't claim to have seen everything and know everything...quite the opposite, in fact. But this does illustrate the differences in perspective.
Second, "...spread like many other ransomware through email attachments..."; this is true, many other ransomware variants are spread as email attachments. The TOPransomware mentioned previously was apparently discovered as a .vbs script attached to an email. However, it is important to note that
NOT ALL ransomware gets in via email. This is an important distinction, as all of the protection mechanisms that you'd employ against email-borne ransomware attacks are completely useless against variants such as Samas and LeChiffre, which do not propagate via email. My point is, if you purchase a solution that only protects you from email-borne attacks, you're still potentially at risk for other ransomware attacks. Further, I've also seen where solutions meant to protect against email-borne ransomware attacks do not work when a user uses Chrome to access their AOL email, and the system/infrastructure gets infected that way.
On August 7,
authorities in the Ukraine arrested a man for distributing the NotPetya malware (not ransomware, I know...) in order to assist tax evaders. According to the article, he isn't thought to be the author of the destructive malware, but was instead found to be distributing a copy of the malware via his social media account so that companies could presumably infect themselves and not pay taxes.
Recently, this
Mamba ransomware analysis was posted; more than anything else, this really highlights one of the visible gaps in this sort of analysis. As the authors found the ransomware through online searches (i.e., OSINT), there's no information as to how this ransomware is distributed. Is it as an email attachment? What sort? Or, is it deployed via more manual means, as has been observed with the Samas and LeChiffre ransomware?
The Grugq recently
posted thoughts as to how ransomware has "changed the rules". I started in the industry, specifically in the private sector, 20 yrs ago this month...and I have to say, many/most of the recommendations as to how to protect yourself against and recover from ransomware were recommendations from that time, as well. What's old is new again, eh?
Cryptocurrency MinersCylance recently posted regarding
cryptocurrency mining malware. Figure 7b of the post provides some very useful information in the way of a high fidelity indicator..."
stratum+tcp". If you're monitoring process creation on endpoints and threat hunting, looking for this will provide an indicator on which you can pivot. Clearly, you'll want to determine how the mining software got there, and performing that root cause analysis (RCA) will direct you to their access method.
Web ShellsThe PAN guys had a fascinating write-up on the
TwoFace web shell, which includes threat actor TTPs. In the work I've done, I've most often found web shells on perimeter systems, and that initial access was exploited to move laterally to other systems within the network infrastructure. I did, however, once see a web shell placed on an internal web server; that web shell was then used to move laterally to an MS SQL server.
Speaking of web shells, there's a fascinating little PHP web shell
right here that you might want to check out.
LiferRetired cop Paul Tew recently released a tool he wrote called "
lifer", which parses LNK files. One of the things that makes tools like this really useful is use cases; Paul comes from an LE background, so he very likely has a completely different usage for such tools, but for me, I've
used my own version of such tools to parse LNK files reportedly sent to victims of spam campaigns.
Want to generate your own malicious LNK files? Give
LNKup a try...
Supply Chain CompromisesSupply chain compromises are those in which a supplier or vendor is compromised in order to reach a target. We've seen compromises such as this for some time, so it's nothing new. Perhaps the most public supply chain compromise was
Target.
More recently, we've recently seen the
NotPetya malware, often incorrectly described as "ransomware". Okay, my last reference to ransomware (for now...honest) comes from i
TWire, in which Maersk was able to estimate the cost of a "ransomware" attack. I didn't include this article in the
Ransomware section above because if you read the article, you'll see that it refers to NotPetya.
Here is an ArsTechnica article that discusses another supply chain compromise, where a backdoor was added to a legitimate server-/network-management product. What's interesting about the article is that it states that covert data collection
could have occurred, which I'm sure is true. The questions are,
did it, and
how would you detect something like this in your infrastructure?
Carving for EVTXSpeaking of NotPetya,
here's an interesting article about carving for EVTX records that came out just days before NotPetya made it's rounds. If you remember, NotPetya included a command line that cleared several Windows Event Log files
The folks who wrote the post also included a link to
their GitHub site for the carver they developed, which includes not only the source code, but pre-compiled binaries (they're written in Go). The site includes a carver (evtxdump) as well as a tool to monitor Windows Event Logs (evtxmon).
