In our analysis, we found code fingerprints in samples of BlueSky ransomware that can be connected to the Conti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it.
According to research by CloudSEK, PowerShell scripts are used to download and drop BlueSky ransomware from a fake website, after which it encrypts the victim's data. After successful encryption, BlueSky renames the encrypted files with the file extension .bluesky and drops ransom note files named # DECRYPT FILES BLUESKY #.txt and # DECRYPT FILES BLUESKY #.html.
Palo Alto Networks customers receive protections from BlueSky ransomware and other types of ransomware through Cortex XDR, the Next-Generation Firewall and cloud-delivered security services including WildFire. The Advanced URL Filtering subscription provides real-time URL analysis and malware prevention for BlueSky ransomware.
If you think you may have been impacted by a cyber incident, the Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting any of our cyber risk management services.
As shown in Figure 1, BlueSky ransomware is initially dropped by the PowerShell script start.ps1, which is hosted at hxxps://kmsauto[.]us/someone/start.ps1. The initial dropper is Base64-encoded and then DEFLATE-compressed, which is common behavior observed among PowerShell droppers.
Before downloading additional payloads to perform local privilege escalation, the PowerShell script, stage.ps1, determines if it is being executed as a privileged user. If so, it moves to the next step and downloads and executes the ransomware payload. If not, it uses the following techniques to escalate local privileges, depending on the version of the host operating system. If the version of the host operating system is earlier than Windows 10, such as Windows 7, 8 or XP, then the script will download and execute a modified version of the local privilege escalation tool called JuicyPotato. If the host is running Windows 10 or later, then the script will download and execute ghost.exe and spooler.exe to exploit local privilege escalation vulnerabilities CVE-2020-0796 and CVE-2021-1732 respectively.
After gaining additional privileges, stage.ps1 downloads the final BlueSky ransomware payload from hxxps://kmsauto[.]us/someone/l.exe and saves it locally to the filesystem as javaw.exe, attempting to masquerade as a legitimate Windows application. Eventually, the sample executes from the file path %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\javaw.exe.
BlueSky drops the ransom note as a text file named # DECRYPT FILES BLUESKY #.txt and an HTML file named # DECRYPT FILES BLUESKY #.html in a local directory where it has encrypted files successfully and renamed them with the file extension .bluesky. The content of # DECRYPT FILES BLUESKY #.html is shown in Figure 3.
BlueSky implements multiple anti-analysis techniques, including string encryption, API obfuscation and anti-debugging mechanisms, allowing it to obfuscate Windows API function names and use indirect calls for resolving APIs. Additionally, BlueSky encodes API names using DJB hashing functions as shown in Figure 4, hindering malware analysis.
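As an added example (not the report's own code), a small analyst helper that precomputes DJB-style hashes for a list of known export names and resolves hash values recovered from a sample back to API names. It assumes the classic djb2 routine (seed 5381, h = h*33 + c, 32-bit); the seed, mixing step and case handling of a real sample are assumptions here and must be matched to the routine shown in Figure 4.

```python
# Added example (not the Unit 42 report's code): resolve DJB-style API hashes
# back to Windows API names, the helper an analyst writes when a sample such as
# BlueSky replaces its import names with hashes. Assumed here: classic djb2
# (seed 5381, h = h*33 + c, 32-bit). The seed, mixing step and any case
# normalisation a real sample uses must be read from its own routine (Figure 4).
from typing import Dict, Iterable, Optional

DJB2_SEED = 5381
MASK32 = 0xFFFFFFFF


def djb2(name: bytes, seed: int = DJB2_SEED) -> int:
    """Classic djb2 over the raw bytes of an export name, truncated to 32 bits."""
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & MASK32  # h * 33 + c, wrapped to a DWORD
    return h


def build_hash_table(names: Iterable[str], seed: int = DJB2_SEED) -> Dict[int, str]:
    """Precompute hash -> name for known export names (e.g. dumped from the
    export tables of kernel32.dll, advapi32.dll, netapi32.dll)."""
    table: Dict[int, str] = {}
    for n in names:
        h = djb2(n.encode("ascii"), seed)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r} -> {h:#010x}")
        table[h] = n
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash recovered from the binary to an API name, or None if unknown."""
    return {h: table.get(h) for h in hashes}


# Constructed sample input: a few export names an analyst might feed in.
KNOWN_EXPORTS = [
    "CreateFileW", "WriteFile", "CreateThread", "CreateMutexW",
    "RegSetValueExW", "FindFirstFileW", "NetShareEnum",
]

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Hash values as they would be pulled from the sample's hashed import list;
    # computed from the names here so the example runs offline.
    seen = [djb2(b"CreateMutexW"), djb2(b"CreateThread"), 0xDEADBEEF]
    for h, name in resolve(seen, table).items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

In practice the name list is the full export table of the DLLs the sample resolves from, and the hash routine is swapped for the exact variant recovered from the binary.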
BlueSky generates a unique user ID by computing the MD5 hash over the combined Volume Information, Machine GUID, Product ID and Install Date values, as shown in Figure 5. Furthermore, it uses the same ID for generating the mutex Global\.
It creates the registry key HKCU\Software\ to store registry entries completed, RECOVERY BLOB and x25519_public to fingerprint its ransomware operations. Once the encryption process is completed, the registry entry completed is set with a value of 1. RECOVERY BLOB is a fingerprint identifier for the compromised organization, which is encrypted by the ChaCha20 encryption algorithm. The structure of the RECOVERY BLOB is shown in Table 1.
All samples we observed related to BlueSky ransomware were hosted at an active domain named kmsauto[.]us. When hunting for more samples related to BlueSky ransomware, we observed that several malware samples associated with the RedLine infostealer were hosted on the same domain. Although we did not find any code overlap between RedLine and BlueSky ransomware, similarities in the initial stages were observed, as both these families use a PowerShell downloader as the initial vector.
Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses. BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.
Palo Alto Networks customers with Cortex XDR, the Next-Generation Firewall and Advanced URL Filtering benefit from protections against the attacks discussed in this article. Additionally, the malicious indicators (domains, URLs and hashes) can be prevented with our DNS Security and WildFire services.
If you have cyber insurance, you can request Unit 42 by name. You can also take preventative steps by requesting any of our cyber risk management services, such as our Ransomware Readiness Assessment.
A few weeks ago, the Bluesky website vanished. I have been unable to find any recent traces on the Internet of either Gordon Lee, who seems to have been the only person left at Bluesky (or, at any rate, its only interface with the public), or of its founder, Barry Smith.
Although Textures had long lost their leading role in bringing TeX to MacOS, Gordon Lee appeared to be working on Textures until late 2012 - recoding their application in Cocoa and releasing private upgrades or bug fixes to people that were still using Textures and hoping for an eventual release of a full OSX version - but that was the last I knew.
It would be a great shame if all the work they did invest in this project was lost. I still prefer Textures over more recent Mac OS implementations for a number of reasons, and wonder whether there's any chance of salvaging whatever was left.
shortly thereafter, a notice was posted on the bluesky web site, but a catastrophic crash at the server level disrupted that link. (the site name has now been reassigned to someone else, unrelated to textures.) some site history is still available from archive.org with the oldest snapshot in 2011: blueskytex.com/
update: reminded of this post by a recent upvote, i can point to more recent information regarding an effort to resuscitate textures. the web site [link temporarily removed as the website is currently compromised, see the revision history for the link] reports the current status of the work, and states that a further announcement will appear on 1 july 2015.
update (9 sep 2016) -- WARNING: earlier today i received a phone call from someone who, in attempting to find out the current status of this project, clicked on the link to the blueskytex website, only to be faced with a red screen and a notice that his computer had been locked and all the information there had been stolen. a phone number for "technical support" was given, but you can be sure he did not call it.
update (28 May 2019): Unfortunately, attempts to resuscitate Textures have come to naught. The web site is now in the hands of a totally unrelated entity, and will not likely be restored to anything related to typesetting. A sad end to a much appreciated enterprise.
Gordon Lee suffered a heart attack shortly after my husband died. Unfortunately it left him unable to work, and he retired to a health care community. A great loss after an even greater one, not just for me, but for those who enjoyed using Textures and letting him know when there was a problem or sharing other things. It has been very hard because they were so close to finishing an app to port Textures to the iPad, and that gave them both a great deal of joy.
At this time I have not decided what will happen with Textures. Warren Leach and I have had some discussions, but it is too soon to make any decisions. As soon as we can, we will put the site back for those who need some answers that may be found there.
To anyone still interested in the progress of bringing back the site: we are now working on piecing together what we have been able to rescue from the server, and I have hired a tech quite versed in the way to port one site to another, making sure all files and code are in the proper place.
www.bluesky.com is no longer available. The new website address is www.blueskytex.com, and my new address, in case anyone has any questions for which I may have the answer, is [email protected]
I wish I could. It is difficult at best to give a time estimate, since the tech person who is working on it has to put together the pieces of the puzzle - a puzzle neither he nor I are sure will produce the expected results. Right now our main concern is to make sure that even in the event of another failure we would be able to be back up almost immediately without losing any data.
I would estimate that our first test can come as soon as 4 weeks and maybe even sooner. However, please do not hold me to this timetable as a promise. I like to give an e.t.a. when I am certain I can do it, but until we have the site up and running safely I would not tell you when it would be viable other than as an estimate. We are working constantly, and while I understand the urgent need some of our Textures users have, I hope they understand that if there was any way at all for me to speed the process, I would have done that already.
As for the suggestion in another list that was forwarded to me by a Textures user who was outraged at the suggestion offered by another Textures user, let me assure everyone that the Textures copyright is intact, and ownership by Blue Sky is still being asserted, according to my attorney, who has advised me that proper legal action will be taken against any person, group, organization or anyone who attempts to reverse engineer the product by disabling the copy protection mechanism.