[Windows Xp Professional Sp3 Loader 86x By Daz Zipl
Sharif Garmon
U.S. and European law enforcement agencies revealed new seizures and arrests this week involving the REvil ransomware group, underscoring the intense interest and outrage following in the wake of these malicious campaigns. These developments also highlight the immediate need for security professionals to fully understand the inner workings of this group and the associated malware family, to better protect their organizations and stakeholders. This blog dives deep into REvil's latest tactics, techniques, and procedures (TTPs), drawing insights from a recent incident handled by the BlackBerry Incident Response Team.
Notice the setting of electric [4438089] = third, which sets the next function to run after returning to the calling while loop. In this fashion, we find multiple assignments of functions to various array positions within the electric [ ] array. After another attempted sleep (commented out above), the indicate function sets the knew variable, which is later decoded.
To avoid the consistent iterations of the while loop and speed up analysis, the round ( ) function can be modified to make its calls directly, rather than waiting for the loop to continue incrementing the race value as such:
If this key does not exist, it is created. Next, we see another set of obfuscated code that is decoded via a call to multiply ( ). By setting a breakpoint on the return for the multiply ( ) function, we see the final bit of deobfuscated code:
While the general layout of the loader was analyzed, BlackBerry was unable to obtain a copy of the exact JavaScript that would have been downloaded in this particular example of the final phase. Threat intelligence was used to find similar code, but the exact code was unavailable.
After gaining access to multiple highly privileged accounts, the threat actor began pivoting to other hosts on the network via Remote Desktop Protocol (RDP). From there, the PsExec tool was also used to pivot to other hosts to shut down Windows Defender services.
The threat actor utilized two methods of installing Cobalt Strike command-and-control (C2) within memory. The first and simplest method was utilizing a simple encoded PowerShell command to execute a Cobalt Strike stager. Below is a snippet from the discovered Cobalt Strike stager:
The BlackBerry Incident Response Team also discovered a PowerShell command used to stage Cobalt Strike within the registry key: HKLM:\SOFTWARE\Microsoft\PowerShell\info. The threat actor ran the PowerShell via a remote service which executed the following:
The contents of the registry key were extracted for further analysis. Unfortunately, the PowerShell code executed on the system contained undefined variables, such as pdqnas. As such, it did not appear to be decodable as-is.
However, other .vbs and .js implementations by the REvil group were available that use the same technique and means of execution. Decoding the registry key was possible using another equivalent JavaScript loader:
The JavaScript loader was used to decode the registry key and retrieve the Cobalt Strike Beacon details. Upon execution, the Beacon was configured to spawn the legitimate Microsoft gpupdate.exe binary with injected code, which was configured to reach out to the following IP over port 443:
The REvil group is known to exfiltrate data prior to deploying ransomware. In identifying any potential exfiltration activity, the BlackBerry Incident Response Team searched across a number of forensic artifacts to identify common exfiltration tools, or enumeration of sensitive folders or file shares. The threat actor used the PowerSploit PowerShell module to discover file servers on the network that may contain sensitive data for exfiltration:
Prior to deploying ransomware across the environment, the threat actor once again attempted to disable the Windows Defender feature via Powershell and Scheduled Tasks. Rather than deploying ransomware across the entire environment, the group was more selective, instead targeting the Hyper-V hosts, and more specifically the Cluster Shared Volumes (CSVs) containing the virtual machines (VMs). VMs and Hyper-V services were stopped via PowerShell just prior to deploying ransomware to the CSVs.
REvil/Sodinokibi ransomware includes a configuration that is used to determine parameters, such as which file extensions to target for encryption, which processes to kill prior to beginning the encryption routine, and which directories or extensions to exclude to avoid causing damage to the target operating system. The Sodinokibi ransomware is well-documented in the following article by the BlackBerry Threat Research team:
Codi Starks has more than twelve years of IT, cybersecurity, and incident response experience. During his time in the field he has supported and led difficult incident response engagements for Fortune 500 companies spanning multiple continents.
He currently holds several certifications and achievements, including an M.S. in Information Security and Assurance, as well as the OSCP and SANS GCFE certifications. He has won multiple cybersecurity competitions, including OpenSOC, SANS DFIR Netwars, and SOCX.
795a8134c1