Rapid Ransomware Analysis

Again a new ransomware attack “aka Rapid Ransomware” has been surfaced. Similar to previous variants, Rapid Ransomware will scan the system for data files and encrypt them. This variant will append “.rapid” as extension to the encrypted file's name.

Once done with encrypting the system it will open "recovery.txt" ransom notes in Notepad.  These ransom notes tell the victim to send an email to "frenkmoddy@tuta.io" to receive further instructions on restoring files and payment.

This post is an overview of the analysis been made by BluSapphire.

ANALYZED SAMPLE:

MD5: 46f5092fcedc2fee4bfbd572dd2a8f6f

BEHAVIORAL ANALYSIS:

Upon execution of the sample, it deletes the existing shadow copies within the infected machine making it almost impossible to recover.

Attacker used windows utility "bcdedit.exe" and disabled windows automatic repair mode. Also executed "taskkill.exe" commands to kill any running database processes if they exists.

RR05.jpg

Noticed that the malware places a file named "info.exe" in folder "%APPDATA%/Roaming/" and configures itself to auto-run on every login by setting a new registry entry under key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\". 

With the ability to run on every logon, it appears that the malware is capable of checking for newly created files and encrypt them. 

RR06.jpg

Unfortunately, As of this writing we haven't come across any methods that could help us decrypt the files encrypted by Rapid Ransomware.


Dissecting Olympic Destroyer Malware

Pyeongchang Winter Olympics that took place in South Korea was disrupted by cyber attack, which took down most of the systems including ticketing, WI-FI devices, televisions, and media rooms in the stadium during the opening ceremony.

It was identified to be wiper malware named “Olympic Destroyer” that was built with focus on taking down the systems and wiping out the data. “Olympic Destroyer” is weaponized to delete/wipe out all the files, shadow copies and event logs making the system unusable even for recovery.

Similar to Not-Petya and BadRabbit that were surfaced in 2017, “Olympic Destroyer” uses windows features Psexec and WMI for lateral moments and named-pipes as a channel for communication between itself for execution.

Last week one of our sensors has collected the sample and this post is an overview of the analysis been made by BluSapphire.

 

ANALYZED SAMPLE:

MD5 Hash: cfdd16225e67471f5ef54cab9b3a5558

 

Behavioral analysis:

 To make it almost impossible to recover or repair, attacker has used windows "bcdedit.exe" utility, which is used for  managing Boot Configuration Data (BCD)

To make it almost impossible to recover or repair, attacker has used windows "bcdedit.exe" utility, which is used for managing Boot Configuration Data (BCD)

 In order to to cover their tracks, attacker used windows utility " wevtutil.exe " for deleting Security and System windows event log.

In order to to cover their tracks, attacker used windows utility "wevtutil.exe" for deleting Security and System windows event log.

 During the execution, the sample drops two different files in "%temp%" directory that were used during lateral moment and uses named-pipes as a channel for communication for propagation around the network.

During the execution, the sample drops two different files in "%temp%" directory that were used during lateral moment and uses named-pipes as a channel for communication for propagation around the network.

 With an intension of wiping out all the data, attacker has used "vssadmin.exe" to delete all the available shadow copies make it difficult for recovery.

With an intension of wiping out all the data, attacker has used "vssadmin.exe" to delete all the available shadow copies make it difficult for recovery.


ZeroDay Detection with Machine Learning(ML) BluSapphire

Year 2016 & 2017 has witnessed the rise in cyber attacks targeting various sectors like banking, industrial, etc. New variants and types (fileless/in-memory) of malware families are being surfacing each day (wannacry, Petya/NotPetya/Nyetya/Goldeneye, BadRabbit, etc) which a traditional antivirus engine couldn’t detect without a signature.

With advancement in today’s cybercrime, there’s being advancement in detection of such potential threats, which brings me to Machine Learning (ML). According to wiki, Machine Learning (ML) is a field of computer science that gives computers the ability to learn without being explicitly programmed. In other words, computer trained to learn and identify malicious threats on its own.

BluSapphire is being integrated with Machine Learning (ML) engine that is capable of detecting any potential threats the moment they enter the network, making it easy to detect such sophisticated threats.

Last week one of our sensors has collected a file, which was flagged malicious by our Machine Learning (ML) engine. Being a zero-day, at that point in time, it has not triggered any AV flags. This post is an overview of the analysis made by BluSapphire ML engine.

Analyzed sample:

MD5 Hash :              9d55d1c81605209fc2b537e74af9c91c

Analysis:

We observed that the file was being downloaded from url “.pigcherrytoky.download”

0day01.jpg

Machine learning (ML) engine has flagged the file malicious and the file is loaded with some Anti-Debug techniques, making it difficult for debugging.

0day02.jpg

Being a zero-day, it has not triggered any AV flags, but the code within was matched over 176 known trojan malwares samples.

0day03.jpg

Malware being multipartite, it has refused to execute in pieces.

0day04.jpg

Abuse use of APIs:

GetCommandLineA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
VirtualFree
VirtualAlloc
TlsDetValue

Right after few hours the same PUP has being flagged malicious by multiple AV’s.

0day05.jpg

BadRabbit Analysis using BluSapphire

Since the outbreak of Petya/NotPetya which was surfaced in the month of June, again last week a new ransomware attack “aka BadRabbit” is making the headlines effecting machines in Ukraine, Russia, Turkey and Bulgaria.

Initial Attack Vector:

Unlike Petya/NotPetya that use SMB (Eternal Blue) as the initial vector, this variant uses drive-by-download type of attack to deliver the malware (BadRabbit) that spreads via malicious websites.

BadRabbit utilizes:

  1. Diskcryptor to encrypt the files with selected extensions
  2. SCmanager, schtasks and rundll32.exe to invoke other components
  3. For lateral movement, it scans the local networks for SMB shares and spread via SMB
  4. Mimikatz for credential harvesting on compromised machine

Analyzed samples:

MD5 Hash Description
fbbdc39af1139aebba4da004475e8839 Adobe_Flash_Update – Dropper
1d724f95c61f1055f0d02c2154bbccd3 infpub.dat – Main DLL
b4e6d97dafd9224ed9a547d52c26ce02 cscc.dat – Driver for Encryption
b14d8faf7f0cbcfad051cefe5f39645f dispci.exe – DiskCryptor Client

Behavioral analysis:

Once downloaded, the executable dropper pretending to an Adobe Flash Update convincing the victim to install it

bad00.jpg

Upon execution it drops the main module DLL “infpub.dat” in “C:\Windows” directory that is further initiated by rundll.exe with arguments.

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

Executes the command “schtasks /Delete /F /TN rhaegal” to delete any existing tasks with name “rhaegal”.

During the execution of main DLL “infpub.dat” other components (cscc.dat, dispci.exe) responsible for encrypting are being dropped.

To launch the newly dropped components of diskcryptor “dispci.exe” on the startup, a new task is scheduled with name “rhaegal”.

bad04.jpg

New service named “cscc” is created for DiskCryptor Driver “cscc.dat”.

ServiceName=cscc,DisplayName=Windows Client Side Caching DDriver, BinaryPathName=cscc.dat
bad05.jpg

Schedules a task named “drogon” to forcefully reboot the machine at 04:46hrs, it appears that a reboot is required to install the DiskCryptor drivers.

bad06.jpg
bad000.jpg

BadRabbit encrypts only selected file extension as below and displays a ransom note.

3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip

Abuse use of APIs:

CloseHandle
CreateFileW
CreateProcessW
ExitProcess
GetCommandLineW
GetCurrentProcess
GetFileSize
GetModuleFileNameW
GetModuleHandleW
GetSystemDirectoryW
HeapAlloc
ReadFile
TerminateProcess
UnhandledExceptionFilter
WriteFile

URL Found:

http://rb.symcb.com/rb.crl0W
http://s.symcb.com/universal-root.crl0
http://ocsp.verisign.com0
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
http://rb.symcb.com/rb.crt0
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
https://d.symcb.com/cps0%
http://s.symcd.com06
http://crl.verisign.com/pca3-g5.crl04
http://ts-ocsp.ws.symantec.com0;
https://d.symcb.com/rpa0@
https://d.symcb.com/rpa0
https://www.verisign.com/cps0
https://d.symcb.com/rpa06
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://s.symcd.com0
http://ocsp.thawte.com0
https://d.symcb.com/rpa0.
http://rb.symcd.com0&
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://sf.symcb.com/sf.crt0
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://logo.verisign.com/vslogo.gif04
http://sf.symcd.com0&
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://sf.symcb.com/sf.crl0W
http://ts-ocsp.ws.symantec.com07

Lateral Movement:

To perform credential harvesting, it creates and loads mimikatz to a file with extension “.tmp” (xxxx.tmp) in “C:\Windows\” and initiates a new process from the temp file “495E.tmp” with pipe.

bad08.jpg

Notice that the malware scans the local network for ports 139, 445 and spreads via SMB shares with credentials harvested using mimikatz.

bad10.jpg

- Praveen Kolanuvada

NY State DFS - Cyber Security Requirements for Financial Services

New York State Department of Financial Services has released its proposed Cyber Security requirements for Financial Services. It is applicable to any entity that is operating under or required to operate under a license, registration, charter, certificate, permit, accreditation under the Banking law, Insurance law or the Financial Services law. Its open for public comments until Nov 14' 2016.

DFS believes the purpose of this law is to ensure Financial Services businesses operating under its jurisdiction, have robust cyber security measures in place. These requirements are not in conflict with Gramm-Leach-Bliley Act, and are put forth to address, improve and include institutions that currently do not fall under GLB. DFS has proposed some limited exemptions to small business operating with less than $5M in gross annual revenue.

DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk.

Some Financial Institutions that are regulated under SEC, may already be in part be compliant with these requirements. Again, as emphasized by the security community and DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk. Another note-worthy requirement is the use of Multi-Factor authentication for all remote access, 3rd party access, trusted databases with Non-Public information.

An executive summary of the requirements is as below:

1.Maintain an active cyber security program that

  • Identifies and addresses internal and external risks, identifies technology, policy and process controls required for mitigation
  • Addresses Detection, Mitigation, Response and Recover process

2. Implement a Cyber Security Policy / Information Security Policy that addresses

  • Cyber Security Technology (system & network) controls, Access Controls & Identity Management
  • Application Security & Secure Development practices for in-house & external applications
  • Data Governance, Data Classification, Data Privacy (customer)
  • Systems Operations, Capacity, Performance, Availability, Disaster Recovery and Business Continuity
  • Continuous Security Monitoring, Risk Assessments and Incident Response
  • Third Party risk identification & minimum cyber security requirements

3. Establish an Incident Response Plan that at a minimum addresses

  • process for responding to events - playbooks
  • roles & responsibilities, specially document levels of decision making authority.
  • Communications - external and internal
  • Revision process for addressing any failures

4. Encryption of Non Public Information in transit and at rest. Document compensating controls where this is not possible.

5. Appoint / Designate a Chief Information Security Officer (CISO). CISO shall be responsible managing the cyber security program, cyber security policy, Incident Response Plan. He is responsible for reviewing and updating the policies and procedures as required, at least once annually. Any exceptions and compensating controls have to approved by the CISO.

6. Perform a Penetration Test of IT systems annually, and a Vulnerability Assessment at least Quarterly

7. Cyber Risk Assessments should be performed at least annually

8. Provide adequate levels of Cyber Security Awareness training. DFS also recommends training cyber security personnel be trained with updated skills at least annually.

9. DFS requires mandatory notification of a material breach to the Superintendent within 72 hours.

10. DFS requires filing of a written statement of compliance by Jan 15 each year.

These requirements will be effective Jan ' 2017. Entities that fall under the purview of these requirements will be required to prepare and submit a Certificate of Compliance with NY State Department of Financial Services annually, by Jan 15.

______________________________________________________________________

Kiran Vangaveti is the Founder of BluSapphire Technologies that provides Managed Security Asset Management, Continuous Security Monitoring, Risk Assessments and Compliance assistance to Small & Medium Enterprises in Financial and Health Care industries. He is the thought leader behind BluSapphire Intelligent Cyber Defense, security tool providing unrivaled visibility into Advanced Persistent Threats (APT) and malicious activity on client's infrastructure, operating across the entire Cyber Defense stack, utilizing Advanced Behavioral Analytics, Multi-layered Anomaly Detection.

Keeping Kids Safe on Social Media

cyberaware

October is Cyber Security Awareness Month. During the course of this month we will share cyber security tips and resources, that will empower you and your family to understand and take preventative measures against Cyber Threats. These tips will focus on and explain a specific topic with steps you can take to protect yourself, your family and workplace.

 

“ Keeping Kids Safe on Social Media”

 

You’ve probably heard the names – FacebookInstagram, Twitter etc., These are some of the top social networking websites, that have become an online craze for teens and for many adults. You’ve probably also heard some stories about how pedophiles are surfing these pages for their next targets, or how teens are having their identities stolen after posting too much information online. The good news is that young people can protect themselves and their personal information easily, if they know how.

"Make sure your kids understand that you won’t blame them or ban them from Internet. Encourage them to report anything that makes them uncomfortable."

None of this technology is inherently dangerous, and if used safely, can be a great creative outlet for young people and a way to get them excited about technology. However, many young people are sharing too much personal information online and aren’t aware that anyone with an Internet connection can view it - even pedophiles, identity thieves, employers, teachers, their school nemesis, and you. As a parent, you can teach your children how to safely use social networking websites and make sure that they do. Below are some ways that you can protect your children and their personal information online.

 

Talk to your kids about the risks.

·         Explain that online information and images can live forever. It can be very hard and sometimes impossible to take down information that is posted, and photos and information may already have been copied and posted elsewhere.

·         Tell your children not to post any identifying information online. This includes their cell phone number, address, hometown, school name, and anything else that a stranger could use to locate them.

·         Explain that anyone in the world can access what they post online. Inform your children that many college admissions boards and employers are checking social networking sites before they admit students or hire people.

·         Remind your children never to give out their passwords to anyone – not even their friends. Explain that if someone has their password, they could post embarrassing and unsafe information about them on their personal pages and even pose as your children to talk to other people.

·         Make sure that children understand that some people they meet online may not be who they say they are. Explain that on the Internet many people are not truthful about their identity and may even pretend to be someone else.

Protect them from dangers.

·         Most social networking websites require that young people be at least 13-years old, and sometimes even 18, to create an account. Don’t let younger children pretend to be older to use these websites.

·         Social networking websites let users set their profiles to private so that only their friends – usually defined as people that know their full name or email address – can contact them. Make sure younger teens’ profiles are set to private.

·         Go online with your children and have them show you all of their personal profiles. Ask to see some of their friends’ profiles too. If they have a blog or share photos online, ask to see them too.

·         Treat your children’s online activities like you do their offline ones. Ask questions about what they do, who their friends are, and if they have made any new friends.

·         Set clear rules that you can all agree on regarding what your children are allowed to do online. Make sure you decide if your children are allowed to post photos of themselves and open accounts without your permission.

How you can help them

·         Have your children tell you if they ever see anything online that makes them uncomfortable. Make sure they understand that you won’t blame them.

·         Ask them to come to you if anything happens online that hurts or scares them. Tell them that you won’t punish them by banning them from the Internet – this is a big reason why many kids don’t talk to their parents about their online problems.

 

Report any cases of possible child sexual exploitation, no matter how small, to the Cyber Tip Line at https://report.cybertip.org.