In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including RagnarLocker ransomware, LokiLocker ransomware, and Humble ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.
RagnarLocker Ransomware: What you need to know
The Federal Bureau of Investigation (FBI) first became aware of RagnarLocker in April 2020, and by January 2022, it had identified over 52 entities across 10 critical infrastructure verticals that were affected by this ransomware variant. RagnarLocker happens to be both the name of a ransomware strain and of the criminal group that develops and operates it. The FBI found that these threat actors frequently changed obfuscation techniques to avoid being detected and stopped.
A RagnarLocker compromise closely follows the attack flow of other ransomware groups. Initial access is obtained by exploiting a software vulnerability in an external-facing service. After gaining initial access, the threat actors typically use the folder ‘C:\users\public’ as a staging directory; during the discovery phase, several publicly available and custom tools were executed from this folder.
One of RagnarLocker’s custom tools was a PowerShell script called ‘logs.ps1’, which was used to gather information about remote desktop sessions from Windows Event logs. The script takes a list of computer names (‘name.txt’) to query and performs a search against the System event log (event IDs 7001, 7002) and the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Event log (event IDs 21, 25) for IP addresses and usernames. This information is used by the threat actor to determine which accounts are allowed to perform remote desktop connections and between which systems.
The RagnarLocker threat actors use two legitimate remote administration tools to establish a command-and-control channel and exfiltrate data: Remote Manipulator System (RMS) and AnyDesk. RMS allows the user to carry out a variety of tasks, including full control of remote hosts, file transfer, power control, and terminal usage. RagnarLocker threat actors also used the tool ‘HideUL’ (‘Hide from Uninstall List’) as a defense evasion technique. The tool masked the presence of RMS on the compromised servers by removing it from the ‘Add/Remove Programs’ interface of Windows.
The RagnarLocker ransomware deployment was typically done using PsExec (a lightweight telnet replacement that lets you execute processes on other systems). A batch script named ‘any.bat’ was then executed by PsExec allowing the threat actors to install the remote desktop software AnyDesk on victim machines.
SafeBreach Coverage of RagnarLocker Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against RagnarLocker ransomware.
- #9054 Write RagnarLocker (fc0597) ransomware to disk
- #9055 Pre-execution phase of RagnarLocker (fc0597) ransomware (Windows)
- #9056 Transfer of RagnarLocker (fc0597) ransomware over HTTP/S
- #9057 Transfer of RagnarLocker (fc0597) ransomware over HTTP/S
- #9058 Email RagnarLocker (fc0597) ransomware as a compressed attachment
- #9059 Email RagnarLocker (fc0597) ransomware as a compressed attachment
LokiLocker Ransomware: What you need to know
Initially observed in August 2021, LokiLocker is a new Ransomware-as-a-service (RaaS) variant that has targeted English-speaking victims and Windows® PCs. Researchers from BlackBerry Threat Intelligence revealed that this ransomware may have some “false flag” tactics that potentially reveal the involvement of Iranian threat actors.
LokiLocker encrypts the victim’s files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection. This ransomware also includes an optional wiper functionality that can delete all non-system files and overwrite the master boot record (MBR) if the victims fail to comply and pay the ransom. LokiLocker works as a ransomware-as-a-service scheme that has been offered only to a limited number of affiliates. Each affiliate is identified by a chosen username and assigned a unique chat-ID number. LokiLocker is somewhat unusual in that the ransomware itself is written in .NET and protected with NETGuard using a virtualization plugin called KoiVM, a legitimate commercial protector for .NET apps.
BlackBerry researchers also revealed that while the threat actors targeted victims globally, the primary concentration of victims appears to be in Eastern Europe and Asia.
SafeBreach Coverage of LokiLocker Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the LokiLocker ransomware variant.
- #9066 Write LokiLocker (14a590) ransomware to disk
- #9067 Pre-execution phase of LokiLocker (14a590) ransomware (Windows)
- #9068 Transfer of LokiLocker (14a590) ransomware over HTTP/S
- #9069 Transfer of LokiLocker (14a590) ransomware over HTTP/S
- #9070 Email LokiLocker (14a590) ransomware as a compressed attachment
- #9071 Email LokiLocker (14a590) ransomware as a compressed attachment
Humble Ransomware: What you need to know
Researchers from TrendMicro first came across the Humble ransomware variant in February 2021. Based on their findings, this ransomware is compiled with an executable wrapper (Bat2Exe). They also revealed that there appear to be two Humble ransomware variants:
- Variant 1: This variant threatens victims that their MBR would be overwritten if they restart the machine.
- Variant 2: This variant also threatens victims that their MBR would be overwritten, but only if they do not pay the ransom.
The main thing that sets this ransomware apart from other ransomware families is its use of a public webhook service from the communication platform Discord to report to its author or publish infection reports from its victims. The Humble ransomware prevents explorer.exe from viewing or accessing local storage drives. The first variant uses certutil.exe, a program that manages Windows certificates, to generate a key from a randomized input; this key is then used by the extd.exe component to encrypt files. Humble ransomware encrypts 104 file types, including files with the following extensions: .exe, .pdf, .mp3, .jpeg, .cc, .java, and .sys. The second variant downloads the component file using PowerShell, certutil.exe, and extd.exe, instead of the component being encoded within, and automatically dropped from, the batch file. If the victims do not pay the $7.99 ransom within five days, the threat actors threaten to delete all files on the victim’s machine.
SafeBreach Coverage of Humble Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this ransomware variant:
- #9100 Write Humble (455d31) ransomware to disk
- #9101 Pre-execution phase of Humble (455d31) ransomware (Windows)
- #9102 Transfer of Humble (455d31) ransomware over HTTP/S
- #9103 Transfer of Humble (455d31) ransomware over HTTP/S
- #9104 Email Humble (455d31) ransomware as a compressed attachment
- #9105 Email Humble (455d31) ransomware as a compressed attachment
Whirlpool Backdoor: What you need to know
The Cybersecurity and Infrastructure Security Agency (CISA) recently discovered a backdoor malware named Whirlpool that was used in attacks on Barracuda Email Security Gateway devices. It is believed that the China-based UNC4841 is actively leveraging this backdoor to target multiple private and public sector organizations in over 16 countries.
CISA revealed that Whirlpool established a Transport Layer Security (TLS) reverse shell to the attacker’s command-and-control (C2) server. Malicious traffic in these reverse shells can be hard to detect because the traffic is encrypted and often blends in with normal HTTPS traffic. It is believed that Whirlpool is not a passive backdoor and is being used to provide reverse-shell capabilities for other malware families in the UNC4841 arsenal. Whirlpool is a C-based utility that takes either a single CLI argument (a file path) or two arguments (an IP address and a port).
SafeBreach Coverage of Whirlpool Backdoor
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant:
- #9116 Write WHIRLPOOL (860347) backdoor to disk
- #9117 Transfer of WHIRLPOOL (860347) backdoor over HTTP/S
- #9118 Transfer of WHIRLPOOL (860347) backdoor over HTTP/S
- #9119 Email WHIRLPOOL (860347) backdoor as a compressed attachment
- #9120 Email WHIRLPOOL (860347) backdoor as a compressed attachment
- #9111 Write WHIRLPOOL (60ae9c) trojan to disk
- #9112 Transfer of WHIRLPOOL (60ae9c) trojan over HTTP/S
- #9113 Transfer of WHIRLPOOL (60ae9c) trojan over HTTP/S
- #9114 Email WHIRLPOOL (60ae9c) trojan as a compressed attachment
- #9115 Email WHIRLPOOL (60ae9c) trojan as a compressed attachment
- #9048 Write WHIRLPOOL (ad8ccf) RAT to disk
- #9049 Pre-execution phase of WHIRLPOOL (ad8ccf) RAT (Linux)
- #9050 Transfer of WHIRLPOOL (ad8ccf) RAT over HTTP/S
- #9051 Transfer of WHIRLPOOL (ad8ccf) RAT over HTTP/S
- #9052 Email WHIRLPOOL (ad8ccf) RAT as a compressed attachment
- #9053 Email WHIRLPOOL (ad8ccf) RAT as a compressed attachment
Bumblebee Loader: What you need to know
In March 2022, Google’s Threat Analysis Group discovered a new malware loader called Bumblebee. The malware loader was named Bumblebee due to its unique user agent, “Bumblebee,” which it used during its communications with the command-and-control server.
It is believed that this malware loader is distributed primarily via spearphishing emails, which contain archives with ISO files as attachments or links to download the archive from external sources. Bumblebee operators host malicious websites that implement a drive-by download. To infect the system, an end-user has to first manually decompress the archive containing the ISO file, mount the file, and then execute the Windows shortcut (LNK).
After the initial infection, Bumblebee injects code into multiple processes in order to establish a strong foothold on infected endpoints. The process odbcconf.exe creates local Windows Management Instrumentation (WMI) calls to spawn new processes. Bumblebee uses a User Account Control (UAC) bypass technique to deploy post-exploitation tools with elevated privileges on infected machines. After obtaining system privileges on the infected machine, Bumblebee performs credential theft using one of two techniques: a Local Security Authority Subsystem Service (LSASS) memory dump or a registry hive extraction using reg.exe. Bumblebee operators process retrieved credentials offline, attempting to extract cleartext passwords.
It is believed that the Bumblebee threat actors leveraged the Cobalt Strike framework throughout the attack. The threat actors use the stolen/harvested credentials to access Active Directory and make a copy of ntds.dit which contains data for the entire Active Directory. They then leverage a domain administrator account to move laterally, create local user accounts, and exfiltrate data using the Rclone software.
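Three of the behaviours in this round-up leave traces in network telemetry rather than on the host: Humble reports to its author through a Discord webhook, Whirlpool holds open a TLS reverse shell that blends in with HTTPS, and Bumblebee identifies itself to its C2 server with the fixed user agent “Bumblebee”. The script below is an added example, not SafeBreach or vendor code, showing how each of these can be checked against proxy and connection logs. The log lines, the appliance address, the internal network ranges and the duration/byte thresholds are all constructed for this illustration; real thresholds should be tuned against your own baseline.

```python
"""Network-telemetry checks for three behaviours described above (added
example, not SafeBreach code): the fixed "Bumblebee" HTTP user agent,
Discord webhook reporting as used by Humble, and the long-lived, low-volume
outbound TLS sessions a reverse shell such as Whirlpool tends to produce.
All log lines, hosts and thresholds below are constructed for illustration."""
import shlex
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed proxy log: ts client method url "user-agent"
PROXY_LOG = """\
1690000001 10.0.5.12 GET http://203.0.113.10/gate.php "Bumblebee"
1690000002 10.0.5.13 GET http://example.org/index.html "Mozilla/5.0 (Windows NT 10.0)"
1690000003 10.0.5.15 POST https://discord.com/api/webhooks/000000/PLACEHOLDER "Mozilla/5.0"
1690000004 10.0.5.16 GET https://discord.com/channels/@me "Mozilla/5.0"
"""

# Constructed Zeek-style conn records:
# ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes
CONN_LOG = """\
1690000100\tC1\t10.0.0.5\t51000\t198.51.100.7\t443\ttcp\tssl\t7200.0\t3100\t2900
1690000200\tC2\t10.0.0.5\t51001\t203.0.113.50\t443\ttcp\tssl\t0.8\t900\t450000
1690000300\tC3\t10.0.5.13\t51002\t198.51.100.9\t443\ttcp\tssl\t5400.0\t2200\t1900
1690000400\tC4\t10.0.0.5\t51003\t10.0.0.9\t443\ttcp\tssl\t9000.0\t1200\t1100
"""

# Assumptions of this example: which hosts are appliances (an email gateway
# should never originate interactive sessions) and what counts as internal.
APPLIANCES = {"10.0.0.5"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_DURATION_S = 1800        # 30 minutes
MAX_BYTES_EACH_WAY = 50_000  # an interactive shell moves little data


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        ts, client, method, url, ua = shlex.split(line)
        rows.append({"ts": int(ts), "client": client, "method": method, "url": url, "ua": ua})
    return rows


def parse_conn(text):
    fields = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
              "service", "duration", "orig_bytes", "resp_bytes")
    rows = []
    for line in text.splitlines():
        r = dict(zip(fields, line.split("\t")))
        r["duration"] = float(r["duration"])
        r["orig_bytes"] = int(r["orig_bytes"])
        r["resp_bytes"] = int(r["resp_bytes"])
        rows.append(r)
    return rows


def is_external(addr):
    a = ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)


def find_bumblebee_ua(rows):
    # The loader's user agent is the literal string "Bumblebee"; an exact,
    # case-insensitive match keeps browser strings that merely contain the word out.
    return [r["client"] for r in rows if r["ua"].lower() == "bumblebee"]


def find_discord_webhooks(rows):
    # Ordinary Discord browsing goes to other paths; only the webhook API is flagged.
    hits = []
    for r in rows:
        u = urlparse(r["url"])
        if u.hostname == "discord.com" and u.path.startswith("/api/webhooks/"):
            hits.append(r["client"])
    return hits


def find_reverse_shell_candidates(conns):
    # Appliance-originated TLS to an external host, held open for a long time
    # while carrying little data in either direction.
    hits = []
    for c in conns:
        if (c["orig_h"] in APPLIANCES and c["service"] == "ssl"
                and is_external(c["resp_h"])
                and c["duration"] >= MIN_DURATION_S
                and c["orig_bytes"] < MAX_BYTES_EACH_WAY
                and c["resp_bytes"] < MAX_BYTES_EACH_WAY):
            hits.append(c["uid"])
    return hits


def run():
    proxy = parse_proxy(PROXY_LOG)
    conns = parse_conn(CONN_LOG)
    return {
        "bumblebee_ua": find_bumblebee_ua(proxy),
        "discord_webhook": find_discord_webhooks(proxy),
        "reverse_shell_candidates": find_reverse_shell_candidates(conns),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

Scoping the reverse-shell heuristic to appliances is what keeps it usable: a workstation holding a long TLS session to an external host is normal (the C3 record above is deliberately not flagged), whereas a mail gateway originating one is not, and a short, high-volume download (C2) or a session to an internal host (C4) is excluded by the thresholds rather than by an allowlist.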
SafeBreach Coverage of Bumblebee Loader
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant:
- #9078 Write Bumblebee (9bfd20) loader to disk
- #9079 Transfer of Bumblebee (9bfd20) loader over HTTP/S
- #9080 Transfer of Bumblebee (9bfd20) loader over HTTP/S
- #9081 Email Bumblebee (9bfd20) loader as a compressed attachment
- #9082 Email Bumblebee (9bfd20) loader as a compressed attachment
- #7851 Write Bumblebee loader to disk
- #7852 Transfer of Bumblebee (3651) loader over HTTP/S
- #7853 Transfer of Bumblebee (3651) loader over HTTP/S
- #7854 Email Bumblebee (3651) loader as a compressed attachment
- #7855 Email Bumblebee (3651) loader as a compressed attachment
- #7087 Write BumbleBee downloader to disk
- #7088 Transfer of BumbleBee (386b) downloader over HTTP/S
- #7089 Transfer of BumbleBee (386b) downloader over HTTP/S
- #7090 Email BumbleBee (386b) downloader as a compressed attachment
- #7091 Email BumbleBee (386b) downloader as a compressed attachment
Sponsor Backdoor: What you need to know
ESET researchers have recently discovered a new backdoor named Sponsor deployed by an Iran-associated advanced persistent threat (APT) group named the Ballistic Bobcat group. Also tracked as APT35/APT42 (also known as Charming Kitten, TA453, or PHOSPHORUS), this group often targets education, government, and healthcare organizations, as well as human rights activists and journalists. Its victims are primarily based in Israel, the Middle East, and the U.S. It is believed that the Ballistic Bobcat group primarily engages in cyberespionage and that a significant majority of its 34 victims are based in Israel, primarily in the automotive, manufacturing, engineering, financial services, media, healthcare, technology and telecommunications verticals.
The Sponsor backdoor is one of the several custom applications deployed by Ballistic Bobcat to achieve its nefarious objectives. One of the notable features of the Sponsor backdoor is that it hides its otherwise innocuous configuration files on the victim’s disk so they can be discreetly deployed by malicious batch scripts, successfully evading detection.
Sponsor backdoors are written in C++ and carry compilation timestamps and Program Database (PDB) paths. The initial execution of Sponsor requires the runtime argument install, without which Sponsor gracefully exits, likely a simple anti-emulation/anti-sandbox technique. If the argument is passed, Sponsor creates a service called “SystemNetwork” or “Update”. It sets the service’s Startup Type to Automatic, sets it to run its own Sponsor process, grants it full access, and then starts the service. Sponsor gathers information about the host on which it is running and reports all of the gathered information to the command-and-control server. Its supported capabilities include command and file execution, file download, and updating the list of attacker-controlled servers.
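Several of the host-side behaviours described in this round-up (RagnarLocker’s use of C:\users\public as a staging directory and PsExec-driven batch deployment, Humble’s use of certutil.exe from a batch file, Bumblebee’s odbcconf.exe launch, reg.exe hive extraction and Rclone exfiltration, and Sponsor’s “SystemNetwork”/“Update” service) can be expressed as rules over process-creation and service-install telemetry. The script below is an added example, not SafeBreach code, showing those rules run over constructed events. The event schema, the parent-process heuristics and the sample command lines are assumptions made for the illustration, not indicators taken from the samples themselves.

```python
"""Host-telemetry detection rules for behaviours described in the RagnarLocker,
Humble, Bumblebee and Sponsor sections (added example, not SafeBreach code).
Events are constructed, and the field names follow a generic Sysmon/EDR-style
schema that is an assumption of this example."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str               # "process" (creation) or "service" (install)
    image: str = ""         # full path of the executable
    cmdline: str = ""
    parent: str = ""        # parent image path, process events only
    service_name: str = ""  # service events only


STAGING_DIR = re.compile(r"c:\\users\\public\\", re.I)                      # RagnarLocker staging folder
HIVE_SAVE = re.compile(r"\bsave\b.*\bhklm\\(sam|security|system)\b", re.I)  # reg.exe hive dump
TRUSTED_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
SPONSOR_SERVICE_NAMES = {"systemnetwork", "update"}
USER_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) tuples; one event can trigger several rules."""
    hits = []
    for e in events:
        img, par, cmd = _base(e.image), _base(e.parent), e.cmdline.lower()
        if e.kind == "process":
            # RagnarLocker: tools run from the C:\users\public staging directory
            if STAGING_DIR.search(e.image) or STAGING_DIR.search(e.cmdline):
                hits.append(("staging_dir_execution", e.host, e.cmdline))
            # RagnarLocker: PsExec-driven batch script (any.bat) deployment
            if par in ("psexec.exe", "psexesvc.exe") and ".bat" in cmd:
                hits.append(("psexec_batch_deploy", e.host, e.cmdline))
            # Humble: certutil.exe driven from a batch file (parent cmd.exe); heuristic
            if img == "certutil.exe" and par == "cmd.exe":
                hits.append(("certutil_from_batch", e.host, e.cmdline))
            # Bumblebee: odbcconf.exe launched from a user shell after the LNK is opened; heuristic
            if img == "odbcconf.exe" and par in USER_SHELLS:
                hits.append(("odbcconf_user_launch", e.host, e.cmdline))
            # Bumblebee: registry hive extraction with reg.exe
            if img == "reg.exe" and HIVE_SAVE.search(cmd):
                hits.append(("registry_hive_extraction", e.host, e.cmdline))
            # Bumblebee: Rclone used for exfiltration
            if img == "rclone.exe":
                hits.append(("rclone_execution", e.host, e.cmdline))
        elif e.kind == "service":
            # Sponsor: service named SystemNetwork/Update whose binary lives outside trusted dirs
            if (e.service_name.lower() in SPONSOR_SERVICE_NAMES
                    and not TRUSTED_DIRS.match(e.image)):
                hits.append(("suspicious_service_install", e.host, e.service_name))
    return hits


# Constructed sample telemetry (not real data); command lines are illustrative
SAMPLE_EVENTS = [
    Event("srv01", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -File C:\Users\Public\logs.ps1", r"C:\Windows\System32\cmd.exe"),
    Event("srv02", "process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c C:\Users\Public\any.bat", r"C:\Windows\PSEXESVC.exe"),
    Event("ws03", "process", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -hashfile C:\Users\bob\AppData\Local\Temp\rnd.tmp MD5",
          r"C:\Windows\System32\cmd.exe"),
    Event("ws04", "process", r"C:\Windows\System32\odbcconf.exe",
          r"odbcconf.exe -f C:\Users\bob\AppData\Local\Temp\setup.rsp", r"C:\Windows\explorer.exe"),
    Event("ws04", "process", r"C:\Windows\System32\reg.exe",
          r"reg.exe save hklm\sam C:\Users\Public\sam.hiv", r"C:\Windows\System32\cmd.exe"),
    Event("dc01", "process", r"C:\Users\alice\Downloads\rclone.exe",
          r"rclone.exe copy C:\Staging remote:bucket", r"C:\Windows\System32\cmd.exe"),
    Event("ws05", "service", r"C:\Users\alice\AppData\Local\Temp\svc.exe install",
          service_name="SystemNetwork"),
    Event("ws06", "service", r"C:\Program Files\Vendor\updater.exe", service_name="Update"),
    Event("ws07", "process", r"C:\Windows\System32\notepad.exe", "notepad.exe",
          r"C:\Windows\explorer.exe"),
]


def triggered_rules(events=SAMPLE_EVENTS):
    """Sorted set of rule names that fire on the given events."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The service rule is the one most worth tuning: “Update” is a plausible name for legitimate software, so the rule only fires when the binary sits outside C:\Windows and Program Files (the ws06 event above is deliberately left alone), and in production the same check would usually be paired with a signer or hash allowlist.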
SafeBreach Coverage of Sponsor Backdoor
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the backdoor malware:
- #9149 Write Ballistic Bobcat Sponsor (93267a) backdoor to disk
- #9150 Pre-execution phase of Ballistic Bobcat Sponsor (93267a) backdoor (Windows)
- #9151 Transfer of Ballistic Bobcat Sponsor (93267a) backdoor over HTTP/S
- #9152 Transfer of Ballistic Bobcat Sponsor (93267a) backdoor over HTTP/S
- #9153 Email Ballistic Bobcat Sponsor (93267a) backdoor as a compressed attachment
- #9154 Email Ballistic Bobcat Sponsor (93267a) backdoor as a compressed attachment
Interested In Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
- Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
- Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
- Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
- Report: Receive a custom-built report with simulation results and actionable remediation insights.
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.