This report is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.
Malware Overview – EvilQuest
EvilQuest, AKA ThiefQuest, and Mac.Ransom.K, is ransomware that aims to encrypt macOS devices, which are typically less affected by the ransomware threati.
EvilQuest is the third ransomware variant for macOS devices found in the wild.
Another unusual detail about EvilQuest that stands out compared to other ransomware variants is that it uses symmetric encryption all the way, instead of using an asymmetric key in at least one stage of the encryption.
This means that the key that was used to encrypt the file can be used to decrypt it, thus making the challenge of decrypting the files a lot easier.
The ransomware also includes data exfiltration functionality, using three external python scripts that can send out HTTP post requests:
The ransomware includes additional functionality that many ransomware variants do not normally have. For example, it looks for SSH keys that might allow the attacker to interactively logon into a victim’s device. It also looks for trusted certificates, which can allow the attacker to access sites without causing security warnings.
We can also find hints of key-logging functionality in parts of the code calling API functions that aim to find low-level hardware events, with names that include “klgr” and print out strings like “started logging”:
We can find evidence that the ransomware is still being developed and is not yet in its final form. The decryption functionality, for example, is not completely implemented. Because the decryption routine is not called anywhere inside the code, victims will surely not be able to decrypt their files, even if they pay the ransom.
Malware Overview – Agent Tesla
Agent Tesla is a spyware/keylogger that’s used to exfiltrate data harvested from victim devicesii. It targets mostly Indian victims and ISPs. It was first observed in 2014 and was known to be distributed to many threat actors as “malware as a service.” Threat actors can purchase a subscription license to the malware from its official website.
Traditionally, Agent Tesla was spread mostly by phishing emails in order to steal data from the compromised devices. Newer versions of the malware target stored credentials, focusing on passwords for VPN and email services. This may indicate a rise in the demand for this data, which might originate from the increased usage in the past year caused by remote work.
The new version also abuses seemingly legitimate and trusted services, such as Telegram, as platforms to exfiltrate data through. Using Telegram Messenger could potentially evade traditional network-based detections.
The dropper executable, written in Auto-IT, contains process injection functionality, which allows the malware to inject its shellcode into a process and pass the control to a program called “RegSvcs.exe”iii.
This program (written in .NET), contains the functionality of collecting the saved credentials from installed software on the victim device (for example, popular browsers, as seen in the screenshot), and sending this data to the C&C server:
Malware Overview – Foudre APT
“Foudre” is the name given to an Iranian APT that was discovered in 2017iv. It has ancestors that go back as early as 2007 (Infy AKA “Prince of Persia”). It’s mainly used to stealthily exfiltrate data from organizations and VIP individuals.
The APT, which was mostly but not exclusively used against targets in Europe and North America, consists of several stages. The first stage includes the victim opening a crafted document that contains macro code, which self-extracts archives with “Foudre” components. Example of the document that was sent to the victims:
The second stage includes a connection to a C2 server over HTTP, both with the intention to validate itself and to download “Tonnerre” – a malware that is used in the third stage.
During the third stage, “Tonnerre” is executed and has two responsibilities: updating itself using HTTP communication to the C2 server, and exfiltrating data over FTP protocol.
The domain name and the IP address of the C2 server were not available as a string in the malware itself, as it uses domain generating algorithms (DGA) to find the domain – a technique that generates and tries to communicate with many domain names, while only one of them is the real C2 server domain name. This technique potentially allows the attacker both to hide his identity and to keep the C2 server’s reputation clean for a longer period of time.
Malware Overview – Drovorub
Drovorub is a malware that attacks Linux OS, created by the Russian threat actor “Fancy Bear” aka “APT28” and “Stronium”, as attributed by the FBI and NSAv.
The malware is built by combining three different utilities – a rootkit for the OS kernel, a port forwarding, and file transfer component, and a C2 communication utility.
The kernel rootkit’s purpose is to hide the malware’s activity by hiding processes from system calls and the file system, hiding files by using specific functions that allow it, filtering out network sockets from different views, and employing different techniques to hide packets.
“Fancy Bear” is also said to be behind several other campaigns, such as attacks against embassies and ministries in Asia and Europe which were uncovered in August 2019, and an attack against a variety of sports-related organizations the following September. While both attacks included phishing attempts, the first attack also employed several stages of downloaders; some of them are written in niche programming languages.
Another operation attributed to this group lasted about a year and a half, between December 2018 and May 2020, in which several US government institutions had their mail servers and VPN services compromised.
Malware Overview – StrongPity
StrongPity aka APT-C-41 and “Promethium” is a backdoor that was created by a Turkish APT group, which specifically targets financial, industrial, and educational organizations in Europe, with the intention of spying on themvi. The malware was first seen in the wild in 2012, and its last recorded activity was in November 2020.
The malware spreads using a technique called watering hole, in which it attaches itself to a normally legitimate software, such as WinRAR or TrueCrypt, by running websites that claim to offer these tools, but it delivers the trojanized versions vii.
The malware has several stages in its execution flow. It begins by infecting the victim using the watering hole technique. Then, it drops files that contain the malware’s configuration under the path %temp%\ndaData
It then looks for files that it is configured to look for, like files with specific extensions for example, by using a file searcher functionality. The type of files that are searched for is embedded in the malware’s payload.
The found files are then compressed into a ZIP file, which is then encrypted, split into several parts, and marked as hidden. These split files are then sent over to the attacker by using web POST requests to the C2 server. This technique is meant to help the attacker evade detection, as a POST request with a small payload is a normal activity in most organizations.
After the split files are sent, they are deleted from the victim’s disk.
Varonis’ threat detection products have several built-in threat models that can identify the malware variants mentioned during different stages of their activity:
- “Crypto activity detected”: detects the creation of ransom notes on a file server.
- “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server without relying on known ransomware file names or extensions, enabling detection of new ransomware/data destroyer variants.
- “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain, by examining the amount of the information sent.
- “Potential phishing attack: Access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters on the website’s URL.
- “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
- “Potential malicious file download was detected”: detects the download of a potentially malicious file.
- “Potential malware infection: dropper identified”: detects the potential infection of the environment by a dropper malware, which can be used to download the next stages of malware.
- “Domain Generation Algorithm (DGA) identified”: detects malware variants that generate domain names and communicate with the DNS server to resolve their names, in the attempt to find its C2 server.
Success Story of the Month
During the last few weeks, we have seen a surge in ransomware attacks mainly against healthcare organizations.
We identified APTs using CobaltStrike as their main C2 and collecting data across several endpoints while exploiting, for example, contractor accounts access without MFA.
One of Varonis’ customers in the healthcare sector experienced a malware infection on several servers.
They called on the Varonis Forensics Team to investigate the infected servers, find the infected files, and help with building a timeline and a report of the malicious activity.
The Forensics Team found several suspicious files and exported the USN ReadJournal and Master file table (MFT) from the infected servers.
They discovered that some of the suspicious files contained malicious functionality:
- The malware used two malicious files – one executable used to communicate with a C2 server, and one configuration file.
- The configuration file masked itself as a “wav” audio file and even had the appropriate headers.
- To execute, the malware required two parameters – the configuration file and a second executable which could be found by default on the victim device.
- It then used “rundll32.exe” to run its malicious code and try to communicate with the C2 server.
- Using the USN ReadJournal we were able to find that the attackers deleted some of the malicious files used throughout the attack to cover their tracks.
Our team helped the customer by:
- Providing indicators of compromise (IOCs) of the malicious files to be implemented across the organization’s security solutions.
- Reverse-engineering a sample of the malware and providing a full and comprehensive malware report, including explanations about all the malware’s capabilities and functionality
- Utilizing the Varonis web UI to investigate Varonis alerts together with the customer to verify no spots were missed
- Correlate the known parts of the attack to the events showing in Varonis
New Variants Analyzed in February
|Variant name||Popularity||Data-centric IOCs|
|JohnBorn Ransomware||3||Extension: .johnborn@cock_li|
|Xorist Ransomware||2||Extension: .@LyDarkr|
|Xorist Ransomware||2||Extension: .ZoToN|
|Xorist Ransomware||2||Extension: .CryptPethya|
|Xorist Ransomware||2||Extension: .zaplat.za klic
|Xorist Ransomware||2||Extension: .EnCryp13d|
|Namaste Ransomware||3||Extension: ._enc|
|POLA STOP Ransomware||3||Extension: .pola|
|Paradise Ransomware||2||Extension: .Cukiesi|
|SUMMON Ransomware||2||Extension: .SUMMON|
|0l0lqq Ransomware||3||Extension: .0l0lqq|
|Cring Ransomware||3||Extension: .cring
|PAYMENT Ransomware||3||Extension: .PAYMENT|
|DEcovid19bot Ransomware||3||Extension: .covid19|
|DeroHE Ransomware||3||Extension: .DeroHE|
|Matrix Ransomware||1||Extension: .JJLF
|Scarab Ransomware||1||Extension: .nginxhole|
|Snatch Ransomware||2||Extension: .aulmhwpbpz|
|Bonsoir Ransomware||3||Extension: .bonsoir|
|Xorist Ransomware||2||Extension: .lockerxxs|
|Solaso Ransomware||3||Extension: .solaso
|Matrix Ransomware||1||Extension: .CTRM
|HiddenTear Ransomware||1||Extension: .ZIEBF_4561drgf|
Top Attack Vectors Observed in February 2021