This report is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.
Success Story of the Month
One of Varonis’ customers, a large European transportation company, experienced a malware infection on several devices.
They called on the Varonis Forensics Team to investigate the infected machines, find the infected files, and help with building a timeline and a report of the malicious activity.
The Forensics Team exported the event log and master file table (MFT) from the infected devices and found several suspicious files.
Some of the suspicious files contained malicious functionality that matched the findings in the customer’s environment:
- The sample we found is a variant of Dridex, which uses benign-looking executable files.
- The malware used two malicious files: one DLL that contained the malicious payload and one executable used to activate the functionality in the DLL.
- To maintain persistence, the malware uses a scheduled task, a registry value, and a link in the Windows startup folder.
Our team helped the customer by:
- Providing indicators of compromise (IOCs) of the malicious files to be implemented across the organization’s security solutions
- Reverse-engineering a sample of the malware and providing a full and comprehensive malware report, including explanations about all the malware’s capabilities and functionality
- Utilizing the Varonis web UI to investigate Varonis alerts together with the customer, to verify that nothing was missed
- Correlating the known parts of the attack with the events shown in Varonis
Tackling Egregor Ransomware with Varonis
In February, several people suspected of being operators of Egregor ransomware variants were arrested in a joint operation by Ukrainian and French law enforcement. It was reported that ransom payments were traced and led to the arrested suspects.[i]
Nevertheless, Egregor is still active and being used as a payload in campaigns all over the world, as we have seen in the past couple of months. For example, a British estate agency was hit by a variant of Egregor, and customers’ personal data, such as credit card information, was discovered on the dark web. In another example, an American logistics company received threats from a hacker group suspected of having ties to Egregor regarding the exposure of sensitive data belonging to the company.[ii]
What is Egregor ransomware?
Egregor is a ransomware threat group that has gained a lot of traction in recent months. Despite being relatively new, it earned its reputation in a very short time through its strategy of applying two methods of extortion to its victims.[iii] “Egregor” is a term from Western magic that refers to the collective energy of a group of people who share a common purpose.[iv]
It is believed that Egregor ransomware is the successor to Maze ransomware, the notorious cybercrime group whose operations were shut down in October 2020. Maze’s attacks often had wide-ranging impact, which likely laid the groundwork for some of Egregor’s ambitions. Egregor ransomware is a modification of both Sekhmet ransomware and Maze ransomware: there are code similarities between all three malware families, and they all seem to target the same type of victim organizations.
Egregor operates under a “Ransomware as a Service” (RaaS) model. Criminal affiliates of the ransomware’s creators use specific variants of the malware, developed for them or for an attack on a particular organization, and in turn share the profits from the attack with the creators.
As mentioned, the ransomware leverages two different assets to extort the victim. The Egregor group breaches the organization’s network and encrypts data that it finds available so that it cannot be accessed by the victim. In addition, the attacker exfiltrates data that is found on the compromised devices and servers and threatens to publish this data. They also usually publish a subset of the exfiltrated data on their website (which is hosted on the dark web) as proof that they managed to get the data.
The victim is given an ultimatum: pay within a certain period, or the ransom increases.
One of Egregor’s first successful attacks was against Barnes & Noble, a widely known book retail chain, in October 2020. The attackers caused a temporary denial of service to the company and claimed to have obtained the company’s financial information, although the victim denied this claim.
Other large-scale attacks that month hit the two game development companies Crytek and Ubisoft. The attackers posted what they claimed were pieces of the games’ source code to their website and threatened to publish unreleased games.
In December 2020, Egregor claimed the Dutch HR company Randstad as another victim. The attackers released what they claimed to be 1% of the stolen data, consisting of financial documents, mostly Excel spreadsheets and PDF files.
Delivery and execution
One of the methods of delivery for Egregor is Cobalt Strike. Victim organizations are initially compromised through various means (RDP brute-force attacks, phishing) and once the Cobalt Strike beacon payload is executed, it is then used to deliver and launch the Egregor payloads.[v]
For example, when Egregor is delivered by phishing emails, the attack usually consists of two stages. First, the victim opens a crafted phishing email that loads a first-stage malware such as Qakbot; the actual Egregor ransomware follows. The Egregor payload is usually deployed by the attackers themselves after they leverage the initial compromise.
Cobalt Strike lets the attackers shift to an interactive, hands-on operation. They use tools to scan the Active Directory (AD) environment in order to move laterally, escalate their privileges, and eventually take control of a domain admin account.[vi]
Putting the malware under the magnifying glass
The Varonis Forensics team analyzed a sample of Egregor following a request from a customer. In this specific case, the malware was delivered by a PowerShell script, which downloaded the malicious DLL, placed it in the “Pictures” directory under the user’s public folder, ran it by supplying it as a parameter to “rundll32.exe”, and used specific functions inside the DLL.
The PowerShell script looks for a McAfee-related executable in order to uninstall the product, disabling a defense tool that could have prevented the ransomware from running. The malware then sleeps for 60 seconds.
The same PowerShell script downloads a payload DLL from a malicious IP address, stores it under the path “C:\Users\Public\Pictures”, and activates it by supplying it as a parameter to the executable “rundll32.exe” and running specific functions inside the payload DLL with the string “passegregor10” as a parameter. This string is essentially an anti-forensics key: the malware does not run, and therefore cannot be analyzed, unless this exact key is supplied.
Using several encryption-related libraries, including ones in the Microsoft DLL CRYPTSP.DLL found under “C:\Windows\System32”, the malware encrypts the files it finds on the victim’s device and appends a pseudo-random extension to each encrypted file. It then creates a ransom note in each folder in which it encrypted files, with instructions on how to pay the ransom and decrypt the files.
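As an added illustration (not Varonis code or the detection logic behind its products), the following Python applies the loader pattern just described, a PowerShell-spawned rundll32.exe loading a DLL from the public user folder and passing an extra argument to an export, to constructed Windows process-creation records. The record field names, the DLL and export names, and the pids are assumptions, not values taken from the report.

```python
r"""Added example (not Varonis code): flag the loader pattern described above, a
PowerShell-spawned rundll32.exe loading a DLL from the public user folder and passing
an extra argument to an export, in constructed process-creation records. Field names,
DLL name, export name and pids are assumptions, not values from the report."""
import re

# User-writable locations a signed system binary has no business loading a DLL from.
SUSPECT_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
# Leading image token (quoted or bare), then the remaining arguments.
IMAGE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(?P<args>.*)$')
# rundll32 arguments: <dll>,<export> [extra]; this parser accepts a comma or whitespace.
RUNDLL_RE = re.compile(r'^"?(?P<dll>[^",]+\.dll)"?\s*(?:,\s*|\s+)(?P<export>[^\s,]+)(?P<extra>.*)$', re.I)
ALERT_THRESHOLD = 2  # one weak signal alone (e.g. an extra argument) is normal rundll32 use


def inspect_rundll32(record):
    """Return the reasons a process-creation record matches the loader pattern ([] if none)."""
    if not record["image"].lower().endswith("rundll32.exe"):
        return []
    m = IMAGE_RE.match(record["command_line"])
    m = RUNDLL_RE.match(m.group("args")) if m else None
    if not m:
        return []
    reasons = []
    if any(d in m.group("dll").lower() for d in SUSPECT_DIRS):
        reasons.append("DLL loaded from a user-writable directory")
    if record["parent_image"].lower().endswith("powershell.exe"):
        reasons.append("rundll32 spawned by PowerShell")
    if m.group("extra").strip():
        reasons.append("extra argument passed to the export (possible run key)")
    return reasons


def scan(records):
    """Map pid -> reasons for every rundll32 record that raised at least one reason."""
    return {r["pid"]: hits for r in records if (hits := inspect_rundll32(r))}


def alerts(records):
    """Pids whose reason count reaches ALERT_THRESHOLD."""
    return [pid for pid, hits in scan(records).items() if len(hits) >= ALERT_THRESHOLD]


SAMPLE_RECORDS = [  # constructed records, not from a real incident
    {"pid": 4120, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\Pictures\sample.dll,DllRegisterServer passegregor10'},
    {"pid": 5008, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
]
```

Running `scan(SAMPLE_RECORDS)` attributes three reasons to pid 4120 and only the weak "extra argument" reason to the benign Control Panel launch, so `alerts()` reports 4120 alone.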
Varonis’ threat detection products have several built-in threat models that can identify the malware variants mentioned during different stages of their activity:
- “Crypto activity detected”: detects the creation of ransom notes on a file server.
- “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server without relying on known ransomware file names or extensions, enabling detection of new ransomware/data destroyer variants.
- “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain, by examining the amount of information sent.
- “Potential phishing attack: Access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters in the website’s URL.
- “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
- “Potential malicious file download was detected”: detects the download of a potentially malicious file.
- “Potential malware infection: dropper identified”: detects the potential infection of the environment by a dropper malware, which can be used to download the next stages of malware.
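The first two threat models in the list, ransom-note creation and encryption detected without known file names or extensions, expressed as Python detection logic over constructed file-server audit events. This is an added example, not Varonis’ implementation; the event layout, thresholds, user names and paths are assumptions.

```python
r"""Added example (not Varonis code): the 'Crypto activity detected' and 'user actions
resemble ransomware' threat models described above, as detection logic over constructed
file-server audit events. Event layout, thresholds, users and paths are assumptions:
an event is (timestamp_seconds, user, action, path[, new_path]), action 'create' or 'rename'."""
from collections import defaultdict
import ntpath  # Windows path rules, whatever host runs the detector

WINDOW = 60           # seconds of a single user's activity examined
RENAME_THRESHOLD = 5  # renames to unknown extensions inside WINDOW -> pattern alert
NOTE_FOLDERS = 3      # same new file name dropped in this many folders -> note alert


def detect(events, known_extensions):
    """Return findings: ('ransomware_pattern', user) and/or ('ransom_note', user, name)."""
    findings = []
    # Pattern model: per user, renames whose new extension is absent from the baseline,
    # counted in a sliding window, so no list of known ransomware extensions is needed.
    unknown_renames = defaultdict(list)
    for ts, user, action, path, *rest in sorted(events):
        if action == "rename":
            new_ext = ntpath.splitext(rest[0])[1].lower()
            if new_ext and new_ext not in known_extensions:
                unknown_renames[user].append(ts)
    for user, times in unknown_renames.items():
        start = 0
        for end, ts in enumerate(times):
            while times[start] < ts - WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings.append(("ransomware_pattern", user))
                break
    # Note model: one user creating the same file name across many folders.
    note_folders = defaultdict(set)
    for ts, user, action, path, *rest in events:
        if action == "create":
            note_folders[(user, ntpath.basename(path).lower())].add(ntpath.dirname(path).lower())
    for (user, name), folders in note_folders.items():
        if len(folders) >= NOTE_FOLDERS:
            findings.append(("ransom_note", user, name))
    return findings


KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}  # stand-in for a baseline inventory
SHARE = r"\\fs01\share"
SAMPLE_EVENTS = (  # constructed: one user encrypting a folder, one user working normally
    [(1000 + 3 * i, r"corp\jdoe", "rename", ntpath.join(SHARE, "finance", f"q{i}.xlsx"),
      ntpath.join(SHARE, "finance", f"q{i}.xlsx.k2jx9")) for i in range(6)]
    + [(1020 + i, r"corp\jdoe", "create", ntpath.join(SHARE, d, "RECOVER-FILES.txt"))
       for i, d in enumerate(("finance", "hr", "legal"))]
    + [(1005, r"corp\asmith", "rename", ntpath.join(SHARE, "hr", "policy.docx"), ntpath.join(SHARE, "hr", "policy.pdf"))]
)
```

`detect(SAMPLE_EVENTS, KNOWN_EXTENSIONS)` flags corp\jdoe twice, once for six renames to an unseen extension inside 15 seconds and once for the same note file name appearing in three folders, while the single docx-to-pdf rename by corp\asmith raises nothing.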
New Variants Analyzed in February
| Variant name | Popularity | Data-centric IOCs |
|---|---|---|
| Ranzy Locker Ransomware | 2 | .RANZYLOCKED |
| STOP Djvu Ransomware | 3 | .ribd |
| Help You Ransomware | 1 | .IQ_IQ |