This report is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.
Malware Overview – Ryuk
[1] Ryuk is a strain of ransomware that was discovered in August 2018. It is different from other types of ransomware variants, such as WannaCry, in that it is used mostly in targeted attacks. Ryuk is designed in a way that forces the attacker to give each victim individual attention.
Well-known variants of Ryuk have 2 main methods of infection: using specially crafted spear-phishing emails, usually aimed at specific personnel inside an organization, and using pre-acquired credentials to access devices inside environments via remote desktop.
[2] Ryuk has recently been observed using the Zerologon exploit (CVE-2020-1472), which allows the cybercriminals to escalate their privileges much faster than they can via other methods. As a result, it is common to see the attacker use the password of the primary domain controller to move laterally to the rest of the domain controllers and using them to spread the ransomware across the network.
Malware Overview – Silent Librarian APT
[3] Silent Librarian, AKA COBALT DICKENS or TA407, is a threat actor that uses spear phishing techniques to attack universities, mostly in the United States but also in other parts of the world. It specifically targets university staff and students, as the goal of these attacks is stealing academic research data.
Based in Iran and most likely funded by the Iranian government, Silent Librarian represents Iran’s intentions and interests to keep up with the world’s scientific development despite the severe sanctions the country faces.
In order to get the victims to fall in their trap, Silent Librarian uses domain names very similar to the university’s real domain name, except that they swap the top-level domain name for another.
For example, the domain of “Western University Canada” is “login.proxy1.lib.uwo.ca”, and the attackers use the domain “login.proxy1.lib.uwo.ca.sftt.cf”. For “The University of Adelaide Library”, the real domain name is “library.adelaide.edu.au”, while the attacker used the domain “library.adelaide.crev.me”.
This is what the phishing site looked like:
Silent Librarian uses Cloudflare’s service to hide the hosting origin, as the attackers tend to use infrastructure based in their own country, most likely due to their inability to acquire infrastructure in different countries.
Malware Overview – Mekotio
Mekotio is a banking trojan that was first seen in the wild on 2015. Banking trojans became increasingly popular in the last years, due to how profitable they can be as a payload of a successful attack.
[4] In order to remain undetected by AV and EDR solutions, banking trojans need to constantly change and evolve, and the Latin-American trojan Mekotio is an excellent example of that – not only does its feature set change often, but it is also believed that multiple variants of Mekotio are developed simultaneously at all times. Mekotio is mostly delivered via spam emails and uses several stages of loaders.
In its attacks, Mekotio tends to use specially crafted pop-up windows, carefully designed to target Latin-American banks, to collect sensitive information. Mekotio has advanced recon capabilities to identify firewall configurations, Windows version, which security solutions are installed, and whether the current user holds of administrative privileges. It also uses standard techniques to achieve persistence, by using registry keys or the Windows startup folder.
It contains several interesting capabilities, in addition to usual ones like keylogging and screenshotting, such as exfiltrating credentials stored in the Google Chrome browser, stealing crypto-currency by replacing strings in the clipboard, and partial destruction of data by removing files and folders in system-related directories.
Due to the difference in the banking systems in different countries, banking trojans variants tend to be location-specific. Mekotio is no different. While its primary target is Latin-American banks, it is also known to target dozens of victims, mainly Brazil, Chile, Mexico, and Peru.
Varonis Detections
Varonis DatAlert has have several threat models that can identify the malware variants mentioned, on different stages of their activity:
- “Crypto activity detected”: detects the creation of ransom notes on a file server or cloud data store.
- “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server, without relying on known ransomware file names or extensions, thus allows detection of new ransomware/data destroyer variants.
- “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain, by examining the amount of the information sent.
- “Potential phishing attack: Access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters on the website’s URL.
- “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
Success story of the month
One of Varonis’ customers – a company in the US with thousands of employees, had an incident involving NetWalker ransomware.
The forensics team proactively reached out to the customer when our threat hunting systems indicated they might be experiencing a stealthy ransomware attack.
During an investigation session, it became clear that the customer had a compromised user in O365, which the attacker used to gain access to the on-premise network.
Inside the network, the attacker managed to compromise a service account, which was used to run both Cobalt Strike and NetWalker ransomware.
Our team helped the customer by:
- Utilizing Varonis to investigate the alerts together with the customer and verify that all bases were covered
- Correlating the known phases of the attack to the granular events in Varonis
- Providing IOCs of the NetWalker variant so the customer could perform forensics in their other security solutions
- Providing a full and comprehensive malware report, including explanations of the NetWalker variant’s capabilities by reverse-engineering the sample found in their environment
New Variants Analyzed in October
| Variant name | Popularity | Data-centric IOCs |
| mechu ransomware | 1 | Extension: .mechu4Po |
| Babaxed Ransomware | 2 | Extension: .babaxed |
| Dharma ransomware | 3 | Extension:.WSHLP |
| EasyRansom ransomware | 1 | Ransom note: easyransom_readme.txt
Extension: .easyransom |
| STOP ransomware | 3 | Extension: .lyli |
| Dharma ransomware | 3 | Extension: .fresh |
| Mame VSE Ransomware | 1 | Extension: .mame vse |
| Dharma ransomware | 3 | Extension: .homer |
| Dharma ransomware | 3 | Extension: .flyu |
| Babaxed Ransomware | 2 | Extension: .osnoed |
| STOP Djvu ransomware | 3 | Extension: .moss |
| SantaCrypt Ransomware | 2 | Ransom note: HOW_TO_RECOVER_MY_FILES.TXT
Extension: .$anta |
| Curator ransomware | 1 | Extension: .CURATOR |
| WoodRat ransomware | 1 | Extension: .woodrat |
| Cyber_Splitter | 1 | Extension: .Dcry |
| Dharma ransomware | 3 | Extension: .gtsc |
| Snatch Ransomware | 1 | Extension: .clhmotjdxp |
| Nibiru Ransomware | 1 | Extension: .Nibiru |
| Geneve Ransomware | 1 | Extension: .fezmm |
| Ranzy Locker Ransomware | 1 | Extension: .RNZ |
| Matrix Ransomware | 3 | Ransom note: J91D_README.rtf
Extension: .J91D |
| Matrix Ransomware | 3 | Ransom note: S996_INFO.rtf
Extension: .S996 |
| Matrix Ransomware | 3 | Ransom note: FDFK22_INFO.rtf
Extension: .FDFK22 |
| Consciousness Ransomware | 1 | Ransom note: Consciousness Ransomware Text Message.txt |
| AIDS_NT Ransomware | 1 | Ransom note: AIDS_NT_Instructions.txt |
| Xorist ransomware | 2 | Extension: .emilisub |
| ThunderX | 1 | Extension: .tx_locked |
| Xorist ransomware | 2 | Extension: .hnx911 |
| MedusaLocker | 2 | Extension: .networkmaze |
| OGDO STOP | 1 | Extension: .ogdo |
| Flamingo Ransomware | 1 | Extension: .FLAMINGO |
| Dharma Ransomware | 3 | Extension: .eur |
| Dharma Ransomware | 3 | Extension: .blm |
| XMRLocker | 1 | Extension: .[XMRLocker] |
Top Attack Vectors Observed in October 2020
Bibliography
[1] – https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/ryuk-ransomware/
[2] – https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
[3] – https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
