Thursday March 7th 2019
This week we’re focusing on ransomware. Let’s take a look at two new pieces of ransomware, a ransomware infrastructure service, how ransomware is distributed, and what you can do about it. Spoiler, if you don’t already have plans to secure backups of your mission critical data, you’re going to make some after this week’s threat report.
Last week I predicted a GandCrab variant would be released on a specific underground, and looky here. There is a new Ransomware-as-a-Service (RaaS) being offered that originally marketed itself as GandCrab v2.
“Jokeroo RaaS” was recently discovered and is being promoted on underground forums and via Twitter. A Ransomware-as-a-Service is an online service that allows affiliates to sign up and distribute the ransomware. The program gives affiliates access to a fully functional ransomware and payment server. Chatter shows that the Jokeroo RaaS began promoting itself as a GandCrab ransomware RaaS but changed its name to Jokeroo RaaS.
To become an affiliate, would-be criminals pay to join with membership packages ranging from $90 up to $600 USD. This is another example of how the security marketplace and the threat marketplace are maturing together. We get Security-as-a-Service. They get Ransomware-as-a-Service.
Researchers have discovered a new variant of ransomware. Clop Ransomware, which appends the “.CLOP” extension to encrypted files, targets your entire network, not a single computer. Clop Ransomware is being distributed via code-signed executables; the digital certificate makes them appear more legitimate and may help to bypass security software detections. In an analysis performed by the researchers, the malware creates a batch file named “clearnetworkdns_11-22-33.bat.”
Once executed, the malware terminates numerous Windows services and processes to disable antivirus software running on the computer so that it can encrypt the victim’s files. In the final stage of the attack, the victim receives a ransom note containing the emails “firstname.lastname@example.org”, “email@example.com”, and “firstname.lastname@example.org” that can be used to contact the attackers for payment instructions.
One of the primary distribution methods for ransomware is through email campaigns that include a link to a malicious file or attach a malicious file. The trick to having a good link lure is to have a reputable-looking site. Dark Web services make it easy for attackers to set up legitimate-looking infrastructure: registering domains, obtaining SSL certificates, and setting up e-commerce sites. Additionally, it can all be bundled with ransomware for a discount. This shared infrastructure and software make attribution harder for researchers by providing threat actors with cover in the form of shared threat indicators.
One of the premier underground marketplaces for this infrastructure and identity service is DreamMarket. According to researchers, “This package of products and services allows attackers to credibly present themselves as a trusted US or UK company for less than $2,000.”
On the email attachment side of spreading ransomware, attackers need to make sure that their attachments won’t be detected as suspicious in transit or when executed. A common file format for malspam or spear phishing is a Windows office document.
Speaking of threaty threats, Windows documents have been evading detection; the Equation editor exploit popped back up by chaining in an unknown vulnerability. This exploit chain allows it to stealth past some native Windows security controls.
According to researchers, they “spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format. The group was able to exploit this vulnerability to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.”
With new ransomware, ransomware infrastructure services, and 0-day vulnerabilities that bypass security controls you can see that the focus is coming back to Ransomware. Attackers are able to extract more money from ransomware than from cryptocurrency mining. Not all campaigns are asset aware and know the value of the data they have compromised. Once attackers mature in this area, they will deploy cryptocurrency miners when the asset they land on is not worth ransoming. I predict we’ll have some malware that can deploy either or, depending on a scan of the file system and open connections.
The most important thing that you can do to make sure your organization is protected from ransomware is to create secure backups that attackers will not be able to erase/encrypt. That may mean storing backups outside of IT’s normal span of control.
Not all infections are the result of lateral movement from infected end users. In a recent threat report we covered the Docker RunC vulnerability CVE-2019-5736.
CVE-2019-5736 allows the attacker to gain root access from a Docker container by overwriting the host runC binary as root. According to researchers, “3,822 Docker hosts with the remote API exposed publicly. The exposed Docker remote API has already been abused by attackers using the compromised hosts to mine cryptocurrency.” Researchers reported that the exposed Docker remote API IPs are running Monero cryptocurrency miners.
Although these Docker hosts were used to mine cryptocurrency, it would have been just as easy for the attackers to deploy ransomware. Since this was likely just a large scan of the Web and not a targeted campaign, the attackers had no idea if the assets had valuable data.
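To check your own hosts for the exposure described above, the following added example (not from the researchers' report) audits a Docker `daemon.json` for TCP API listeners that accept connections without client certificates. The two configurations are constructed samples, and the check covers only `daemon.json`, not `-H` flags passed on the `dockerd` command line.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_docker_hosts(daemon_json_text):
    """Return (listener, verdict) for each TCP listener in a daemon.json document."""
    cfg = json.loads(daemon_json_text)
    # tlsverify plus a CA means the daemon only accepts clients with a signed cert.
    client_certs = cfg.get("tlsverify") is True and bool(cfg.get("tlscacert"))
    results = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local sockets, not network listeners
        if client_certs:
            verdict = "ok: client certificate required"
        elif (url.hostname or "") in LOOPBACK:
            verdict = "local only: no client authentication"
        else:
            verdict = "EXPOSED: no client authentication"
        results.append((listener, verdict))
    return results

# Constructed sample configurations (paths and addresses are placeholders).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_docker_hosts(text))
```
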
Oh yeah, RSA was this week and the NSA released an open source reverse engineering tool called Ghidra (and it has its own song). This sounds very cool and I like to see powerful tools made open source so we can get more people involved in solving problems. But I immediately reached for my tin foil hat.
Could it be that the NSA has released a reverse engineering tool that backdoors security researchers? Or, maybe it collects and ships home binaries and debug data to crowd source 0-day discovery? Luckily, researchers have already started looking into the source code.
Hacker Fantastic realized that when in debug mode Ghidra binds to all network interfaces on port 18001 and allows for remote code execution through Java Debug Wire Protocol (JDWP). While it’s not atypical to have debug access like this, the docs don’t make it clear that this is happening, and it should not bind to all interfaces by default. Ideally, Ghidra would default to localhost. The issue is being discussed on the NSA Ghidra repo. As a bonus to the bonus, here is a JDWP shellifier.
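To spot this class of misconfiguration on your own machines, the added example below (not Ghidra's code and not taken from the repo discussion) parses the JDWP agent option on a JVM command line and reports whether the debug listener is confined to loopback. The command lines are constructed samples and `java_major` is an assumed parameter for the JVM's major version.

```python
import re

# Matches both spellings of the JDWP agent option on a JVM command line.
AGENT_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "[::]"}

def jdwp_findings(cmdline, java_major=11):
    """Return (address, verdict) for every listening JDWP agent in cmdline."""
    findings = []
    for opts in AGENT_RE.findall(cmdline):
        kv = dict(p.split("=", 1) for p in opts.split(",") if "=" in p)
        if kv.get("server", "n") != "y":
            continue  # server=n: the JVM dials out to a debugger, no listener
        addr = kv.get("address", "")
        host = addr.rpartition(":")[0]
        if host in LOOPBACK:
            verdict = "loopback-only"
        elif host in WILDCARD:
            verdict = "EXPOSED: all interfaces"
        elif host == "":
            # Bare port: JDK 9+ binds loopback, JDK 8 and earlier bind every interface.
            verdict = "loopback-only" if java_major >= 9 else "EXPOSED: all interfaces"
        else:
            verdict = "EXPOSED: " + host
        findings.append((addr, verdict))
    return findings

# Constructed command lines (not Ghidra's launcher); 18001 is the port named above.
SAMPLES = [
    "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:18001 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=18001 -jar app.jar",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(jdwp_findings(sample))
```

Feed it the command lines of running JVMs (for example from a process listing) and treat any `EXPOSED` verdict as a listener to rebind to localhost or firewall.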