
Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools

July 10, 2018 / Jared Myers

In June of 2018, an organization contacted the Carbon Black Threat Analysis Unit (TAU) about a ransomware attack it was investigating at the time. TAU team members worked with the firm investigating the incident. After the initial analysis was completed, it became apparent that this network had been compromised prior to the June ransomware attack.

Artifacts indicated that, as far back as October 2017, unknown actors were leveraging RDP to connect to a system from an IP address originating in Russia. However, the majority of the activity related to this attack started one week prior to the ransomware attack and focused on a second system on the network. There was a series of RDP connections over a seven-day period, with little other malicious activity. It is surmised that this activity was the attackers testing their access via compromised credentials on a daily basis prior to selling or leveraging the compromised system. On the day of the ransomware attack, one last RDP connection was initiated from Russia; approximately 20 minutes later an RDP connection from Sweden was made to a system on the network. Approximately 30 seconds after that connection was established, the attacker began downloading several files onto the system. Within minutes the attacker commenced their reconnaissance and ransomware attack.

It should be noted that this attack scenario has become very common over the last 12 to 18 months, and it continues to be successful and profitable both for groups selling access to compromised systems and for the attackers carrying out the ransomware portion. Traditionally, campaigns like this have targeted small to mid-size utility or energy companies, municipalities, and hospitals. In this latest variant, a ransomware family referred to as Dharma or Crysis is being leveraged.

This report is being released to highlight the ransomware campaign. These types of campaigns continue to grow in popularity, and they can typically be detected before attackers cause any damage or encrypt data. The details are intended to help practitioners understand how campaigns like this one transpire and to help defenders start thinking about improvements they can implement in their current security deployment. Unsurprisingly, attackers continue to leverage open-source or freely available programs to assist them in their network reconnaissance and preparations before launching the ransomware portion of their attacks. Files used in this attack revealed a repository containing numerous tools that were leveraged by the attacker. These tools highlight how attackers are utilizing off-the-shelf programs to conduct network reconnaissance and install secondary backdoors.

Technical Details

On June 25, 2018 at 9:02:08 a.m. (all times listed are GMT unless otherwise noted) an incoming RDP connection from 92.63.193.136, out of Russia, was established with a system. This IP address has been associated with other RDP brute-forcing attempts. It should be noted that the credentials used to authenticate appear to have been compromised well before this date; it is unclear, from the artifacts available, whether the credentials were compromised through brute-force attempts or in another manner. On that same date at 9:23:44 a.m., an incoming RDP connection from 178.73.220.28, out of Sweden, was established with the same system. After the connection from Sweden was established, six files were downloaded to system2 between 9:24:11 and 9:24:43 a.m. The two primary files are listed in the table below; the complete list of files can be reviewed in the IOC section.

Attacker Files

File Name       : 2fin.bat
File Size       : 28,099 bytes
MD5             : 8df69b03e08ebfb1145ad1cadb6813cc
SHA256          : 1fce87ccbf198f5b7c4062532e9380525f1d9b2a87db1f05a67c8cd815049122
Fuzzy           : 768:E6HZ9RdNLE3y8avWTLc9uHJJkPI7+Bvg0DKAkZHfYD:E6HZ9lG1kWJl7+Bvg0DKq
Magic           : ASCII text, with CRLF line terminators

File Name       : 11.exe
File Size       : 94,720 bytes
MD5             : 64a1fbb51ab62f1aa012172b45c8ca15
SHA256          : b9cd0b8222058e1e96043a56a44422d620d8fa6dc530a8a221f27be8cb5d21d1
Fuzzy           : 1536:mBwl+KXpsqN5vlwWYyhY9S4ALtFSNqzJWIfTUj02oH3TNZYIR6:Qw+asqN5aW/hLoEzJWPw2e3TI
Compiled Time   : Thu Mar 02 23:49:06 2017 UTC
PE Sections (3) : Name    Size    MD5
                  .text   40,448  fbdfbbcd720021a23c9e78b5511496b0
                  .rdata  10,240  bbeae82a2350eeb7334fa155ebec76d2
                  .data   43,008  d7961e6368e7b4aa8cd041c98fb80b56
Magic           : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Table 1: Attacker Files

11.exe

The 11.exe file is a ransomware variant of the Dharma or Crysis family; this sample has been observed in the wild since May of 2018. The sample uses an implementation of AES to encrypt files. The encryptor invokes cmd.exe to delete Volume Shadow Copies using the command vssadmin delete shadows /all /quiet. The sample starts with mapped drives before moving on to the root of the OS drive (presumably C:) and encrypts files that are not in the %windir%\System32 folder. Encrypted files receive an id-[generated ID #].[zara2018@cock.li].bip extension; the generated identification number is used to identify the system. The image below is an example of the ransom note presented to the user.


Figure 1: Ransom note

This variant decrypts strings as needed from the .data resource section. Initially the entire .data section is decrypted using the RC4 algorithm and a 128-byte key stored at the beginning of the data block itself (highlighted in red in the image below). The decrypted data contains a second 128-byte key, which is used to decrypt additional strings of varying length as needed during the execution of the program (an example is highlighted in green). The sample decrypts the API names it needs to carry out the encryption process, which are then loaded (highlighted in blue).

Figure 2: Resource decryption process

In addition to the API names that need to be loaded, a file extension list, attacker email addresses, the encrypted file extension, the ransom note, the commands used to delete shadow copies, and various other strings are also decrypted. The image below depicts the overall decryption process.


Figure 3: String decryption overview
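To make the two-stage scheme above concrete, here is a small Python re-implementation of the layout the report describes: an outer 128-byte RC4 key at the start of the blob decrypts everything after it, and the result begins with a second 128-byte key that decrypts individual strings on demand. This is an added example, not code from the original post or bytes from the 11.exe sample. The assumptions are the ones the report leaves open: that each string is an independent RC4 stream under the inner key and that it is located by an (offset, length) pair; the blob decrypted here is constructed for the example.

```python
"""Two-stage RC4 string recovery in the layout the write-up describes for 11.exe.
Added example, not the sample's code.  Assumed layout: [outer key 128][RC4(outer,
[inner key 128][string1][string2]...)], each string an independent RC4 stream under
the inner key, located by an (offset, length) pair.  Test data is constructed."""
import random

KEY_LEN = 128  # key size given in the write-up


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: derive the 256-byte state from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XOR; RC4 is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_data_section(blob: bytes) -> tuple[bytes, bytes]:
    """Stage 1: strip the outer key, decrypt the remainder, split off the inner key."""
    if len(blob) < 2 * KEY_LEN:
        raise ValueError("blob too short to hold outer key, inner key and data")
    outer_key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    plain = rc4_crypt(outer_key, body)
    return plain[:KEY_LEN], plain[KEY_LEN:]


def decrypt_string(inner_key: bytes, data: bytes, offset: int, length: int) -> str:
    """Stage 2: decrypt one string on demand, as the sample does at runtime."""
    return rc4_crypt(inner_key, data[offset:offset + length]).decode("latin-1")


def recover_strings(blob: bytes, table: list[tuple[int, int]]) -> list[str]:
    """Run both stages and return every string referenced by the offset table."""
    inner_key, data = decrypt_data_section(blob)
    return [decrypt_string(inner_key, data, off, ln) for off, ln in table]


def build_sample_blob(strings: list[bytes], seed: int = 2018) -> tuple[bytes, list[tuple[int, int]]]:
    """Constructed test data in the assumed layout (not bytes from 11.exe).
    Returns the encrypted blob and the (offset, length) table for each string."""
    rnd = random.Random(seed)
    outer_key = bytes(rnd.randrange(256) for _ in range(KEY_LEN))
    inner_key = bytes(rnd.randrange(256) for _ in range(KEY_LEN))
    body, table = bytearray(), []
    for s in strings:
        table.append((len(body), len(s)))
        body += rc4_crypt(inner_key, s)
    return outer_key + rc4_crypt(outer_key, inner_key + bytes(body)), table


# Plaintexts chosen to mirror the string kinds the write-up lists (an API name,
# the shadow-copy command, the extension); illustrative values only.
SAMPLE_STRINGS = [b"CryptAcquireContextW", b"vssadmin delete shadows /all /quiet", b".bip"]

if __name__ == "__main__":
    sample_blob, sample_table = build_sample_blob(SAMPLE_STRINGS)
    for recovered in recover_strings(sample_blob, sample_table):
        print(recovered)
```

Against a real sample, `build_sample_blob` is replaced by the raw .data bytes and the offset table by whatever the decrypt routine passes in at each call site; the two decrypt stages stay the same.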

2fin.bat

The 2fin.bat file is the most versatile sample downloaded by the attacker. The file initially attempts to delete several files from the system, which were not present on the targeted system in this attack (highlighted in yellow in the image below). This indicates that the batch file was not specifically crafted for this attack but is rather a tool reused from other or previous attacks. The batch file creates several internal variables (highlighted in red) and then concatenates and redirects Base64-encoded strings to the file “file.b64”, which is written to the system (highlighted in green). It should be noted that the Base64-encoded strings are located between BEGIN and END certificate declarations. The Base64-encoded data is not a certificate, and these declaration lines are ignored when the data is decoded in the next step. Once file.b64 has been created, the batch script invokes certutil.exe to decode that file, saving it to the system as 2sys.ps1. The batch file then invokes powershell.exe to run the 2sys.ps1 script, and finally attempts to delete itself from the system (these steps are highlighted in blue in the image below).


Figure 4: 2fin.bat
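The certificate framing is the detail worth checking for in triage, because certutil -decode strips BEGIN/END lines and Base64-decodes whatever sits between them. The Python below, an added example rather than the attacker's script or Carbon Black's code, pulls every echoed, PEM-framed blob out of a batch file, decodes it the way certutil would, and reports whether the result looks like a DER certificate or like text. The same check applies to pup.bat, which is described later as using the identical mechanism. The batch text here is constructed for the example and carries a harmless one-line payload; the regexes for the echo/redirect syntax are an assumption about the command shapes rather than a full batch parser.

```python
"""Triage of PEM-framed Base64 echoed into a file and decoded with certutil.
Added example; the batch text below is constructed, not 2fin.bat or pup.bat."""
import base64
import re
import string

PEM_MARKER = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")
# 'echo <content>' followed by '>' (truncate) or '>>' (append) and a target file.
ECHO_LINE = re.compile(r"^\s*echo\s+(.*?)\s*(>>|>)\s*(\S+)\s*$", re.I)

PAYLOAD = b'Write-Host "hello"'  # harmless stand-in for the real script
SAMPLE_BAT = (
    "@echo off\r\n"
    "set f=file.b64\r\n"
    "echo -----BEGIN CERTIFICATE-----> %f%\r\n"
    f"echo {base64.b64encode(PAYLOAD).decode()}>> %f%\r\n"
    "echo -----END CERTIFICATE----->> %f%\r\n"
    "certutil -decode %f% 2sys.ps1\r\n"
    "powershell -ExecutionPolicy Bypass -File 2sys.ps1\r\n"
    "del %f%\r\n"
    "del %~f0\r\n"
)


def collect_echoed_files(bat_text: str) -> dict[str, list[str]]:
    """Group echoed lines by the file they are redirected into ('>' restarts it)."""
    files: dict[str, list[str]] = {}
    for line in bat_text.splitlines():
        m = ECHO_LINE.match(line)
        if not m:
            continue
        content, op, target = m.group(1), m.group(2), m.group(3).lower()
        if op == ">":
            files[target] = []
        files.setdefault(target, []).append(content)
    return files


def certutil_decode(lines: list[str]) -> bytes:
    """Mimic 'certutil -decode': drop PEM marker lines, join, Base64-decode."""
    body = "".join(l.strip() for l in lines if not PEM_MARKER.match(l.strip()))
    return base64.b64decode(body, validate=True)


def classify(data: bytes) -> str:
    """A genuine DER certificate starts with a SEQUENCE tag (0x30); a script does not."""
    if data[:1] == b"\x30":
        return "der-like"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c in string.printable for c in text) else "binary"


def triage_batch(bat_text: str) -> list[dict]:
    """Decode every PEM-framed blob the batch writes and note what consumes it."""
    findings = []
    for target, lines in collect_echoed_files(bat_text).items():
        if not any(PEM_MARKER.match(l.strip()) for l in lines):
            continue
        decoded = certutil_decode(lines)
        findings.append({
            "file": target,
            "kind": classify(decoded),
            "decoded": decoded,
            "certutil_decode": re.search(r"certutil\s+-decode\s+" + re.escape(target), bat_text, re.I) is not None,
            "powershell_follows": re.search(r"\bpowershell\b", bat_text, re.I) is not None,
        })
    return findings


if __name__ == "__main__":
    for f in triage_batch(SAMPLE_BAT):
        print(f["file"], f["kind"], f["certutil_decode"], f["powershell_follows"], f["decoded"][:40])
```

A "text" verdict on a blob that the same script hands to certutil and then to powershell is the combination to alert on; a real certificate decodes to DER and is never executed.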

2sys.ps1

The metadata for the 2sys.ps1 file is listed in the table below.

File Name       : 2sys.ps1
File Size       : 17,736 bytes
MD5             : 5ec82a7129a13221b5a05e04565450fe
SHA256          : 70490a50dc2098db4c24889ba4fbc9df5cd5d3bc2c5fde95e4af5b66db8b51b8
Fuzzy           : 192:49sU90IZ1KY2fr4t8DC3K2Kw9u+bTlZXlX51m+S7ASGu4DvxVdDe:IsUYbrXC6t8xm7ASGu4FbDe
Magic           : ASCII English text

Table 2: 2sys.ps1 metadata

This PowerShell script is approximately 630 lines of code that perform numerous reconnaissance-type functions, which work together to compromise additional credentials and search for other systems where RDP is available. The script then cleans up after itself, attempting to remove traces or artifacts of its execution from the system. The functions run in sequence and are listed below:

  • The script redirects the output of the ipconfig command to the file ipc.txt.

  • That file is then parsed for IP addresses, which are written to the file ip.txt.

  • The script then takes the IP addresses in the ip.txt file and, for each IP, scans the /24 subnet range (e.g. 10.0.0.1/24), writing the discovered IP addresses to a file that is later used for scanning.

  • The IP addresses are scanned for systems that are online and accepting incoming RDP connections. The results are used later in this process.

  • The script then downloads Mimikatz, an open-source project to dump plain-text credentials. Mimikatz is run against the local system, dumping any credentials that may be cached on that system.

  • These credentials are then used with the list of IP addresses that are listening for incoming RDP connections, to see if the dumped credentials can authenticate on the remote systems. The attacker leverages NLBrute (version 1.2) to attempt the brute force of RDP connections with the dumped credentials. For any successful connections, the IP address and credentials are output to the console window. These are then presumably copied or saved off by the attacker and exfiltrated from the system.

  • The PowerShell script then downloads additional scripts from the attacker’s remote tool repository, which is hard-coded into the script (secded[.]xyz).

    • The script downloads the acc.bat file, which creates the following user (with associated password) on the system and then adds the account to the Admin and RDP groups:

      Username: wmicserv
      Password: Killadozer13

    • The acc.bat file also makes registry modifications that ensure the current system accepts RDP connections, and alters the Connection and Idle times.

  • The script then downloads and installs bcd.exe from the tool repository site.
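Several steps in the chain above, together with the shadow-copy deletion described for 11.exe, leave process-creation events that a defender can match on. The Python below is an added example, not code from the report or from Carbon Black, that runs a small rule set over constructed process-creation records: certutil -decode, PowerShell launched on the decoded file, local account creation and group additions of the kind acc.bat performs, an RDP-enabling registry change, and vssadmin shadow deletion, plus one correlation that ties a certutil -decode output file to a later PowerShell execution of it. The pipe-separated log format, host name, PIDs, timestamps and the fDenyTSConnections registry value are assumptions chosen for the example (the report does not name the registry values acc.bat changes); the command shapes and the account name come from the report.

```python
"""Detection rules over constructed process-creation records for the behaviours
described in the 2fin.bat/2sys.ps1/acc.bat chain and the 11.exe shadow-copy
deletion.  Added example; records, PIDs and format are constructed."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    ts: str
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events (ts|host|pid|ppid|image|cmdline), not logs from the incident.
SAMPLE_EVENTS = r"""
2018-06-25T09:25:01Z|system2|4100|3988|C:\Windows\System32\cmd.exe|cmd /c C:\Users\user1\Downloads\2fin.bat
2018-06-25T09:25:03Z|system2|4120|4100|C:\Windows\System32\certutil.exe|certutil -decode file.b64 2sys.ps1
2018-06-25T09:25:04Z|system2|4130|4100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -ExecutionPolicy Bypass -File 2sys.ps1
2018-06-25T09:31:10Z|system2|4300|4130|C:\Windows\System32\net.exe|net user wmicserv Killadozer13 /add
2018-06-25T09:31:11Z|system2|4301|4130|C:\Windows\System32\net.exe|net localgroup Administrators wmicserv /add
2018-06-25T09:31:12Z|system2|4302|4130|C:\Windows\System32\net.exe|net localgroup "Remote Desktop Users" wmicserv /add
2018-06-25T09:31:13Z|system2|4303|4130|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2018-06-25T09:40:00Z|system2|4500|4100|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2018-06-25T09:41:00Z|system2|4510|1200|C:\Windows\explorer.exe|explorer.exe
""".strip()


def parse_events(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, pid, ppid, image, cmdline = line.split("|", 5)
            events.append(ProcEvent(ts, host, int(pid), int(ppid), image, cmdline))
    return events


def _exe(e: ProcEvent) -> str:
    return e.image.rsplit("\\", 1)[-1].lower()


NET = ("net.exe", "net1.exe")
RULES = [
    ("certutil_decode",
     lambda e: _exe(e) == "certutil.exe" and "-decode" in e.cmdline.lower()),
    ("powershell_script_file",
     lambda e: _exe(e) == "powershell.exe" and ".ps1" in e.cmdline.lower()),
    ("local_user_added",
     lambda e: _exe(e) in NET and re.match(r"net1?(\.exe)?\s+user\s+\S+.*\s/add\b", e.cmdline, re.I)),
    ("local_admin_added",
     lambda e: _exe(e) in NET and re.search(r"localgroup\s+administrators\b.*\s/add\b", e.cmdline, re.I)),
    ("rdp_group_added",
     lambda e: _exe(e) in NET and re.search(r'localgroup\s+"?remote desktop users"?.*\s/add\b', e.cmdline, re.I)),
    ("rdp_enabled_in_registry",  # assumed registry value, not from the report
     lambda e: _exe(e) == "reg.exe" and "fdenytsconnections" in e.cmdline.lower()
     and re.search(r"/d\s+0\b", e.cmdline)),
    ("shadow_copies_deleted",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e.cmdline, re.I)),
]


def correlate_decode_to_exec(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """Pair each 'certutil -decode <in> <out>' with a later PowerShell run of <out>."""
    pending: dict[str, ProcEvent] = {}
    pairs = []
    for e in events:
        if _exe(e) == "certutil.exe" and "-decode" in e.cmdline.lower():
            pending[e.cmdline.split()[-1].lower()] = e
        elif _exe(e) == "powershell.exe":
            for out_name, decode_evt in pending.items():
                if out_name in e.cmdline.lower():
                    pairs.append((decode_evt.pid, e.pid))
    return pairs


def triage(text: str) -> dict[str, list[int]]:
    """Return rule name -> PIDs that matched, including the correlation rule."""
    events = parse_events(text)
    hits: dict[str, list[int]] = {name: [] for name, _ in RULES}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits[name].append(e.pid)
    hits["certutil_decode_then_powershell"] = [ps for _, ps in correlate_decode_to_exec(events)]
    return hits


if __name__ == "__main__":
    for name, pids in triage(SAMPLE_EVENTS).items():
        print(f"{name:32s} {pids}")
```

Any single rule fires on legitimate administration occasionally; the value is in several of them firing from one PowerShell parent within minutes, which is what the correlation rule and the shared ppid expose.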

bcd.exe

The bcd.exe file is a self-extracting (SFX) archive that creates an NSIS installer on the system. That file then creates temporary files and an installer, which creates rutserv.exe. This file is a component of the TekTonIT RMS tool (https://rmansys.ru/), a remote administration suite that allows users to access a system running the host component. The tool can be downloaded and free instances can be registered. The settings file extracted during analysis shows that this instance was registered with the email address snoudenerik@yandex.ru. This host component is configured to use the RMS servers as a proxy. The tool is popular on Russian hacker forums and has been used by criminal groups before, as documented in reports by DigitalDefenders, ProofPoint, and LookingGlass. The screenshot below shows the NSIS install script that is created and used to decode the rutserv.exe file and entrench it on the system.

Figure 5: bcd.exe install commands for RMS component

Tool Repository

Based on the hard-coded attacker tool repository URLs listed in the 2sys.ps1 script, TAU researchers were able to obtain all of the tools stored on the site at that time. It should be noted that most of the tools present had not been updated since May of 2018, and that the site was not up at the time of this post.

The following table highlights the relevant attacker files that were located on the tool repository site. The metadata for each of these files is listed in the IOC section.

/secded.xyz
├── css
├── fonts
├── images
├── index.html
├── js
└── sft
    ├── 1fin.bat
    ├── 2fin.bat
    ├── acc.bat
    ├── bcd.exe
    ├── prc.exe
    ├── pup.bat
    ├── sys.ps1
    └── unl.exe

Table 3: Tool Repository Overview

1fin.bat and 2fin.bat

The 1fin.bat and 2fin.bat scripts take different approaches to the same end result: network reconnaissance, credential dumping, and identifying other systems on the network segments where the compromised credentials are valid. Both batch files echo Base64-encoded strings to a file on the system (hard-coded as the names sys.ps1 and 2sys.ps1 respectively), use certutil.exe to decode that file, and use PowerShell to execute the result. Both PowerShell scripts use the ipconfig command to get the IP address(es) associated with the current system, then build a list of neighboring IP addresses, followed by downloading additional tools from the tool repository, such as Mimikatz, to dump cached credentials. The two scripts diverge in that sys.ps1 (created by 1fin.bat) contains code indicating that the attackers also used Hydra, an open-source project, to attempt to brute-force RDP connections, in addition to the NLBrute method. Both scripts output successful connections and attempt to remove forensic artifacts pertaining to the script's execution from the system.

acc.bat

The acc.bat file, as previously mentioned, is used to add an attacker-specific account to the system and add that account to the Admin and RDP groups. This allows the attacker to use the account and RDP (assuming it has not been disabled) to re-enter the network, even if a password reset has been required for previously compromised accounts. A screenshot depicting the script is below:


Figure 6: acc.bat

bcd.exe

The bcd.exe file was detailed above. It is a series of SFX and installer files that create rutserv.exe, a component of the TekTonIT RMS tool (https://rmansys.ru/).

prc.exe

The prc.exe file is the installer for the Process Hacker (version 2.39) application. This tool has many legitimate purposes, but it could be used maliciously because of its capability to modify processes and services.

pup.bat

The pup.bat file decodes a set of Base64 strings in the same manner described above, saving the output to a PowerShell file. That resulting file (p1up.ps1) is then executed by invoking PowerShell. The image below is an overview of the commands in the batch file; it should be noted that the Base64 content has been truncated for easier viewing.


Figure 7: pup.bat

p1up.ps1

The p1up.ps1 file, created by pup.bat, is used to download additional files from the tool repository, which are Base64-decoded using certutil.exe. The decoded scripts, which are privilege escalation modules from the PowerShell Mafia framework, are used to look for Windows privilege escalation vectors that are commonly due to misconfigurations on the system.


Figure 8: p1up.ps1

unl.exe

The unl.exe file is the IObit Unlocker software program. This program could be used by the attacker to close handles to files being targeted by the ransomware portion of this attack.

Indicators of Compromise

IOC              Type           Note
5.188.86.140     IPv4 Address   RDP connection from RU
92.63.193.136    IPv4 Address   RDP connection from RU
178.73.220.28    IPv4 Address   RDP connection from SE
secded.xyz       URL            Attacker tool repository hardcoded in 2sys.ps1

File hashes (SHA256 and MD5 for each file):

11.exe
  SHA256 : b9cd0b8222058e1e96043a56a44422d620d8fa6dc530a8a221f27be8cb5d21d1
  MD5    : 64a1fbb51ab62f1aa012172b45c8ca15

Mouse Lock_v22.exe
  SHA256 : f3ad7f8f00ffe7efce17f6b5b8667ef82c6df2c655bbafa9b637657465403a85
  MD5    : fc9c80e1767e1266056b1b2c89a74ce5

NS.exe
  SHA256 : 3da3b704547f6f4a1497107e78856d434a408306b92ba7c6e270c7c9790aa576
  MD5    : 869420f42c9448924f935e5c1e2d9949

processhacker-2.39-setup.exe
  SHA256 : f6b233988738f0aa65d2b44588a47213c445fa284e6a25c3d413b8891a93676d
  MD5    : 0646d1da4bac6a86bb420a5025842d84

2fin.bat
  SHA256 : 1fce87ccbf198f5b7c4062532e9380525f1d9b2a87db1f05a67c8cd815049122
  MD5    : 8df69b03e08ebfb1145ad1cadb6813cc

unlocker-setup (1).exe
  SHA256 : 3aa95a18ccaca04b14f45da4a9f8ca18e579e8300b4986dfd46112f979e353f5
  MD5    : 4f7fdd8534df4a515ad312a8bc1f27c0

2sys.ps1
  SHA256 : 70490a50dc2098db4c24889ba4fbc9df5cd5d3bc2c5fde95e4af5b66db8b51b8
  MD5    : 5ec82a7129a13221b5a05e04565450fe

1fin.bat
  SHA256 : 375e69749bd906d94c2888cf518cd2c1c936bb7995dbf423619fe3fe5f52c306
  MD5    : 9c98c897857f77bd60f8c5f6a9d9bfc3

sys.ps1
  SHA256 : 3aa95a18ccaca04b14f45da4a9f8ca18e579e8300b4986dfd46112f979e353f5
  MD5    : 72be429f3261cf85953bbdae48da76cd

acc.bat
  SHA256 : cd2ec4d64748b9a53dbdf09255da84d123626f3cbdbcb1cc94dc88715430a06e
  MD5    : 45a67419df13f21ec3b6e904280a1257

bcd.exe
  SHA256 : 0d8ff1f5234333086fdd19edfee9064e878bfaeb17a8ca504d4e9d78f96a9307
  MD5    : d441851f71e7c9a464ab2dbb107febc0

rutserv.exe
  SHA256 : cad2a39d7570ba48a5fa4fa3fda176c86a4a1aefaf66d016795d0de03870c29f
  MD5    : 6c8232c921dfbd380880e861fd99001b

prc.exe
  SHA256 : f6b233988738f0aa65d2b44588a47213c445fa284e6a25c3d413b8891a93676d
  MD5    : 0646d1da4bac6a86bb420a5025842d84

pup.bat
  SHA256 : 2b0cd44a49d2c82013a9851d6681d928a0f0fc4ba014ffb4bee573f57f1fe257
  MD5    : 6ec62097926ad1e762af235c7c739069

p1up.ps1
  SHA256 : 073a7b881bfb5ae7eddf29a75e13e07ff363403e22f338b3c02f216cbc2f7b0b
  MD5    : ecba2877fae7edbd46bae3e36589d294

unl.exe
  SHA256 : 3aa95a18ccaca04b14f45da4a9f8ca18e579e8300b4986dfd46112f979e353f5
  MD5    : 4f7fdd8534df4a515ad312a8bc1f27c0

Timeline Overview

GMT TZ          System                     Notes                                                        Associated Notes
10/24/17 18:35  system1.company_name.com   RDP Connection from 5.188.86.140 (RU)
3/27/18 22:24   system2.company_name.com   RDP Connection from st56.zingurrani.org (RU)
6/18/18 17:47   system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/18/18 19:39   system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/19/18 7:50    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/20/18 10:25   system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/21/18 0:34    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/21/18 5:01    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/21/18 7:58    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/21/18 22:04   system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/22/18 6:17    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/23/18 9:02    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/24/18 11:46   system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/25/18 2:10    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/25/18 9:02    system2.company_name.com   RDP Connection from 92.63.193.136 (RU)
6/25/18 9:23    system2.company_name.com   RDP Connection from 178.73.220.28 (Sweden)
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\11.exe created                      Ransomware Encryptor – Dharma Ransomware Variant
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\Mouse Lock_v22.exe created          tool to lock mouse position on screen
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\NS.exe created                      tool to mount network shares
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\processhacker-2.39-setup.exe created   process manager tool
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\2fin.bat created                    Reconnaissance Script – multiple capabilities
6/25/18 9:24    system2.company_name.com   C:\Users\user1\Downloads\unlocker-setup (1).exe created      tool to release locked file handles
