Introduction

A recent report [1] from the Cybersecurity and Infrastructure and Security Agency (CISA) has alerted the public about possible forthcoming ransomware attacks that target the health industry.
This report has raised concerns [2] especially because of the current pandemic, which has strained the resources of hospitals and care centers. As a consequence, a ransomware attack, in addition to crippling a healthcare provider’s infrastructure, might actually put at risk the lives of patients.

The advisory describes in detail the tactics, techniques, and procedures (TTPs) followed by the malicious actors who, at the moment, seem to be associated with Russian crime groups.
The attack uses a number of malware components, such as TrickBot, BazarLoader, Ryuk, and Cobalt Strike, in order to compromise networks, create bridgeheads, and then move laterally so that, eventually, a ransomware attack can be successfully carried out.

In the rest of this report, we present the characteristics of the various components of the attacks. We look at both the actual malware components (i.e., the code that performs the malicious actions), as well as the network evidence associated with their actions. Even though a number of these components (as well as similar ones) have been covered previously by our threat intelligence group [3] [4] and recently by other researchers [5], it is useful to see how this particular attack plays out and how it can be detected.

Artifact Analysis

In most cases, the initial steps of the attack are social engineering attacks that trick users into downloading and executing downloaders (TrickBot and BazarLoader), which, in turn, download the ransomware (Ryuk).
In this analysis, we cover TrickBot, BazarLoader, and Ryuk in more detail.

All three malware samples are successfully identified as malicious by our artifact analysis sandbox, by relaying on the extracted malicious behaviors.

TrickBot

TrickBot was initially devised as a banking Trojan, and, since its inception, has evolved in a number of different ways, adding new modules that provide different types of functionality.
In the attacks that have been observed recently, TrickBot has been mainly used as a conduit to drop additional malware, and, in this particular case, the Ryuk ransomware.
An interesting aspect of TrickBot is the recent introduction of a DNS tunneling component, called Anchor DNS, which allows the malware to establish a command-and-control channel with

an outside host. DNS tunneling is often leveraged because outgoing TCP connections might be blocked or receive unwanted attention, while, instead, DNS requests to outside hosts are usually allowed as they are necessary for the normal operation of the network. An interesting aspect of this DNS tunnel is the use of a simple obfuscation technique (i.e., XOR-ing the content with a single byte) to avoid immediate detection. Some example of this kind of behavior were detected and blocked on our customers’ networks as early as August 2020.

We were able to collect a number of TrickBot samples and we used our sandbox analysis systems to extract the behavior of the samples. Error! Reference source not found. below shows the results of the analysis of one of the samples.

TrickBot Ransomware Sample

Table 1: One of the TrickBot samples collected.

In the following figure, we can see the full behavioral analysis when analyzing the sample dynamically.

Behavioral Analysis When Analyzing Sample Dynamically

Figure 1: Analysis overview for the sample shown in Table 1.

In addition to the TrickBot samples discussed above, we also identified some specific instances of the Anchor DNS module. Figure 2 shows the detection timeline of Anchor DNS by VMware NSX. Interestingly, the detonations go as far back as late August 2020, showing that the threat was active since then.

Figure 2: Detection timeline of Anchor DNS by VMware NSX.

The most peculiar aspect of Anchor DNS is its ability to communicate to the C2 servers over DNS in an obfuscated fashion [6]. Emerging Threat describes both protocol and signatures in a recent report [7]. Figure below shows how the network activity produced by analyzing dynamically the sample 942701c5dc21bd6af902181fa673d8459683479b in the VMware NSX sandbox.

Analysis Overview of an Anchor DNS Sample

Figure 3: Analysis overview of an Anchor DNS sample.

BazarLoader

BazarLoader is another malware downloader similar to TrickBot, often used as a precursor of a ransomware attack that involves Ryuk.
Usually BazarLoader is delivered through social engineering, by luring an unsuspecting user into clicking on an email link.

The link often points to a file on Google Drive that appears to be a PDF file, which, in turn, contains a URL that points to the malware payload [8].
Below (see Figure 4) there is an analysis of a BazarLoader sample that was associated with the “Text_Report.exe” file name, which is one of the IoCs described in the recent advisory [1]. See Figure 5 for the PCAP analysis of the generated network traffic.

Analysis Overview for a BazarLoader Sample

Figure 4: Analysis overview for a BazarLoader sample.

PCAP Analysis Detecting Resolution of the Bazar Domain

Figure 5: PCAP analysis detecting resolution of the bazar domain.

Ryuk

Ryuk is a ransomware that uses a number of techniques to spread through a network and encrypt files [9]. Ryuk is believed to be an evolution of the HERMES ransomware, which appeared first in 2017 [10].

Ryuk relies on both Cobalt Strike and PowerShell Empire, as well as “live off the land” tools, such as RDP, in order to move laterally through the network, using a combination of scanning techniques and credentials harvesting.
Similar to other ransomware threats, once the target has been profiled, the ransomware encrypts the files, and attempts to delete any backup and shadow copies.

Ryuk Ransomware Samples

Table 2: One of the Ryuk samples collected.

Ryuk Ransomware Sample in VMware NSX Sandbox

Figure 6: Analysis overview for a Ryuk sample in VMware NSX sandbox.

Network Evidence

Our solution provides a number of signatures to detect various aspects of the network behavior of the malware components described in the previous section.
More precisely the following table shows the currently deployed network signatures that target these threats.

Network Signatures That Target Threats
Network Signatures for Threats Under Analysis

Table 3: Network signatures for the threats under analysis.

As shown in the figure below, our threat intelligence sensors have been detecting malicious network activity originating from the IP addresses included in the CISA report [1] in the month of October.

Detection Timeline of Malicious Network Activities

Figure 7: Detection timeline of malicious network activities from the IP addresses in [1].

While 5% of all the detection is related to education, 95% of all detections targeted the Healthcare sector, and involved the IP address 38.89.106[.]69.

In-depth Analysis

In the following, we provide an in-depth analysis that focuses on the following samples:

Bazar Loader (EXE)

  • c361742189a14d011847080f6becd024
  • 1e30713681e7439b059ea95431be132a [11]
  • 704dea93ef129b6c10b5b02433b51ec2
  • 45ed8898bead32070cf1eb25640b414cRyuk (DLL)• 890206F0C506366D480E02FC9FED988A Ryuk (EXE)• 85057B3F1210043CE7821E249AC96B29

The chain of attack starts with a phishing email. The user clicks on the link in the email, which downloads an executable and runs it. The executable is a BazarLoader, which downloads and runs the Bazar Backdoor. The backdoor runs Cobalt Strike and eventually starts the Ryuk ransomware (for a more detailed analysis of this kill chain see [11]).

BazarLoader’s main tactic is to use as many legitimate services as possible, namely:

  • Google Docs links in emails
  • Signed executables with correct signatures
  • EmerDNS (decentralized blockchain DNS) for communication with C&C server -using .bazar domains

All samples are trying to reach a C&C via a normal domain name to download and run the Bazar

Backdoor.

EXE (1e30713681e7439b059ea95431be132a)

BazarLoader runs a shellcode similarly to Ryuk’s EXEs and DLLs (see below). The shellcode is almost the same one which is used in Ryuk (see below) except for the constants that the code loads into the registers:

Ryuk rasadhlp EXE (85057B3F1210043CE7821E249AC96B29)

Even though this file is an EXE file (not a DLL), it mimics rasadhlp.dll:

Ryuk Ransomware Mimics rasdhlp.dll

Figure 8: Ryuk mimics rasdhlp.dll.

This component is signed by MADAS d.o.o.:

Ryuk Ransomware rasdhlp.dll Certificate

Figure 9: The Ryuk rasdhlp.dll certificate.

The executable is a matryoshka-style malware:

EXE

WinMain:

1. There is a shellcode in EXE’s resources;
2. The shellcode contains a DLL;
3. The DLL contains another DLL stored in the .data section, where the main functionality is.

  1. EXE exports a function called “CSBhvSWCvFRvfCfAoJdoFuAUmK” that contains the main functionality. GetProcAddress helps getting its address.
  2. Calls CSBhvSWCvFRvfCfAoJdoFuAUmK
  3. Creates a hidden window with class name “SBhvSWCvFRvfCfAoJdoFuAUmK” and windowname “PNG Demo V1.00“: CreateWindowExA, ShowWindow, UpdateWindow
  4. Performs standard windows message loop: GetMessageA, TranslateMessage,DispatchMessageA

CSBhvSWCvFRvfCfAoJdoFuAUmK runs the next stage – the shellcode:

1. Calls GetProcAddress to get the address of VirtualAlloc
2. Loads resource 888\8895 with help of: FindResourceA, LoadResource, SizeofResource 3. Allocates 0x4461E bytes of RWX memory with VirtualAlloc
4. Copies the shellcode into the allocated memory, then decrypt it
5. Calls the beginning of the allocated memory

Shellcode

The purpose of the shellcode is to map the next stage DLL into memory and then transfer execution:

  1. By manually parsing the TEB, PEB, etc., it retrieves pointers to: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, ZwFlushInstructionCache, GetNativeSystemInfo. It then stores and calculates hashes of function names.
  2. Maps sections into memory, fixes imports by parsing them ,and then finds addresses via LoadLibraryA and GetProcAddress
  3. Transfers execution to the first DLL

Beginning of the shellcode:

First DLL Message: Shellcode

First DLL

This is not a sophisticated component: with the help of VirtualAlloc, LoadLibraryA and GetProcAddress it maps the second DLL into memory, fixes imports, and then, with the help of GetProcAddress, finds a function called “StartFunc”, which the second DLLs exports. It calls that StartFunc and then calls ExitProcess.

Second DLL

The DLL is lightly obfuscated. StartFunc starts by setting up a timer for 60 seconds with SetTimer call and then waits for the signal calling GetMessageA and DispatchMessageA in a cycle. Even though it is importing a significant amount of normal-looking APIs, it retrieves pointers to the most interesting ones manually:

Second DLL Message

Winsock functions as well:

Winsock Functions

Before the DLL performs anything malicious, it makes sure it is not running on a Russian system:

  1. Decrypts the word “Russia”
  2. Calls GetLocaleInfoA to retrieve current country and language setting
  3. Calls wnsprintfA to form a string “country_language”, e.g., “United States_English“
  4. Immediately exits if StrStrA finds “Russia” in that string

Ryuk implements HTTPS with help of CryptXxx functions from advapi32.dll and CertXxx functions from crypt32.dll. The Winsock functions from ws2_32.dll mentioned above are used for data transfer.

This is the first message sent out by the DLL:

First Message Sent Out by the DLL

Ryuk PluginSample.dll (890206F0C506366D480E02FC9FED988A)

Attackers run this DLL manually (according to [12], [13]):

rundll32 C:\\PerfLogs\\socks64.dll, rundll

Despite the name used, it is not a SOCKS library. This DLL acts similarly to EXE described above:

1. Loads a shellcode from resources;
2. The shellcode maps and runs the first DLL;
3. The first DLL maps and runs second DLL, where the main functionality is.

PluginSample.dll

The most important functions exported by the DLL are called “rundll” and “SGeruIUrgVdfMaxMccIKRh”. rundll is the starting point, which must be executed manually. It finds the address of SGeruIUrgVdfMaxMccIKRh in the exports, and then calls it. SGeruIUrgVdfMaxMccIKRh loads the shellcode in a similar way to CSBhvSWCvFRvfCfAoJdoFuAUmK (as described above).

Afterwards the sample adds itself to autorun:

1. Calls StringFromGUID2 to get “{9E683E3F-9A8E-4109-B067-0CD924DB653E}”
2. Calls GetModuleFileNameW to get its full path
3. Calls a series of RegCreateKeyExW+RegSetValueExW+RegCloseKey calls to create this

hierarchy (assuming that “C:\\share\\socks64.dll” is DLL’s full path):

[HKEY_CLASSES_ROOT\CLSID\{9E683E3F-9A8E-4109-B067-0CD924DB653E}]

@=”Read-Only Photo Acquire Plugin”

[HKEY_CLASSES_ROOT\CLSID\{9E683E3F-9A8E-4109-B067-0CD924DB653E}\InprocServer32]

@=”C:\\share\\socks64.dll”

“ThreadingModel”=”Apartment”

4. And then this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PhotoAcquisition]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Photo

Acquisition\Plugins]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Photo

Acquisition\Plugins\{9E683E3F-9A8E-4109-B067-0CD924DB653E}]

“DisplayName”=”@C:\\share\\socks64.dll,-1”

Shellcode

The shellcode is identical to the one found in EXE (see above).

First DLL

The technique used to run the second DLL is identical to the one found in EXE (see above).

Second DLL

This DLL contains the main functionality. Before it does anything malicious it needs to reach its C&C server. All interesting strings (such as IP addresses) are encrypted. It decrypts them on the fly, holding decrypted strings on the stack for the time of use. It does not perform any further actions until it establishes connection with a server. It does so repetitively:

10

If the connection succeeds, then the sample:

  • Calls interesting APIs (GetVolumeInformationA)
  • Connects to https://api.ipify.org/ and https://ip4.seeip.org/
  • Uses Tor. The sample contains hardcoded IP address of Tor nodes as well as some strings from the Tor Rendezvous Specification:
Hardcoded IP Address of Tor nodes and Tor Rendezvous Specification
  • Runs PowerShell scripts with – WindowStyle Hidden -ep bypass -file

Conclusions

The combination of the TrickBot and BazarLoader downloaders with the Ryuk ransomware represents a notable threat.
These malware samples can be detected by performing behavioral analysis (i.e., executing the artifacts in a sandbox) or by building models (both signatures and anomaly detectors) that identify both malicious and suspicious network activity.

VMware NSX, by composing network analysis with program analysis, provides complete visibility into this threat.

Bibliography

[1]  CISA, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” 28 October 2020. [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa20-302a.

[2]  NPR, “U.S. Hospitals Targeted In Rising Wave Of Ransomware Attacks, Federal Agencies Say,” 29 October 2020. [Online]. Available: https://www.npr.org/2020/10/29/928979988/u-s-hospitals-targeted-in-rising-wave-of- ransomware-attacks-federal-agencies-say.

[3]  R. Henderson, “Ryuk: Defending Against This Increasingly Busy Ransomware Family,” 27 February 2020. [Online]. Available: https://www.lastline.com/blog/threat-intelligence- bulletin-week-ending-feb-7-2/.

[4]  S. Ortolani and J. Haughom, “Evolution of Excel 4.0 Macro Weaponization,” 2 June 2020. [Online]. Available: https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro- weaponization/.

[5]  Sophos, “They’re back: inside a new Ryuk ransomware attack,” 14 October 2020. [Online]. Available: https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware- attack/.

[6]  Cybereason, “Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware,” 11 December 2019. [Online]. Available: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the- discovery-of-the-anchor-malware.

[7]  NTT, “TrickBot variant “Anchor_DNS” communicating over DNS,” [Online]. Available: https://hello.global.ntt/insights/blog/trickbot-variant-communicating-over-dns.

[8]  FireEye, “Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser,” 28 October 2020. [Online]. Available: https://www.fireeye.com/blog/threat- research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html.

[9]  Crowdstrike, “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware,” 10 January 2019. [Online]. Available: https://www.crowdstrike.com/blog/big-game-hunting- with-ryuk-another-lucrative-targeted-ransomware/.

[10]  TrendMicro, “Examining Ryuk Ransomware Through the Lens of Managed Detection and Response,” 14 March 2019. [Online]. Available: https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital- threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and- response.

[11]  R. Marshanski and V. Kremez, “”Front Door” into BazarBackdoor: Stealthy Cybercrime Weapon,” 12 October 2020. [Online]. Available: https://www.advanced- intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon.

[12]  The DFIR Report, “Ryuk in 5 Hours,” 18 October 2020. [Online]. Available: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/.

[13]  The DIFR Report, “Ryuk’s Return,” 8 October 2020. [Online]. Available: https://thedfirreport.com/2020/10/08/ryuks-return/