Search This Blog

Showing posts with label DoppelPaymer. Show all posts

NRA Reacts to Allegations of a Ransomware Campaign


Last year, the National Rifle Association — champion of gun-toting maniacs worldwide, admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday. 

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's networks and stealing critical internal papers. It released screenshots of documents it claimed to be stolen during the event. The NRA did not confirm or deny it had been hacked at the time. 

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so." Andrew Arulanandam, managing director of NRA Public Affairs. 

The NRA was added as a new victim on the ransomware gang's data site today, along with pictures of Excel spreadsheets revealing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National,' which comprises bogus NRA grant applications. After Grief claimed it obtained 13 files supposedly from the NRA's databases, security researchers began posting about the breach on Wednesday. According to an analysis of the documents supplied, it included records from a recent NRA board meeting as well as grant documents. If the NRA did not pay an undisclosed ransom, it threatened to release more files. 

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the hacking gang published BitPaymer, ransomware which was later renamed DoppelPaymer in 2019. The US Department of Justice charged members of the Evil Corp with stealing more than $100 million and adding the cyber group to the Office of Foreign Assets Control (OFAC) sanction list after years of attacking US interests. 

Soon after, the US Treasury cautioned ransomware negotiators may face civil penalties if anyone helped gangs on the blacklisted list get ransom payments. To avoid US sanctions, Evil Corp has been spreading new ransomware strains under different identities on a regular basis since then.WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, quite recently, the Macaw Locker are among the ransomware families.

NRA members should take precautions to protect themselves from any penalties which may occur as a result of this breach, according to Paul Bischoff, a privacy advocate at Comparitech. With the Grief ransomware group emerging, security researchers believe it is another version of DoppelPaymer due to the code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.

Entropy Ransomware Connected to Dridex Malware, as per Sophos


The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy cybercrimes on different firms, researchers were able to establish a bond between the different pieces of malware. 

Sophos principal researcher Andrew Brandt claimed in a new study detection signature designed to detect Dridex which prompted a closer look into the Entropy virus, both of the target businesses had gadgets were unprotected. Despite the characteristic for recognizing the Dridex packer code, endpoint protection measures blocked the attack, which was started by identifying the Entropy packer code.

In all incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the twin attacks differed greatly in terms of the initial access point used to parasite its path within the networks, the period invested in each environment, and the malware utilized to initiate the final stage of the invasion. 

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.

Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than just one cloud storage service – in the form of packed RAR archives – occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from employing respectable tools like AdFind, PsExec, and PsKill, the resemblance between Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."

The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, a well-known Russian cybercrime outfit  Evil Corp. 

The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to mislead attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst various iterations of the malware, with the file-encrypting malware buried using a packer named CryptOne. 

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.

DoppelPaymer Searches for and Terminates Windows Processes


Crowdstrike Intelligence claimed in a July 2019 blog post on DoppelPaymer that ProcessHacker was being hijacked to terminate a list of targeted processes and obtain access, providing a "critical hit." DoppelPaymer is a descendant of the BitPaymer ransomware and a member of the Dridex malware family. It's presently being delivered in a variety of ways, including phishing or spam emails with attachments containing malicious code - either JavaScript or VBScript. 

DoppelPaymer places the ProcessHacker executable, the KProcessHacker driver, and the malicious stager DLL under a subdirectory of %APPDATA% to start ProcessHacker. The subdirectory name, as well as the executable and driver file names, are all a unique string of alphanumeric characters. Following the creation of those two files, one of the DLLs loaded by ProcessHacker must be hijacked using a technique known as "DLL search order hijacking."

DoppelPaymer sends the ProcessHacker process two arguments: the name of the KProcessHacker.sys driver and an integer that will be used for inter-process communication (IPC) between the DoppelPaymer and ProcessHacker processes.

DoppelPaymer, like Dridex, exploits DLL search order hijacking to exploit the DLL loading behavior of Windows programs. When the operating system PE loader loads a binary, it must also load the DLL files needed for the PE to function. When seeking for DLL files to load, MS Windows takes a certain path by default. Before checking the Windows system directories, Windows looks for Windows system DLLs in the same directory as the target program. In this situation, DoppelPaymer, a malicious process, can drop a malicious version of a DLL in that directory, which will be loaded by the target application. 

DoppelPaymer searches the module name list in the ProcessHacker binary's Import Address Table (IAT) to decide which DLL to hijack. Each name is hashed using the CRC32 algorithm and compared to a hardcoded list of hashes, if a match is found, the name is added to a list data structure. To select one of the three names from the list, a random number generator is employed. 

After selecting a DLL, the authentic Windows version of the DLL is read into a memory buffer. This DLL serves as a template for creating the malicious stager DLL. The file is saved in the same folder as the ProcessHacker executable and has the same name as the hijacked DLL.

Lockean Multi-ransomware Hitting French Companies--CERT-FR


France’s Computer Emergency Response Team (CERT-FR) professionals identified details about the tools and tactics used by a ransomware affiliate group, named Lockean. Over the past two years, the cyber group is targeting French companies continuously. Reportedly, at least eight French companies’ suffered data breaches on a large scale. The group steals data and executes malware from multiple ransomware-as-a-service (RaaS) operations. 

According to the data, the companies that have been victimized by this group are the transportation logistics firm Gefco, the newspaper Ouest-France and the pharmaceutical groups Fareva and Pierre Fabre, among a few others. 

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cybercriminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics, and procedures (TTPs…” 

“…First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor, and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale), reads the report published by CERT-FR.” 

In 2020, Lockean was spotted for the very first time when the group targeted a French manufacturing company and executed DoppelPaymer ransomware on the network. Around June 2020 and March 2021, Lockean compromised at least seven more companies’ networks with various ransomware families including big names like Maze, Egregor, REvil, and ProLock. 

In most of the attacks, the hackers gained initial access to the victim network through Qbot/QakBot malware and post-exploitative tool CobaltStrike. Qbot/QakBot is a banking trojan that changed its role to spread other malware into the system, including ransomware strains ProLock, DoppelPaymer, and Egregor, CERT-FR officials said. 

The cybercriminal group had used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to distribute QakBot via phishing email. Additionally, the group used multiple tools for data exfiltration including AdFind, BITSAdmin, and BloodHound, and the RClone.

Bretagne Télécom recovered 30 TB data in a ransomware attack by DoppelPaymer

Bretagne Télécom, a cloud service provider was hacked by DoppelPaymer, ransomware that exploited CVE-2019-19781 vulnerability in unpatched servers.

Bretagne Télécom is a French cloud hosting telecommunications company that provides a range of services like telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers with 10,000 servers.

Fortunately this is a success story with a happy ending, as the ransom attack was a failure with no data loss and no ransom paid. The company could restore the encrypted system and data from backups on Pure Storage FlashBlade arrays.

Around 30 TB data was encrypted

The attack took place in the first half of January, on the unpatched servers making them vulnerable to attack. The attackers started scanning the vulnerable servers from Jan 8 and attacked two days later. The company soon released patches to overcome the vulnerability with the final patch being published on January 24.

The DoppelPaymer's operators infiltrated around 148 machines with data from "around thirty small business customers", as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.

The DoppelPaymer Ransomware hackers demanded a ransom of 35 bitcoins (~$330K) for decrypting the system. Ofcourse, the company restored the data and didn't require the "decrypting services" from the hackers. Using the Pure Storage FlashBlade arrays' Rapid Restore feature, Bretagne Télécom could restore all of the customer's data.

"We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions."

"It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn't interfere," Boittin added.

"Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again."
The company personally decrypted and stored data from each customer without a network, some even took six hours. They could efficiently tackle the attack by considering them as data breaches, most of the companies do that resulting in compromise of sensitive information even before the encryption takes place.