Search This Blog

Showing posts with label Hive. Show all posts

Sneak Peek: Hive’s RaaS Techniques

 

With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations. 

Indeed, service providers, such as Hive, are giving threat actors a head start in their criminal careers. Hive is a new RaaS group that was discovered in June 2021. However, its aggressive tactics and frequent variation improvements have turned it into a powerful opponent in the space. While other ransomware operators, like as REvil, dominated news in its first year, 

Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics shop.The attack piqued the interest of the RaaS industry, causing the platform's victim count to soon rise into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States. 

How Hive Set Up a "Sales Department" 

The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group. Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets. 

The Labs team discovered that Hive provides compromised victims a unique identification before encrypting their data, generally during unsociable hours, after reviewing some of the network traffic. Once this is accomplished, information about the victim is released on Hive's dark web data leak sites (DLS). The victim is then emailed an automatically created ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department." 

When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.

Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.

However, Microsoft has now announced that Hive has produced a new variation that uses a different programming language, switching from Golang to Rust. The migration is expected to give Hive with various benefits that Rust has over other programming languages, including the use of string encryption as a strategy to make it more elusive.

Surprisingly, the new variant will also employ a different cryptographic technique.While the Golang variation embeds one encrypted key in each file it encrypts, the Rust variant has been proven to construct two sets of keys in memory, use them to encrypt the files, and then save the sets to the root of the disc it encrypts, both with the.key extension. While the new variant's key set creation differs from the previous set examined by the Menlo Labs team, its file encryption is remarkably comparable.

With these changes, the Hive danger is projected to grow much more. As a result, enterprises must prepare to battle RaaS and ransomware more extensively in the future.

Hive Gang Changes Programming from Go to Rust

About Hive Ransomware

Microsoft Security researchers found new versions of Hive ransomware written in the Go programming language but now in Rust. Hive surfaced in June 2021, it was found by the FBI in August. In November, Mediamarkt, a European electronics retail company was hit by Hive. 

It's a RaaS (Ransomware as a service) double extortion gang that has recently been attacking vulnerable Microsoft Exchange Servers, compromised VPN credentials, phishing, and vulnerable RDP servers to install the ransomware and steal information that can be leaked. 

Why the change from Go to Rust

The Rust change from Hive has been underway for quite some time, it took its lessons from BlackCat ransomware, written in Rust as well. Researchers from Group-IB in March discovered that Hive changed its Linux encryptor (for attacking VMware ESXi servers) to Rust to make it difficult for cybersecurity experts to monitor the ransom talks with targets. 

The Rust rewrite is much easier, Microsoft Threat Intelligence Center in its blog said, "the upgrades in the latest variant [of Hive] are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. 

What is the impact

The implications of these updates are far-reaching, we should consider that Hive is a RaaS payload that Microsoft found in attacks against organizations in the software and healthcare industries from big ransomware actors like DEV-0237. 

Microsoft has mentioned some advantages of Rust over other languages that make it one of the most preferred languages among programmers, like good crypto library support and better memory security. 

Following are the benefits of Rust language, as per Microsoft: 

  • It offers memory, data type, and thread-safety It has deep control over low-level resources It has a user-friendly syntax 
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption 
  • It has a good variety of cryptographic libraries 
  • It's relatively more difficult to reverse-engineer 

ZDNet reports "Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: "Do not delete or reinstall VMs. There will be nothing to decrypt" and "Do not modify, rename or delete *.key files. Your data will be undecryptable." The *.key files are the files that Hive has encrypted."

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload

 

Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at Sentinel Labs describe a new obfuscation technique called "IPfuscation," which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.

Following this step, the virus executes the shellcode either directly through SYSCALLs or through a callback on the user interface language enumerator (winnls.h), resulting in a normal Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. 

Disassembling these “binary representations” indicates the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as was described above.

The conclusion here is that relying simply on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that combines suspicious elements from various locations have a better probability of removing IPfuscation.