Dissecting ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world encourages more and more new attackers to "enter the game." One such new player is the group using the ProLock ransomware. It appeared in March 2020 as the successor to PwndLocker, which had been active since the end of 2019. ProLock attacks primarily target financial and healthcare organizations, government agencies, and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post Oleg Skulkin, Leading Specialist at the Group-IB Computer Forensics Laboratory, describes the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article ends with a mapping to the MITRE ATT&CK matrix, a public knowledge base of the targeted-attack tactics and techniques used by various cybercriminal groups.

Getting Initial Access

ProLock operators use two main initial access vectors: the QakBot (Qbot) Trojan and insecure RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular with ransomware operators. Attackers usually buy access to an already compromised server from third parties, but members of the group can also obtain it themselves.

A more interesting initial access vector is the QakBot malware. Previously this Trojan was associated with another ransomware family, MegaCortex; now ProLock operators use it as well.

As a rule, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to such a file hosted in cloud storage such as Microsoft OneDrive.

There are also known cases of QakBot being downloaded by another Trojan, Emotet, which is widely known for its role in campaigns that distributed the Ryuk ransomware.

Execution

After downloading and opening the malicious document, the user is prompted to enable macros. If the user does, PowerShell is launched to download and run the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases a scheduled task is used to start PowerShell.

Batch script that starts ProLock through the task scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If the attackers managed to compromise an RDP server and gain access, they use valid accounts to maintain their foothold in the network. QakBot is characterized by a variety of persistence mechanisms. Most often this Trojan uses the Run registry key and creates tasks in the scheduler:

[Figure] QakBot persistence in the system using the Run registry key

In some cases startup folders are also used: a shortcut pointing to the loader is placed there.

Defense Evasion

While communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. The executables are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension, and after execution it is replaced with the legitimate calc.exe.

To hide its activity, QakBot also uses process injection, with explorer.exe as the target process.

As mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be regarded as a defense evasion technique.

Credential Access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, such as Invoke-Mimikatz, a PowerShell version of the well-known Mimikatz utility. Attackers can use such scripts to dump credentials.

Discovery

After gaining access to privileged accounts, ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, attackers use AdFind, another tool popular with ransomware groups, to gather information about Active Directory.

Lateral Movement

Traditionally, one of the most popular ways to move around a network is the Remote Desktop Protocol, and ProLock is no exception. The attackers even have scripts in their arsenal for obtaining remote access to target hosts via RDP.

BAT script that enables remote access via RDP:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

For remote script execution, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

On hosts, ProLock is launched using WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is also gaining popularity among ransomware operators.

Collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of being paid. Before exfiltration, the collected data is archived with the 7Zip utility.

Exfiltration

To upload data, ProLock operators use Rclone, a command-line tool for synchronizing files with various cloud storage services such as OneDrive, Google Drive and Mega. The attackers always rename the executable so that it looks like a legitimate system file.

Unlike their peers, ProLock operators still do not have their own leak site for publishing data stolen from companies that refused to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock across the entire enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.
First of all, ProLock terminates the processes in its built-in list (interestingly, it matches only the first six letters of a process name, such as "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, as with many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their size so that no new copies are created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
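As an added illustration (not code from the article or from Group-IB), here is a small Python detector that applies rules derived from the operator commands quoted in this article (the scheduled-task batch script, the RDP-enabling BAT script, the net stop of CSFalconService, and the vssadmin commands) to process-creation records; the rule names, regular expressions and the sample events are my own assumptions and the events are constructed, not real telemetry.

```python
import re

# Detection rules derived from the ProLock operator commands quoted in this article.
# Each entry is (rule name, case-insensitive regex applied to the process command line).
# Rule names and patterns are assumptions made for this illustration.
RULES = [
    ("schtasks_create_from_programdata",
     r"schtasks(\.exe)?\s+/create\s+/xml\s+\S*programdata\S*"),
    ("rdp_enabled_via_registry",
     r"reg(\.exe)?\s+add\s+.*fdenytsconnections.*\s/d\s+0\b"),
    ("rdp_nla_disabled_via_registry",
     r"reg(\.exe)?\s+add\s+.*rdp-tcp.*userauthentication.*\s/d\s+0\b"),
    ("firewall_remote_desktop_group_enabled",
     r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?\s+new\s+enable=yes'),
    ("shadow_copies_deleted", r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all"),
    ("shadow_storage_resized", r"vssadmin(\.exe)?\s+resize\s+shadowstorage\s+.*\s/maxsize="),
    ("security_service_stopped", r'net1?(\.exe)?\s+stop\s+"?csfalconservice"?'),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

def match_command_line(cmdline):
    """Return the names of every rule that fires on one process command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan_events(events):
    """events: dicts with 'host' and 'CommandLine' (Security 4688 / Sysmon Event ID 1 style).
    Returns (host, rule name, command line) hits in event order; benign events yield nothing."""
    hits = []
    for ev in events:
        for name in match_command_line(ev.get("CommandLine", "")):
            hits.append((ev.get("host", "?"), name, ev["CommandLine"]))
    return hits

# Constructed sample events (not real telemetry) mirroring the scripts quoted above,
# plus one benign process for contrast.
SAMPLE_EVENTS = [
    {"host": "ws01", "CommandLine": r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"},
    {"host": "ws01", "CommandLine": r"schtasks.exe /RUN /tn WinMgr"},
    {"host": "srv02", "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'},
    {"host": "srv02", "CommandLine": r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes'},
    {"host": "srv02", "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f'},
    {"host": "srv02", "CommandLine": r"net stop CSFalconService"},
    {"host": "srv02", "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "CommandLine": r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws03", "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

if __name__ == "__main__":
    for host, rule, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Several of these rules firing on one host within a short window (RDP enabled, NLA disabled, a security service stopped, shadow copies removed) is the pre-encryption sequence described in this article and is a stronger signal than any single hit.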

ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and drops the file [HOW TO RECOVER FILES].TXT in every folder. This file contains instructions for decrypting the files, including a link to a site where the victim must enter a unique identifier to receive payment details:

[Figure] The ProLock ransom note
Each ProLock sample contains the ransom amount; in this case it is 35 bitcoins, which is approximately $312.

Conclusion

Many ransomware operators use similar methods to achieve their goals, while some techniques remain unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators take part in attacks with different ransomware families, so we will increasingly see overlaps in the tactics, techniques and procedures used.

Mapping to MITRE ATT&CK

Tactic (ID): Techniques (IDs)

Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: habr.com