Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Astro Locker. Show all posts

Users get Directly Infected by AstraLocker 2.0 via Word Files

Threat researchers claim that the developers of a ransomware strain named AstraLocker just published its second major version and that its operators conduct quick attacks that throw its payload directly from email attachments. This method is particularly unique because all the intermediary stages that identify email attacks normally serve to elude detection and reduce the likelihood of triggering alarms on email security tools.

ReversingLabs, a firm that has been monitoring AstraLocker operations, claims that the attackers don't appear to be concerned with reconnaissance, the analysis of valuable files, or lateral network movement. It is carrying out a ransomware operation known as "smash and grab." 

The aim of smash and grab is to maximize profit as quickly as possible. Malware developers operate under the presumption that victims or security software will rapidly discover the malware, hence it is preferable to move right along to the finish line. 

Smash-and-grab strategy 

An OLE object with the ransomware payload is concealed in a Microsoft Word document that is the lure utilized by the developers of AstraLocker 2.0. WordDocumentDOC.exe is the filename of the embedded program. 

The user must select "Run" in the warning window that displays after opening the document in order to run the payload, thus decreasing the threat actors' chances of success. 

Researchers point out that this approach is less sophisticated than the recent Follina vulnerability which requires no user involvement or even the use of macros improperly which requires some user interaction. 
 
Encryption set up

Despite its haste to encrypt, AstraLocker still manages to do certain basic ransomware actions: It attempts to disable security software, disables any active programs that can obstruct encryption, and steers clear of virtual computers, which might suggest that it is being used by lab researchers.

The virus sets up the system for encryption using the Curve25519 method after executing an anti-analysis check to make sure it isn't executing in a virtual machine and that no debuggers are set in other ongoing processes. 

Killing applications that might compromise the encryption, erasing volume shadow copies that would facilitate victim restoration, and disabling a number of backup and antivirus services are all part of the preparation procedure. Instead of encrypting its contents, the Recycle Bin is simply emptied.

AstraLocker origins 

AstraLocker is based on Babuk's stolen source code, a dangerous but flawed ransomware strain that left the market in September 2021, according to ReversingLabs' code analysis. Furthermore, the Chaos ransomware's developers are connected to one of the Monero wallet addresses stated in the ransom text.

Supposedly, this isn't the work of a clever actor, but rather someone who is determined to launch as many devastating attacks as possible, based on the tactics that support the most recent campaign.

Quantum Ransomware was Detected in Several Network Attacks

 

Quantum ransomware, originally spotted in August 2021, has been found carrying out fast attacks which expand quickly, leaving defenders with little time to react. The assault began with the installation of an IcedID payload on a user endpoint, followed by the launch of Quantum ransomware 3 hours and 44 minutes later. It was identified by DFIR Report researchers as one of the fastest ransomware attacks it had ever seen. IcedID and ISO files have recently been utilized in other attacks, as these files are great for getting past email security safeguards.

According to Mandiant's M-Trends 2022 study, the threat actors began encrypting the victim's data only 29 hours after the first breach in a Ryuk ransomware assault in October 2020. The median global dwell period for ransomware is around 5 days. However, once the ransomware has been installed, the data of the victim may be encrypted in minutes. According to a recent analysis from Splunk, ransomware encrypts data in an average of 43 minutes, with the fastest encryption time being less than 6 minutes. 

The IcedID payload was stored within an ISO image which was presumably distributed by email in the examined Quantum ransomware outbreak. The malware was disguised as a "document" file, which was an LNK file designed to run a DLL (IcedID). Several discovery activities were run when the DLL was executed, utilizing various built-in Windows functions, and a scheduled job was constructed to ensure persistence. 

Cobalt Strike was installed into the victim system about two hours after the first breach, allowing the attackers to begin 'hands-on-keyboard' behavior. The fraudsters then began network reconnaissance, which included identifying each host in the environment as well as the active directory structure of the target organization. After releasing the memory of LSASS, the intruders were able to steal Windows domain credentials and spread laterally via the network. 

Cobalt Strike was also used by the attackers to collect credentials and test them for remote WMI detection tasks. The credentials enabled the adversary to log in to a target server through the remote desktop protocol (RDP), from which they attempted to distribute Cobalt Strike Beacon. The malicious actors then used RDP to access other servers in the system, where they prepared to deliver Quantum ransomware per each host. Threat actors eventually used WMI and PsExec to deliver the Quantum ransomware payload and encrypt devices via WMI and PsExec. 

The Quantum Locker ransomware is a rebranded version of the MountLocker malware, which first appeared in September 2020. Since then, the ransomware gang has gone by several names, including AstroLocker, XingLocker, and Quantum Locker, which is now in its current phase. 

While the DFIR report claims since no data exfiltration activity was detected in the assault they investigated, researchers claim the ransom demands for this gang fluctuate based on the victim, with some attacks seeking $150,000 in exchange for a decryptor. Quantum Locker, unlike its prior versions, is not a highly active operation, with only a few attacks per month.

Windows API Used as a Doorway in a MountLocker Ransomware Operation

 

Threat actors are now using MountLocker ransomware via ‘Windows Active Directory enterprise APIs’ to target website developers and organizations. MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS).

MountLocker core team receives a small portion of 20-30% of a ransom payment and the affiliate receives the remainder, as part of this tie-up. In March 2021, ‘Astro Locker’ ransomware group emerged and started using a customized version of the MountLocker ransomware with ransom notes pointing to their own payment and data leak sites. 

"It's not a rebranding, probably we can define it as an alliance," Astro Locker told BleepingComputer when asked about its association to MountLocker. Eventually, in May 2021, a third group emerged called 'XingLocker' who additionally makes use of a personalized MountLocker ransomware executable. 

Earlier this week, MalwareHunterTeam shared a sample of what was believed to be a brand new MountLocker executable that incorporates a new worm feature that permits it to unfold and encrypt to different gadgets on the network. After installing the sample, BleepingComputer confirmed that it was a personalized pattern for the XingLocker workforce. 

A brief evaluation by BleepingComputer showed that you could enable the worm feature by running the malware sample with the /NETWORK command-line argument. As this feature requires a Windows. After sharing the sample with Superior Intel CEO Vitali Kremez, it was found that MountLocker is now using the Home windows Lively Listing Service Interfaces API as a part of its worm characteristic. 

"Many corporate environments rely on complex active directory forests and computer within then. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan," Kremez told BleepingComputer in a dialog about the malware.

“This is the quantum shift of professionalizing ransomware development for corporate network exploitation. As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience,” he further added. 

While this API has been seen in other malware, such as TrickBot, this may be the first corporate type ransomware for professionals that are using these APIs in order to perform built-in reconnaissance and spread to other devices.