ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. In detail it’s the remote IDA debugger server named win32_remote.exe and it’s basically designed to act as a loader by reading and decrypting an encrypted payload written to disk (CaddyWiper). It has been used against Ukrainian targets in destructive attacks and it’s believed to be linked with the Russian threat actor known as Sandworm (aka BlackEnergy).At the time of writing several Caddywiper-related analyzes can already be found on the net but none seem to delve into what happens in its loader. Having worked on this malware family in order to hunt for similar samples I decided to share a quick analysis that led to the creation of a hunting YARA rule.
INSIGHTS
This piece of malware it is not complex in its logic; The loader expects to be launched with two parameters from the command line. The first represents the decryption key and the second the path of the payload on the disk. Immediatly after the execution smong the first interesting things it goes to dynamically resolve the shell32.CommandLineToArgW and kernel32.GetCommandLine API functions.
It calls the latter in order to retrieve the parameters with which the executable has been launched and shell32.CommandLineToArgW in order to parse the command line string and get an array of pointers to the command line arguments. The next operation of interest is the resolving of kernel32.ReadFile and kernel32.GetFileSize API functions in order retrieve and work on the encrypted CaddyWiper payload written on the disk (pa.pay).
Below the image as this payload appears in its original encrypted form
As said the primary job of such malware is reading, decrypting and executing the CaddyWiper payload. Regarding this task it’s possibile to observe the execution on 00471B04. Here one byte from the input key (JRIBDFIMCQAKVBBP) is used to decrypt the payload as reported above.
As result a decrypted payload as shown following can be observed
At this point we land on real CaddyWiper payload. Even here the malware goes to retrieve several API function that will need to operate on various areas of the affected systems like FindFirstFileA, FindNextFileA, CreateFileA, WriteFile etc.etc. after to have retrieved the machine role via DsRoleGetPrimaryDomainInformation.
At this point the malware starts its job by iterating through files on the system and replacing their contents with null-bytes (\x00). It’s starts by looking for files under %SystemDrive%\Users and continuing to logical drives D:\ up to Z:\. Disk partitions from //./PHYSICALDRIVE9 to //./PHYSICALDRIVE0 are the last to be impacted.
THREAT HUNTING
In this analysis we observed an essential point of the execution chain. It allows the loader to decrypt and execute the real payload of the attack. In my opinion indeed one good point to hunt for threats similar to the ArguePatch version described here is at sub_471B04. According with the logic of the executable this function is needed to recover the malicious payload and ensure that the targeted systems are impacted.
Creating a rule on this code fragment (reported following) is then useful for the hunting of similar payloads:
A few days ago a new variant of an ICS-capable malware known as Industroyer has been employed during a cyber-attack conducted against industrial control systems (ICS) responsible for the management and control of power plants subsystems in Ukraine.
This new version has been named Industroyer2 and represents the evolution of a malware family already observed in December 2016 working against similar targets. This type of attack was reported after a long series of other attacks targeting Ukrainian organizations and entities which generally involved the use of wipers, backdoors and DDoS attacks.
Its peculiarity is that it is in fact the first to have been clearly targeted ICS infrastructures and to employ ICS-capable malware.
INDUSTROYER2 INSIGHTS
I had a look at the file identified with the following characteristics:
This is a 37.00 Kb in size 32-bit x86 Portable Executable (PE) compiled on Wednesday 23 March 202210:07:29 as evidence reported following
Basically speaking, the malware is designed to read some embedded configuration entries in order to craft IEC-104Application Service Data Unit (ASDU) messages that allow it to interact with the remote targeted units (reachable as internal IP addresses) over TCP protocol.
Taking a look at the execution flow, we can see that this piece of malware handles two optional parameters from the command line which are -t and -o as evidence from the code extraction below
-o allows to write a debug file on the filesystem (by default it’s printed on the console) while -t allows to delay execution by referencing the current SystemTime.
After parsing the parameters provided via the CLI, the malware starts to retrieve the information from the embedded configuration entries
These entries appear as the image following
Each configuration entry starts with an internal IP address (in the image above obscured in the last two octets) and a port, followed by four numbers (may be some sort of operating flags) a process name and a path (in this case D:\OIK\DevCounter).
The last chunck consists of information used to construct the message intended to be send to the ASDUs. For each of the entries found the malware goes to terminate the process PServiceControl.exe.
The process name is hardcoded within the executable.
At this point it goes to enumerate processes again in order to find the process name corresponding to the one specified in the configuration entry (PService_PPD.exe).
After recovering the path D:\OIK\DevCounter and the file name PService_PPD.exe it’s going to rename the file present under this path by adding the .MZ extension to it.
Most likely this is done to prevent any task designed for the process’s ‘always-on‘ from re-launching it. For each embedded configuration a thread is then created in order to implement IEC-104 communication protocol.
The IEC-104 extends the IEC-101 in a way that it can be transmitted over a TCP/IP network. So in each such thread the malware will attempt to communicate with the specified IP address using the protocol described in the IEC-104 standard after to have iterated through the ASDU entries in the configuration block.
In IEC-104 each object in the ASDU has an Information Object Address. Basically, the primary purpose of this action is to connect to the specified IP address and send crafted ASDU messages resulting in Information Object Address state being set to either ON or OFF.
INDUSTROYER vs INDUSTROYER2
By doing a comparative analysis of INDUSTROYER (its IEC-104 module) and INDUSTROYER2 it’s possibile to note a lot similarities above all in the operating logic despite the fact that the latest samples certainly show substantial differences if compared with 2016 ones.
Among the technical similarities at the code level it’s possibile to observe overlaps in the functions dedicated to the management, composition and control of ASDU messages.
The new executable in some cases joins together some strings in respect to previous sample optimizing in some cases the global execution process but in general the strings that refer to the debug messages are the same allowing old YARA rules to match the new sample as well.
According to the first first attribution of the family shared by ESET researchers and in the light of the further technical evidence extracted in this article, the threat in question is to be linked with the threat actor known as Sandworm (aka BlackEnergy).
CONCLUSIONS
I can definitely say that the Industroyer malware family is a sophisticated piece of malware used against industrial control systems (ICS). The findings reported here are in line with previous operations already attributed by the security community to Russian APT groups and to the best of my current knowledge this is the first ICS-capable malware used since the beginning of the conflict between Russia and Ukraine after a long series of attacks that have seen the use of wipers, backdoors, different early and middle-stage implants and (D)DoS attacks.
The use of this type of malware should alert about the potential of Russia-State linked APT groups to focus their efforts against industrial control systems (ICS) and their willingness to use this kind of “digital weapons” to cause disruption of critical services.
It’s important to consider the attackers could adapt this malware to other similar targets and that any intrusion against targets of this type should be considered extremely dangerous and complex to mitigate in relation to the presence of protocols born decades ago without taking the security factor into consideration.
DETECTION
YARA
rule Sandworm_Industroyer2_76222_00001 : RUSSIAN THREAT GROUP { meta: author = “Emanuele De Lucia” description = “Strings-based threat detection rule for INDUSTROYER2” tlp = “white” date = “2022-04-15” hash1 = “d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00” strings: $ = “PServiceControl.exe” $ = “Sent=x%X | Received=x%X” $ = “Cause: %s (x%X) | Telegram type: %s (x%X)” $ = “Length:%u bytes | “ $ = “Unknown APDU format !!!” $ = “%02hu:%02hu:%02hu:%04hu” condition: (uint16(0) == 0x5a4d and all of them) }
BigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It was first spotted out in 2018 and was observed to include new features in the last quarter of 2020. During operations usually it’s used in combination with R.A.T. (Remote Administration Tools) such as Kazuar and Carbon. Several months ago I had the opportunity to analyze some versions of these pieces of malware and have now decided to publish an excerpt based solely on some specific technical characteristics observed. The activity had as objective the production of detection and attribution rules one of which is shared in this post.
Insights
BigBoss implants exports basically (3) three functions. The Start() one is designed to retrieve basic information and to call sub_407E50 at 0040B0D3. First of all modulenamekernel32.dll is dexored through the key 0x4d4e and an handle to kernel32.dll is obtained through GetModuleHandle. Malware writer chose to dynamically resolve certain API functions likely in order to hide information, from static analysis, about libraries and functions that are used by the implant and normally stored in IAT. In this case IsWow64Process is found through GetProcAddressto retrieve OS bitness.
Shortly after a call to sub_409C70 where the path of the .inf file is retrieved.
BigBoss writes a configuration file named backport.inf. The configuration file is written to %SystemRoot%\INF\backport.inf (as reported in screenshot above) and contains a [Version] section with various configuration entries. At this point instructions performed call the StartServiceCtrlDispatcher function in order to connect to the SCM (Service Control Manager) and start the control dispatcher thread. The dispatcher thread loops, waiting for incoming control requests for the services specified in the dispatch table.
Service name is SWCheckState. Further API functions is then dynamically resolved. One of them is CreateService retrieved even in this case through a GetProcAddress call after to have obtained an handle to advapi32.dll at sub_408790. After the service is created OpenService function is called in order to interact with the service just created and ChangeServiceConfig2W & ChangeServiceConfigW are subsequently used to modified parameters of the same. Finally, StartServicestarts the service. In ServiceMain a RegisterServiceCtrlHandlerExfunction is used to register a control handler with the control dispatcher. SetServiceStatusis called to set the status of the service and the CreateEvent function is then responsible to create the event object.
SMB Server is then enabled by creating the RegKey HKEY_LOCAL_MACHINE “SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters on sub_40AB90. Named pipes are used for interprocess communication (IPC) both locally and remotely. Access to the remote named pipes is done via SMB. RegKey HKLM\SYSTEM\CurrentControlSet\Control\LSA\Restrict Anonymous is then set to 0 in order to permit anonymous logon users can access all shared resources on a remote share
The RegKey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes is also written in order to add the following values
COMNAP
COMNODE
SQLQUERY
SPOOLSS
LLSRPC
browser
sub_40AAE0 is responsible for connections to remote devices via IPC$. via WNetAddConnection2
BigBoss supports connections through null sessions or via default credentials. A thread is then created having sub_408830 as StartAddress. This thread is mainly responsible to handle communications with CnC (Command and Control) server. CreateNamedPipeW and ConnectNamedPipe are used to test connection. If successfull it’s able to get additional payloads and write operation results into log files created and written under %temp% path.
Conclusions
BigBoss is an integral part of the Turla team’s attack and persistence suite. Its development and evolution have probably shared practices and logic with other implants linked to its main cluster such as the second stage backdoor called Carbon. For example, by analyzing both, it can be noted that it shares with it not only a partial overlap in some internal functions, as shown below
but in some cases whole code chunks having a full overlap
I based one of my hunting rules for this family on this piece of code. The rule is released in the “Detection” section
On July 2, 2021, Kaseya issued a notice stating that the company was experiencing a potential cyber attack against the VSA suite. The company itself advised that the on-prem customers servers should be shut down immediately until further notice from them.
VSA is a very common solution and usually used by Managed Service Providers especially in the United States and the United Kingdom. It allows to perform patch management and client monitoring for MSP customers.
From the first reconstructions of the incident, a threat actor caused the spread of malicious code together with alleged updates performing a s.c. supply-chain attack. The delivered malicious code is capable of copying a malware dropper (digitally signed with a valid signature from PB03 TRANSPORT LTD.) of the Revil / Sodinokibi ransomware on the affected systems.
As per evidence extracted, this dropper (sha1: 5162f14d75e96edb914d1756349d6e11583db0b0) has the purpose of creating two distinct files under the path C:\Windows\ . Although not common practice among malware writers, this path is hard-coded within the executable.
The creation of the aforementioned files has the purpose of side-loading a malicious dll (sha1: 656c4d285ea518d90c1b669b79af475db31e30b1) within a legitimate copy of the Microsoft Windows Defender executable (MsMpEng.exe). As soon as the latter is launched, the file encryption phase is therefore carried out through a legitimate process, complicating the detection operations.
Both payloads are retrieved by referencing two resources within the dropper, as shown in the following image
Side-Loaded DLL
The loaded dll into the legitimate Windows Defender executable is intended to perform the actual file encryption operations. The malicious Revil / Sodinokibi payload is originally retrieved after an useful key for this process is dexored at sub_10001110. The DLL exports several function: ServiceCrtMain, ServiceMain, SvchostPushServiceGlobals as evidences reported
ServiceCrtMain is the one of our interest as it is responsible for initiating the logic of retrieving and executing malicious instructions
The payload is then mapped as file into the created thread through CreateFileMappingW and MapViewOfFile.
File mapping is commonly used in order to load into memory a file and permits malware writers to manipulate it easily. CreateFileMapping function is useful to load a file into memory while MapViewOfFile function returns a pointer to the base address of the mapping. The payload is then executed. Following is reported the implant configuration file as it has been extracted in its original form:
Supply chain attacks perpetrated with the aim of targeting new victims is something we are not used to see in a ransomware-related incident. This one appears however to have a big impact and certainly opens to considerations about the devastating new trend in cybercrime to study and focus on a single target only to hit hundreds or thousands of them. What must definitely be considered in this event is that the first targets are MSPs (Managed Service Providers) because, by hitting them, the attacker has the potential to further spread malicious payloads even towards their customers.
Victimology
Managed Service Providers located at least in the following countries: US, DE, UK, IE according to the visibility I can dispose of at the time of writing. MSPs are generally to be considered a strategic target as they offer a direct channel to reach many other potential targets (the same MSP customers).
The following rule can be useful to identify the Revil / Sodinokibi dropper
rule REvil_Dropper_827322_000001 { meta: description = “Detects REvil/Sodinokibi dropper as observed in Kaseya supply-chain attack” author = “Emanuele De Lucia” reference1 = “https://twitter.com/markloman/status/1411036209304965121” reference2 = “www.emanueledelucia.net/revil-sodinokibi-ransomware-delivered-through-kaseya-supply-chain-attack” date = “2021-07-02” hash1 = “d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e” strings: $ = “MpSvc.dll” fullword ascii $ = “MsMpEng.exe” fullword wide $ = “Antimalware Service Executable” fullword wide $ = “MsMpEng.pdb” fullword ascii $ = “SOFTIS” fullword wide $ = “MODLIS” fullword wide condition: uint16(0) == 0x5a4d and all of them }
#powershell
A possible way to get a first degree of visibility into potential events related to such threat could be to detect how the adversary tries to disable the defenses of the victim system (T1562). In particular, this allows us to observe events in which the adversary successfully disabled Windows Defender through powershell message
What we today define “ransomware” at the beginning were basically screen lockers demanding a ransom from the victim (“Your PC contains illegal content and cannot be used …“).
In relation to the increasing revenues they are able to generate, in recent years they have become one of the fastest growing classes of malicious software in the cyber threat landscape.
Lately, moreover, almost all of the interventions and articles on “cyber” topics were related to this category of malware as a result of a specific attack against Colonial Pipelines Inc. which caused countless economic losses and inconveniences of any kind in the States.
In face of first rivers of ink spilled on the incident itself and then on the group responsible for the attack (- note it was one of the group’s affiliates and not the same dev team of the #DarkSide ransomware -) they are not missing, here and there, articles / advice / posts by experts on how to defend against this type of malware.
The plethora of suggestions given, however, in my opinion have rarely been placed within a strategic context and almost always indicated as a list of specific actions to be performed.
The individual items of these lists, although singularly impeccable from a theoretical point of view (such as “installing a good antivirus” and “applying risk management processes“), can be difficult to apply in practice if not placed in a well-defined context that pursue a specific purpose; this purpose should the contrast and mitigation of extortion-oriented attacks and much more generally the enhancement of one’s defensive capabilities.
Finally, considering the famous phrase – “It is not possible to be 100% protected from malicious code” – it is also clear that a valid defensive solution cannot be based exclusively on the adoption of the latest AV / EDR technologies (more or less sophisticated) nor much less on tricks and / or tips of the last minute.
Survival Skills:
Implementing a good defense program against these threats is undoubtedly an active and continuous process over time that involves the strengthening of at least five (5) internal capabilities.
They are:
Prevention: prevent the exploitation of infrastructure weaknesses and / or vulnerabilities through processes for updating, hardening and control of public information (social networks, public managers / employees profiles, job descriptions …) Technically speaking, in some cases, prevention could also mean adopting alternative technologies to those already in place and normally used, for example, for remote access services (VPN / RDP) in order to totally eliminate the growing risks due to the greater attention of criminal groups against them (0day research, 1 day exploit and theft / sale of access credentials on clearnet / darknet). Their potential compromise, in fact, could be catastrophic for the environment to be protected and provide an advantage that is difficult to recover on a defensive level as these services are often designed to interface directly with corporate intranets.
Detection and Protection: represents the ability to protect your assets from potentially adverse events by acquiring the ability to detect and contain a threat. As for the malicious code, the protection of your assets certainly includes the adoption of an AV / EDR, execution prevention systems, sandboxes etc.etc.
Resistance: indicates the ability to face and / or minimize the effects of an unknown or particularly stealthy threat and which has a high possibility of representing a concrete risk. It involves the implementation of concepts such as the separation of environments, the reduction of the potential attack surface, the identification of critical services and more stringent access control to them, etc. etc.
Resilience: indicates the ability to recover after an accident. Knowledge (SA – Situational Awareness): it means clearly understanding what to defend against in relation to our perimeter as well as the tactics and procedures implemented by the opponents and the consequent adoption of a defense strategy.
Knowledge (SA – Situational Awareness): it means clearly understanding what one must defend against in relation to our perimeter as well as the tactics and procedures implemented by the adversaries and a consequent adoption of a defense strategy.
Ransomware…pays off:
The Covid-19 pandemic has been very useful for the “ransomware” business. In general the higher revenues of many criminal groups (tripled, according to some estimates, compared to the pre-covid period) are due to the inability of many organizations to adapt to a de-centralized work model after a large percentage of their the workforce begun to operate outside a defined perimeter (the classic corporate one).
However, in many cases, it should be noted that the extension of the attack surface as a direct consequence of the new “smart-workers” not actually created a “new” problem from scratch but has often magnified one that was present even previously. This problem is mainly due to the lack of equipment (not only in the technological field but also in the procedural and internal policies ones) with which many companies fight these threats.
The most typical and widespread weakness observed during the analysis of some incidents was to focus (or limit) these defense on few points compared to the five (5) listed above. Closely related to what the “classic” cyber-security industry proposes, very often the one and only line of defense is delegated to AntiVirus / EDR and “Monitoring Operations“, thus concentrating all the contrast strategy in the already described capacity of “Detection and Protection“.
In consideration of the fact that even the most modern anti-malware solutions available on the market cannot guarantee detection rates even close to 100% (without considering the context on the basis of which an adversary arrives to operate within our perimeter) itìs evident that relying exclusively on them may not be enough.
Survival vs Kill Chain:
All the intrusions that arrive at a ransom request have effectively closed the so-called “Kill-chain”. The kill-chain virtually represents a series of steps (or rings), precisely, concatenated, and in general, simplifying, they are:
1. Information gathering
2. First access and early-stage payload delivery
3. Lateral movement
4. Late-stage payload delivery
Closing this chain often means, for the victim, having to pay an expensive ransom to get back its data and documents. An effective contrast strategy will therefore provide for the direct mitigation of the potential risks deriving from each single phase (or ring) of this kill-chain, directing, with a more strategic vision, one’s work towards the five (5) points identified before.
Information Gathering: In this phase, attackers seek and hunt potential victims by acquiring information about them. While only some time ago the approach to choice seemed to be quite casual and a direct consequence of the general external posture of the organization to hit (in the sense that robbing a shop is generally easier than robbing a bank) now the trend seems to be moving towards a much more targeted decision, so as to be able to ask for very substantial ransoms once the operation succeed. Under the heading of “Prevention“, fall the set of activities aimed at not exposing the side to such attacks by trying to contain the information released (voluntarily or not) on social networks and public profiles of the company. In this regard, Security Awareness programs are particularly useful. Information sources (threat intelligence) designed to increase the levels of Situational Awareness of the staff in charge of network protection can also be particularly useful.
First Access / Early-Stage payloaddelivery: In this phase, the attacker is able to obtain a first access to the perimeter. In order to make their life as difficult as possible it is necessary to correctly apply hardening and patching programs to the systems. Technically limiting the potential attack surface, applying multiple authentication systems, blocking the execution of macros and scripting languages that are not strictly necessary, checking permissions, logically limiting the communications of internal workstations are all useful factors for an Incident Prevention strategy. If the attacker still manages to deliver a first-stage payload and therefore to obtain a first access to our infrastructure, the adoption of policies aimed at obtaining greater visibility regarding what is happening (for example: alerts on login credentials anomalies, alerts on changes to accounts in the AD – Active Directory -, alerts on malicious DNS resolutions, alerts on network flow anomalies – Firewall Logs -, alerts on IDS / IPS events and so on…) is useful to strengthen our Detection and Protection skills. EDR / AV and SIEM support these skills as well.
Lateral movement: In this phase, the attacker managed to effectively compromise one or more machines inside our infrastructure and aims at expanding his/her control. If the defenses put in place up to now have proved ineffective, a further protective barrier capable of mitigating what is in place could be represented by the application of strong network segmentation policies of the environments. A further critical factor that can significantly increase our Resistance skills is the application of Behavior Analytics Systems.
Late-stage payload delivery: If the strategies applied so far have proved particularly ineffective in combating a so advanced and persistent adversary, we could suffer the effects of the last phase of a ransomware-kill-chain, that is the release of the last stage payload, the one that will probably be in charge of encrypting our data and information. Most likely the attacker already got the full control of several internal machines and probably also obtained “admin–grade” credentials. Based on my personal experience, therefore, if we are at this point there is little chance that the Detection and Protection systems can effectively mitigate the course of events. The best defense at this point is to have a good backup of all data, files, applications and any other critical resources. These backups must obviously be isolated from other systems.
Conclusions:
The ransomware business is particularly profitable. Considering the revenues it generates, it’s possible to assume possible to assume much more frequent and sophisticated attacks. The application of defensive measures in the various stages of the kill-chain, however, can reduce the risk of a full data loss (and to rely exclusively on negotiations with criminals to recover them).
