CTI Roundup: Ransomware Impersonates Cybersecurity Firm, Espionage Tactics Evolve in China

Up first in this week’s roundup, CTI takes a deep-dive into a report from Sophos about a new ransomware-as-a-service (RaaS) operation which leverages the company’s name for its own benefit. Next up is a breakdown of how the financially motivated threat actor FIN8 is now using a modified Sardonic backdoor to deliver BlackCat ransomware and maximize profits. Finally, CTI explores how Chinese cyber espionage groups are evolving to minimize detection and complicate attribution.

1. SophosEncrypt ransomware impersonates cybersecurity firm Sophos

A recent report from cybersecurity firm, Sophos, written in response to a discovery made public by a July 17 Tweet from MalwareHunterTeam, exposes a new ransomware-as-a-service (RaaS) operation dubbed SophosEncrypt which leverages the company’s name for its own benefit.

At first, the ransomware was reportedly believed to be part of a red team exercise being carried out by Sophos. However, the Sophos X-Ops team quickly responded to the Tweet above, thanking MalwareHunterTeam for the heads up and disclosing that its researchers had already discovered a sample of the ransomware on VirusTotal earlier that day.

BleepingComputer reports that MalwareHunterTeam’s ID Ransomware service shows one submission from a victim infected by the new malware — a clear indication that the RaaS operation is active. While researchers still know little about the operation and its method of promotion, a sample of the encryptor was found by MalwareHunterTeam – enabling them to get a “quick look at how it operates.”

What is SophosEncrypt?

The novel sample in question was discovered by a Sophos X-Ops analyst during a regular search of VirusTotal. The analyst noticed that the variant uses “Sophos” in the UI of a panel used by its ransomware to alert its victims that their files have been encrypted. It also appeared to append encrypted files with the extension “.sophos.”

With regards to the actual ransomware executable, researchers at Sophos were able to determine that it was compiled using MinGW and contains linked Rust libraries. Sophos also describes it as being “unusually retro” in terms of its functionality.

From Sophos:

“In most contemporary ransomware incidents, the threat actors who build the ransomware make a tool that is explicitly and exclusively made for the purpose of encrypting files, without including a lot of other functionality. Most ransomware we deal with today is a single-purpose executable that doesn’t bring many, or any, additional capabilities.

By all indications, the VirusTotal records on these files seem to indicate, and our analysis confirms, that one of the samples has the capability to do many things beyond encrypting files, which is unusual.”

The researchers go so far as to claim that the capabilities of the malware’s files make it appear more in line with a general-purpose remote access trojan (RAT) equipped with the capability to encrypt files and generate ransom notes, than with a typical, contemporary ransomware variant.

Such activities include hooking the keyboard driver for keystroke logging and profiling the system using WMI commands. However, like so many other ransomware families, SophosEncrypt features a list of directories to be excluded from encryption (as they would either impede the system’s ability to boot, or contain unimportant files deemed unnecessary to encrypt). And like so many ransomware families, SophosEncrypt performs the usual check for the system’s language settings, refusing to run if it determines the settings to be configured to use the Russian language.

To facilitate ransom negotiations, the ransomware’s developers prefer its victims to use methods of communication which are, for the most part, no longer relied upon by most of today’s ransomware outfits. Some examples include email and the Jabber instant messaging platform.

Exploring sample differences

The Sophos report references another known sample which contains less of the non-ransomware-like features outlined above. That said, both variants connect over the internet to a command-and-control (C2) server, with the connection referencing a Tor address on the dark web (although Sophos concedes that neither of the analyzed samples made a Tor connection).

Furthermore, both samples contain a hardcoded IP address which the samples connect to. According to Sophos, the address in question has been associated for over a year with both Cobalt Strike C2 activity and automated attacks which attempt to infect public-facing devices with crypto mining software.

Both samples are designed to be executed via Windows command line. When executed in the Command Prompt application, the ransomware prompts the ransomware’s operator to enter a string of information which results in the configuration of the malware’s behavior, as well as the ransom note it ultimately drops to the victim’s device.

According to Sophos, the program also prompts its controller to enter a 32-character encrypted password, followed by what appears to be a token as well as an email address and Jabber instant messaging account address. Once the attacker successfully enters the information, the program prompts the controller to select one of the following options:

1. Encrypt all files on the hard drive.
2. Encrypt a single drive letter.
3. Quit the program.

If the attacker chooses either the first or second option, the ransomware renames the encrypted files using the token value in the renamed file name once the encryption task is complete.

The specified email address and Jabber address both get added to the ransom note, which goes to the victim in the form of an HTML Application (.hta) file dropped into any directory in which encryption has successfully occurred.

This file simply displays the ransom note, complete with the contact information provided by the attacker during the initial stage of the attack.

As is the case with the first variant described above, the ransomware appends a unique machine identifier, the email address entered by the attacker during setup, and the suffix “.sophos” to the end of the name of every file it encrypts at the end of the process.

Sophos also notes that if the encryption process is interrupted, the ransomware will not leave a ransom note or alter the wallpaper image to the one it is configured to retrieve from the public image server. Otherwise, assuming the encryption process goes off without a hitch, the ransomware retrieves a graphic from a public image library website, using it to alter the victim’s Windows desktop wallpaper, changing it to a screen which reads “Sophos.” What’s more, the Sophos banner now adorning the victim’s desktop fails to accurately replicate the logo, colors, or branding utilized by the legitimate cybersecurity firm. Instead, the victim is presented with a logo featuring an image of a green padlock, accompanied by instructions on how the victim may find and use the ransom note to contact the attackers and commence negotiations.

Logging its own performance

When SophosEncrypt runs in the console, it produces a comprehensive list detailing the results of debug logging and reports the time it takes to encrypt each file in milliseconds. Oddly, the ransomware will report “SUCCESS” even when the Sophos Intercept X security solution prevents file encryption.

A look at the ransomware executable’s properties reveals that they are “versions 0.0.8 and 0.0.9, respectively, of the program. Neither executable is signed, and both prompt for elevation via UAC when executed.”

About the ransomware’s token

As Sophos explains, the token comes into play when the ransomware performs a minor bit of system profiling on the computer. It retrieves the public IP address for the target’s network and performs an HTTP POST request to the IP address 179.43.154[.]137 on port 21119/tcp that transmits the token and profiling information about the computer. The session is not encrypted.

If the server does not accept the token value, the application will output an error message in the console stating that the token is not valid. At this point, the application will quit. If the ransomware runs on an offline computer, it will display “local use of the program” and proceed to function — prompting the user to enter a 32-byte password and contact information before encrypting.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This is not the first time a security company’s name has popped up in an adversary’s malware. It’s not a surprising development because we have observed threat actors imitating security researchers and creating fake cybersecurity firms to attract hacking talent and collect intelligence.

With that in mind, impersonating a cybersecurity company’s software seems like the next logical progression. According to BleepingComputer, researchers are still analyzing SophosEncrypt to determine whether any weaknesses may allow the recovery of encrypted files for free.”

2. FIN8 uses modified Sardonic backdoor for BlackCat ransomware

A new Symantec report reveals how the financially motivated threat actor FIN8 is using a revamped version of a backdoor called Sardonic to deliver BlackCat ransomware. Symantec’s researchers believe this development is FIN8’s attempt to diversify its focus and maximize profits.

About FIN8

• FIN8 is a financially motivated threat group that has been active since at least January 2016. The group targets organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance sectors.

• The group has historically made use of living-off-the-land tactics, making use of built-in tools like PowerShell and WMI. Its preferred initial access methods are social engineering and spear phishing.

• FIN8 initially specialized in point of sale (POS) attacks but has since been observed using different ransomware threats in its attacks. For example, in June 2021, FIN8 was observed deploying the Ragnar Locker ransomware onto devices it had compromised in a financial services company earlier in the year. In January 2022, the group was observed leveraging White Rabbit ransomware in attacks. Then in December 2022, Symantec observed the group attempting to deploy BlackCat ransomware in its attacks.

How FIN8 uses backdoors

FIN8 has a history of taking extended breaks in between its attacks, likely to improve its tactics, techniques, and procedures (TTPs). In 2021, Bitdefender published details of the new Sardonic backdoor and linked it to FIN8. The Sardonic backdoor can harvest system information and execute commands. It also has a plugin to load/execute additional malware payloads that are delivered as DLLs.

The December 2022 attack that Symantec observed utilized a reworked backdoor to deploy BlackCat ransomware. While the Sardonic backdoor used in this campaign shares features with the backdoor analyzed by Bitdefender, most of the backdoor’s code has been rewritten, giving it a new appearance. Most notably, the code no longer used the C++ standard library, and most of the object-oriented features have been replaced with a plain C implementation.

Attacker activity

During the December 2022 incident, the threat actor connected with PsExec to execute the “quser” command and display the session details. It then executed an additional PowerShell command to launch the backdoor. The threat actor connected to the backdoor and checked details of the impacted computer before executing a command to establish persistence.

The next day, the threat actor connected to the now persistent backdoor but paused activity after running a few simple commands.  Thirty minutes later, the activity resumed, and the threat actor used wmiexec.py from Impacket to start a process to launch a new backdoor. This new backdoor was used over the next few hours. The new backdoor PowerShell script uses a new file name and simplifies the command-line by removing the decryption key argument.

PowerShell script

One key difference between this attack and previous FIN8 attacks is the technique used to deploy the backdoor.

In this case the backdoor was embedded indirectly into a PowerShell script and used to infect target machines. The PowerShell script in this campaign has a few key pieces. The first line of the script is meant to delete the PowerShell script file itself. The second line checks the architecture of the current process before picking the 32-bit or 64-bit version of the encoded .NET loader. The third line decodes the .NET loader binary and loads it into the current process. The last line of code starts the main functionality of the loader, where the injector and backdoor are decrypted.

• .NET loader: The loader is an obfuscated .NET DLL and contains two blobs. The blobs are decrypted with the RC4 algorithm using a hardcoded decryption key before decompressing. The decompressed blobs are then copied into a continuous chunk of memory. The loader then transfers control to the second blob, the injector, passing the memory location and size of the first blob, the backdoor, as parameters.
• Injector: The injector is in the form of shellcode. The purpose of this injector is to initiate the backdoor in a newly created WmiPrvSE.exe process. When creating this process, the injector will attempt to start it in session-0 using a token it steals from the lsass.exe process.

The Sardonic backdoor

The Sardonic backdoor is also in the form of shellcode.

• Interactive sessions: One interesting feature of this backdoor is related to interactive sessions, where the attacker runs cmd.exe or other interactive processes on the impacted device. The sample allows up to 10 sessions to un at the same time. When starting each individual process, the threat actor can use a process token stolen from a specified process ID that is different for each session.
• Extensions: Another notable feature of the backdoor is its support of three different formats to extend its functionality. The first format is with PE DLL plugins that the backdoor loads within its own process. The second format that the backdoor supports is in the form of shellcode, where each plugin executes in its own dedicated process. The third format is also in the form of shellcode but with a different convention to pass arguments.
• Network communication: To communicate with its command and control (C2) server, the backdoor will exchange messages of variable size using the below structure. The size of body field can be determined from the content of the header field.
• Initial message: Once the backdoor connects to its C2 server it will send the initial message of 0x10C bytes with the header field value 0xFFFFFCC0 (hardcoded), and footer field left uninitialized.
• body size is 0x80 for each incoming message with a header field value of 0xFFFFFE78 (hardcoded), and
  • body size is simply the value of the header field in all other cases.

The content of the body and footer fields is encrypted with RC4 using rc4_key as the encryption key. The keystream is reused when encrypting each individual field.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“FIN8 is clearly continuing to improve upon its capabilities by refining and updating its TTPs. The group’s use of a modified Sardonic backdoor several months after the backdoor’s emergence further proves the regular refinement and updating.

As Symantec points out, the group’s pivot from POS attacks to deploying ransomware highlights its dedication and its interest in maximizing profits.”

3. Chinese cyber espionage actors evolve tactics to avoid detection

Mandiant is tracking multiple ways in which Chinese cyber espionage groups are evolving to minimize opportunities for detection and complicate attribution. According to their analysis, Chinese groups are exploiting zero-days, targeting routers, and using other methods of relaying and disguising internal and external traffic to their victims’ networks.

China focusing on networking, security, and virtualization software

Mandiant believes that in 2021 and 2022, Chinese threat cyber espionage zero-day exploitation focused on security, networking, and virtualization technologies.

Targeting these devices allows for many tactical advantages to a threat actor. Since security and networking devices are edge devices — meaning they are accessible to the internet — a threat actor can gain initial access to them without requiring any human interaction. This decreases the chances of being detected.

As Mandiant points out, edge devices and virtualization software can be more challenging to monitor. Some may not support EDR solutions, further decreasing the likelihood of detection. Two relatively recent campaigns highlight the notable strategies that Chinese threat actors have been using to maximize stealth.

UNC3886 burns two zero-days in complex ops against hard targets

Mandiant investigated incidents in 2022 where the cyber espionage actor UNC3886 used multiple attack paths and two zero-days to establish persistence and gain access to virtualized environments. This threat actor primarily targeted defense industrial bases, technology, and telecommunication organizations across the U.S. and Asia.

This threat actor limited its presence on networks to Fortinet security devices and VMware virtualization technologies, devices and platforms that traditionally lack EDR solutions. The threat actor’s custom malware and exploits prioritized circumventing logs/security controls and would clear and modify logs and disable file system verification on startup.

UNC4841’s exploitation of Barracuda ESG starts stealthy, turns aggressive

The suspected Chinese cyber espionage actor UNC4841 exploited a zero-day vulnerability in Barracuda ESG appliances during a campaign targeting both public and private organizations across the globe. In multiple instances, Mandiant saw evidence of the actor searching for email data of interest before staging it for exfiltration.

The threat actor looked to disguise elements of its activity in multiple ways.

• The threat actor sent emails with specially crafted TAR files that exploited the Barracuda vulnerability, allowing the threat actor to execute arbitrary system commands with the elevated privileges of the ESG product.
• The group also developed custom malware using naming conventions that are similar to legitimate ESG files before inserting custom backdoor code into legitimate Barracuda modules.
• In some cases, the threat actor leveraged legitimate self-signed SSL temporary certificates that are shipped on ESG appliances for setup purposes along with certificates stolen from victim environments to hide C2 traffic.

The threat actor had a rather aggressive response to remediation efforts and the activity going public. After the Barracuda vulnerability was disclosed and initial remediation actions were taken, the threat actor countered this by working quickly to alter its custom malware, employing additional persistence mechanisms, and moving laterally to maintain access.

Additional examples

The two incidents outlined above are just a small piece of a growing list of Chinese cyber espionage campaigns exploiting zero-days in security and networking products.

• Mandiant reported exploitation of CVE-2022-42475 (a vulnerability in Fortinet’s FortiOS SSL-VPN), with the earliest evidence dating to October 2022.
• In December 2022, Citrix reported in-the-wild exploitation of CVE-2022-27518 in its Application Delivery Controller (ADC), which the U.S. National Security Agency (NSA) attributed to APT5.
• In March 2022, Sophos reported in-the-wild exploitation of CVE-2022-1040 in its firewall product, which Volexity linked to Chinese cyber espionage actors.
• Mandiant investigated multiple intrusions that occurred between August 2020 and March 2021 and involved exploitation of CVE-2021-22893 in Pulse Secure VPNs.
• In March 2021, Mandiant identified three zero-day vulnerabilities that were exploited in SonicWall’s Email Security (ES) product (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023). “

Chinese actors disguise external and internal traffic with botnets and tunnels

Mandiant is more frequently identifying examples of Chinese cyber espionage operations leveraging botnets of compromised IoT devices, smart devices, and routers to disguise external traffic between the victim environment and the C2 infrastructure.

They are also increasingly observing the use of several malware families that can stealthily relay threat actor traffic within a compromised network. These tactics are likely used to evade detection and make attribution more difficult.

Botnet-as-smokescreen

Researchers identified several examples of Chinese cyber espionage groups leveraging botnets to obfuscate traffic between the threat actor and the victim network. This activity was observed being conducted by APT41, APT31, APT15, TEMP.hex, and Volt Typhoon, and others.

Some examples include:

• In May 2023, Microsoft reported on Volt Typhoon activity targeting critical infrastructure organizations in the US. The threat actor used a botnet of compromised SOHO devices to route its network traffic.
• In 2023, Check Point analyzed the Camaro Dragon threat actor and its use of a custom backdoor called Horse Shell. This activity targeted European foreign affairs organizations and allowed the threat actor to establish an SSH encrypted SOCKS proxy and transfer files.
• In 2022, PwC reported on BPFDOOR malware which received commands from VPS that were controlled by a network of Taiwan-based compromised routers. Mandiant believes this activity is related to that of APT41.
• PwC also reported its observation of Red Vulture and its use of a shared proxy network, dubbed RedRelay in 2021 and 2022. This group supposedly corresponds to APT15, APT25, and Ke3chang.
• French and U.S. authorities issued public reports highlighting Chinese state sponsored actors’ exploitation of network devices to route traffic between C2 infrastructure and victim networks. The 2022 U.S. advisory called out the exploitation of Network Attached Storage (NAS) devices. The 2021 French advisory described a specific campaign attributed to APT31.
• ESET reported on their observation of a Linux backdoor, SideWalk, that was used to compromise a Hong Kong university in February 2021. Mandiant attributes most of this activity to APT41.

Mandiant has also observed evidence of suspected Chinese cyber espionage operators deploying custom malware to disguise traffic within the victim networks by using DNS, HTTP, and TCP/IP hijacking.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Most of the above tactics are not new to Chinese cyber espionage actors, nor are they unique to these actors. Mandiant compiled this information with the intent of highlighting how Chinese cyber espionage actors use these tactics as part of a ‘broader evolution toward more purposeful, stealthy, and effective operations.’

The incidents that Mandiant details above are all successful campaigns. This indicates that the investment these actors are making into evolving TTPs to avoid detection are working.”

Do you have insight these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.