CTI Roundup: FBI and CISA Issue a Joint Advisory for Snatch RaaS

In this week’s roundup, CTI explores how threat actors are repurposing old proof of concept (PoC) code to create a fake PoC for new vulnerabilities. Next up, CTI covers a joint cybersecurity advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) about Snatch ransomware. Finally, CTI investigates a Chinese espionage threat actor known as Earth Lusca that is targeting government organizations in multiple countries with a new Linux backdoor called SprySOCKS.

1. Threat actors repurpose old code in fake vulnerability PoC

In a warning to researchers, Palo Alto reveals how a threat actor committed a fake PoC script to a GitHub repository shortly after the public reporting of the vulnerability, resulting in the download of Venom RAT.

On August 17, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR, tracked as CVE-2023-40477. Just four days later, an actor using the alias of whalersplonk committed a fake PoC script to their GitHub repository. This fake PoC is based on a publicly available PoC script that exploited a SQL injection vulnerability.

The fake PoC script does not exploit the intended vulnerability, and instead is based on a publicly available PoC code for a vulnerability in GeoServer. Instead of exploiting the WinRAR vulnerability, as you would expect the PoC code to do, it sets off an infection chain that results in the installation of VenomRAT.

The fake PoC is a Python script that was uploaded to VirusTotal in a ZIP archive named CVE-2023-40477-main.zip, specifically poc.py.

Social engineering component

The README.md file within the ZIP archive tries to trick users into compromising their own system by providing a summary of the vulnerability along with usage instructions for the supposed PoC script. The instructions also include a link to a video. However, the video is no longer hosted on that URL as it was set to expire.

Researchers determined that there were over 100 individual views of the video referenced in the README file. They were able to obtain two screenshots that were used as thumbnails to display parts of the video.

• The first image is displayed before the user clicks the play button and shows the threat actor’s desktop and task manager, including a process named Windows.Gaming.Preview. This is the same executable name as the VenomRAT payload.
• The second screenshot is believed to be captured halfway through the video and shows an archive of Burp Suite, a password in Notepad, and the PuTTY client. It also shows the date and time of the Windows clock which was helpful in determining a timeline.

The fake PoC

The fake PoC Python script within the archive was named poc.py and was based on the open-source CVE-2023-25157 PoC with some changes.

The changes include:

• Removal of comments regarding details about the CVE-2023-25157 vulnerability
• Removal of lines of code that would suggest it’s a network-related vulnerability, such as the setting of variables named PROXY and PROXY_ENABLED
• Modified strings from geoserver to exploit
• Inclusion of additional code that downloads and executes a batch script with a comment of “check dependency”

A batch script will run an encoded PowerShell script to download an additional PowerShell script which is saved to %TEMP%\c.ps1. This downloaded script will download and run another executable before creating a scheduled task (Windows.Gaming.Preview.exe) to run the executable every three minutes.

Windows.Gaming.Preview.exe is a variant of VenomRAT. This variant starts a key logger functionality to log keystrokes before beginning to communicate with its C2.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The motivation behind this attack is interesting, as it appears the targeting is likely rather opportunistic but still focused on security researchers.”

“This activity emphasizes the fact that threat actors are constantly looking for new attack avenues and will play on the interests of their targets. It also reminds us of the importance of using credible sources, especially when downloading PoC code.”

2. The FBI and CISA release a joint advisory for Snatch RaaS

The FBI and CISA have released a joint cybersecurity advisory to disseminate the latest IOCs and TTPs associated with Snatch ransomware.

Snatch ransomware first appeared in 2018, operating as a ransomware-as-a-service (RaaS) model. The group was originally called Team Truniger because of the nickname of a key group member. The threat actors used a customized ransomware variant that was most notable for rebooting devices into Safe Mode, allowing the ransomware to circumvent detection and encrypt files when fewer services are running.

The threat actors have been known to purchase data stolen by other ransomware variants to further exploit those victims. As we’ve noted before, the Snatch ransomware group has claimed responsibility for multiple attacks on education organizations which resulted in the exfiltration of student and staff PII onto the dark web. Since mid-2021, the Snatch ransomware threat actors have been constantly evolving their TTPs to take advantage of the changing threat landscape. The threat actors have historically targeted a wide range of critical infrastructure sectors including the defense industrial base (DIB), food and agriculture, and information technology sectors.

Snatch ransomware threat actors conduct operations involving data exfiltration and double extortion. They often communicate directly with victims to demand a ransom and threaten to post stolen data on their extortion blog.

Initial access and persistence

Snatch threat actors have several methods for gaining access and maintaining persistence. Affiliates tend to rely on the exploitation of weaknesses in RDP to brute force and gain administrator credentials to the network. In some instances, affiliates have purchased compromised credentials from underground cybercriminal forums.

The threat actors establish persistence by compromising an administrator account and establishing connections over port 443 to a C2 server. The C2 server is located on a Russian bulletproof hosting service.

Data discovery and lateral movement

The threat actors use various TTPs to discover data, move laterally, and search for data for exfiltration. Sc.exe is used to configure, query, stop, start, delete, and add system services using the Windows command line. The threat actors also used Metasploit and Cobalt strike.

Before deploying the ransomware, the threat actors spend up to three months on the victim’s system. During this time, the threat actors exploit the network, moving laterally via RDP for the largest possible deployment of ransomware.

Defense evasion and execution

During the early phases of the attack chain, Snatch threat actors attempt to disable antivirus software and run an executable as a file named safe.exe. In more recent instances, the ransomware’s executable name consisted of a string of hexadecimal characters, matching the SHA-256 hash of the files.

Once initiated, the ransomware payload will query and modify registry keys, use various native Windows tools to enumerate the system, find processes, and create benign processes to execute Windows batch files. In some cases, the ransomware deletes volume shadow copies. After execution of the batch files, the ransomware removes the batch files from the system.

The ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts. This is unique to each infection. It will also drop a HOW TO RESTORE YOUR FILES.txt file into each folder. The threat actors communicate with their victims via email and the Tox communication platform, depending on the identifiers left in ransom notes.

Some victims have reported receiving a spoofed call from an unknown female claiming to be associated with the Snatch ransomware group and directing them to the group’s extortion site. In some instances, the victims had a different ransomware variant deployed on their systems, but still received the Snatch ransom note.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“What’s unique about this ransomware group is its occasional spoofed phone calls, which go directly to the victim and point them to the extortion site. While this tactic doesn’t appear in all Snatch ransomware attacks, it still begs the question of why — and whether the trend will catch on across other ransomware families.”

“The last three pages of the joint advisory includes detailed mitigation recommendations from the FBI and CISA. Their top recommendations include securing and closely monitoring RDP, maintaining offline data backups, and enabling and enforcing phishing-resistant MFA.”

3. Threat actors deploy new SprySOCKS Linux malware in cyberespionage attacks

A Chinese espionage threat actor known as Earth Lusca is now targeting government organizations across multiple countries with a new Linux backdoor called SprySOCKS. The backdoor originates from the Trochilus open-source Windows malware, with many of its functions ported to work on Linux systems.

Recent Earth Lusca activity

Earth Lusca has remained active in 2023, carrying out attacks targeting government departments in foreign affairs, technology, and telecommunications.

Earth Lusca is now more frequently exploiting server-based N-day vulnerabilities for initial access. After this, it will deploy a web shell and install Cobalt Strike to perform lateral movement. The group will exfiltrate documents, email account credentials, and deploy further advanced backdoors like ShadowPad and the Linux version of Winnti.

Mandibule loader component

Trend Micro observed a file named libmonitor.so.2 hosted on Earth Lusca’s delivery server. They found that the loader was not developed from scratch. Its developer used a publicly available Linux ELF injector called mandibule.

The original ELF injector project is a command line tool with the ability to inject a payload into itself or into another project. This served as the base of the malware loader. The developer removed the usage screen and the ability to inject other processes and instead added a function to load and decrypt the second stage. Researchers note that this was a rather sloppy job, as the developer did not remove debug messages or strip the loader.

The name of the process is set to kworker/0:22 by the prctl command. Kwoker is typically a placeholder process for kernel worker threads. This name was likely chosen to avoid suspicion. The loader accepts two command-line parameters: the path to the encrypted second stage file and the self-delete flag. The second stage is encrypted with an AES-ECB cipher, with the password being hard-coded in the loader. The loader also sets persistence by copying itself and the encrypted second stage to the /usr/sbin/ directory and renaming it. It then starts the loader as a service and self-deletes.

SprySOCKS component

Researchers examined the decrypted second stage and found that it was statically compiled via HP-Socket project, a high-performance network framework of Chinese origin. The initialization procedure revealed a hardcoded encrypted password used to encrypt communication with the C2 server. The C2 address and port are also hard-coded, but in plain text.

The malware appears to be a mixture of multiple malware. The SprySOCKS C2 communication protocol is similar to the Windows backdoor RedLeaves. In contrast, the implementation of the interactive shell seems to derive from the Linux malware known as Derusbi. The RAT implements several standard backdoor commands like collecting system information, starting an interactive shell, listing network connections, creating SOCKS proxy, uploading/downloading files, and more.

Attribution

The encrypted SprySOCKS payload was hosted on a delivery server in early June 2023. This server was operated by the Earth Lusca threat actor and delivered executable files of Cobalt Strike and the Linux version of Winnti to its targets. The SprySOCKS payload contains a version number of 1.3.6 and uses a particular C2 domain. Researchers found another SprySOCKS payload on VirusTotal with the version number 1.1, which connected to a different C2 domain. This C2 domain had multiple overlaps with a domain that is known to be a C2 of Earth Lusca.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Trend Micro has only observed the SprySOCKS malware being used by Earth Lusca at this time. However, given the fact that Chinese threat actors often share custom malware, it would not be surprising to see additional Chinese threat actors leveraging SprySOCKS in the future.”

“The malware does not seem to be incredibly complex right now, but its multiple versions indicate that it is likely still developing and maturing.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.