CTI Roundup: LockBit Update, Earth Freybug Deploys UNAPIMON Malware

In this week’s roundup, CTI looks at a report from Trend Micro which covers law enforcement’s previous disruption of LockBit — including their analysis of a ransomware version that was in development at the time of the disruption. Next, CTI explores a recent Sophos report that assesses the impact that ransomware attacks have. Finally, CTI wraps up with an overview of a threat actor known as Earth Freybug that is using a new malware called UNAPIMON.

1. Law enforcement’s impact on LockBit

Trend Micro has released a report that investigates law enforcement’s previous disruption of LockBit, including details of how LockBit continued to operate following the disruption. The report also includes an analysis of a LockBit ransomware version that was in development at the time of the disruption.

About LockBit’s takedown

Data leak sites associated with LockBit began showing a 404 error message on February 19. This was the result of Operation Cronos, a law enforcement effort designed to take down LockBit’s infrastructure.

An hour after Trend Micro observed this error message on the site, it came back online with a law enforcement splash page confirming the sites were under the control of law enforcement. Next, law enforcement updated the site to mimic LockBit’s traditional page but included content related to press releases, indictments, and arrests.

On this page law enforcement also referenced LockBitSupp, the supposed mastermind behind LockBit, noting that the account had been banned from cybercrime forums like Exploit and XSS. The page also included an announcement that decryption keys would be made available for victims.

Law enforcement went on to leak details of the admin panel and revealed that they were able to access chats between affiliates and victims, helping them to identify victims. They were able to identify 193 affiliate accounts in addition to various testing accounts and the admin account.

About LockBit-NG-Dev

Trend Micro obtained and analyzed a sample of LockBit-NG-Dev, which they believe is another version of the ransomware that’s in development.

Trend Micro’s analysis of this version was also published on the leak site seized by law enforcement. This version was different from previous LockBit variants being written in .NET, compiled via CoreRT, and is platform agnostic.

LockBit activity post-disruption

In response to the disruption, LockBitSupp announced that it planned to create new Onion sites. On an underground forum, the group revealed that they were looking to buy .gov, .edu, and .org domains, signaling an intent to attack government organizations.

The new LockBit leak site seemed promising but with LockBitSupp still banned from multiple forums it didn’t seem like it was going to take off. After the disruption, there was a very clear drop in the true number of LockBit attacks.

Analyst comments from Tanium’s Cyber Threat Intelligence team

LockBit tried to stay afloat following a disruption by law enforcement, going as far as to re-post old data on their site and to modify the file tree to appear recently updated. This coordinated disruption between multiple law enforcement agencies was key in ensuring that LockBit would not be able to immediately return to normal operations.

This does not, however, mean that LockBit will never return. After all, agencies often fail to completely take down cybercriminals, and sometimes just disrupt them for a short period of time. It’s also worth remembering that threat groups often rebrand, meaning that the sophisticated creators and affiliates of LockBit may still be out there.

2. Unpatched vulnerabilities contribute to ransomware attacks

A recent report by Sophos looks at the impact of ransomware attacks and reveals that those stemming from the exploitation of unpatched vulnerabilities have a greater impact compared to those stemming from compromised credentials.

The report explores how attack outcomes tend to differ depending on the root cause, comparing the financial impact, operational impact, and overall severity.

Ransomware attacks stemming from unpatched vulnerabilities

Sophos found that roughly 32% of ransomware attacks begin with the exploitation of an unpatched vulnerability.

This number changes when looking at individual sectors with the highest sectors (energy, oil/gas, and utilities) having 49% of their ransomware attacks starting from vulnerabilities.

Sophos also found that this percentage increases depending on the size of the organization which is often since larger organizations have bigger attack services and thus more technologies to maintain.

Increased severity

As noted, Sophos found that ransomware attacks stemming from an exploited vulnerability are more severe — particularly among backup compromises, data encryption, and ransom payments.

• 75% of ransomware attacks that attempted to compromise backups were successful when the attack began with an exploited vulnerability compared to those starting with compromised credentials.
• 67% of attacks resulted in data encryption when they started with an exploited vulnerability compared to 43% that started with compromised credentials.
• 71% of compromised organizations had their data encrypted when the attack began with an exploited vulnerability compared to only 45% that began with compromised credentials.

Increased financial and operational impact

It should not come as a surprise that having unpatched vulnerabilities in your environment can put your organization at risk. Sophos found that ransomware attacks starting with an exploited vulnerability have a larger financial and operational impact than those that began with compromised credentials.

The survey found that the root cause did not change the overall amount of the ransom payment but did have an impact on who funded the payment. For example, 31% of organizations funded the full payment in-house when the attack began with a vulnerability, compared to only 2% when the attack began with compromised credentials.

Operationally, 45% of attacked organizations took longer than a month to recover when the attack began with an exploited vulnerability, and 37% took more than a month when it began with compromised credentials.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Sophos has included their own recommendations to protect against ransomware attacks stemming from unpatched vulnerabilities but it really all boils down to one thing: patching.

Patching, especially timely patching, is critical in helping to reduce the risk of ransomware attacks and other cyberattacks. Since not all ransomware attacks begin with vulnerabilities, it is equally as important to have continuous monitoring to be able to respond to all types of suspicious activities.

As Sophos notes, ‘technology alone cannot stop every attack’ and skilled defenders are necessary.

3. Earth Freybug deploys UNAPIMON malware

An actor known as Earth Freybug (a subset of APT41) was observed using a new malware called UNAPIMON.

The actor relies on living-off-the-land binaries along with custom malware, like the new UNAPIMON, to carry out its espionage activities. In the latest campaign, the actor adopted techniques like DLL hijacking and API unhooking.

UNAPIMON’s attack flow

The attack begins with a process called vmtoolsd.exe to create a scheduled task that subsequently launches a pre-deployed batch file in the remote machine.

The processes used in the attack flow are legitimate components of VMware and Windows.

Reconnaissance

After the scheduled task is triggered a previously deployed batch file is executed on the remote machine.

The batch file executes several commands to gather information about the infected system and stores it in a text file. Another scheduled task is then set up to execute another batch file and launch a backdoor.

DLL side loading

The second batch file leverages a service called SessionEnv to load a nonexistent library to side-load a malicious DLL. As part of the process, a DLL is dropped that was determined to be UNAPIMON malware.

A closer look at UNAPIMON malware

UNAPIMON is a DLL malware that is pretty basic as it is not packed or obfuscated. The malware has several techniques that prevent child processes from being monitored.

When it is loaded it creates an event object for synchronization and begins the hooking thread. It will install a hook using Microsoft Detours which is an open-source package from Microsoft that is used to monitor and instrument API calls on Windows devices. This will redirect calls from a process where the DLL Is loaded to the hook, thus its main purpose is to unhook critical API functions in child processes.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This threat actor has been around for a long time and has remained successful because of its ability to evolve its TTPs.

As this latest attack demonstrates, simple techniques can be incredibly successful for threat actors while at the same time making it more difficult for defenders to identify them.

Many threat actors are adopting this ‘back to the basics’ mentality, as it has proven to be effective.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.