CTI Roundup: Threat Actors Use Self-Extracting (SFX) Archives for Backdoor Attacks

This week, CTI takes a deep dive into a CrowdStrike report about a threat actor using malicious self-extracting (SFX) archives to launch backdoor attacks. Next, CTI explores a Mandiant report highlighting the activities of an ALPHV/BlackCat ransomware affiliate observed exploiting three known Veritas Backup vulnerabilities to access target networks. Finally, CTI wraps things up with a look at a recent attack during which a previously unnamed ransomware strain, now dubbed Rorschach, was deployed against a U.S.-based company.

1. Hackers use self-extracting (SFX) archives exploit for stealthy backdoor attacks

Recent findings by CrowdStrike reveal that an unknown threat actor is leveraging malicious self-extracting (SFX) archives to gain persistent backdoor access into private networks. The archives also contain harmless decoy files to help evade detection.

What are SFX archives?

Self-extracting archives are executables created with compression software, like WinRAR or 7-Zip. They contain archived data, along with the code required to unpack it.

• Researchers are increasingly reporting having observed threat actors leveraging SFX archive files containing hidden malicious functions which are not always visible to the recipient, nor to technology-based detections.
• The executable part of the file is known as a decompressor stub; a tool for sharing compressed files with someone who lacks software for decompressing and viewing standard archive files.
• Two common types of software that allow for the creation of an SFX archive are WinRAR and 7-Zip. Both use a specific variety of decompressor stub, and both have features that can be abused by threat actors.
• SFX archives are occasionally password-protected. These are more likely to be leveraged in business environments, wherein a commercial product is being used to encrypt files, resulting in the need for a password to access them. This same method of protecting files is often used to facilitate intrusions.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“CrowdStrike analyzed multiple malicious samples of SFX archives that were either password-protected or contained benign files, but also used WinRAR setup parameters to achieve malicious execution. Their analysis found that these samples had relatively low detection rates, highlighting their ability to bypass a wide range of security tooling.”

“This is not the first time SFX files have been abused in attacks. Late last year, Kaspersky analyzed a malware campaign utilizing links to password-protected SFX files to automatically distribute RedLine stealer. That said, CrowdStrike believes the abuse of SFX archives is a trend which will likely continue into the near future.”

2. ALPHV ransomware exploits Veritas Backup Exec bugs for initial access

Mandiant recently observed an ALPHV/BlackCat ransomware affiliate actively exploiting three vulnerabilities in the Veritas Backup product to gain initial access to target networks.

The ALPHV ransomware operation — which Mandiant refers to as UNC4466 — emerged in December 2021 and is thought to be run by former members of the Darkside and Blackmatter programs that shut down abruptly to escape law enforcement pressure. Both the aforementioned ransomware operations were known to target critical infrastructure and healthcare entities, a tradition that ALPHV appears to have kept alive and well.

In March of 2021, Veritas issued an advisory detailing three critical vulnerabilities in Veritas Backup Exec 16.x, 20.x, and 21.x. At the time, Veritas stated that a known exploit for the vulnerabilities was available in the wild.

The security bugs consist of the following:

1. Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.

• CVE ID: CVE-2021-27877
• CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
• Overall CVSS Score: 8.2 (High)

2. Veritas Backup Exec could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.

• CVE ID: CVE-2021-27877
• CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
• Overall CVSS Score: 8.2 (High)

3. Veritas Backup Exec Agent could allow an attacker to use a data management protocol command to execute an arbitrary command on the BE Agent machine.

• CVE ID: CVE-2021-27878
• CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• Overall CVSS Score: 8.8 (High)

Veritas reportedly released a fix with version 21.2. But according to Mandiant, a “commercial Internet scanning service identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which may still be unpatched and vulnerable.”

BleepingComputer points out that a Metasploit module designed to exploit these vulnerabilities was released to the public in September of 2022. The code enables attackers to create a session and interact with breached endpoints.

UNC4466 allegedly began using this particular module a month after it became available.

ALPHV ransomware attack details

• UNC4466 first compromised an internet-facing Windows server running Veritas Backup Exec by using the publicly available Metasploit module.
• UNC4466 maintained persistent access to the host in this way, and following the initial compromise, leveraged the Advanced IP Scanner and ADRecon utilities to harvest information regarding the victim’s environment.
• UNC4466 was then observed downloading additional tools to the compromised host, including Lazagne, Ligolo, WinSW, RClone, and ultimately the ALPHV ransomware encryptor through the Background Intelligent Transfer Service (BITS).
• To maintain communications with the command-and-control server, UNC4466 leveraged the SOCKS5 tunneling protocol. This, the download of other tools via BITS, and the deployment of the ransomware payload were accomplished by adding immediate tasks to the default domain policy, disabling security software, and executing the encryptor.
• To escalate privileges, UNC4466 utilized Mimikatz, LaZagne, and Nanodump to steal valid user credentials.
• Finally, the threat actor evaded detection by clearing event logs and disabling Microsoft Defender’s real-time monitoring capability.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Prior to Mandiant observing this ALPHV affiliate leverage the opportunistic targeting of known vulnerabilities, ALPHV intrusions investigated by Mandiant primarily originated from stolen credentials – signaling a possible shift in this affiliate’s methodology and a break with the traditional TTPs employed by ALPHV.”

“Security researchers have constantly stressed the importance of maintaining good backups to enable recovery and minimize downtime after a ransomware attack. Unfortunately, this story serves as a reminder of what can happen when backup utilities are left unpatched and exposed to the internet.”

3. Rorschach ransomware emerges, leading experts to warn of advanced evasion strategies

Check Point Research has encountered a previously unnamed ransomware strain — now dubbed Rorschach — featuring fast encryption speeds and unique technical components and techniques, such as the use of direct syscalls.

Check Point discovered Rorschach while responding to a ransomware case against a U.S.-based company. Unlike in many other observed ransomware cases, this threat actor did not try to hide behind an alias, nor did it appear to be affiliated with any of the known ransomware groups.

A deeper dive into this ransomware revealed several rather unique features.

• The ransomware is partly autonomous, spreading itself automatically when executed on a domain controller (DC).
• The ransomware was found to be extremely flexible as well, operating on several optional arguments allowing it to change its behavior according to the operator’s needs.
• Rorschach leverages direct syscalls which is not often seen in ransomware families.

What researchers know about Rorschach

Execution flow

Rorschach execution uses three files:

1. Cy[.]exe: Palo Alto’s Cortex XDR Dump Service Tool – abused to side-load winutils[.]dll.
2. Winutils[.]dll: Packed Rorschach loader and injector – used to decrypt and inject the ransomware.
3. Config[.]ini: Encrypted Rorschach ransomware – contains all the logic and configuration.

When cy[.]exe is executed, the winutils[.]dll is loaded into memory, and runs in the context of cy[.]exe. The main Rorschach payload, config[.]ini, is then subsequently loaded into memory as well. It is decrypted and injected into Notepad, where the ransomware logic begins.

Evasion tactics

This ransomware spawns processes in a rather uncommon way, running them in SUSPEND mode and giving falsified arguments to make analysis and remediation efforts more difficult. The falsified argument consists of a repeating string of the digit “1” based on the length of the real argument. It is rewritten in memory and replaced with the real argument.

It also attempts to stop predefined services, deletes shadow volumes and backups using legitimate Windows tools, clears Windows event logs, and disables the Windows firewall.

Self-propagation

When the ransomware is executed on a Windows PC, it will automatically create a group policy, spreading itself to other machines within the domain.

To do so, it copies its files into the scripts folder of the domain controller and deletes the files from the original location. Next it will create a group policy that copies itself into the %Public% folder of all workstations in the domain. It then creates another group policy to kill certain processes via a scheduled task to invoke taskkill[.]exe. Lastly, it creates one more group policy to register a scheduled task which will run immediately upon user logon.

How Rorschach is similar to other ransomware

Rorschach’s hybrid cryptography scheme mentioned above is suspected to be borrowed from the leaked source code of Babuk ransomware.

Inspiration from Babuk can be seen in various routines including the stopping of processes and services. The code used to stop services through the service control manager seems to have been directly copied from Babuk’s source code. Similarly, the list of services to be stopped in Rorschach’s configuration is a 1:1 match to that leaked in the Babuk source code.

Rorschach also takes inspiration from LockBit. The list of languages used to stop the malware is identical to the list in LockBit v2.0. The final renaming of the encrypted files in Rorschach is implemented in the exact same way as LockBit v2.0 as well.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Rorschach seems to have borrowed many features from ransomware families whose source code leaked online at some point. Its developers appear to have combined various, cherry-picked functions to create a new and complex ransomware containing the best features of the leaked ransomware strains.”

“Rorschach’s self-propagating capabilities via group policy allow it to spread rapidly and with little to no manual interaction. Its fast encryption speed is impressive, but it seems incongruous to put such effort into encryption improvement when one considers recent research noting that ransomware actors are beginning to move away from encryption and toward pure, encryption-less extortion.”

“Time will tell whether Rorschach too begins to move away from encryption or is unique enough in its capabilities to survive and remain successful in an ever-changing threat landscape.”

---

For further reading, catch up on our recent cyber threat intelligence roundups.