August 15, 2022

TheCyberThrone

Thinking Security ! Always

Sabbath Ransomware!


A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada. The group is a rebrand of the Arcane and Eruption gangs, which were observed last year deploying the ROLLCOAST ransomware. Security researchers noticed a post on the exploit.in hacking forum looking for affiliates for a new ransomware operation run by this new group, named 54BB47h (Sabbath), which targets infrastructure in the United States and Canada.


Sabbath operators provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

The ransomware operator has been observed on two occasions providing its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. Use of BEACON is common practice in ransomware intrusions, but a BEACON payload supplied by the operator of a ransomware affiliate program is unusual: it complicates attribution efforts while also offering additional avenues for detection.

The ROLLCOAST ransomware runs in memory and checks the system language to avoid infecting systems in Russia and other Commonwealth of Independent States member countries. ROLLCOAST also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in the ignored directories, files, and extensions, including the ignored extension “.lolz”.

“UNC2190 is a lesser known and potentially a smaller ransomware affiliate group and has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”


Indicators Of Compromise

MALWARE FAMILY          IOC (SHA-256)
BEACON                  da92878c314307a5e5c9df687ec19a402d93126b3818e5fb6b7241ab375d1e12
BEACON                  0fb410b9a4d32a473b2ee28d4dc5e19a64524e107b980fc1ce8de2ad0dcc3302
BEACON                  298662f3fed24d757634a022c16f4124919b653f8bf7717e4f7a5b7d741729c0
BEACON                  afd61168c1fae6841faa3860dca0e5839f1b7a3169184a1c04de5a9b88adfe5d
BEACON                  a053408747e9b32721d25c00351c4ce9286208e8714780416f18cbe2536672a9
BEACON                  b2ffd7d83e004308a97355a18529fe3528dcbbd7901fb28aaad9d46194469947
BEACON                  e302a958856208adeab4ab3cd6d2991e644798fabd57bb187a0aede314a4baa0
BEACON                  8ddb23c90cb4133b4624127a1db75335a51e90d557c01e996ce33fe23f638e71
BEACON                  1bbb11e526141af7bafb5d4db3671b1a01bb277fda047920995c1f2a4cb6654c
BEACON                  1cd586852d2c06b0f7209c7a4da8f3d0de794f92e97b7c4405ad71c859dc2f50
BEACON                  79b47780382f54ca039ad248d8241e42a7ed6b1e4b75af836890e4e46c0f8737
BEACON                  f4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
BEACON                  3edb237aeee6efad6f21f0f2c2037ec0f9f817197432de9759b0a772a4c8f311
BEACON                  a4891cc85802833d9a89e2522a42a7e3c8dc6de1d2bbed5945497ee4006c8ddb
BEACON                  756ed760cbf4b35054c78a75009f748f0f6cd5eb2cbd44bb3a2d964da3c419cf
BEACON                  87cdcbc55aed4267f47a913b17f4bc697634bf633659c639f87a4dbf00f853c1
BEACON                  a8741f6f400c7fedfbdc7a298ab4a636be42d379eb4ecc3cccd81eadca09f8d0
BEACON                  5a6b7569c2b8e91f5bd8a67322af384cfad5ddaf3ea9de271093a0879b88c438
BEACON                  f883f7d7c068b6f1eb62804591d748c28c584fbfb769628d9567c22aa00f26f6
ROLLCOAST ransom note   e25f2284fc6e80011587bf95829d8ff30ecae06a2d2bbe494d8af3bd05f9e43f
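The hash list above is only useful if it is actually swept against disk. The script below is an added example written for this post (not code from the post's author or from the vendor that published the indicators): it parses the indicator table exactly as it appears here (family name followed directly by the SHA-256), streams the hash of every regular file under a directory, and reports any file whose digest is on the list. The demo() run writes two constructed files into a temporary directory and adds a constructed marker hash to the indicator set so that the match path is exercised; the marker is not malware and is labelled as such in the code. Keep in mind that exact-hash matching only catches byte-identical samples; a repacked BEACON will not hit, so use this alongside behavioural and network detection rather than instead of it.

```python
"""Offline SHA-256 IoC sweep using the indicators published in this post (added example)."""
import hashlib
import os
import re
import tempfile

# The post's indicator table as published: family name immediately followed by the SHA-256.
IOC_TEXT = """
BEACONda92878c314307a5e5c9df687ec19a402d93126b3818e5fb6b7241ab375d1e12
BEACON0fb410b9a4d32a473b2ee28d4dc5e19a64524e107b980fc1ce8de2ad0dcc3302
BEACON298662f3fed24d757634a022c16f4124919b653f8bf7717e4f7a5b7d741729c0
BEACONafd61168c1fae6841faa3860dca0e5839f1b7a3169184a1c04de5a9b88adfe5d
BEACONa053408747e9b32721d25c00351c4ce9286208e8714780416f18cbe2536672a9
BEACONb2ffd7d83e004308a97355a18529fe3528dcbbd7901fb28aaad9d46194469947
BEACONe302a958856208adeab4ab3cd6d2991e644798fabd57bb187a0aede314a4baa0
BEACON8ddb23c90cb4133b4624127a1db75335a51e90d557c01e996ce33fe23f638e71
BEACON1bbb11e526141af7bafb5d4db3671b1a01bb277fda047920995c1f2a4cb6654c
BEACON1cd586852d2c06b0f7209c7a4da8f3d0de794f92e97b7c4405ad71c859dc2f50
BEACON79b47780382f54ca039ad248d8241e42a7ed6b1e4b75af836890e4e46c0f8737
BEACONf4ac75a045acee2cadbe9fa0e02bfd4ab4124018e00193930966b8141351115f
BEACON3edb237aeee6efad6f21f0f2c2037ec0f9f817197432de9759b0a772a4c8f311
BEACONa4891cc85802833d9a89e2522a42a7e3c8dc6de1d2bbed5945497ee4006c8ddb
BEACON756ed760cbf4b35054c78a75009f748f0f6cd5eb2cbd44bb3a2d964da3c419cf
BEACON87cdcbc55aed4267f47a913b17f4bc697634bf633659c639f87a4dbf00f853c1
BEACONa8741f6f400c7fedfbdc7a298ab4a636be42d379eb4ecc3cccd81eadca09f8d0
BEACON5a6b7569c2b8e91f5bd8a67322af384cfad5ddaf3ea9de271093a0879b88c438
BEACONf883f7d7c068b6f1eb62804591d748c28c584fbfb769628d9567c22aa00f26f6
ROLLCOAST ransom notee25f2284fc6e80011587bf95829d8ff30ecae06a2d2bbe494d8af3bd05f9e43f
"""

# A family label followed directly by exactly 64 hex characters at end of line.
# The lazy group lets "ROLLCOAST ransom note" + "e25f..." split correctly even
# though the label ends in a hex letter.
_IOC_LINE = re.compile(r"^(?P<family>.+?)(?P<sha256>[0-9a-fA-F]{64})$")


def parse_ioc_lines(lines):
    """Map lowercase SHA-256 -> family for every line in the post's layout; skip the rest."""
    iocs = {}
    for line in lines:
        m = _IOC_LINE.match(line.strip())
        if m:
            iocs[m.group("sha256").lower()] = m.group("family").strip()
    return iocs


IOC_SHA256 = parse_ioc_lines(IOC_TEXT.splitlines())


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(path, family, sha256)] for files whose digest is in iocs.
    Symlinks are skipped so a planted link cannot pull the sweep outside the tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file; a production sweep should log this
            if digest in iocs:
                hits.append((path, iocs[digest], digest))
    return hits


def demo():
    """Constructed run: one benign file, one file matching a constructed marker hash."""
    marker = b"constructed sample, not malware"  # constructed, not a real indicator
    iocs = dict(IOC_SHA256)
    iocs[sha256_bytes(marker)] = "TEST-MARKER (constructed)"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")
        os.mkdir(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "sample.bin"), "wb") as f:
            f.write(marker)
        hits = scan_tree(root, iocs)
    return [(os.path.basename(p), family) for p, family, _ in hits]


if __name__ == "__main__":
    for name, family in demo():
        print(f"HIT {family}: {name}")
```

For a real sweep, replace demo() with scan_tree("/path/to/check", IOC_SHA256) and feed the hits into your case management rather than printing them; the parser also accepts a cleaner "FAMILY<whitespace>sha256" feed, since the label group tolerates trailing spaces.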