January 23, 2022

TheCyberThrone

Thinking Security ! Always

Rook Ransomware With Shades of Babuk

A new ransomware strain named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make “a lot of money” by breaching corporate networks and encrypting devices.

Researchers have taken a deep dive into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.

The Rook ransomware payload is usually delivered via Cobalt Strike, with phishing emails and shady torrent downloads being reported as the initial infection vector. The payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything that could interrupt the encryption.

Advertisements

Its been seen the kph.sys driver from Process Hacker come into play in process termination. Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files. Once after the encryption it will append the “.Rook” extension and then delete itself from the compromised system.

Files encrypted by Rook

Babuk Connection

A numerous code similarities between Rook and Babuk, a defunct RaaS that had its complete  source code leaked on a Russian speaking forum. Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.

Enumerating local drives alphabetically

Similarities include the encryptor deletes shadow volume copies, uses the Windows Restart Manager API, and enumerates local drives. Due to these code similarities, it’s believed that Rook is based on the leaked source code for the Babuk Ransomware operation.

Advertisements

Indicators of Compromise

SHA1
104d9e31e34ba8517f701552594f1fc167550964
19ce538b2597da454abf835cff676c28b8eb66f7
36de7997949ac3b9b456023fb072b9a8cd84ade8

SHA256
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

MITRE ATT&CK
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery

%d bloggers like this: