March 22, 2023

A new ransomware strain named Rook has appeared recently in the cyber-crime space, declaring a desperate need to make “a lot of money” by breaching corporate networks and encrypting devices.

Researchers have taken a deep dive into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.

The Rook ransomware payload is usually delivered via Cobalt Strike, with phishing emails and shady torrent downloads being reported as the initial infection vector. The payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything that could interrupt the encryption.


The kph.sys driver from Process Hacker has been seen to come into play in process termination. Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files. After encryption it appends the “.Rook” extension to the files and then deletes itself from the compromised system.

Files encrypted by Rook

Babuk Connection

There are numerous code similarities between Rook and Babuk, a defunct RaaS whose complete source code was leaked on a Russian-speaking forum. Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.

Enumerating local drives alphabetically

Further similarities: the encryptor deletes shadow volume copies, uses the Windows Restart Manager API, and enumerates local drives. Because of these code similarities, it is believed that Rook is based on the leaked source code of the Babuk ransomware operation.
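As an added illustration (not code from the original post or from the researchers it cites), the following Python detection logic runs over constructed Sysmon-style event lines and flags the behaviours described above: vssadmin shadow-copy deletion, loading of the kph.sys driver, and a burst of files carrying the .Rook extension on one host. The pipe-separated field layout, hostnames, file paths and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (Sysmon-style, one event per line): id|kind|host|image|cmdline.
# These lines are made up for the example and are not from the original post.
EVENTS = """\
1|ProcessCreate|host01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
1|ProcessCreate|host01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
6|DriverLoad|host01|C:\\Users\\Public\\kph.sys|
11|FileCreate|host01|C:\\Users\\bob\\Documents\\q1.xlsx.Rook|
11|FileCreate|host01|C:\\Users\\bob\\Documents\\plan.docx.Rook|
11|FileCreate|host01|C:\\Users\\bob\\Pictures\\img1.jpg.Rook|
11|FileCreate|host02|C:\\Users\\ann\\notes.txt.Rook|
"""

# Matches the shadow copy deletion command the post attributes to Rook (T1490).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Number of .Rook files on a single host before raising an encryption alert (assumed value).
RENAME_THRESHOLD = 3


def parse(line):
    """Split one constructed event line into its five fields."""
    event_id, kind, host, image, cmdline = line.split("|", 4)
    return {"id": int(event_id), "kind": kind, "host": host, "image": image, "cmdline": cmdline}


def detect(events_text):
    """Return (host, tag, description) alerts for the Rook behaviours described in the post."""
    alerts = []
    rook_files = Counter()  # per-host count of files carrying the .Rook extension
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        # T1490 Inhibit System Recovery: shadow copies deleted via vssadmin.exe
        if ev["kind"] == "ProcessCreate" and SHADOW_DELETE.search(ev["cmdline"]):
            alerts.append((ev["host"], "T1490", "vssadmin shadow copy deletion"))
        # Process Hacker kernel driver loaded; used here to terminate security tooling
        if ev["kind"] == "DriverLoad" and ev["image"].lower().endswith("\\kph.sys"):
            alerts.append((ev["host"], "ProcessKill", "kph.sys driver load"))
        # Files appearing with the .Rook extension appended after encryption
        if ev["kind"] == "FileCreate" and ev["image"].lower().endswith(".rook"):
            rook_files[ev["host"]] += 1
    # Only a burst on one host is reported, to keep a single stray file from alerting
    for host, n in rook_files.items():
        if n >= RENAME_THRESHOLD:
            alerts.append((host, "Encryption", f"{n} files with .Rook extension"))
    return alerts


if __name__ == "__main__":
    for host, tag, desc in detect(EVENTS):
        print(f"{host}: [{tag}] {desc}")
```

host02 stays silent because a single renamed file is below the threshold; tune that value against your own telemetry before using the logic in production.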


Indicators of Compromise


MITRE ATT&CK
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
