Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.
ProLock = Egregor
Analysis of attacks in which Egregor was deployed revealed that the TTPs used by the threat actors are almost identical to those used by the ProLock operators.
First, initial access is always gained via QakBot, delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat, and svchost.exe.
Egregor operators rely on intimidation tactics: rather than only encrypting compromised networks, they threaten to release sensitive information on the leak site they operate. The largest ransom demand seen so far was $4 million worth of BTC.
In the span of 3 months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, 7 victims each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were located in APAC, the Middle East, and Latin America. Egregor's favourite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).
An Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.
Egregor's source code bears similarities with Maze ransomware as well. Decryption of the final payload depends on a password supplied on the command line. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.
The use of Cobalt Strike and QakBot is what to watch for when hunting for Egregor. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available in Group-IB's blog.
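The hunting points above (Rclone for exfiltration, the reused file names md.exe, rdp.bat and svchost.exe, and QakBot arriving through Excel documents) translate directly into process-creation checks. The following is an added example, not Group-IB's tooling: it runs a few heuristics over constructed Sysmon Event ID 1 style records. The field names, the sample events and the detection strings are all assumptions made for the example; the legitimate svchost.exe location check and the "Excel spawned a child" rule are standard defender heuristics that the page's naming-convention observation makes worth applying here.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# File names the page reports for both ProLock and Egregor intrusions.
ARTEFACT_NAMES = {"md.exe", "rdp.bat"}
# The real svchost.exe lives only here; the operators drop a same-named file elsewhere.
LEGIT_SVCHOST = re.compile(r"^c:\\windows\\(system32|syswow64)\\svchost\.exe$", re.IGNORECASE)
# QakBot is delivered through malicious Excel documents, so Excel spawning a child is notable.
OFFICE_PARENTS = {"excel.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields, assumed)."""
    image: str
    parent_image: str
    command_line: str


def triage(evt: ProcessEvent) -> List[str]:
    """Return the list of hunting reasons this event matches (empty if benign)."""
    reasons: List[str] = []
    image_name = ntpath.basename(evt.image).lower()
    parent_name = ntpath.basename(evt.parent_image).lower()
    cmd = evt.command_line.lower()

    # Rclone: an unrenamed binary, or the tool name on the command line.
    # A renamed rclone binary would need a hash- or config-based rule instead.
    if image_name.startswith("rclone") or "rclone" in cmd:
        reasons.append("Rclone execution (exfiltration tool)")

    # Artefact names, whether executed directly or referenced on the command line.
    tokens = set(re.split(r"[\s\\/\"']+", cmd))
    for name in sorted(ARTEFACT_NAMES & (tokens | {image_name})):
        reasons.append(f"ProLock/Egregor artefact name: {name}")

    # svchost.exe is only legitimate from the Windows system directories.
    if image_name == "svchost.exe" and not LEGIT_SVCHOST.match(evt.image):
        reasons.append("svchost.exe launched from outside System32/SysWOW64")

    if parent_name in OFFICE_PARENTS:
        reasons.append("Excel spawned a child process (macro delivery)")
    return reasons


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Run triage over a batch and keep only the events that matched something."""
    hits = []
    for evt in events:
        reasons = triage(evt)
        if reasons:
            hits.append((evt.image, reasons))
    return hits


# Constructed sample telemetry: one benign service host, four suspicious records.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", r"C:\Windows\explorer.exe", "svchost.exe"),
    ProcessEvent(r"C:\Windows\Temp\rclone.exe", r"C:\Windows\System32\cmd.exe",
                 r"rclone.exe copy C:\share remote:bucket"),
    ProcessEvent(r"C:\Windows\Temp\md.exe", r"C:\Windows\System32\cmd.exe", "md.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmd /c rdp.bat"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("   -", r)
```

Each rule on its own is noisy in a large estate (Rclone has legitimate admin uses, and md.exe is a short generic name), so the value is in correlation: the same host matching two or more of these reasons within a short window is the pattern the page describes, and that is what to escalate.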
A malware encryption service run by a Romanian duo based in Craiova and Bucharest helped hackers embed malicious code in legitimate software to bypass antivirus tools.
The pair ran online malware encryption services, also known as crypting services, dubbed CyberSeal and Dataprotector. These services were offered to cybercriminals to encrypt the code of malware, including information stealers, Remote Access Trojans, and ransomware, so that the attacks could be launched successfully.
The pair also offered the Cyberscan service, through which their cybercriminal clients could test their malware against antivirus (AV) programs. Malware authors used these services to wrap their payloads in encryption shells that bypassed most AV tools.
Over 1560 cybercriminals purchased these services and used them to improve 3000 malware strains for sophisticated attacks. For testing samples against AV scanners, the operators charged $7 to $40; for the actual crypting services, they asked $40 to $300, depending on the requirements.
By purchasing these services, cybercriminals could embed and hide their malware in legitimate software and circulate it to unsuspecting users. Cyberscan allowed attackers to test their malware strains against AV tools.
The duo had been offering crypting services since 2010. They launched the CyberSeal service in 2014 and Dataprotector in 2015. The Cyberscan service was comparatively new, having been launched in 2019.
Romanian police obtained search warrants to locate the suspects. The police raided four homes, including the suspects' houses in Craiova and Bucharest, and discovered back-end servers in Romania, the USA, and Norway. Finally, the CyberSeal (cyber-seal.org) and Cyberscan (cyberscan.org) websites are now offline.
Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.
RaaS portals work by providing ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using the options the RaaS provides, and then deploy it in real-world attacks via a method of their choosing.
Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, which keeps a small percentage and forwards the rest to the affiliate.
RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.
The RaaS tiers
According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking
While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.
But not all RaaS offerings provide the same features. Intel 471 says it has been tracking these services across three tiers, depending on the RaaS' sophistication, features, and proven history.
Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, an operation has to have been around for months, proven the viability of its code through a large number of attacks, and continued to operate despite public
This tier includes the likes of REvil, Netwalker, DoppelPaymer, Egregor (Maze), and Ryuk.
With the exception of Ryuk, all Tier 1 operators also run dedicated "leak sites" where they name and shame victims as part of their well-oiled extortion cartel.
These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers of compromised RDP credentials).
Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.
This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.
Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there is limited to no information available. In some cases, it is unclear whether any of these are still up and running or whether their authors gave up after trying and failing to get their portals off the ground.
This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.
All in all, while the underground cybercrime ecosystem generates its profits through criminal activity, it is still a market, and it is governed by the same principles as any other market today.
A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.
A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years. The group appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.
The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, with targets in Malaysia, Taiwan, and the Philippines, and with most victims located in Vietnam.
The payloads consist of three malware strains: Chinoxy, PCShare, and FunnyDream.
Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.
PCShare, a known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.
FunnyDream was deployed with the help of PCShare and was the most potent and feature-rich of the three; it had more advanced persistence and communication capabilities and was used for data gathering and exfiltration.
"Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities," alongside living-off-the-land tools.