A Deep Dive into Recent Ransomware Activity: Analyzing the Attack Chain of REvil

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • REvil operators leverage phishing emails for initial access.
  • Post-exploitation techniques include abuse of legitimate management tools for lateral movement.
  • Discovery and impact were primarily aimed at data encryption and exfiltration.

Executive Summary

Our investigation centered on a recent incident involving the REvil ransomware strain, which highlighted the operational methods used by the actors. The attack began with an initial access vector commonly associated with phishing emails and evolved into a multi-stage exploitation chain. Through the execution, persistence, and lateral movement phases, the attackers aimed to leave a substantial impact on the victim’s infrastructure. The final stage involved data exfiltration and encryption, which is typical of REvil’s objectives.

Initial Access

During the investigation, we observed that the attack commenced with a well-crafted phishing email. The email contained a malicious attachment that mimicked a legitimate document. Once the victim opened the attachment, it executed a macro that downloaded a second-stage payload, commonly known as a dropper. This payload fetched additional components of the malware from a remote server, establishing the initial foothold within the target environment.

Execution & Persistence

The sample we examined provided insight into the execution method used by the attackers. After download, the dropper executed a PowerShell script, using an execution policy bypass to run the payload. We noted that the malware attempted to establish persistence by creating a new service with `sc create`, allowing it to restart automatically via the Windows service manager. Persistence relies on the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` registry key, where the malware registered its service under a misleading name.

Command and Control

Our analysis revealed that the implant communicated with a command and control (C2) server over HTTPS, making the traffic less conspicuous. The C2 server exhibited behaviors typical of REvil, such as the use of custom encryption for commands and responses. During the investigation, we identified the actor’s specific domain used for C2 communications, whose traffic was blended with legitimate traffic to obscure its activity. Beaconing patterns were consistent, with the implant attempting to check in every 30 seconds, giving the operators near-real-time ability to execute further commands.
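The fixed 30-second check-in described above is itself a detection signal: machine-timed connections have far less interval variation than human browsing. The following is an added example, not part of the original report, that scores each (source, destination) pair in a proxy log by the coefficient of variation of its connection intervals. The log lines and the `"<epoch> <src_ip> <dst_host> <status>"` format are constructed assumptions.

```python
"""Flag periodic outbound connections (beaconing) in proxy logs.

Added example for this report; not part of the original analysis.
Log format assumed: "<epoch_seconds> <src_ip> <dst_host> <http_status>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: 10.0.0.5 checks in to one host every ~30 s,
# while 10.0.0.7 browses a legitimate site at irregular intervals.
PROXY_LOG = """\
1700000000 10.0.0.5 cdn-update-check.example 200
1700000030 10.0.0.5 cdn-update-check.example 200
1700000061 10.0.0.5 cdn-update-check.example 200
1700000090 10.0.0.5 cdn-update-check.example 200
1700000120 10.0.0.5 cdn-update-check.example 200
1700000003 10.0.0.7 news.example 200
1700000041 10.0.0.7 news.example 200
1700000200 10.0.0.7 news.example 200
1700000215 10.0.0.7 news.example 200
1700000800 10.0.0.7 news.example 200
"""


def parse(log):
    """Group connection timestamps by (src_ip, dst_host)."""
    pairs = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        pairs[(src, dst)].append(int(ts))
    return pairs


def find_beacons(log, min_hits=4, max_cv=0.2):
    """Return (src, dst, mean_interval_s, cv) for pairs whose connection
    intervals are nearly constant.

    cv = population stddev / mean of the inter-arrival gaps; a low value
    means timer-driven traffic. max_cv=0.2 tolerates a little jitter.
    """
    results = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = float(mean(gaps))
        if m == 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            results.append((src, dst, round(m, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(PROXY_LOG):
        print(f"beacon candidate: {src} -> {dst} every {interval}s (cv={cv})")
```

Operators commonly add jitter to check-in timers, so in production the threshold is tuned against a baseline of known-good periodic traffic (update checkers, monitoring agents) rather than fixed at 0.2, and the score is combined with destination reputation and domain age.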

Lateral Movement & Discovery

The lateral movement phase demonstrated the actor’s use of legitimate tools, specifically WMIC and PsExec. These tools were employed to propagate the malware across the network. Using accounts with elevated privileges, the malware moved laterally to other endpoints, which in some cases included access to sensitive databases. We uncovered evidence that the attackers executed commands such as `wmic /node:[target] process call create [payload]`, enabling them to run processes remotely.
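Both tools leave distinctive process-creation telemetry: WMIC remote execution shows up as `wmic.exe` with a `/node:` argument and `process call create`, and PsExec shows up as the client binary targeting a `\\host` on the source and as `PSEXESVC.exe` spawned by `services.exe` on the target. The following is an added example, not part of the original report, that runs those checks over constructed Sysmon Event ID 1 style records; the field names and sample values are assumptions.

```python
"""Hunt for WMIC and PsExec lateral movement in process-creation telemetry.

Added example for this report; not part of the original analysis.
Events are Sysmon Event ID 1 style records reduced to a few fields.
"""
import re

# Constructed telemetry; hostnames and paths are illustrative only.
EVENTS = [
    {"host": "ws01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:srv02 process call create "C:\ProgramData\svc.exe"'},
    {"host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv03 -s -d C:\ProgramData\svc.exe"},
    {"host": "srv03", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},  # local inventory query, benign
]

# /node:<target> followed (anywhere later) by "process call create"
WMIC_REMOTE = re.compile(
    r'/node:"?([^\s",]+).*?\bprocess\s+call\s+create\b', re.IGNORECASE)
# PsExec client syntax: \\<target> as the first argument
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")


def classify(ev):
    """Return a finding dict for a single event, or None if it is benign."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if exe == "wmic.exe":
        m = WMIC_REMOTE.search(cmd)
        if m:
            return {"host": ev["host"], "rule": "wmic_remote_process_create",
                    "target": m.group(1)}
    elif exe in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_TARGET.search(cmd)
        return {"host": ev["host"], "rule": "psexec_client",
                "target": m.group(1) if m else "unknown"}
    elif exe == "psexesvc.exe" and ev["parent"].lower() == "services.exe":
        # Seen on the destination host: the PsExec service being installed
        return {"host": ev["host"], "rule": "psexec_service_on_target",
                "target": ev["host"]}
    return None


def hunt(events):
    """Apply classify() to every event and keep the findings."""
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(f"{finding['host']}: {finding['rule']} -> {finding['target']}")
```

Correlating the `psexec_client` finding on `ws01` with the `psexec_service_on_target` finding on `srv03` gives the source-to-target edge that an incident responder needs to scope the intrusion; administrators who legitimately use these tools should be allow-listed by account and source host rather than by tool name.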

Impact & Objectives

The ultimate goal of this attack was to encrypt the victim’s files and exfiltrate sensitive data. The ransomware executed a symmetric encryption algorithm to lock files, followed by the deployment of a ransom note that provided instructions for payment in cryptocurrency. Post-attack analysis highlighted that significant data had been exfiltrated, including personally identifiable information (PII), which amplified the incident’s severity. The actor’s tactics represented a double extortion model, leveraging not only the threat of data loss but also public exposure of the stolen data.

MITRE ATT&CK Mapping

  • T1566 – Phishing: The initial access was achieved through phishing emails containing malicious attachments.
  • T1059.001 – PowerShell: Utilized to execute the malware after initial download.
  • T1021.001 – Remote Services: Abuse of WMIC and PsExec for lateral movement.

Detection Opportunities

  • Monitor for unusual PowerShell execution patterns and script blocks.
  • Monitor the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` registry key for newly created or modified service entries.
  • Conduct network traffic analysis looking for anomalous outbound communications to newly created domains and unusual HTTP/S traffic patterns.
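The first two detection opportunities, together with the execution-policy bypass and `sc create` persistence described under Execution & Persistence, can be expressed as two host rules: flag PowerShell launched with `-ExecutionPolicy Bypass` (or an encoded command), and flag any new `ImagePath` under the Services key that points outside trusted program directories. The following is an added example, not part of the original report, that runs both rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set); the field names, paths and service names are assumptions.

```python
"""Host-side detections for PowerShell policy bypass and service persistence.

Added example for this report; not part of the original analysis.
Input is Sysmon-style telemetry: id 1 = process create, id 13 = registry SetValue.
"""
import re

# Constructed telemetry; paths and service names are illustrative only.
TELEMETRY = [
    {"id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass "
                r"-File C:\Users\jdoe\AppData\Local\Temp\stage2.ps1"},
    {"id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},  # benign admin use
    {"id": 13, "host": "ws01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdateSvc\ImagePath",
     "details": r"C:\ProgramData\WinUpdate\svc.exe"},
    {"id": 13, "host": "ws01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "details": "DWORD (0x00000002)"},  # not an ImagePath change
    {"id": 13, "host": "ws02",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorAgent\ImagePath",
     "details": r"C:\Program Files\Vendor\agent.exe"},  # trusted location
]

# -ExecutionPolicy Bypass/Unrestricted, or a long base64 -EncodedCommand blob
EP_BYPASS = re.compile(
    r"-(?:ExecutionPolicy|ep|exec)\s+(?:bypass|unrestricted)"
    r"|-(?:EncodedCommand|enc)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# ImagePath value under the Services key (Sysmon writes HKLM; accept both spellings)
SERVICES_IMAGEPATH = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)
# Directories a service binary is normally installed in (lower-case prefixes)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def analyze(events):
    """Return (host, rule, detail) tuples for events matching either rule."""
    findings = []
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            if EP_BYPASS.search(ev["cmdline"]):
                findings.append((ev["host"], "powershell_policy_bypass", ev["cmdline"]))
        elif ev["id"] == 13:
            m = SERVICES_IMAGEPATH.match(ev["target"])
            if m:
                # ImagePath may be quoted and carry arguments; judge the leading path
                path = ev["details"].lstrip('"').lower()
                if not path.startswith(TRUSTED_DIRS):
                    findings.append((ev["host"], "service_imagepath_untrusted", m.group(1)))
    return findings


if __name__ == "__main__":
    for host, rule, detail in analyze(TELEMETRY):
        print(f"{host}: {rule}: {detail}")
```

The registry rule deliberately keys on the binary location rather than the service name, because the report notes the actor chose a misleading name; a `ProgramData`, `Temp` or user-profile path for a service binary is the durable signal. Pairing the rule with a baseline of known service names per host catches renamed binaries that land in trusted directories.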

Analyst Notes

This incident highlights the ever-evolving landscape of ransomware attacks, particularly the strategic use of phishing and lateral movement tactics. Organizations must enhance their detection and prevention mechanisms through employee training on phishing threats and robust incident response planning. The ability to quickly detect and isolate compromised assets can significantly reduce the impact of such attacks. Increased focus on monitoring for lateral movement and C2 communication will be essential in mitigating risks associated with these advanced threat actors.

Source: Original Report