In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. Since early 2021, Lorenz has been employing double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is paid by a specified date.
Recent investigations by NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have uncovered significant deviations in Lorenz’s Tactics, Techniques, and Procedures (TTPs), shedding light on the group’s evolving strategies.
Key TTP changes:
New encryption extension – .sz41
Random strings for file and schedule task names
Binaries to create local admin accounts for persistence
Scheduled tasks to conduct enumeration
New encryption method – DLL – RSA using current time epoch as seed (predictable)
Changing Encryption Extensions
One notable shift observed in Lorenz’s recent activities is a change in their encryption extension. Previously, the group used the extensions ‘Lorenz.sz40’ or ‘.sz40’; however, during the recent compromise, a new extension, ‘.sz41,’ was identified. While seemingly minor, these extensions often serve as the group’s signature, making this change noteworthy. A change in the encryption extension can also indicate a change in the encryption methods being used.
File and Task Naming Conventions
During the investigation, the threat actor preferred randomly generated strings of the form ‘[A-Z]{0-9}’ for file names and scheduled task names. This includes the ransom note, now named ‘HELP__[A-Za-z]{0-9}__HELP.html’, in contrast to the previously reported ‘HELP_SECURITY_EVENT.html’. This demonstrates the group’s adaptability and their attempts to subvert known Indicators of Compromise.
Malicious File: Wininiw.exe
A key discovery during the investigation was the presence of ‘Wininiw.exe’ in the ‘C:\Windows\*’ directory on compromised systems. The threat actor utilized this executable to modify the local Windows Registry, creating a new user with a specified password, and adding it to the Administrator group. Although the threat actor already had Administrator privileges, the creation of a new user may serve as a backup persistence mechanism.
Scheduled Tasks
To conduct enumeration, the threat actor utilized Scheduled Tasks to execute command prompt to run built-in commands. These commands matched previously reported TTPs, and primarily consisted of searching the device for cleartext passwords and dumping the result to C:\Windows\Temp. It is likely the threat actor used Scheduled Tasks to automate enumeration and to ensure their commands were being executed with SYSTEM privileges.
Encryption
We observed the threat actor employing a DLL named ‘[A-Z]{0-9}.sz41’, located in the ‘C:\Windows\*’ directory. This DLL was responsible for both the encryption process and the creation of the ransom note. Notably, the encryption technique deviated from previously documented methods.
In this instance, the threat actor used the current epoch time as the seed for a random number generator, which was then used to generate a passphrase from which the encryption key was derived. This makes the key predictable: a seed that is a Unix timestamp in seconds has only 86,400 possible values per day, so if the period during which encryption occurred is known (for example from file system timestamps), the candidate keys can be enumerated and tested against a known file header. The DLL also contained a significant amount of dead code that never executes, indicating it has been iterated upon and possibly customised for the victim’s environment.
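To make the predictability concrete, the following Python is an added illustration written for this page; it is not Lorenz code, and NCC Group did not publish the generator, the passphrase charset or the key derivation. The PRNG (Python's Mersenne Twister), the 32-character alphanumeric passphrase, SHA-256 as the KDF and the SHA-256 counter-mode stream cipher are all assumptions standing in for whatever the DLL uses. What the example shows is the property that matters for recovery: when the only secret input is a Unix timestamp, a responder who can bound the encryption time has at most 86,400 candidate seeds per day, and a known file header is enough to test them.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_letters + string.digits   # assumed passphrase charset
PASSPHRASE_LEN = 32                                # assumed passphrase length


def passphrase_from_epoch(epoch: int) -> str:
    """Model of the weak generator: a PRNG seeded only with the Unix time in seconds."""
    rng = random.Random(epoch)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))


def derive_key(passphrase: str) -> bytes:
    """Stand-in KDF: SHA-256 of the passphrase (the real derivation is not described)."""
    return hashlib.sha256(passphrase.encode()).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) keystream XORed over data.
    Only the key-derivation weakness matters here; any cipher keyed this way is equally exposed."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_epoch(ct_head: bytes, known_pt_head: bytes, window_start: int, window_end: int):
    """Try every second in the suspected encryption window against a known plaintext prefix
    (for example a file magic). Returns (epoch, key) on success, None if the window was wrong.
    With an 8-byte known prefix a false positive has probability 2**-64 per candidate."""
    for epoch in range(window_start, window_end + 1):
        key = derive_key(passphrase_from_epoch(epoch))
        if keystream_xor(key, ct_head) == known_pt_head:
            return epoch, key
    return None


def demo():
    """Constructed scenario: a PDF encrypted at a time the responder knows only to within +/- 1 hour."""
    secret_epoch = 1_700_000_123                      # constructed; unknown to the responder
    plaintext = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\nconstructed document body"
    ciphertext = keystream_xor(derive_key(passphrase_from_epoch(secret_epoch)), plaintext)
    window = (secret_epoch - 3600, secret_epoch + 3600)  # bounded from MFT timestamps, EDR telemetry, etc.
    hit = recover_epoch(ciphertext[:8], b"%PDF-1.7", *window)
    if hit is None:
        return None
    epoch, key = hit
    # Decrypt the whole file with the recovered key and confirm it round-trips.
    return epoch, keystream_xor(key, ciphertext) == plaintext


if __name__ == "__main__":
    print(demo())
```

A two-hour window is 7,201 candidates and a full day is 86,400; both run in well under a second here, which is why seeding from the clock is a decryption opportunity rather than a curiosity. The check a responder wants is to pin the encryption window as tightly as possible from timestamps on the first and last encrypted files.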
As ransomware gangs continue to evolve their tactics, organisations must remain vigilant and adapt their cybersecurity strategies accordingly. The recent investigation by NCC Group underscores the importance of continuous monitoring and analysis to stay ahead of ransomware threats. By understanding the evolution of Lorenz’s recent activities, organisations and cyber defenders can be better prepared to identify ransomware precursors and mitigate the risk associated with ransomware groups.
Indicators of Compromise
IoC – Type
“cmd.exe” /Q /C (copy \\<Domain>\NETLOGON\report.txt c:\Windows\WinIniw.exe dir dir start /b c:\Windows\WinIniw.exe dir) – Command line
If you think your organisation may have been compromised based on any of the above indicators, please contact our 24/7 Cyber Incident Response Team immediately to conduct an assessment.
NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Connect Secure VPN using the following zero-day vulnerabilities reported by Volexity on 10/01/2024:
CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2
CVE-2024-21887 – a command-injection vulnerability found in multiple web components with a CVSS score of 9.1
By combining these vulnerabilities threat actors can quickly access a network and obtain domain administrator privileges.
New TTPs
There is a wealth of excellent information from the cybersecurity community detailing the subsequent tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) observed since the public reporting on the Ivanti zero-day. This blog focuses on the exploitation of specific CVEs that, when used together, could be particularly damaging.
T1068 – Privilege Escalation – Exploitation for Privilege Escalation
NCC Group has assisted a number of clients who are dealing with the Ivanti Connect Secure VPN zero-day, and in the process of doing so we identified what we believe to be follow-on actions that attempted to leverage CVE-2021-42278 and CVE-2021-42287.
These are vulnerabilities in Active Directory (sAMAccountName spoofing and a Kerberos KDC name-confusion flaw respectively, often referred to together as ‘noPac’) that when combined allow a regular domain user to impersonate a domain administrator. The attacker creates a computer account, renames it to a domain controller’s name without the trailing ‘$’, requests a Kerberos TGT for that name, renames the account back, and then uses the TGT to request a service ticket; the KDC, failing to find an account with the spoofed name, appends ‘$’ and issues the ticket in the context of the real domain controller account.
In order to exploit these in an environment there needs to be a domain controller present that is not patched against these vulnerabilities, the threat actor needs access to a regular domain user account, and the domain’s ms-DS-MachineAccountQuota attribute must be above zero (the default is 10) so that the user can create a computer account.
This activity shows that threat actors are quickly attempting lateral movement and privilege escalation once they have gained a foothold on a compromised Ivanti Connect Secure VPN.
Detection
If you have Ivanti Connect Secure VPNs in use, then it is advised to do the following to check if you are vulnerable to this attack or if it has been attempted in your organization:
Check that all of your domain controllers are patched against CVE-2021-42278 and CVE-2021-42287.
Check domain controller logs for suspicious activity coming from the Ivanti appliance, specifically the following:
Windows Security Log Event ID 5156 – The Windows Filtering Platform has permitted a connection
Windows Security Log Event ID 4673 – A privileged service was called
Windows Security Log Event ID 4741 – A computer account was created
Windows Security Log Event ID 4724 – An attempt was made to reset an account’s password
Windows Security Log Event ID 4742 – A computer account was changed
Windows Security Log Event ID 4781 – The name of an account was changed
If you have been affected by the Ivanti vulnerability and see above activity that coincides with compromise you should invoke your incident response plan immediately and investigate further.
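The following Python is an added example (not NCC Group tooling) of the correlation a defender would run over the events listed above to spot the sAMAccountName spoofing step. The sample events are constructed, the domain controller names, the appliance address and the 30-minute window are assumptions, and the event records are reduced to the fields the logic needs. Because 4741, 4742 and 4781 carry the subject's Logon ID but no network address, the source IP is recovered by joining on the preceding 4624 logon event.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real logs), reduced to the fields the logic needs.
# 4624 = logon (carries the source address for a Logon ID); 4741 = computer account created;
# 4742 = computer account changed; 4781 = account renamed.
SAMPLE_EVENTS = [
    {"time": "2024-01-12T09:13:50", "id": 4624, "logon_id": "0x3E7F21", "account": "jsmith", "source_ip": "10.20.30.40"},
    {"time": "2024-01-12T09:14:02", "id": 4741, "logon_id": "0x3E7F21", "subject": "jsmith", "target": "WIN-ATK01$"},
    {"time": "2024-01-12T09:14:05", "id": 4742, "logon_id": "0x3E7F21", "subject": "jsmith", "target": "WIN-ATK01$"},
    {"time": "2024-01-12T09:14:09", "id": 4781, "logon_id": "0x3E7F21", "subject": "jsmith", "old_name": "WIN-ATK01$", "new_name": "DC01"},
    {"time": "2024-01-12T09:14:30", "id": 4781, "logon_id": "0x3E7F21", "subject": "jsmith", "old_name": "DC01", "new_name": "WIN-ATK01$"},
    # benign: helpdesk renames a workstation, trailing '$' kept, no DC name involved
    {"time": "2024-01-12T10:00:00", "id": 4624, "logon_id": "0x4A0001", "account": "helpdesk", "source_ip": "10.1.1.5"},
    {"time": "2024-01-12T10:00:10", "id": 4741, "logon_id": "0x4A0001", "subject": "helpdesk", "target": "LAPTOP-77$"},
    {"time": "2024-01-12T10:30:00", "id": 4781, "logon_id": "0x4A0001", "subject": "helpdesk", "old_name": "LAPTOP-77$", "new_name": "LAPTOP-78$"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}     # assumed: your own DC inventory, upper-case
VPN_APPLIANCE_IPS = {"10.20.30.40"}       # assumed: internal address of the Ivanti appliance
WINDOW = timedelta(minutes=30)            # assumed: how close creation and rename must be


def find_samaccountname_spoofing(events, dcs=DOMAIN_CONTROLLERS, vpn_ips=VPN_APPLIANCE_IPS, window=WINDOW):
    """Flag a freshly created computer account (4741) that is renamed (4781) within `window`
    to a name that drops the trailing '$' and collides with a DC name. That rename is the
    CVE-2021-42278 step; the TGT obtained under the spoofed name is what CVE-2021-42287 abuses."""
    logon_source = {}   # logon_id -> (account, source_ip) from 4624
    created = {}        # computer account name (upper) -> creation time from 4741
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624:
            logon_source[ev["logon_id"]] = (ev["account"], ev["source_ip"])
        elif ev["id"] == 4741:
            created[ev["target"].upper()] = t
        elif ev["id"] == 4781:
            old, new = ev["old_name"].upper(), ev["new_name"].upper()
            if old in created and not new.endswith("$") and new in dcs and t - created[old] <= window:
                _, src = logon_source.get(ev["logon_id"], ("?", "?"))
                findings.append({
                    "account": old,
                    "renamed_to": new,
                    "subject": ev["subject"],
                    "source_ip": src,
                    "from_vpn_appliance": src in vpn_ips,
                    "seconds_after_creation": int((t - created[old]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in find_samaccountname_spoofing(SAMPLE_EVENTS):
        print(finding)
```

The same Logon ID join gives the originating address for the 4724 password reset and the 4742 change that precede the rename. Any hit should be paired with a check of the domain's ms-DS-MachineAccountQuota attribute: if it is still at its default of 10, an ordinary user can create the computer account that starts the chain.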
Mitigation
The good news is that mitigation for this issue is relatively straightforward. The following should be considered:
Patch all domain controllers against the underlying CVEs
Set the ms-DS-MachineAccountQuota attribute to zero so that standard users cannot create computer accounts
Please ensure to test the impact of any changes within your environment before applying mitigations.
Conclusion
It appears that threat actors are rapidly stringing CVEs together to take advantage of the access the Ivanti zero-day has provided. NCC Group has not been able to attribute the attacks at this time or determine what the end objectives were, as the attacks were interrupted.
The Ivanti issue does present an opportunity for initial access brokers to plant backdoors in environments however, leading to the possibility of follow on action taking place weeks or months after the initial compromise of the Ivanti Connect Secure VPN.
It underscores how important it is that there is a thorough investigation of the wider environment if an Ivanti compromise is detected.
If you think you are experiencing an attack contact our 24/7 incident response team using this link.
This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.
Below is a summary of the findings presented in this blog post:
Initial access gained via a publicly disclosed vulnerability in an externally facing server
Use of vulnerable drivers to disable security controls
Remote Desktop Protocol was used for Lateral Movement
Access persisted through tunnelling RDP over SSH
Exfiltration of data via Mega
Execution of ransomware via scheduled task
NoEscape
NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.
Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.
Incident Overview
NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.
The threat actor appeared opportunistic, with the objective of monetary gain through double extortion: ransomware combined with data exfiltration. However, they appeared low skilled, taking a kitchen-sink approach to disabling antivirus and dumping credentials: multiple different tools were deployed to do the same job, a noisy approach seldom seen from more sophisticated threat actors.
A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.
Timeline
T – Initial Access gained via webshell
T+1 min – Initial recon and credential dumping activity
T+9 min – Secondary access method established via Plink
T+18 days – Second phase of credential dumping activity
T+33 days – Data Exfiltration
T+33 days – Ransomware Executed
Mitre TTPs
Initial Access
T1190 – Exploit Public-Facing Application
In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.
Web shells were uploaded to the victim’s Microsoft Exchange server and gave the threat actor an initial foothold on the network.
Execution
T1059.001 – Command and Scripting Interpreter: PowerShell
PowerShell was utilised by the threat actor, using the Windows Defender cmdlet Set-MpPreference to exclude specific paths from scanning. This was an attempt to ensure the web shells were not detected and remediated by the antivirus.
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.
net localgroup administrators
cmd.exe /c net group "REDACTED" /domain
cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
T1053.005 – Scheduled Task
As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.
Persistence
T1505.003 – Server Software Component: Web Shell
Web Shells provided the threat actor continued access to the estate through the initial access vector.
Privilege Escalation
T1078.002 – Valid Accounts: Domain Accounts
The threat actor gained credentials for valid domain accounts, which were used for the majority of lateral movement and execution.
T1078.003 – Valid Accounts: Local Accounts
The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.
Defence Evasion
T1562.001 – Impair Defences: Disable or Modify Tools
The threat actor showed their potential lack of experience: rather than deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach to disabling the deployed EDR and AV.
File – Description
Gmer.exe – GMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR
aswArPot.sys – An Avast antivirus driver deployed by threat actors to disable antivirus solutions
mhyprot2.sys – Genshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes
Credential Access
T1003 – Credential Dumping
Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.
File – Description
CSDump.exe – Unknown dumping tool (no longer on disk)
Fgdump.exe – A tool for mass password auditing of Windows systems by dumping credentials from LSASS
MemoryDumper.exe – Creates an encrypted memory dump of the LSASS process to facilitate offline cracking of password hashes
Discovery
T1087.001 – Account Discovery: Local Account
A number of inbuilt Windows commands were used to enumerate the local administrators on the host and the members of a domain group:
net localgroup administrators
net group "REDACTED" /domain
T1018 – Remote System Discovery
Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:
netdom query /d:REDACTED PDC
Lateral Movement
T1021.001 – Remote Desktop Protocol
Valid domain credentials were obtained by dumping the LSASS process; these accounts were then used to move laterally across the environment via RDP.
Command and Control
T1572 – Protocol Tunnelling
A secondary method of access was deployed by the threat actor, in case the initial access vector was closed, by deploying PuTTY Link (Plink) onto multiple hosts in the environment. An SSH tunnel was created to expose RDP access to the host from a public IP address owned by the threat actor.
The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.
Exfiltration
T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
As has become common when data is exfiltrated from a victim’s estate in recent years, the MegaSync.exe utility was used to exfiltrate data directly to Mega’s cloud storage platform.
Impact
T1486 – Data Encrypted for Impact
The encryptor targeted all files on the C:\ drive except those with the below extension:
Tactic – Technique – ID – Description
Initial Access – Exploit Public-Facing Application – T1190 – The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited
Execution – Command and Scripting Interpreter: PowerShell – T1059.001 – PowerShell was utilised to add an exclusion path to the antivirus to prevent the web shells from being detected
Execution – Command and Scripting Interpreter: Windows Command Shell – T1059.003 – Native Windows commands were utilised during the discovery phase of the endpoint and victim estate
Execution – Scheduled Task – T1053.005 – A scheduled task was utilised to execute the ransomware binary
Persistence – Server Software Component: Web Shell – T1505.003 – Web shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities
Privilege Escalation – Valid Accounts: Domain Accounts – T1078.002 – Credentials to domain accounts were obtained and utilised for lateral movement
Privilege Escalation – Valid Accounts: Local Accounts – T1078.003 – A disabled local account was re-enabled by the threat actor and used
Defence Evasion – Impair Defenses: Disable or Modify Tools – T1562.001 – Tooling was deployed in an attempt to disable the deployed endpoint security controls
Credential Access – Credential Dumping – T1003 – Various tools were deployed to dump credentials from LSASS
Discovery – Account Discovery: Local Account – T1087.001 – The native Windows ‘net’ command was utilised to discover users in the domain administrator group
Discovery – Remote System Discovery – T1018 – ‘netdom’ was utilised to discover the primary domain controller for the victim’s estate
Lateral Movement – Remote Desktop Protocol – T1021.001 – The primary method of lateral movement was RDP
Command and Control – Protocol Tunnelling – T1572 – PuTTY Link (Plink) was used to tunnel RDP connections over SSH, providing the threat actor with direct access to the Exchange server as a backup to the web shells
Command and Control – Remote Access Software – T1219 – Access was gained to the existing TeamViewer deployment and utilised for lateral movement
Exfiltration – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – T1048.002 – MegaSync was utilised to exfiltrate data to the cloud storage solution Mega
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families
Author: Molly Dewis
Intro
Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into Medusa.
Not to be confused with MedusaLocker, Medusa was first observed in 2021 and is a Ransomware-as-a-Service (RaaS) that typically uses the double extortion method for monetary gain. In 2023 the group’s activity increased with the launch of the ‘Medusa Blog’, a platform for leaking data belonging to victims.
Summary
This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa Ransomware.
Below is a summary of the findings presented in this blog post:
Use of web shells to maintain access.
Utilising PowerShell to conduct malicious activity.
Dumping password hashes.
Disabling antivirus services.
Use of Windows utilities for discovery activities.
Reverse tunnel for C2.
Data exfiltration.
Deployment of Medusa ransomware.
Medusa
Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of a double-extortion ransomware where the threat actor exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid. This means the group behind Medusa ransomware could be characterised as financially motivated. Victims of Medusa ransomware are from no particular industry suggesting the group behind this variant have no issue with harming any organisation.
Incident Overview
Initial access was gained by exploiting an external facing web server. Webshells were created on the server which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.
Timeline
T – Initial Access gained via web shells.
T+13 days – Execution activity.
T+16 days – Persistence activity.
T+164 days – Defense Evasion activity.
T+172 days – Persistence and Discovery activity.
T+237 days – Defense Evasion and Credential Access Activity started.
T+271 days – Ransomware Executed.
Mitre TTPs
Initial Access
The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Webshells were deployed to gain a foothold in the victim’s environment and maintain access.
Execution
PowerShell was leveraged by the threat actor to conduct various malicious activity such as:
Deleting files, such as their own tooling, after use. Example: powershell.exe -noninteractive -exec bypass del C:\ProgramData\re.exe
Conducting discovery activity. Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain
Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node:<IP ADDRESS> /user:<DOMAIN\USER> /password:<REDACTED> process call create 'cmd.exe'
Scheduled tasks were used to execute c:\programdata\a.bat. It is not known exactly what a.bat was used for; however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi.
A cmd.exe process was started with the following argument list: c:\programdata\a.bat';start-sleep 15;ps AnyDeskMSI
Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.
Persistence
Maintaining access to the victim’s network was achieved by creating a new user named ‘admin’ on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless; however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>.
Defence Evasion
The threat actor invested heavily in evading detection. Antivirus agents were removed from all affected hosts, including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;
Additionally, LAdHW.sys, a signed kernel mode driver, was installed as a new service to disable antivirus services. The antivirus agent’s firewall rule was deleted with: powershell.exe -Command & {Remove-NetFirewallRule -DisplayName "<Antivirus Agent Firewall Rule Name>"}
The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted that many of these executables, such as JAVA64.exe and re.exe, were deleted after use. Additionally, Sophos.exe (see below), which was packed with Themida, was executed.
The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential was modified to 1 so that WDigest kept logon credentials in LSASS memory in cleartext. This enabled the threat actor to recover plaintext passwords through credential dumping.
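Both the Set-MpPreference exclusion seen in the NoEscape case and the Defender, firewall-rule, encoded-PowerShell and WDigest tampering described here leave patterns in process command-line and registry telemetry that are cheap to match. The Python below is an added example written for this page, not NCC Group's detection content; the sample events, host names, paths and rule names are constructed, and the record layout is a generic one rather than any specific EDR's schema. It also decodes -EncodedCommand payloads (Base64 over UTF-16LE) and runs the same signatures over the decoded text, since that is how the Base64 encoded commands mentioned above would otherwise slip past a plain string match.

```python
import base64
import re

# Command-line signatures for the tampering described above.
COMMANDLINE_SIGNATURES = [
    ("defender_exclusion_path", re.compile(r"set-mppreference\b.*-exclusionpath", re.I)),
    ("defender_realtime_disabled", re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("defender_policy_disableantispyware", re.compile(r"windows defender.*disableantispyware.*-value\s+1\b", re.I)),
    ("firewall_rule_removed", re.compile(r"remove-netfirewallrule\b", re.I)),
    ("encoded_powershell", re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
# Registry signatures: (name, regex over the full value path, value that indicates tampering).
REGISTRY_SIGNATURES = [
    ("wdigest_cleartext_creds", re.compile(r"\\control\\securityproviders\\wdigest\\uselogoncredential$", re.I), "1"),
    ("defender_policy_disableantispyware", re.compile(r"\\policies\\microsoft\\windows defender\\disableantispyware$", re.I), "1"),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand (or -e/-ec/-enc), or None."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(events):
    """Return sorted, de-duplicated (host, signature) pairs over process and registry events."""
    hits = set()
    for ev in events:
        if ev["type"] == "process":
            texts = [ev["cmdline"]]
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded:
                texts.append(decoded)      # signatures also run over the decoded script block
            for text in texts:
                for name, rx in COMMANDLINE_SIGNATURES:
                    if rx.search(text):
                        hits.add((ev["host"], name))
        elif ev["type"] == "registry":
            for name, rx, bad_value in REGISTRY_SIGNATURES:
                if rx.search(ev["path"]) and str(ev["value"]) == bad_value:
                    hits.add((ev["host"], name))
    return sorted(hits)


# Constructed sample telemetry (hosts, paths and rule names are invented), one record per event.
_ENC = base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "EXCH01", "cmdline": r"powershell.exe -noninteractive -exec bypass Set-MpPreference -ExclusionPath 'C:\inetpub\wwwroot\aspnet_client'"},
    {"type": "process", "host": "SRV02", "cmdline": r"powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;"},
    {"type": "registry", "host": "SRV02", "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "value": 1},
    {"type": "process", "host": "SRV02", "cmdline": r'powershell.exe -Command & {Remove-NetFirewallRule -DisplayName "AV Agent"}'},
    {"type": "process", "host": "WEB01", "cmdline": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"type": "registry", "host": "WEB01", "path": r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential", "value": 1},
    {"type": "process", "host": "ADMIN01", "cmdline": "powershell.exe Get-MpPreference"},   # benign
    {"type": "registry", "host": "ADMIN01", "path": r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential", "value": 0},
]


if __name__ == "__main__":
    for host, sig in scan(SAMPLE_EVENTS):
        print(host, sig)
```

Set-MpPreference exclusions and a UseLogonCredential of 1 both have legitimate administrative uses, so the value of this logic is in the grouping: several of these signatures firing on the same host within a short period, or on an Exchange or web server that has no business reconfiguring Defender, is the pattern seen in both engagements.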
Credential Access
The following credential dumping techniques were utilised by the threat actor:
Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.
Mimikatz was present on one of the external facing web servers, named as trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable.
An LSASS memory dump was created using the MiniDump export of the built-in Windows library comsvcs.dll.
The built-in Windows tool ntdsutil.exe was used to extract the NTDS database:
powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\programdata\nt' q q
Discovery
The threat actor conducted the following discovery activity:
Command – Description
nltest /trusted_domains – Enumerates domain trusts
net group 'domain admins' /domain – Enumerates members of the Domain Admins group
net group 'domain computers' /domain – Enumerates members of the Domain Computers group
ipconfig /all – Shows network configuration and settings
tasklist – Lists the processes currently running on the computer
quser – Shows currently logged-on users
whoami – Establishes which user the shell is running as
wmic os get name – Gets the name of the operating system
wmic os get osarchitecture – Establishes the operating system architecture
Lateral Movement
Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network.
Command and Control
A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic, as seen here with the use of port 80.
Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.
Exfiltration
Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.
Impact
The Medusa ransomware in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families
Author: Ross Inman (@rdi_x64)
Introduction
Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group.
The D0nut extortion group was first reported in August 2022 for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports of the group utilising encryption as well as data exfiltration were released, with speculation that the ransomware deployed by the group was linked to HelloXD ransomware. There are also suspected links between D0nut affiliates and both the Hive and Ragnar Locker ransomware operations.
Summary
Tl;dr
This post explores some of the TTPs employed by a threat actor who was observed deploying D0nut ransomware during an incident response engagement.
Below is a summary of the findings presented in this blog post:
Heavy use of Cobalt Strike Beacons to laterally move throughout the compromised network.
Deployment of SystemBC to establish persistence.
Modification of a legitimate GPO to disable Windows Defender across the domain.
Leveraging a BYOVD to terminate system-level processes which may interfere with the deployment of ransomware.
Use of RDP to perform lateral movement and browse folders to identify data for exfiltration.
Data exfiltration over SFTP using Rclone.
Deployment of D0nut ransomware.
D0nut
D0nut Leaks is a group that emerged during autumn 2022 and was initially reported to be performing intrusions into networks with the aim of exfiltrating data which they would then hold to ransom, without encrypting any files. Further down the line, the group were seen adopting the double-extortion approach. This includes encrypting files and holding the decryption key for ransom, as well as threatening to publish the stolen data should the ransom demand not be met.
Numerous potential links have been made to other ransomware groups and affiliates, with the ransomware encryptor reportedly sharing similarities with the HelloXD ransomware strain. Indications of a link were observed through the filenames of the ransomware executable deployed throughout the incident, with the filenames being xd.exe and wxd7.exe. However, it should be noted that this alone is not compelling evidence to indicate a link between the ransomware strains.
Incident Overview
Once the threat actor had gained their foothold within the network, they conducted lateral movement with a focus on the following objectives:
Compromise a host which stores sensitive data which can be targeted for exfiltration.
Compromise a domain controller.
Cobalt Strike was heavily utilised to deploy Beacon, the payload generated by Cobalt Strike, to multiple hosts on the network so the threat actor could extend their access and visibility.
A Remote Desktop Protocol (RDP) session was established to a file server, which allowed the threat actor to browse the file system and identify folders of interest to target for exfiltration. Data exfiltration was conducted using Rclone to upload files to a Secure File Transfer Protocol (SFTP) server controlled by the threat actor. Rclone allows for uploading of files directly from folders to cloud storage, meaning the threat actor did not need to perform any data staging prior to the upload.
Before deploying the ransomware, the threat actor deployed malware capable of leveraging a driver, which has been used by other ransomware groups, to terminate any anti-virus (AV) or endpoint detection and response (EDR) processes running on the system; this technique is known as bring your own vulnerable driver (BYOVD). Additionally, the threat actor modified a pre-existing group policy object (GPO) and appended configuration that would prevent Windows Defender from interfering with any malware that was dropped on the systems.
Ransomware was deployed to both user workstations and servers on the compromised domain. An ESXi server was also impacted, resulting in the hosted virtual machines suffering encryption that was performed at the hypervisor level.
The total time from initial access to encryption is believed to be less than a week.
TTPs
Lateral Movement
The following methods were utilised to move laterally throughout the victim network:
Cobalt Strike remotely installed temporary services on targeted hosts which executed Beacon, triggering a call back to the command and control (C2) server and providing the operator access to the system. An example of the service installation event (System log Event ID 7045) recorded on targeted hosts is provided below:
A service was installed in the system.
Service Name: <random alphanumeric characters>
Service File Name: \\<target host>\ADMIN$\<random alphanumeric characters>.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
RDP sessions were established using compromised domain accounts.
PsExec was also used to facilitate remote command execution across hosts.
Persistence
The threat actor used SystemBC to establish persistence within the environment. The malware was set to execute whenever a user logs in to the system, which was achieved by modifying the registry key Software\Microsoft\Windows\CurrentVersion\Run within the DEFAULT registry hive (please note this is not referring to the hive located at C:\Users\DEFAULT\NTUSER.dat, but the hive located at C:\Windows\System32\config\DEFAULT). An entry was created under the run key which ran the following command, resulting in execution of SystemBC:
As part of their efforts to evade interference from security software, the threat actor made use of two files, d.dll and def.exe, which were responsible for dropping the vulnerable driver RTCore64.sys, which has reportedly been exploited by other ransomware groups to disable AV and EDR solutions. The files were dropped in the following folders:
C:\temp\
C:\ProgramData\
Analysis of def.exe identified that the program escalated privileges via process injection, allowing it to terminate any system-level processes not present in its internally stored whitelist.
The threat actor took additional measures by appending registry configurations to a pre-existing GPO that would disable detection and prevention functionality of Windows Defender. Exclusions for all files with a .exe or .dll extension were also set, along with exclusions for files within the C:\ProgramData\ and C:\ directories. The below configuration was applied across all hosts present on the compromised domain:
Command and Control
Cobalt Strike Beacons were heavily utilised to maintain a presence within the network and to extend access via lateral movement.
SystemBC was also deployed sparingly and appeared to be purely for establishing persistence within the network. SystemBC is a commodity malware backdoor which leverages SOCKS proxying for covert channelling of C2 communications to the operator. Serving as a proxy, SystemBC becomes a conduit for other malware deployed by threat actors to tunnel C2 traffic. Additionally, certain variants facilitate downloading and execution of further payloads, such as shellcode or PowerShell scripts issued by the threat actor.
Analysis of the executable identified the following IP addresses which are contacted on port 4001 to establish communications with the C2 server:
85.239.52[.]7
194.87.111[.]29
Exfiltration
Rclone, an open-source command-line tool for syncing files to cloud and remote storage that is heavily favoured by threat actors to perform data exfiltration, was deployed once the threat actor had identified a system which hosted data of interest. Through recovering the Rclone configuration file located at C:\Users\<user>\AppData\Roaming\rclone.conf, the SFTP server 83.149.93[.]150 was identified as the destination of the exfiltrated data.
Initially deployed as rclone.exe, the threat actor swiftly renamed the file to explorer.exe in an attempt to blend in. However, due to the file residing in the File Server Resource Manager (FSRM) folder C:\StorageReports\Scheduled\, this artefact was highly noticeable.
Impact
Ransomware was deployed to workstations and servers once the threat actor had exfiltrated data from the network to use as leverage in the forthcoming ransom demands. The ransomware also impacted an ESXi server, encrypting the hosted virtual machines at the hypervisor level.
Volume shadow copies for a data drive of a file server were purged by the threat actor preceding the ransomware execution.
The ransomware was downloaded and executed via the following PowerShell command:
In some other instances, the ransomware was deployed as wxd7.exe. The ransomware executables were observed being executed from the following locations (however it is likely that the folders may vary from case to case and the threat actor uses any folders in the root of C:\):
C:\Temp\
C:\ProgramData\
C:\storage\
C:\StorageReports\
During analysis of the ransomware executable, the following help message was derived which provides command line arguments for the program:
A fairly unique ransom note is dropped after the encryption process in the form of a HTML file named readme.html:
Recommendations
Ensure that both online and offline backups are taken and test the backup plan regularly to identify any weak points that could be exploited by an adversary.
Hypervisors should be isolated by placing them in a separate domain or by adding them to a workgroup to ensure that any compromise in the domain in which the hosted virtual machines reside does not pose any risk to the Hypervisors.
Restrict internal RDP and SMB traffic so that only hosts that are required to communicate via these protocols are allowed to.
Monitor firewalls for anomalous spikes in data leaving the network.
Apply Internet restrictions to servers so that they can only establish external communications with known good IP addresses and domains that are required for business operations.
If you have been impacted by D0nut, or currently have an incident and would like support, please contact our Cyber Incident Response Team on +44 331 630 0690 or email [email protected].
Authored by Joshua Kamp (main author) and Alberto Segura.
Summary
Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.
After our investigation, we concluded that the ERMAC source code was used as a base for Hook. All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical. The main features in ERMAC are related to sending SMS messages, displaying a phishing window on top of a legitimate app, extracting a list of installed applications, SMS messages and accounts, and automated stealing of recovery seed phrases for multiple cryptocurrency wallets.
Hook has introduced a lot of new features, with a total of 38 additional commands when comparing the latest version of Hook to ERMAC. The most interesting new features in Hook are: streaming the victim’s screen and interacting with the interface to gain complete control over an infected device, the ability to take a photo of the victim using their front facing camera, stealing of cookies related to Google login sessions, and the added support for stealing recovery seeds from additional cryptocurrency wallets.
Hook had a relatively short run. It was first announced on the 12th of January 2023, and the closing of the project was announced on April 19th, 2023, due to “leaving for special military operation”. On May 11th, 2023, the actors claimed that the source code of Hook was sold at a price of $70,000. If these announcements are true, it could mean that we will see interesting new versions of Hook in the future.
The launch of Hook
On the 12th of January 2023, DukeEugene started advertising a new Android botnet to be available for rent: Hook.
Hook malware is designed to steal personal information from its infected users. It contains features such as keylogging, injections/overlay attacks to display phishing windows over (banking) apps (more on this in the “Overlay attacks” section of this blog), and automated stealing of cryptocurrency recovery seeds.
Financial gain seems to be the main motivator for operators that rent Hook, but the malware can be used to spy on its victims as well. Hook is rented out at a cost of $7,000 per month.
The malware was advertised with a wide range of functionality in both the control panel and build itself, and a snippet of this can be seen in the screenshot below.
Command comparison
Analyst’s note: The package names and file hashes that were analysed for this research can be found in the “Analysed samples” section at the end of this blog post.
While checking out the differences in these malware families, we compared the C2 commands (instructions that are sent by the malware operator to the infected device) in each sample. This analysis did lead us to find several new commands and features on Hook, as can be seen just looking at the number of commands implemented in each variant.
Sample | Number of commands
Hook sample #1 | 58
Hook sample #2 | 68
ERMAC sample #1 & #2 | 30
All 30 commands that exist in ERMAC also exist in Hook. Most of these commands are related to sending SMS messages, updating and starting injections, extracting a list of installed applications, SMS messages and accounts, and starting another app on the victim’s device (where cryptocurrency wallet apps are the main target). While simply launching another app may not seem that malicious at first, you will think differently after learning about the automated features in these malware families.
Both Hook and ERMAC contain automated functionality for stealing recovery seeds from cryptocurrency wallets. These can be used to gain access to the victim’s cryptocurrency. We will dive deeper into this feature later in the blog.
When comparing Hook to ERMAC, 29 new commands have been added to the first sample of Hook that we analysed, and the latest version of Hook contains 9 additional commands on top of that. Most of the commands that were added in Hook are related to interacting with the user interface (UI).
Hook command: start_vnc
The UI interaction related commands (such as “clickat” to click on a specific UI element and “longpress” to dispatch a long press gesture) in Hook go hand in hand with the new “start_vnc” command, which starts streaming the victim’s screen.
In the code snippet above we can see that the createScreenCaptureIntent() method is called on the MediaProjectionManager, which is necessary to start screen capture on the device. Along with the many commands to interact with the UI, this allows the malware operator to gain complete control over an infected device and perform actions on the victim’s behalf.
Command implementation
For the commands that are available in both ERMAC and Hook, the code implementation is nearly identical. Take the “logaccounts” command for example:
This command is used to obtain a list of available accounts by their name and type on the victim’s device. When comparing the code, it’s clear that the logging messages are the main difference. This is the case for all commands that are present in both ERMAC and Hook.
Russian commands
Both ERMAC and the Hook v1 sample that we analysed contain some rather edgy commands in Russian, that do not provide any useful functionality.
The command above translates to “Die_he_who_reversed_this“.
All the Russian commands create a file named “system.apk” in the “apk” directory and immediately delete it. It appears that the authors have recently adapted their approach to managing a reputable business, as these commands were removed in the latest Hook sample that we analysed.
New commands in Hook V2
In the latest versions of Hook, the authors have added 9 additional commands compared to the first Hook sample that we analysed. These commands are:
Command | Description
send_sms_many | Sends an SMS message to multiple phone numbers
addwaitview | Displays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayed
removewaitview | Removes the “wait / loading” view that was displayed on the victim’s device by the “addwaitview” command
addview | Adds a new view with a black background that covers the entire screen
removeview | Removes the view with the black background that was added by the “addview” command
cookie | Steals session cookies (targets the victim’s Google account)
safepal | Starts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
exodus | Starts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
takephoto | Takes a photo of the victim using the front facing camera
One of the already existing commands, “onkeyevent”, also received a new payload option: “double_tap”. As the name suggests, this performs a double tap gesture on the victim’s screen, providing the malware operator with extra functionality to interact with the victim’s device user interface.
More interesting additions are: the support for stealing recovery seed phrases from other crypto wallets (Safepal and Exodus), taking a photo of the victim, and stealing session cookies. Session cookie stealing appears to be a popular trend in Android malware, as we have observed this feature being added to multiple malware families. This is an attractive feature, as it allows the actor to gain access to user accounts without needing the actual login credentials.
Device Admin abuse
Besides adding new commands, the authors have added more functionality related to the “Device Administration API” in the latest version of Hook. This API was developed to support enterprise apps in Android. When an app has device admin privileges, it gains additional capabilities meant for managing the device. This includes the ability to enforce password policies, locking the screen and even wiping the device remotely. As you may expect: abuse of these privileges is often seen in Android malware.
DeviceAdminReceiver and policies
To implement custom device admin functionality in a new class, it should extend the “DeviceAdminReceiver”. This class can be found by examining the app’s Manifest file and searching for the receiver with the “BIND_DEVICE_ADMIN” permission or the “DEVICE_ADMIN_ENABLED” action.
In the screenshot above, you can see an XML file declared as follows: android:resource="@xml/buyanigetili". This file will contain the device admin policies that can be used by the app. Here’s a comparison of the device admin policies in ERMAC, Hook 1, and Hook 2:
Comparing Hook to ERMAC, the authors have removed the “WIPE_DATA” policy and added the “RESET_PASSWORD” policy in the first version of Hook. In the latest version of Hook, the “DISABLE_KEYGUARD_FEATURES” and “WATCH_LOGIN” policies were added. Below you’ll find a description of each policy that is seen in the screenshot.
Device Admin Policy | Description
USES_POLICY_FORCE_LOCK | The app can lock the device
USES_POLICY_WIPE_DATA | The app can factory reset the device
USES_POLICY_RESET_PASSWORD | The app can reset the device’s password/PIN code
USES_POLICY_DISABLE_KEYGUARD_FEATURES | The app can disable keyguard (lock screen) features, such as the fingerprint scanner
USES_POLICY_WATCH_LOGIN | The app can watch login attempts by the user
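To check the policies and the receiver declaration yourself rather than from a screenshot, the following Python, added here and not taken from the samples or from any Android tooling, parses a device-admin descriptor (the res/xml file referenced by android:resource) into DeviceAdminInfo constant names and diffs the sets across versions, and locates the admin receiver in AndroidManifest.xml by the BIND_DEVICE_ADMIN permission or the DEVICE_ADMIN_ENABLED action. The three descriptors are constructed to match the comparison described above (they are not the samples' actual files), and the manifest, including the class name com.example.app.AdminReceiver, is invented; only the resource name @xml/buyanigetili comes from the text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:-prefixed attribute (ElementTree keys it by the namespace URI)."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


# Child tags allowed under <uses-policies> in a device-admin descriptor, mapped to the
# DeviceAdminInfo constant each one corresponds to.
POLICY_TAGS = {
    "limit-password": "USES_POLICY_LIMIT_PASSWORD",
    "watch-login": "USES_POLICY_WATCH_LOGIN",
    "reset-password": "USES_POLICY_RESET_PASSWORD",
    "force-lock": "USES_POLICY_FORCE_LOCK",
    "wipe-data": "USES_POLICY_WIPE_DATA",
    "expire-password": "USES_POLICY_EXPIRE_PASSWORD",
    "disable-camera": "USES_POLICY_DISABLE_CAMERA",
    "disable-keyguard-features": "USES_POLICY_DISABLE_KEYGUARD_FEATURES",
}


def policy_xml(*tags):
    """Build a device-admin descriptor declaring the given policies (constructed test data)."""
    body = "".join(f"<{tag} />" for tag in tags)
    return (f'<device-admin xmlns:android="{ANDROID_NS}">'
            f"<uses-policies>{body}</uses-policies></device-admin>")


# Policy sets constructed to match the comparison in the text; not the samples' real files.
ERMAC_POLICY_XML = policy_xml("force-lock", "wipe-data")
HOOK1_POLICY_XML = policy_xml("force-lock", "reset-password")
HOOK2_POLICY_XML = policy_xml("force-lock", "reset-password",
                              "disable-keyguard-features", "watch-login")

# Invented manifest; only the resource name @xml/buyanigetili comes from the analysis.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name="com.example.app.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/buyanigetili" />
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.app.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def parse_policies(xml_text):
    """Return the set of DeviceAdminInfo constants a descriptor requests."""
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin descriptor")
    policies = set()
    for uses in root.iter("uses-policies"):
        for child in uses:
            policies.add(POLICY_TAGS.get(child.tag, f"UNKNOWN:{child.tag}"))
    return policies


def diff_policies(old, new):
    """(added, removed) when moving from the old version's policy set to the new one."""
    return new - old, old - new


def find_device_admin_receivers(manifest_xml):
    """(receiver class, policy resource) for every receiver wired up as a device admin."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {android_attr(a, "name") for a in receiver.iter("action")}
        is_admin = (android_attr(receiver, "permission") == "android.permission.BIND_DEVICE_ADMIN"
                    or "android.app.action.DEVICE_ADMIN_ENABLED" in actions)
        if not is_admin:
            continue
        resource = None
        for meta in receiver.iter("meta-data"):
            if android_attr(meta, "name") == "android.app.device_admin":
                resource = android_attr(meta, "resource")
        found.append((android_attr(receiver, "name"), resource))
    return found


if __name__ == "__main__":
    print("device admin receivers:", find_device_admin_receivers(MANIFEST_XML))
    versions = [("ERMAC", ERMAC_POLICY_XML), ("Hook 1", HOOK1_POLICY_XML), ("Hook 2", HOOK2_POLICY_XML)]
    for (old_name, old_xml), (new_name, new_xml) in zip(versions, versions[1:]):
        added, removed = diff_policies(parse_policies(old_xml), parse_policies(new_xml))
        print(f"{old_name} -> {new_name}: added {sorted(added)}, removed {sorted(removed)}")
```

On a real APK, run it against the decoded AndroidManifest.xml and the resource file it points at (after apktool or a similar decoder), and treat any policy tag missing from POLICY_TAGS as something to look up rather than ignore.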
The “DeviceAdminReceiver” class in Android contains methods that can be overridden. This is done to customise the behaviour of a device admin receiver. For example: the “onPasswordFailed” method in the DeviceAdminReceiver is called when an incorrect password is entered on the device. This method can be overridden to perform specific actions when a failed login attempt occurs. In ERMAC and Hook 1, the class that extends the DeviceAdminReceiver only overrides the onReceive() method and the implementation is minimal:
The onReceive() method is the entry point for broadcasts that are intercepted by the device admin receiver. In ERMAC and Hook 1 this only performs a check to see whether the received parameters are null and will throw an exception if they are.
DeviceAdminReceiver additions in latest version of Hook
In the latest edition of Hook, the class to extend the DeviceAdminReceiver does not just override the “onReceive” method. It also overrides the following methods:
Device Admin Method | Description
onDisableRequested() | Called when the user attempts to disable device admin. Gives the developer a chance to present a warning message to the user
onDisabled() | Called prior to device admin being disabled. Upon return, the app can no longer use the protected parts of the DevicePolicyManager API
onEnabled() | Called after device admin is first enabled. At this point, the app can use DevicePolicyManager to set the desired policies
onPasswordFailed() | Called when the user has entered an incorrect password for the device
onPasswordSucceeded() | Called after the user has entered a correct password for the device
When the victim attempts to disable device admin, a warning message is displayed that contains the text “Your mobile is die”.
The fingerprint scanner is disabled after an incorrect password is entered on the victim’s device, possibly to make it easier to break into the device later by forcing the victim to type their PIN, which the malware can then capture.
All keyguard (lock screen) features are enabled again once a correct password is entered on the victim’s device.
Overlay attacks
Overlay attacks, also known as injections, are a popular tactic to steal credentials on Android devices. When an app has permission to draw overlays, it can display content on top of other apps that are running on the device. This is interesting for threat actors, because it allows them to display a phishing window over a legitimate app. When the victim enters their credentials in this window, the malware will capture them.
Both ERMAC and Hook use web injections to display a phishing window as soon as it detects a targeted app being launched on the victim’s device.
In the screenshot above, you can see how ERMAC and Hook set up a WebView component and load the HTML code to be displayed over the target app by calling webView5.loadDataWithBaseURL(null, s6, "text/html", "UTF-8", null) and this.setContentView() on the WebView object. The “s6” variable will contain the data to be loaded. The main functionality is the same for both variants, with Hook having some additional logging messages.
The importance of accessibility services
Accessibility Service abuse plays an important role when it comes to web injections and other automated features in ERMAC and Hook. Accessibility services are used to assist users with disabilities, or users who may temporarily be unable to fully interact with their Android device. For example: users that are driving might need additional or alternative interface feedback. Accessibility services run in the background and receive callbacks from the system when an AccessibilityEvent is fired. Apps with an accessibility service can have full visibility over UI events, both from the system and from 3rd party apps. They can receive notifications, get the package name, list UI elements, extract text, and more. While these services are meant to assist users, they can also be abused by malicious apps for activities such as keylogging, automatically granting the app additional permissions, and monitoring foreground apps and overlaying them with phishing windows.
When ERMAC or Hook malware is first launched, it prompts the victim with a window that instructs them to enable accessibility services for the malicious app.
A warning message is displayed before enabling the accessibility service, which shows what actions the app will be able to perform when this is enabled.
With accessibility services enabled, ERMAC and Hook malware automatically grants itself additional permissions such as permission to draw overlays. The onAccessibilityEvent() method monitors the package names from received accessibility events, and the web injection related code will be executed when a target app is launched.
Targeted applications
When the infected device is ready to communicate with the C2 server, it sends a list of applications that are currently installed on the device. The C2 server then responds with the target apps that it has injections for. While dynamically analysing the latest version of Hook, we sent a custom HTTP request to the C2 server to make it believe that we had a large number of apps (700+) installed. For this, we used the list of package names that CSIRT KNF had shared in an analysis report of Hook [2].
The server responded with the list of target apps that the malware can display phishing windows for. Most of the targeted apps in both Hook and ERMAC are related to banking.
Keylogging
Keylogging functionality can be found in the onAccessibilityEvent() method of both ERMAC and Hook. For every accessibility event type that is triggered on the infected device, a method is called that contains keylogger functionality. This method then checks what the accessibility event type was to label the log and extracts the text from it. Comparing the code implementation of keylogging in ERMAC to Hook, there are some slight differences in the accessibility event types that it checks for. But the main functionality of extracting text and sending it to the C2 with a certain label is the same.
The ERMAC keylogger contains an extra check for accessibility event “TYPE_VIEW_SELECTED” (triggered when a user selects a view, such as tapping on a button). Accessibility services can extract information about a selected view, such as the text, and that is exactly what is happening here.
Hook specifically checks for two other accessibility events: the “TYPE_WINDOW_STATE_CHANGED” event (triggered when the state of an active window changes, for example when a new window is opened) or the “TYPE_WINDOW_CONTENT_CHANGED” event (triggered when the content within a window changes, like when the text within a window is updated).
It checks for these events in combination with the content change type “CONTENT_CHANGE_TYPE_TEXT” (indicating that the text of a UI element has changed). This tells us that the accessibility service is interested in changes of the textual content within a window, which is not surprising for a keylogger.
Stealing of crypto wallet seed phrases
Automatic stealing of recovery seeds from crypto wallets is one of the main features in ERMAC and Hook. This feature is actively developed, with support added for extra crypto wallets in the latest version of Hook.
For this feature, the accessibility service first checks if a crypto wallet app has been opened. Then, it will find UI elements by their ID (such as “com.wallet.crypto.trustapp:id/wallets_preference” and “com.wallet.crypto.trustapp:id/item_wallet_info_action”) and automatically clicks on these elements until it has navigated to the view that contains the recovery seed phrase. To the crypto wallet app, it will look like the user is browsing to this phrase by themselves.
Once the window with the recovery seed phrase is reached, it will extract the words from the recovery seed phrase and send them to the C2 server.
The main implementation is the same in ERMAC and Hook for this feature, with Hook containing some extra logging messages and support for stealing seed phrases from additional cryptocurrency wallets.
Replacing copied crypto wallet addresses
Besides being able to automatically steal recovery seeds from opened crypto wallet apps, ERMAC and Hook can also detect whether a wallet address has been copied and replaces the clipboard with their own wallet address. It does this by monitoring for the “TYPE_VIEW_TEXT_CHANGED” event, and checking whether the text matches a regular expression for Bitcoin and Ethereum wallet addresses. If it matches, it will replace the clipboard text with the wallet address of the threat actor.
The wallet addresses that the actors use in both ERMAC and Hook are bc1ql34xd8ynty3myfkwaf8jqeth0p4fxkxg673vlf for Bitcoin and 0x3Cf7d4A8D30035Af83058371f0C6D4369B5024Ca for Ethereum. It’s worth mentioning that these wallet addresses are the same in all samples that we analysed. It appears that this feature has not been very successful for the actors, as they have received only two transactions at the time of writing.
Since the feature has been so unsuccessful, we assume that both received transactions were initiated by the actors themselves. The latest transaction was received from a verified Binance exchange wallet, and it’s unlikely that this comes from an infected device. The other transaction comes from a wallet that could be owned by the Hook actors.
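As an added example (not code from the samples), the Python below models the clipper logic described above and the check a wallet or payment form could run against it. The two attacker addresses are the ones quoted above; the address regexes are an assumption, since the report does not reproduce the malware's own patterns, and the "legitimate" addresses used to exercise the code are constructed strings that merely satisfy the format.

```python
import re

# Attacker wallet addresses hardcoded in ERMAC and Hook (quoted from the analysis above).
ATTACKER_BTC = "bc1ql34xd8ynty3myfkwaf8jqeth0p4fxkxg673vlf"
ATTACKER_ETH = "0x3Cf7d4A8D30035Af83058371f0C6D4369B5024Ca"

# Address patterns are an assumption for this example (the samples' own regexes are not
# reproduced in the write-up): legacy Base58 (1.../3...) and bech32 (bc1...) Bitcoin
# addresses, and 0x followed by 40 hex digits for Ethereum.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def classify_address(text):
    """Return 'btc', 'eth' or None for a piece of clipboard content."""
    value = text.strip()
    if BTC_RE.match(value):
        return "btc"
    if ETH_RE.match(value):
        return "eth"
    return None


def clipper_replace(clipboard_text):
    """Model of what the malware does on TYPE_VIEW_TEXT_CHANGED: a copied address of a
    supported kind is swapped for the attacker's address of the same kind; anything else is
    left untouched so the victim notices nothing."""
    kind = classify_address(clipboard_text)
    if kind == "btc":
        return ATTACKER_BTC
    if kind == "eth":
        return ATTACKER_ETH
    return clipboard_text


def detect_swap(copied, pasted):
    """Defensive check: the address the user copied and the one that arrived in the paste
    are both valid addresses of the same kind, yet differ."""
    kind = classify_address(copied)
    return (kind is not None
            and kind == classify_address(pasted)
            and copied.strip() != pasted.strip())


KNOWN_CLIPPER_ADDRESSES = {ATTACKER_BTC.lower(), ATTACKER_ETH.lower()}


def matches_known_clipper(address):
    """Hunting check against the addresses hardcoded in the samples. Compared case-insensitively:
    bech32 is case-insensitive by design and EIP-55 only uses case as a checksum."""
    return address.strip().lower() in KNOWN_CLIPPER_ADDRESSES


if __name__ == "__main__":
    # Constructed "victim" addresses that satisfy the formats; not real wallets.
    for copied in ["1A2b3C4d5E6f7G8h9J1k2M3n4P5q6R7s8T", "0x" + "ab" * 20, "meeting at 10"]:
        pasted = clipper_replace(copied)
        print(f"{copied!r} -> {pasted!r}  swapped={detect_swap(copied, pasted)}")
```

The comparison in detect_swap() is the cheap control a wallet UI can apply before a send is confirmed: remember what the user copied, compare it with what lands in the recipient field, and warn on a mismatch of the same address type.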
Stealing of session cookies
The “cookie” command is exclusive to Hook and was only added in the latest version of this malware. This feature allows the malware operator to steal session cookies in order to take over the victim’s login session. To do so, a new WebViewClient is set up. When the victim has logged onto their account, the onPageFinished() method of the WebView will be called and it sends the stolen cookies to the C2 server.
All cookie stealing code is related to Google accounts. This is in line with DukeEugene’s announcement of new features that were posted about on April 1st, 2023. See #12 in the screenshot below.
C2 communication protocol
HTTP in ERMAC
ERMAC is known to use the HTTP protocol for communicating with the C2 server, where data is encrypted using AES-256-CBC and then Base64 encoded. The bot sends HTTP POST requests to a randomly generated URL that ends with “.php/” (note that the IP of the C2 server remains the same).
WebSockets in Hook
The first editions of Hook introduced WebSocket communication using Socket.IO, and data is encrypted using the same mechanism as in ERMAC. The Socket.IO library is built on top of the WebSocket protocol and offers low-latency, bidirectional and event-based communication between a client and a server. Socket.IO provides additional guarantees such as fallback to the HTTP protocol and automatic reconnection [3].
The screenshot above shows that the login command was issued to the server, with the user ID of the infected device being sent as encrypted data. The “42” at the beginning of the message is standard in Socket.IO, where the “4” stands for the Engine.IO “message” packet type and the “2” for Socket.IO’s “message” packet type [3].
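To make the framing concrete, the following Python parses and builds the Socket.IO frames described above (an added example, not code from the samples or from the Socket.IO project). It splits the leading Engine.IO and Socket.IO packet types, the optional namespace and ack id, and the JSON array holding the event name and arguments, and checks whether a string argument has the shape of the AES-CBC-then-Base64 payload (strict Base64 that decodes to a whole number of 16-byte blocks). The login frame is constructed: its payload is 32 placeholder bytes rather than real ciphertext, since the key is not available here.

```python
import base64
import binascii
import json
import re

ENGINE_IO_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong",
                   "4": "message", "5": "upgrade", "6": "noop"}
SOCKET_IO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK",
                   "4": "CONNECT_ERROR", "5": "BINARY_EVENT", "6": "BINARY_ACK"}

# Layout of a Socket.IO packet inside an Engine.IO "message" (type 4):
#   4 <socket.io type> [<n>- binary attachments] [/namespace,] [ack id] [JSON payload]
# so "42[...]" is an EVENT in the default namespace, which is what the login frame uses.
PACKET_RE = re.compile(
    r"^4(?P<stype>[0-6])(?P<attach>\d+-)?(?:(?P<ns>/[^,]*),)?(?P<ack>\d+)?(?P<body>[\[{].*)?$",
    re.DOTALL,
)


def parse_frame(frame):
    """Decode one WebSocket text frame into its Engine.IO / Socket.IO parts."""
    if not frame:
        raise ValueError("empty frame")
    engine = ENGINE_IO_TYPES.get(frame[0])
    if engine is None:
        raise ValueError(f"unknown Engine.IO packet type {frame[0]!r}")
    if engine != "message":
        # open/close/ping/pong carry no Socket.IO packet; hand back the raw remainder.
        return {"engine": engine, "payload": frame[1:]}
    m = PACKET_RE.match(frame)
    if not m:
        raise ValueError("malformed Socket.IO packet")
    packet = {
        "engine": engine,
        "socket": SOCKET_IO_TYPES[m.group("stype")],
        "namespace": m.group("ns") or "/",
        "ack_id": int(m.group("ack")) if m.group("ack") else None,
    }
    body = m.group("body")
    if packet["socket"] in ("EVENT", "BINARY_EVENT") and body:
        event, *args = json.loads(body)
        packet["event"], packet["args"] = event, args
    elif body:
        packet["data"] = json.loads(body)
    return packet


def build_event(event, *args, namespace="/", ack_id=None):
    """Encode an EVENT packet the way a Socket.IO client emits it."""
    prefix = "42"
    if namespace != "/":
        prefix += f"{namespace},"
    if ack_id is not None:
        prefix += str(ack_id)
    return prefix + json.dumps([event, *args], separators=(",", ":"))


def looks_like_aes_cbc_blob(text):
    """True if text is strict Base64 whose decoded length is a whole number of AES blocks,
    which is the shape the AES-256-CBC-then-Base64 scheme produces."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0


# Constructed login frame: the "user id" payload is 32 arbitrary bytes (two AES blocks),
# Base64-encoded, standing in for the ciphertext a real bot would send.
CONSTRUCTED_LOGIN_FRAME = build_event("login", base64.b64encode(bytes(range(32))).decode())


if __name__ == "__main__":
    for frame in ["2", "40", CONSTRUCTED_LOGIN_FRAME, '42/chat,7["msg","hi"]']:
        packet = parse_frame(frame)
        blob = packet.get("args", [None])[0]
        print(frame[:40], "->", packet["engine"], packet.get("socket"), packet.get("event"),
              "cbc-shaped payload:", looks_like_aes_cbc_blob(blob) if isinstance(blob, str) else "n/a")
```

In traffic captures the same parser applies to each WebSocket text message; event names such as "login" stay in the clear even though their arguments are encrypted, which is what makes the Suricata rules mentioned later feasible.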
Mix and match – Protocols in latest versions of Hook
The latest Hook version that we’ve analysed contains the ERMAC HTTP protocol implementation, as well as the WebSocket implementation which already existed in previous editions of Hook. The Hook code snippet below shows that it uses the exact same code implementation as observed in ERMAC to build the URLs for HTTP requests.
Both Hook and ERMAC use the “checkAP” command to check for commands sent by the C2 server. In the screenshot below, you can see that the malware operator sent the “killme” command to the infected device to uninstall Hook. This shows that the ERMAC HTTP protocol is actively used in the latest versions of Hook, together with the already existing WebSocket implementation.
C2 servers
During our investigation into the technical differences between Hook and ERMAC, we have also collected C2 servers related to both families. From these servers, Russia is clearly the preferred country for hosting Hook and ERMAC C2s. We have identified a total of 23 Hook C2 servers that are hosted in Russia.
Other countries in which we found ERMAC and Hook C2 servers hosted are:
The Netherlands
United Kingdom
United States
Germany
France
Korea
Japan
The end?
On the 19th of April 2023, DukeEugene announced that they are closing the Hook project due to leaving for “special military operation”. The actor mentions that the coder of the Hook project, who goes by the nickname “RedDragon”, will continue to support their clients until their lease runs out.
Two days prior to this announcement, the coder of Hook created a post stating that the source code of Hook is for sale at a price of $70,000. Nearly a month later, on May 11th, the coder asked if the thread could be closed as the source code was sold.
Observations
In the “Replacing copied crypto wallet addresses” section of this blog, we mentioned that the first received transaction comes from an Ethereum wallet address that could possibly be owned by the Hook actors. We noticed that this wallet received a transaction of roughly $25,000 the day after Hook was announced sold. This could be a coincidence, but the fact that this wallet was also the first to send (a small amount of) money to the Ethereum address that is hardcoded in Hook and ERMAC makes us suspect this.
We can’t verify whether the messages from DukeEugene and RedDragon are true. But if they are, we expect to see interesting new forks of Hook in the future.
In this blog we’ve debunked DukeEugene’s statement of Hook being fully developed from scratch. Additionally, in DukeEugene’s advertisement of HookBot we see a screenshot of the Hook panel that seemed to show similarities with ERMAC’s panel.
Conclusion
While the actors of Hook had announced that the malware was written from scratch, it is clear that the ERMAC source code was used as a base. All commands that are present in ERMAC also exist in Hook, and the code implementation of these commands is nearly identical in both malware families. Both Hook and ERMAC contain typical features to steal credentials which are common in Android malware, such as overlay attacks/injections and keylogging. Perhaps a more interesting feature that exists in both malware families is the automated stealing of recovery seeds from cryptocurrency wallets.
While Hook was not written completely from scratch, the authors have added interesting new features compared to ERMAC. With the added capability of being able to stream the victim’s screen and interacting with the UI, operators of Hook can gain complete control over infected devices and perform actions on the user’s behalf. Other interesting new features include the ability to take a photo of the victim using their front facing camera, stealing of cookies related to Google login sessions, and the added support for stealing recovery seeds from additional cryptocurrency wallets.
Besides these new features, significant changes were made in the protocol for communicating with the C2 server. The first versions of Hook introduced WebSocket communication using the Socket.IO library. The latest version of Hook added the HTTP protocol implementation that was already present in ERMAC and can use this next to WebSocket communication.
Hook had a relatively short run. It was first announced on the 12th of January 2023, and the closing of the project was announced on April 19th, 2023, with the actor claiming that he is leaving for “special military operation”. The coder of Hook has allegedly put the source code up for sale at a price of $70,000 and stated that it was sold on May 11th, 2023. If these announcements are true, it could mean that we will see interesting new forks of Hook in the future.
The following Suricata rules were tested successfully against Hook network traffic:
The second Suricata rule uses an additional Lua script, which can be found here
List of Commands
Family | Command | Description
ERMAC, Hook 1 & 2 | sendsms | Sends a specified SMS message to a specified number. If the SMS message is too large, it will send the message in multiple parts
ERMAC, Hook 1 & 2 | startussd | Executes a given USSD code on the victim’s device
ERMAC, Hook 1 & 2 | forwardcall | Sets up a call forwarder to forward all calls to the specified number in the payload
ERMAC, Hook 1 & 2 | push | Displays a push notification on the victim’s device, with a custom app name, title, and text to be edited by the malware operator
ERMAC, Hook 1 & 2 | getcontacts | Gets a list of all contacts on the victim’s device
ERMAC, Hook 1 & 2 | getaccounts | Gets a list of the accounts on the victim’s device by their name and account type
ERMAC, Hook 1 & 2 | logaccounts | Gets a list of the accounts on the victim’s device by their name and account type
ERMAC, Hook 1 & 2 | getinstallapps | Gets a list of the installed apps on the victim’s device
ERMAC, Hook 1 & 2 | getsms | Steals all SMS messages from the victim’s device
ERMAC, Hook 1 & 2 | startinject | Performs a phishing overlay attack against the given application
ERMAC, Hook 1 & 2 | openurl | Opens the specified URL
ERMAC, Hook 1 & 2 | startauthenticator2 | Starts the Google Authenticator app
ERMAC, Hook 1 & 2 | trust | Launches the Trust Wallet app
ERMAC, Hook 1 & 2 | mycelium | Launches the Mycelium Wallet app
ERMAC, Hook 1 & 2 | piuk | Launches the Blockchain Wallet app
ERMAC, Hook 1 & 2 | samourai | Launches the Samourai Wallet app
ERMAC, Hook 1 & 2 | bitcoincom | Launches the Bitcoin Wallet app
ERMAC, Hook 1 & 2 | toshi | Launches the Coinbase Wallet app
ERMAC, Hook 1 & 2 | metamask | Launches the Metamask Wallet app
ERMAC, Hook 1 & 2 | sendsmsall | Sends a specified SMS message to all contacts on the victim’s device. If the SMS message is too large, it will send the message in multiple parts
ERMAC, Hook 1 & 2 | startapp | Starts the app specified in the payload
ERMAC, Hook 1 & 2 | clearcash | Sets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app (probably to clear the cache)
ERMAC, Hook 1 & 2 | clearcache | Sets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app (probably to clear the cache)
ERMAC, Hook 1 & 2 | calling | Calls the number specified in the “number” payload, tries to lock the device and attempts to hide and mute the application
ERMAC, Hook 1 & 2 | deleteapplication | Uninstalls a specified application
ERMAC, Hook 1 & 2 | startadmin | Sets the “start_admin” shared preference key to value 1, which is probably used as a check before attempting to gain Device Admin privileges (as seen in Hook samples)
ERMAC, Hook 1 & 2 | killme | Stores the package name of the malicious app in the “killApplication” shared preference key, in order to uninstall it. This is the kill switch for the malware
ERMAC, Hook 1 & 2 | updateinjectandlistapps | Gets a list of the currently installed apps on the victim’s device, and downloads the injection target lists
ERMAC, Hook 1 & 2 | gmailtitles | Sets the “gm_list” shared preference key to the value “start” and starts the Gmail app
ERMAC, Hook 1 & 2 | getgmailmessage | Sets the “gm_mes_command” shared preference key to the value “start” and starts the Gmail app
Hook 1 & 2 | start_vnc | Starts capturing the victim’s screen constantly (streaming)
Hook 1 & 2 | stop_vnc | Stops capturing the victim’s screen constantly (streaming)
Hook 1 & 2 | takescreenshot | Takes a screenshot of the victim’s device (note that it starts the same activity as for the “start_vnc” command, but it does so without the extra “streamScreen” set to true, to only take one screenshot)
Hook 1 2
swipe
Performs a swipe gesture with the specified 4 coordinates
Hook 1 2
swipeup
Perform a swipe up gesture
Hook 1 2
swipedown
Performs a swipe down gesture
Hook 1 2
swipeleft
Performs a swipe left gesture
Hook 1 2
swiperight
Performs a swipe right gesture
Hook 1 2
scrollup
Performs a scroll up gesture
Hook 1 2
scrolldown
Performs a scroll down gesture
Hook 1 2
onkeyevent
Performs a certain action depending on the specified key payload (POWER DIALOG, BACK, HOME, LOCK SCREEN, or RECENTS
Hook 1 2
onpointerevent
Sets X and Y coordinates and performs an action based on the payload text provided. Three options: “down”, “continue”, and “up”. It looks like these payload texts work together, as in: it first sets the starting coordinates where it should press down, then it sets the coordinates where it should draw a line to from the previous starting coordinates, then it performs a stroke gesture using this information
Hook 1 2
longpress
Dispatches a long press gesture at the specified coordinates
Hook 1 2
tap
Dispatches a tap gesture at the specified coordinates
Hook 1 2
clickat
Clicks at a specific UI element
Hook 1 2
clickattext
Clicks on the UI element with a specific text value
Hook 1 2
clickatcontaintext
Clicks on the UI element that contains the payload text
Hook 1 2
cuttext
Replaces the clipboard on the victim’s device with the payload text
Hook 1 2
settext
Sets a specified UI element to the specified text
Hook 1 2
openapp
Opens the specified app
Hook 1 2
openwhatsapp
Sends a message through Whatsapp to the specified number
Hook 1 2
addcontact
Adds a new contact to the victim’s device
Hook 1 2
getcallhistory
Gets a log of the calls that the victim made
Hook 1 2
makecall
Calls the number specified in the payload
Hook 1 2
forwardsms
Sets up an SMS forwarder to forward the received and sent SMS messages from the victim device to the specified number in the payload
Hook 1 2
getlocation
Gets the geographic coordinates (latitude and longitude) of the victim
Hook 1 2
getimages
Gets list of all images on the victim’s device
Hook 1 2
downloadimage
Downloads an image from the victim’s device
Hook 1 2
fmmanager
Either lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”)
Hook 2
send_sms_many
Sends an SMS message to multiple phone numbers
Hook 2
addwaitview
Displays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayed
Hook 2
removewaitview
Removes a “RelativeLayout” view group, which displays child views together in relative positions. More specifically: this command removes the “wait / loading” view that is displayed on the victim’s device as a result of the “addwaitview” command
Hook 2
addview
Adds a new view with a black background that covers the entire screen
Hook 2
removeview
Removes a “LinearLayout” view group, which arranges other views either horizontally in a single column or vertically in a single row. More specifically: this command removes the view with the black background that was added by the “addview” command
Hook 2
cookie
Steals session cookies (targets victim’s Google account)
Hook 2
safepal
Starts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
Hook 2
exodus
Starts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
Hook 2
takephoto
Takes a photo of the victim using the front facing camera