πŸ”’
There are new articles available, click to refresh the page.
Before yesterdaySentinelLabs

New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education

30 September 2021 at 16:20

SentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021 following a set of destructive attacks starting December 2020. Since we last reported on this threat actor in May 2020, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently as the threat actor likely initiated a ransomware attack on the Israeli university Bar-Ilan utilizing the group’s custom Apostle ransomware.

Although the full technical details of the incident were not disclosed publicly, some information was released to the public, most notably the ransom demand text file dropped on victim machines. The .txt file matches that from a new version of Apostle compiled on August 15, 2021, the day of the attack.

The new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, as it attempts to masquerade payload in resources as log files. Before executing the Apostle payload, Jennlog runs a set of tests to verify that it is not being executed in an analysis environment based on an embedded configuration. Following the analysis of the Jennlog loader, SentinelLabs retrieved an additional variant of Jennlog, used to load and run OrcusRAT.

Jennlog Analysis

Jennlog (5e5e526a69490399494dcd7195bb6c67) is a .NET loader that deobfuscates, decompresses and decrypts a .NET executable from a resource embedded within the file. The resources within the loader appear to look like log files, and it contains both the binary to run as well as a configuration for the malware’s execution.

Jennlog attempts to extract two different resources:

  • helloworld.pr.txt – stores Apostle payload and the configuration.
  • helloworld.Certificate.txt – contains None. If configured to do so, the malware compares the MD5 value of the system information (used as system fingerprint) to the contents of this resource.

The payload hidden in β€œhelloworld.pr.txt” appears to look like a log file at first sight:

Contents of β€œhelloworld.pr.txt” resource embedded within Jennlog

The payload is extracted from the resource by searching for a separator word – β€œJennifer”. Splitting the contents of the resource results in an array of three strings:

  1. Decoy string – Most likely there to make the log file look more authentic.
  2. Configuration string – Used to determine the configuration of the malware execution.
  3. Payload – An obfuscated, compressed and encrypted file.

Configuration

The configuration of Jennlog consists of 13 values, 12 of which are actually used in this version of the malware. In the variants we were able to retrieve, all of these flags are set to 0.

Jennlog configuration values

One of the most interesting flags found here is the certificate flag. If this flag is set, it will cause the malware to run only on a specific system. If this system does not match the configured MD5 fingerprint, the malware either stops operation or deletes itself utilizing the function ExecuteInstalledNodeAndDelete(), which creates and runs a BAT file as observed in other Agrius malware.

Jennlog ExecuteInstalledNodeAndDelete() function

Following all the configuration based-checks, Jennlog continues to unpack the main binary from within the resource β€œhelloworld.pr.txt” by performing the following string manipulations in the function EditString() on the obfuscated payload:

  • Replace all β€œ\nLog” with β€œA”.
  • Reverse the string.
  • Remove all whitespaces.

This manipulation will result in a long base64-encoded deflated content, which is inflated using the function stringCompressor.Unzip(). The inflated content highly resembles the contents of the original obfuscated payload, and it is deobfuscated again using the EditString() function.

The deobfuscation of the inflated content is carried out in a rather peculiar way, being run as a β€œcatch” statement after attempting to turn a string containing a URL to int, which will always result in an error. The domain presented in the URL was never bought, and highly resembles other Agrius malware unpurchased domains, often used as β€œSuper Relays”. Here, however, the domain is not actually contacted.

Execution of EditString() function as a catch statement

Following a second run of the EditString() function, Jennlog decodes the extracted content and decrypts it using an implementation of RC4 with a predefined key. The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and ran using the parameters given to Jennlog at execution.

Apostle Ransomware Analysis

The new variant of Apostle (cbdbda089f7c7840d4daed22c34969fd876315b6) embedded within the Jennlog loader was compiled on August 15, 2021, the day the attack on Bar-Ilan university was carried out. Its execution flow is highly similar to the variant described in previous reports, and it even checks for the same Mutex as the previous ransomware variant.

The message embedded within it, however, is quite different:

Ooops, Your files are encrypted!!! Don't worry,You can return all your files! 
If you want to restore theme, Send $10000 worth of Monero to following address : Β 
43JuFUyzfcKQwTzCTHpQoA8uLGtbwFBLyeeXoYEEU5dZLhLT1cZJDk4cytjcgQT7kdjSerJqpEp2gUcH91bjLcoq2bqik3j 
Then follow this Telegram ID :Β  hxxps://t[.]me/x4ran

This is the exact same message that was released to the media in the context of the Bar-Ilan ransomware incident, as reported on ynet:

Ransom demand text file as seen in Bar-Ilan university

Other than the ransom demand note, the wallpaper picture used on affected machines was also changed, this time presenting an image of a clown:

New Apostle variant wallpaper image

OrcusRAT Jennlog Loader

An additional variant of Jennlog (43b810f918e357669be42030a1feb727) was uploaded to VirusTotal on July 14, 2021 from Iran. This variant is highly similar to the one used to load Apostle, and contains a similar configuration scheme (all set to 0). It is used to load a variant of OrcusRAT, which is extracted from the files resources in a similar manner.

The OrcusRAT variant (add7b6b60e746c36a66f5ec233873372) extracted from within it was submitted to VT on June 20, 2021 using the same submitter ID from Iran. It seems to connect to an internal IP address – 192.168.178.114, indicating it might have been used for testing. It also contained the following PDB path:

C:\Users\dou\Desktop\repo\arcu-win\src\Orcus\obj\Debug\Orcus.pdb

Conclusion

Agrius has shown a willingness to strategically wipe systems and has continued to evolve its toolkit to enable ransomware operations. At this time, we don’t know if the actor is committed to financially-motivated operations, but we do know the original intent was sabotage. We expect the sort of subterfuge seen here to be deployed in future Agrius operations. SentinelLabs continues to track the development of this nascent threat actor.

Technical Indicators

Jennlog Loader (Apostle Loader)

  • 5e5e526a69490399494dcd7195bb6c67
  • c9428afa269bbf8c48a08a7109c553163d2051e7
  • 0ba324337b1d76a5afc26956d4dc9f57786483230112eaead5b5c92022c089c7

Apostle – Bar-Ilan variant

  • fc8221382521a40ec0042431a947a3ca
  • cbdbda089f7c7840d4daed22c34969fd876315b6
  • 44c13c46d4f597ea0625f1c87eecffe3cd5dcd257c5fac18a6fa931ba9b5f97a

Jennlog Loader (OrcusRAT Loader)

  • 43b810f918e357669be42030a1feb727
  • 3de36410a99cf3bd8e0c56fdeafa32bbf7625af1
  • 14659857df1753f720ac797a43a9c3f3e241c3df762de7f50bbbae00feb818c9

OrcusRAT

  • add7b6b60e746c36a66f5ec233873372
  • a35bffc49871bb3a48bdd35b4a4d04d208f23487
  • 069686119adc13e1785cb7a425611d1ec13f33ae75962a7e50e00414209d1809

From Wiper to Ransomware | The Evolution of Agrius

25 May 2021 at 12:16

Executive Summary

  • A new threat actor SentinelLabs tracks as Agrius was observed operating in Israel starting in 2020.
  • Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks.
  • The attacks were carried out using DEADWOOD (aka Detbosit), a wiper with unconfirmed links to an Iranian threat group.
  • Agrius actors also dropped a novel wiper named β€˜Apostle’ and a custom .NET backdoor called β€˜IPsec Helper’.
  • Later intrusions carried out by Agrius revealed they kept maintaining and improving Apostle, turning it into a fully functional ransomware.

Agrius Overview

A new threat actor SentinelLabs track as Agrius was observed operating in Israel beginning in 2020. An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets. The operators behind the attacks intentionally masked their activity as ransomware attacks.

One of the wipers used in the attack, dubbed β€˜Apostle’, was later turned into a fully functional ransomware, replacing its wiper functionalities. The message inside it suggests it was used to target a critical, nation-owned facility in the United Arab Emirates. The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities.

The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions. Analysis of the Apostle malware provides a rare insight into such attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.

Based on technical analysis of the tools and attack infrastructure, we assess with medium confidence that the attacks were carried out by a threat group affiliated with Iran. While some links to known Iranian actors were observed, the set of TTPs and tools appear to be unique to this set of activities. SentinelLabs tracks this threat actor as Agrius.

Agrius Attack Life Cycle

The Agrius threat group utilizes VPN services (primarily ProtonVPN) for anonymization when accessing the public facing applications of its targets. Upon successful exploitation, the threat actor deploys webshells or simply accesses the target by using the target organization’s VPN solution. The webshells Agrius deploys are mostly variations of ASPXSpy.

Agrius uses those webshells to tunnel RDP traffic in order to leverage compromised accounts to move laterally. During this phase, the attackers use a variety of publicly available offensive security tools for credential harvesting and lateral movement.

A summary of Agrius attack life cycle

On interesting hosts, the threat actor deploys its own custom malware – β€˜IPsec Helper’. This backdoor is written in .NET and appears exclusive to Agrius. The malware registers itself as a service to achieve persistence. It can be used to exfiltrate data or deploy additional malware.

Agrius has deployed two different wipers. The first, dubbed β€˜Apostle’, appears to be written by the same developer as β€˜IPsec Helper’. Both are written in .NET, share functions, and execute tasks in a similar manner. Interestingly, Apostle was later modified into functioning ransomware. The second wiper, DEADWOOD, was previously involved in a wiping attack in the Middle EastΒ  and tentatively attributed to Iran.

Attribution

Throughout our analysis of Agrius techniques, tools, and infrastructure, we found no solid links to any known threat groups. While it is hard to provide a definitive attribution for Agrius, a set of indications pointing the activity towards an Iranian nexus came up throughout the investigation:

  1. Correlation with Iranian interests and past actions
    While this is not a strong link, it is worth noting when correlated with other, technical links. Iranian threat actors have a long history of deploying wipers, dating back to 2012, when Iranian hackers deployed the notorious Shamoon malware against Saudi Aramco. Since then, Iranian threat actors have been caught deploying wiper malware in correlation with the regime’s interests on several occasions.
  2. Webshells VirusTotal submissions
    Some of the webshells deployed by Agrius throughout its intrusions were modified versions of ASPXSpy, deploying additional obfuscation and changing variable names. Three of the variants of this webshell were uploaded from Iran, the rest from other countries within the Middle East region.
    While VirusTotal submissions are not an exact form of determining where a sample was deployed, the sources reinforce a Middle East regional focus.
    Modified Agrius webshells uploaded from Iran (source: VirusTotal)
  3. Infrastructure links to Iran
    The threat actor often used public VPN providers, such as ProtonVPN. On instances where the access was performed from non-VPN nodes, it originated from servers that have also resolved to Iranian domains in the past.
    Agrius infrastructure resolving to Iranian domains (source: PassiveTotal)
  4. The usage of the DEADWOOD wiper
    Agrius utilized the DEADWOOD wiper, which was previously attributed to an Iranian-nexus actor. We cannot independently corroborate previous clustering claims. The ties between Agrius and the threat actor who originally deployed DEADWOOD remain unclear. It’s possible that the two groups have access to shared resources.

Conclusion

Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East. In some cases, the group leveraged its access to deploy destructive wiper malware, and in others a custom ransomware. Considering this, we find it unlikely that Agrius is a financially motivated threat actor.

Our analysis of Agrius activity does not come in a vacuum. Early May 2021 saw another set of disruptive ransomware attacks attributed to Iran targeting Israel from the n3tw0rm ransomware group, a newly-identified threat actor with links to the 2020 Pay2Key attacks. The close proximity of the Agrius and n3tw0rm campaigns suggest they may be part of a larger, coordinated Iranian strategy. Leaks from Lab Dookhtegan and the Project Signal ransomware operation also support this claim.

While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame. Similar strategies have been used with devastating effect by other nation-state sponsored actors. The most prominent of those was NotPetya in 2017, a destructive malware targeting Ukraine masked as ransomware and attributed to Russian state-sponsored threat actors by Western intelligence agencies.

Read the Full Report

See the report for the full list of IOCs and further details on Agrius.

Read the Full Report

The post From Wiper to Ransomware | The Evolution of Agrius appeared first on SentinelLabs.

  • There are no more articles
❌