{"id":22499,"date":"2023-07-18T15:21:14","date_gmt":"2023-07-18T23:21:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/07\/18\/news-16229\/"},"modified":"2023-07-18T15:21:14","modified_gmt":"2023-07-18T23:21:14","slug":"news-16229","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/07\/18\/news-16229\/","title":{"rendered":"Sophos Discovers Ransomware Abusing &#8220;Sophos&#8221; Name"},"content":{"rendered":"<p><strong>Credit to Author: Andrew Brandt | Date: Tue, 18 Jul 2023 21:20:01 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Attackers will sometimes use the name of security companies in their malware. While performing a regular search on VirusTotal looking for interesting malware and new ransomware variants using our threat hunting rules this week, a Sophos X-Ops analyst discovered a novel ransomware executable that appears to use &#8220;Sophos&#8221; in the UI of the panel alerting that files have been encrypted (shown below), and as the extension (&#8220;.sophos&#8221;) for encrypted files.<\/p>\n<p>The SophosLabs teams immediately investigated and began work on developing a targeted detection rule for Sophos endpoint security products, but a pre-existing behavioral rule (and Sophos CryptoGuard) blocked the ransomware from causing harm in tests. 
This targeted detection rule has been released as indicated in \u201cDetection,\u201d below.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92722\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png\" alt=\"\" width=\"640\" height=\"350\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png 1851w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png?resize=300,164 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png?resize=768,419 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png?resize=1024,559 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/markedup-sophos-ransom-wallpaper-update.png?resize=1536,839 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>The ransomware executable itself, compiled using MinGW and containing linked Rust libraries, is unusually retro in terms of the functionality it appears to have. In most contemporary ransomware incidents, the threat actors who build the ransomware make a tool that is explicitly and exclusively designed to encrypt files, without including much other functionality. Most ransomware we deal with today is a single-purpose executable that doesn\u2019t bring many, or any, additional capabilities.<\/p>\n<p>The VirusTotal records on these files indicate, and our analysis confirms, that one of the samples can do many things beyond encrypting files, which is unusual. 
The ransomware also seems to emphasize methods for the target to communicate with the attacker that most ransomware groups no longer use: email and the Jabber instant messaging platform.<\/p>\n<p>In fact, <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3da31ee0a6c6410b3c66aad41623d05aac61a4dbb85045eb89f5810ffdc93066\/behavior\">the capabilities of one of these files<\/a> fall closer to a general-purpose remote access trojan (RAT) with the capacity to encrypt files and generate these ransom notes than to a contemporary ransomware executable. Those capabilities include hooking the keyboard driver for keystroke logging and profiling the system using WMI commands. Like many other ransomware families, it skips a list of directories that would either prevent the system from booting if encrypted or contain only unimportant files. The ransomware also checks the language settings on the system and refuses to run if it is set to use the Russian language.<\/p>\n<p>The other known sample has fewer of these non-ransomware features. However, both of them connect over the internet to a command-and-control server address. The connection references an address on the Tor (.onion) dark web, but the ransomware samples we analyzed do not actually make a Tor connection.<\/p>\n<p>In addition, both samples contain a hardcoded IP address (one we did see the samples connect to). 
The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.<\/p>\n<figure id=\"attachment_92726\" aria-describedby=\"caption-attachment-92726\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-92726 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-3.png\" alt=\"\" width=\"640\" height=\"599\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-3.png 763w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-3.png?resize=300,281 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-92726\" class=\"wp-caption-text\">Historical data strongly implicates the C2 address used by the ransomware in prior malicious activity<\/figcaption><\/figure>\n<h3>Console ransomware application<\/h3>\n<p>Both samples are intended to be executed in the Windows command line. When executed in the Windows Command Prompt application, the ransomware prompts the user (\u201cuser\u201d here means the criminal who is deploying the ransomware, not the owner of the computer) to enter a string of information that configures its behavior and the contents of the ransom note it eventually drops.<\/p>\n<p>The program prompts the person running it to enter a \u201cpassword encrypted (32 characters)\u201d followed by a \u201ctoken,\u201d an email address and a Jabber instant messaging account address. 
After the user enters that information, the program prompts the user to select an option to (1) encrypt all files on the hard drive, (2) encrypt a single drive letter, or (3) to quit the program.<\/p>\n<figure id=\"attachment_92727\" aria-describedby=\"caption-attachment-92727\" style=\"width: 844px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-92727\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-3.png\" alt=\"\" width=\"844\" height=\"447\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-3.png 981w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-3.png?resize=300,159 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-3.png?resize=768,407 768w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\" \/><\/a><figcaption id=\"caption-attachment-92727\" class=\"wp-caption-text\">The ransomware console application prompts the criminal to add their contact information<\/figcaption><\/figure>\n<p>If the user chooses either the \u201csingle\u201d or \u201call\u201d options, when the ransomware completes the encrypting task, it renames the encrypted files using the \u201ctoken\u201d value in the renamed filename. 
The email address and Jabber address get added to the ransom note, which is an HTML Application (.hta file) dropped into any directory where encryption has taken place.<\/p>\n<p>The .hta file simply displays the ransom note, customized with the email address and other information the attacker provided at the start of the attack.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-92738\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-3.png\" alt=\"\" width=\"991\" height=\"415\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-3.png 813w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-3.png?resize=300,125 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-3.png?resize=768,321 768w\" sizes=\"auto, (max-width: 991px) 100vw, 991px\" \/><\/a><\/p>\n<p>The .hta contains the embedded email\/Jabber ID information.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92739\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png\" alt=\"\" width=\"640\" height=\"642\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png 741w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=150,150 150w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=300,300 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=64,64 64w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=96,96 96w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-3.png?resize=128,128 128w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>The ransomware appends a unique machine identifier, the email address entered during setup, and the suffix &#8220;.sophos&#8221; to every file it encrypts at the end of the process.<\/p>\n<figure id=\"attachment_92728\" aria-describedby=\"caption-attachment-92728\" style=\"width: 447px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-92728\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-2.png\" alt=\"\" width=\"447\" height=\"370\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-2.png 347w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-2.png?resize=300,248 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/a><figcaption id=\"caption-attachment-92728\" class=\"wp-caption-text\">Files renamed by the ransomware append the .sophos suffix<\/figcaption><\/figure>\n<p>If the encryption process is stopped before it is complete, the ransomware does not leave a ransom note behind or change the wallpaper image to the one it retrieves from the public image server.<\/p>\n<p>The ransomware also retrieves a graphic from a public image library website, and uses that to change the Windows desktop wallpaper to a screen which reads \u201cSophos.\u201d It\u2019s notable that this does not replicate Sophos logos, colors, or branding but instead presents a green padlock logo and instructions on how the target can find and use the ransom note to contact the attackers.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-92729\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-3.png\" alt=\"\" 
width=\"482\" height=\"247\" \/><\/a><\/p>\n<p>The ransomware&#8217;s file icon appears to match the padlock icon used in the wallpaper graphic shown at the top of the article.<\/p>\n<p>When run in the console, the ransomware outputs a long list of what appears to be debug logging, reporting the time it took to encrypt each file it finds, in milliseconds.<\/p>\n<figure id=\"attachment_92724\" aria-describedby=\"caption-attachment-92724\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-92724\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2-3.png\" alt=\"\" width=\"640\" height=\"745\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2-3.png 771w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2-3.png?resize=258,300 258w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2-3.png?resize=768,895 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-92724\" class=\"wp-caption-text\">The ransomware outputs debug logging in the console while running. It will report &#8220;SUCCESS&#8221; even when Sophos Intercept X prevents it from encrypting files.<\/figcaption><\/figure>\n<p>Testing also revealed that the ransomware attempts to validate the user&#8217;s permission to use it when run on a computer connected to the internet. In our tests, it was also capable of performing encryption tasks when run on a computer not connected to the internet.<\/p>\n<h3>Ransomware that checks its own validity<\/h3>\n<p>The ransomware executables&#8217; Properties sheets show that they are versions 0.0.8 and 0.0.9, respectively, of the program. 
Neither executable is signed, and both prompt for elevation via UAC when executed.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-92730\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-3.png\" alt=\"\" width=\"860\" height=\"352\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-3.png 793w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-3.png?resize=300,123 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-3.png?resize=768,315 768w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/a><\/p>\n<p>The initial behavior of the ransomware is for the user (again, &#8220;user&#8221; means criminal) to enter a &#8220;token.&#8221; The ransomware performs a minor bit of system profiling on the computer, retrieves the public IP address for the target&#8217;s network, and performs an HTTP POST request to the IP address <strong>179.43.154.137<\/strong> on port <strong>21119\/tcp<\/strong> that transmits the token, and profiling information about the computer. 
The session is not encrypted.<\/p>\n<figure id=\"attachment_92731\" aria-describedby=\"caption-attachment-92731\" style=\"width: 873px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-92731\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-2.png\" alt=\"\" width=\"873\" height=\"352\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-2.png 797w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-2.png?resize=300,121 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-2.png?resize=768,309 768w\" sizes=\"auto, (max-width: 873px) 100vw, 873px\" \/><\/a><figcaption id=\"caption-attachment-92731\" class=\"wp-caption-text\">HTTP POST session information during the ransomware &#8220;token&#8221; check<\/figcaption><\/figure>\n<p>If the &#8220;token&#8221; value is not acceptable to the server, the application outputs the error message &#8220;Your token is not valid!&#8221; in the console, and the application quits. 
However, if the ransomware is run on a computer disconnected from the internet, it displays &#8220;Local use of the program&#8221; and proceeds to function: it prompts the user to enter a 32-byte password and the contact information that gets embedded into the ransom note and appended to each filename, and then begins encrypting.<\/p>\n<h2>Detection<\/h2>\n<p>Sophos Intercept X products will block the execution and malicious behaviors of this ransomware using the following signatures:<\/p>\n<ul>\n<li><strong>CryptoGuard<\/strong> \u2013 Proactively blocks ransomware encryption attempts at runtime, based on the <strong>engine released May 2017<\/strong>.<\/li>\n<li><strong>Impact_6a<\/strong> \u2013 Runtime behavioral detection blocking the malicious activity at the Impact stage, published October 2020.<\/li>\n<li><strong>Troj\/Ransom-GXS<\/strong> \u2013 Pre-execution anti-malware detection of the malicious file, published July 18, 2023.<\/li>\n<li><strong>Mal\/Generic-R<\/strong> \u2013 Reputation detection preventing the execution of the malware, published July 17, 2023.<\/li>\n<li><strong>Reputation-based detection for C2 IP<\/strong> \u2013 Blocks access to <strong>179.43.154.137<\/strong>, the C2 associated with the malware, published July 18, 2023.<\/li>\n<\/ul>\n<p>These samples have only been observed in a public malware repository and have not been seen in use by an attacker. Sophos will continue to monitor for the use of this ransomware in the wild.<\/p>\n<p>Sophos has <a href=\"https:\/\/support.sophos.com\/support\/s\/article\/KB-000045508?language=en_US\">published a Knowledge Base article addressing this ransomware<\/a>. 
X-Ops has published <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/Troj-Ransom-GXS.csv\">IOCs relating to this malware<\/a> on the SophosLabs GitHub.<\/p>\n<h3>Acknowledgments<\/h3>\n<p>Sophos X-Ops would like to thank Yusuf Arsan Polat, Anand Ajjan, and Ronny Tijink for their assistance identifying and analyzing the samples. SophosLabs also thanks <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1681036041912811523\" target=\"_blank\" rel=\"noopener\">@malwrhunterteam<\/a> for alerting us about this.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/18\/sophos-discovers-ransomware-abusing-sophos-name\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/padlock-screen.png\"\/><\/p>\n<p><strong>Credit to Author: Andrew Brandt | Date: Tue, 18 Jul 2023 21:20:01 +0000<\/strong><\/p>\n<p>Attackers will sometimes use the name of security companies in their malware. 
While performing a regular search on VirusTotal looking for interesting malware and new ransomware variants using our threat hunting rules this week, a Sophos X-Ops analyst discovered a novel ransomware executable that appears to use &#8220;Sophos&#8221; in the UI of the panel alerting [&#8230;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[29820,29821,129,11597,3765,11266,16771],"class_list":["post-22499","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-brand-abuse","tag-brandjacking","tag-featured","tag-raas","tag-ransomware","tag-sophos","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22499"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22499\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22499"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}