Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Ransomware and wiper signed with stolen certificates
#1
Bug 
Quote:[Image: abstract-binary-code-ok-signed-sl-1200.jpg]

Introduction

On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.

Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.

So, what’s new in this blogpost?
  • We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
  • The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
  • We identified potential cooperation between different attack groups speaking different languages, and the possible use of AnyDesk as an initial entry point to start the ransomware/wiper infections.
  • The changes implemented to automate and speed up wiping in the second wave of attacks are reminiscent of the notorious Shamoon wiper attacks in the Middle East.
Wiper and ransomware, comparing wave 1 and wave 2

Below, we compare and discuss the differences between the wave 1 and wave 2 ransomware and wiper malware.

Initial Infection – traces of cooperation between different attack groups and use of AnyDesk utility

Although we weren’t able to identify the initial entry point of the threat actor in the analyzed intrusion, a few days after the second wave wiping activities, we noticed underground chatter about someone having access to an AnyDesk account at another non-governmental but significant Albanian entity, and suggestions for Persian-speaking hackers to use it for deploying ransomware or wiper malware. This may increase the likelihood that the initial entry point for wave 2 is through legitimate remote access software such as AnyDesk, especially since we know that the wave 2 wiper modifications included automatic execution upon driver installation only – potential need for urgency due to the limited time/access window. The attackers and access provider seemed to belong to different attack groups and spoke different languages.

The ransomware – use of Kuwait Telecommunications Company signing certificate=

MD5 96eabcc77a6734ea8587599685fbf1b4
SHA1 6a36962709abbfc1f88f87e7fe88a417302bfe43
SHA256 8ad01b028e6aa711d26879d346a7bef82516e372e0f14e8e69db6aef0f25d992
Imphash 653ee44c85bc91d12ec33dfed8056c27
Link time Wed Jul 06 21:30:41 2016
File type 32-bit executable
Compiler MinGW-w32 gcc
File size 45.48 KB
File name PdftoDoc.exe

This second wave sample has the same signing certificate parameters as the first wave sample, which is related to Kuwait Telecommunications Company. It’s unclear how the threat actor was able to sign its malware using Kuwait Telecommunications Company’s certificate, but we suspect it was stolen. As of the date of this publication, the certificate is no longer valid and has been revoked.
 
[Image: Stolen_certificates_used_in_ransomware_a...cks_01.png]

After the initial execution, the wave 2 ransomware checks for any six arguments (or more) supplied by the threat actor, as opposed to the wave 1 sample that checks for five arguments or more – a small modification that assists in defense evasion. Nevertheless, the intrusion analysis conducted on one of the affected machines indicates that in wave 2 the threat actor did not use a BAT file to invoke the ransomware while supplying seven digits similar to wave 1, but instead invoked the wave 2 ransomware immediately from the command line using six zeroes: “000000”. If ransomware execution fails because the correct arguments are not supplied, the wave 2 sample displays a different message from that of wave 1; the wave 2 message resembles an error message displayed by a PDF to DOC converter.
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • ismail
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Microsoft Edge fixes 0-day vulnerability...
Microsoft released...harlan4096 — 10:12
AnyDesk 8.0.9
AnyDesk 8.0.9:   ...harlan4096 — 10:10
AMD Confirms RDNA 3+ GPU Architecture F...
AMD Zen5-based Strix...harlan4096 — 10:08
Adobe Acrobat Reader DC 24.001.20629 (Op...
Adobe Acrobat Read...harlan4096 — 10:06
FastCopy 5.7.5
FastCopy 5.7.5: ...harlan4096 — 10:04

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>