
Ankura CTIX FLASH Update - January 27, 2023

Malware Activity


Mimic Ransomware Identified Abusing Legitimate Windows "Everything" Tool's APIs

Trend Micro researchers have published a new report on "Mimic," a ransomware first observed in June 2022 that abuses the APIs of "Everything," a legitimate Windows filename search engine. The ransomware is delivered as an executable that drops several binaries and a password-protected archive disguised as "Everything64.dll". The archive contains the ransomware payload together with tools that disable Windows Defender, as well as other legitimate binaries. Once executed, the dropper extracts the archive's contents and also writes a session key file, which lets the encryption process resume if it is interrupted. The ransomware binary is then renamed "bestplacetolive.exe" and all other files are deleted from the %Temp% directory. Mimic has an array of capabilities, including persistence through the "RUN" key, removal of indicators, disabling sleep mode and shutdown of the compromised machine, collection of system information, and more. Mimic loads the legitimate "Everything32.dll" and uses the tool's APIs to query for specific file extensions and filenames, retrieving each file's path for encryption; the "Everything_SetSearchW" function is also used to exclude certain files from encryption. Once files have been encrypted, the ".QUIETPLACE" extension is appended and a ransom note is displayed. Mimic primarily targets English- and Russian-speaking users and shares code with the Conti ransomware builder, which was leaked in March 2022. Similarities noted by the researchers include the enumeration of encryption modes using the same integer values in both families, port-scanning capabilities based on Conti's, and the reuse of Conti's Windows share enumeration code. Additional technical details as well as indicators of compromise (IOCs) can be reviewed in Trend Micro's report linked below.
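The indicators named above (the "bestplacetolive.exe" process name, the Everything DLLs, the ".QUIETPLACE" extension and the RUN-key persistence) can be turned into simple triage logic. The following is an added example, not code from Trend Micro's report or from the Ankura update: it scans endpoint telemetry for those indicators. The pipe-separated key=value log format and every sample line are constructed for the example, and the rule that a genuine Everything installation loads its DLL from outside a temp directory is an assumption of ours, used to keep the benign load from being flagged.

```python
# Added example (not code from Trend Micro's report or the Ankura update): a
# triage script that scans endpoint telemetry for the Mimic indicators named in
# the write-up above. The pipe-separated key=value log format and every sample
# line below are constructed for this example; the assumption that a genuine
# Everything install loads its DLL from outside a temp directory is also ours.
import re
from typing import Dict, List

# Indicators taken from the write-up above (lower-cased for matching).
SUSPICIOUS_IMAGE = "bestplacetolive.exe"
EVERYTHING_DLLS = {"everything32.dll", "everything64.dll"}
RANSOM_EXT = ".quietplace"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Matches a "\Temp\" or "\tmp\" path component, case-insensitively.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample telemetry. The Program Files Everything load and the
# vendor installer's Run-key write are benign controls that must not fire.
SAMPLE_EVENTS = [
    r"type=process|image=C:\Users\alice\AppData\Local\Temp\bestplacetolive.exe|pid=4120",
    r"type=imageload|image=C:\Users\alice\AppData\Local\Temp\bestplacetolive.exe|module=C:\Users\alice\AppData\Local\Temp\Everything32.dll",
    r"type=imageload|image=C:\Program Files\Everything\Everything.exe|module=C:\Program Files\Everything\Everything32.dll",
    r"type=filerename|image=C:\Users\alice\AppData\Local\Temp\bestplacetolive.exe|target=C:\Users\alice\Documents\budget.xlsx.QUIETPLACE",
    r"type=registry|image=C:\Users\alice\AppData\Local\Temp\bestplacetolive.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"type=registry|image=C:\Program Files\Vendor\setup.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vendor",
    r"type=process|image=C:\Windows\System32\notepad.exe|pid=5000",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; a value may itself contain '='."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a Mimic indicator."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type", "")
        image = ev.get("image", "")
        image_in_temp = bool(TEMP_DIR.search(image))

        if kind == "process" and basename(image) == SUSPICIOUS_IMAGE:
            findings.append({"rule": "mimic-process-name", "image": image})
        elif kind == "imageload":
            module = ev.get("module", "")
            # The Everything DLL is only suspicious when it is loaded from a
            # temp directory; the real tool loads it from its install folder.
            if basename(module) in EVERYTHING_DLLS and TEMP_DIR.search(module):
                findings.append({"rule": "everything-dll-from-temp", "image": image})
        elif kind == "filerename" and ev.get("target", "").lower().endswith(RANSOM_EXT):
            findings.append({"rule": "quietplace-extension", "image": image})
        elif kind == "registry" and RUN_KEY in ev.get("key", "").lower() and image_in_temp:
            # Run-key writes are common for legitimate installers, so only a
            # writer running out of a temp directory is reported.
            findings.append({"rule": "run-key-from-temp-binary", "image": image})
    return findings


def rule_names(lines: List[str]) -> List[str]:
    """Sorted rule names fired over the given lines (handy for reporting)."""
    return sorted(f["rule"] for f in triage(lines))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed sample, four findings fire, all attributed to the temp-directory binary, while the Program Files Everything load and the vendor installer's Run-key write stay quiet. The Run-key rule is deliberately gated on the writer's location because that key is written by a great deal of legitimate software.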


Threat Actor Activity


Hive Ransomware Seized, Decryption Keys Released to Victims

A major ransomware enterprise was disrupted on Thursday as a result of a joint task force operation by the Federal Bureau of Investigation (FBI), Department of Justice (DOJ), US Secret Service (USSS), and other international agencies. Hive Ransomware's leak site was seized by authorities and currently displays the statement [translated from Russian] "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware." One (1) of the significant reasons Hive Ransomware was targeted for seizure was its repeated attacks against hospitals and healthcare centers throughout the world. One (1) attack, carried out in the Midwestern United States, caused a hospital to turn away sick patients after ransomware was deployed on its systems. Another attack did not compromise the integrity of hospital systems, but Hive actors exfiltrated sensitive patient data on 270k individuals from those systems. According to the DOJ, the FBI had successfully infiltrated Hive systems back in July 2022 and captured decryption keys for over a thousand victims, releasing them for free. This act alone saved victims from paying over $130 million in ransom demands. While Hive Ransomware operations may be disrupted for now, a rebranding or reemergence is likely, and the disruption to the wider ransomware landscape is expected to be minimal. CTIX continues to monitor fallout from the Hive Ransomware seizure and will provide additional updates accordingly.


Vulnerabilities


Malicious Botnets Leveraged Against Vulnerable Supply Chain Network Infrastructure

Security researchers stated in a new report that they have observed a sharp uptick in the exploitation of a years-old remote code execution (RCE) vulnerability affecting the Realtek Jungle SDK. Realtek Jungle chipsets have become a staple in hundreds of routers, switches, and other IoT devices used by supply-chain organizations across the world. Only days after the flaw was originally disclosed in August 2021, researchers and security personnel observed as many as 1 million vulnerable devices being attacked at one time. By December 2022, researchers stated they had observed approximately 134 million exploitation attempts, and that exploitation is still ongoing. The vulnerability, tracked as CVE-2021-35394 (CVSS 9.8/10), is a combination of memory corruption and command injection flaws in a Realtek Jungle SDK diagnostic tool called "MP Daemon", compiled as a "UDPServer" binary. The vulnerability is being exploited by multiple malicious botnet variants, mainly Mirai, Gafgyt, Mozi, and their derivatives, as well as a new Go-based botnet known as "RedGoBot", which is leveraged in distributed denial-of-service (DDoS) attacks. These botnets have been observed delivering three (3) different malware payloads. Supply-chain vulnerabilities pose an especially lucrative opportunity for threat actors, and the nature of the supply chain itself often leaves it very vulnerable. This flaw was patched in August 2021; however, depending on the organization's part in the supply chain, shutting down operations to update infrastructure could cause a critical loss to the business or even threaten national security. CTIX analysts urge any administrators responsible for vulnerable infrastructure to begin developing a patching plan that will impact operations the least, through rolling updates in which the organization is patched piece-by-piece.
Exploitation of this flaw is expected to stay high throughout the beginning of 2023, and CTIX analysts will continue to monitor this campaign.
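The "rolling updates" advice above is easy to state and easy to get wrong: the failure mode is rebooting both members of a redundant pair in the same maintenance window. The following is an added example, not from the Ankura update or from any Realtek tooling, of a planner that turns an inventory of affected devices into patch batches such that no two devices sharing a redundancy group land in the same batch and each batch stays under a size limit. The inventory, the group names and the batch size are constructed assumptions for the example.

```python
# Added example (not from the Ankura update or any Realtek tooling): a planner
# that turns the "patch piece-by-piece" advice above into rolling batches.
# Devices that share a redundancy group (a primary/backup router pair, or the
# switches that back each other up at one site) are never taken down in the
# same batch, and a batch holds at most max_per_batch devices. The inventory,
# group names and batch size below are constructed assumptions.
from typing import Dict, List

# Constructed inventory of devices built on the affected Realtek Jungle SDK.
INVENTORY: List[Dict[str, object]] = [
    {"name": "rtr-dc1-a", "group": "dc1-edge", "patched": False},
    {"name": "rtr-dc1-b", "group": "dc1-edge", "patched": False},
    {"name": "rtr-dc2-a", "group": "dc2-edge", "patched": False},
    {"name": "rtr-dc2-b", "group": "dc2-edge", "patched": True},  # already done
    {"name": "sw-wh-1", "group": "warehouse-sw", "patched": False},
    {"name": "sw-wh-2", "group": "warehouse-sw", "patched": False},
    {"name": "sw-wh-3", "group": "warehouse-sw", "patched": False},
]


def plan_batches(inventory: List[Dict[str, object]], max_per_batch: int = 3) -> List[List[str]]:
    """Greedy rolling-update plan: each batch takes at most one device per
    redundancy group and at most max_per_batch devices overall."""
    groups = {str(d["name"]): str(d["group"]) for d in inventory}
    remaining = [str(d["name"]) for d in inventory if not d["patched"]]
    batches: List[List[str]] = []
    while remaining:
        batch: List[str] = []
        used_groups = set()
        # Iterate over a copy because we remove from `remaining` as we go.
        for name in list(remaining):
            if len(batch) >= max_per_batch:
                break
            if groups[name] in used_groups:
                continue  # its partner is already down in this batch
            batch.append(name)
            used_groups.add(groups[name])
            remaining.remove(name)
        batches.append(batch)  # always non-empty, so the loop terminates
    return batches


def is_safe_plan(batches: List[List[str]], inventory: List[Dict[str, object]],
                 max_per_batch: int = 3) -> bool:
    """Independent check of a plan: size limit, one device per group per
    batch, and every unpatched device scheduled exactly once."""
    groups = {str(d["name"]): str(d["group"]) for d in inventory}
    pending = sorted(str(d["name"]) for d in inventory if not d["patched"])
    scheduled: List[str] = []
    for batch in batches:
        if len(batch) > max_per_batch:
            return False
        batch_groups = [groups[n] for n in batch]
        if len(batch_groups) != len(set(batch_groups)):
            return False
        scheduled.extend(batch)
    return sorted(scheduled) == pending


if __name__ == "__main__":
    plan = plan_batches(INVENTORY)
    for i, batch in enumerate(plan, start=1):
        print(f"batch {i}: {', '.join(batch)}")
    print("plan is safe:", is_safe_plan(plan, INVENTORY))
```

With the constructed inventory the planner produces three batches, and `is_safe_plan` is kept separate from the planner so the constraint is checked by code that did not generate the plan; feeding it a hand-edited change window catches the common mistake of pairing partners in one batch.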


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
