Researchers Observe "Rorschach", One of the Fastest Ransomware Strains to Date
Researchers have recently observed a previously unnamed ransomware, dubbed "Rorschach", which they describe as "one of the fastest ransomware observed, by the speed of encryption." In the observed instance, Rorschach was deployed "using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product," a loading method not typically used by ransomware operations; execution involves three (3) files. The main payload is injected into "notepad.exe" and then launches processes in SUSPEND mode with falsified arguments, a technique intended to make analysis more difficult. The ransomware also deletes shadow volumes and backups using legitimate Windows tools, clears specific Windows event logs, disables the Windows firewall, and attempts to stop a number of predefined services. Researchers explained that Rorschach has capabilities not commonly seen in ransomware, such as making direct calls using the "syscall" instruction in order to evade defense mechanisms. Rorschach also employs a "highly effective and fast hybrid-cryptography scheme," which encrypts only a specific portion of each file's content rather than the entire file. Researchers emphasized that these capabilities, among others, allowed the ransomware to encrypt an environment in only four (4) minutes and thirty (30) seconds; LockBit 3.0, another known fast ransomware strain, encrypted an identical environment in seven (7) minutes. Despite having no clear-cut overlaps with any known ransomware group, Rorschach shares similarities with the leaked Babuk source code and is suspected of taking inspiration for some components from LockBit 2.0. The ransom note also resembles those of DarkSide and Yanluowang. CTIX analysts will continue to monitor Rorschach for new activity. Indicators of compromise (IOCs) and additional technical details can be viewed in the linked report.
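The behaviour chain summarized above (an injected notepad.exe launching shadow-copy deletion, event-log clearing, firewall disabling and service stops via built-in Windows tools) is something a detection engineer can score from process-creation telemetry. The following is an added example, not code from the report or its researchers; the event fields, the parent/child names and the exact command strings are assumptions chosen to illustrate the tactics the report names, not confirmed Rorschach commands.

```python
import re
from typing import Dict, List

# Assumed command patterns for the "legitimate Windows tools" behind each
# tactic the report names; the report does not give Rorschach's exact commands.
TACTIC_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I),
    "firewall_disabled": re.compile(
        r"netsh(\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I),
    "service_stop": re.compile(r"\bnet(\.exe)?\s+stop\s", re.I),
}

# Parents that should never spawn administrative tooling (report: payload
# injected into notepad.exe).
SUSPICIOUS_PARENTS = {"notepad.exe"}

def classify(event: Dict[str, str]) -> List[str]:
    """Return the tactic labels matched by one process-creation event."""
    cmd = event.get("command_line", "")
    hits = [name for name, pat in TACTIC_PATTERNS.items() if pat.search(cmd)]
    if hits and event.get("parent_image", "").lower() in SUSPICIOUS_PARENTS:
        hits.append("suspicious_parent")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Flag matching events; call the sequence ransomware-like when three or
    more distinct tactics appear, or any tactic is launched from a suspicious parent."""
    tactics, flagged = set(), []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev["pid"], hits))
            tactics.update(h for h in hits if h != "suspicious_parent")
    from_bad_parent = any("suspicious_parent" in h for _, h in flagged)
    return {"flagged": flagged, "ransomware_like": len(tactics) >= 3 or from_bad_parent}

# Constructed sample events (Sysmon-style fields; all values are made up).
SAMPLE_EVENTS = [
    {"pid": "4120", "parent_image": "explorer.exe", "command_line": "notepad.exe C:\\Users\\a\\todo.txt"},
    {"pid": "4188", "parent_image": "notepad.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": "4190", "parent_image": "notepad.exe", "command_line": "wevtutil.exe cl Security"},
    {"pid": "4192", "parent_image": "notepad.exe", "command_line": "netsh advfirewall set allprofiles state off"},
    {"pid": "4201", "parent_image": "services.exe", "command_line": "net stop wuauserv"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The legitimate `net stop` from services.exe is still recorded as a tactic hit, which is why the verdict relies on the combination of tactics and parent rather than any single match.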
Threat Actor Activity
North Korean Archipelago Attacks Observed
A North Korean state-sponsored threat actor known as ARCHIPELAGO has been linked to cyberattacks targeting think tanks in South Korea and the U.S. Researchers in South Korea and Google's Threat Analysis Group (TAG) have tracked ARCHIPELAGO for over a decade and determined that its priorities line up with those of the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence agency. ARCHIPELAGO primarily relies on phishing emails that contain malicious links, which redirect to recreated fake login pages for credential harvesting. ARCHIPELAGO also takes its time with victims, typically spending weeks building trust with the target before finally sending the malicious link. By also applying the "browser-in-the-browser" technique, which renders a fake window within an actual browser window, the actor can further convince the victim of the login page's authenticity. Although email is the primary form of malware delivery, ARCHIPELAGO has also experimented with ISO files, Chrome extensions, and encoding commands into drive names, showing a slow but steady increase in the sophistication of its attack techniques. ARCHIPELAGO has posed as a variety of actors, including journalists and government agencies, in order to trick its victims. CTIX analysts will continue to monitor ARCHIPELAGO and its attacks across the globe.
Multiple Critical Vulnerabilities in Popular ICS Products and Systems
On April 6, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published seven (7) advisories concerning multiple high-severity vulnerabilities affecting critical Industrial Control Systems (ICS). The flaws impact products and solutions from "Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx." In terms of severity, the vulnerabilities range from a CVSS score of 7.8/10 on the lower end to multiple flaws scoring as high as 9.9/10. The majority of the vulnerabilities stem from broken file permission validation and command injection flaws, which could allow attackers to escalate their local system privileges, move laterally across the network, exfiltrate sensitive information, drop malware, remotely execute arbitrary code, and take complete control of vulnerable systems and IoT devices. These vulnerabilities pose a great threat to U.S. critical infrastructure and are valuable attack vectors for state-sponsored threat actors working on behalf of U.S. adversaries. CISA has provided technical details and instructions for all advisories in the linked alert. CTIX analysts recommend that all administrators and users of the impacted products follow the advisories to prevent future exploitation, whether through security patching or manual mitigation techniques.
Microsoft's Court Order Grants Them Offensive Capabilities to Combat Cybercrime
Microsoft has received the green light to take offensive measures against cybercriminals abusing its software. Working together with the nonprofit Health Information Sharing and Analysis Center (Health-ISAC) and software maker Fortra, Microsoft's Digital Crimes Unit (DCU) will go after cracked legacy copies of Fortra's Cobalt Strike, which have been abused to wreak havoc on the healthcare industry. Cobalt Strike is an adversary simulation and penetration testing tool used by red teams to proactively find vulnerabilities and prepare for attacks, but cybercriminals have exploited older versions of the software for malicious purposes such as distributing malware. Malicious infrastructure hosting Cobalt Strike has been detected in China, the United States, Russia, and other parts of the world, and has been linked to sixty-eight (68) ransomware attacks across nineteen (19) countries. After hundreds of Digital Millennium Copyright Act (DMCA) violation notices, this court order finally allows the three (3) entities to collectively pursue cybercriminal servers hosting cracked copies of Cobalt Strike. Microsoft will notify internet service providers (ISPs) and computer emergency readiness teams (CERTs) about command-and-control (C2) servers and other malicious infrastructure leveraging its software so that they can be taken offline. Disrupting the connections between cybercriminals and infected victims' computers severs the attackers' distribution method and effectively disrupts the criminal ecosystem that exploits the companies' software.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.