A New Ransomware Tool, Just in Time For The 2020 Holidays

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research.  Affiliates are typically threat actors responsible for gaining an initial foothold in a target network.  In a recent analysis published by Sophos, the report states that new deployments of Ryuk and Egregor ransomware have involved the use of the SystemBC backdoor to move laterally across the network and fetch additional payloads for further exploitation.

Cyber threat researchers report that SystemBC infects systems through malware such as DanaBot, Amadey, and other software of this type that is already installed on the operating system, or through RIG and Fallout exploit kits. Exploit kits are programs that are used to initiate exploits against installed vulnerable software.

"SystemBC is a regular part of recent ransomware attackers' toolkits," said a Sophos senior threat researcher.  "The backdoor can be used in combination with other scripts and malware to perform discovery, exfiltration, and lateral movement in an automated way across multiple targets.  These SystemBC capabilities were originally intended for mass exploitation, but they have now been folded into the toolkit for targeted attacks including ransomware."

First documented by Proofpoint in August 2019, SystemBC is a proxy malware that leverages the SOCKS5 internet protocol to mask traffic to command-and-control (C2) servers and download the DanaBot banking Trojan.  Banking Trojans mainly focus on stealing financial information from affected systems.  DanaBot is spread through exploit kits and malicious spam; at first it focused on Australia, but it has since expanded to North America and Europe.  Amadey is malicious software categorized as a Trojan.  Cyber criminals can purchase Amadey on a Russian dark web forum and then use it to perform various malicious tasks: download and install (execute) other malware, steal personal information, log keystrokes, send spam from a victim's computer, and add the infected computer to a botnet.

The SystemBC RAT (Remote Access Trojan) has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor from which to launch other attacks.  Researchers note that SystemBC has been used in a number of ransomware attacks, often in conjunction with other post-exploitation tools like CobaltStrike, taking advantage of its Tor proxy and remote access features to parse and execute malicious shell commands, VBS scripts, and other DLL blobs sent by the server over the anonymous connection.
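Because SystemBC's C2 channel rides on SOCKS5, one defensive check a network team can run is to parse SOCKS5 client handshakes seen by a sensor and alert on any that do not involve a sanctioned proxy host. The following is an added example written for this post, not code from Red Sky Alliance, Sophos or the SystemBC authors; the approved-proxy list and the captured payloads are constructed for illustration.

```python
# Added example, not code from the article or from Sophos: parse SOCKS5 client
# handshakes (RFC 1928) from sensor captures and flag any that bypass the one
# sanctioned proxy host. Allow-list and sample captures are constructed.
import ipaddress
import struct

APPROVED_PROXIES = {"10.0.0.5"}  # assumption: the only sanctioned SOCKS5 host

def parse_socks5_greeting(data: bytes):
    """Offered auth methods from a SOCKS5 client greeting, or None if not one."""
    if len(data) < 2 or data[0] != 0x05 or data[1] == 0:
        return None
    nmethods = data[1]
    return list(data[2:2 + nmethods]) if len(data) >= 2 + nmethods else None

def parse_socks5_connect(data: bytes):
    """(dst_host, dst_port) from a SOCKS5 CONNECT request, or None if not one."""
    if len(data) < 4 or data[0] != 0x05 or data[1] != 0x01:  # CMD 0x01 = CONNECT
        return None
    atyp = data[3]
    if atyp == 0x01 and len(data) >= 10:                     # IPv4 address
        host = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == 0x03 and len(data) >= 5 and len(data) >= 7 + data[4]:  # domain
        n = data[4]
        host = data[5:5 + n].decode("ascii", "replace")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    else:
        return None
    return host, port

def flag_unexpected_socks5(flows):
    """flows: (src_ip, dst_ip, payload). Alert on SOCKS5 handshakes off-proxy."""
    alerts = []
    for src, dst, payload in flows:
        if src in APPROVED_PROXIES or dst in APPROVED_PROXIES:
            continue  # sanctioned proxy traffic is expected
        target = parse_socks5_connect(payload)
        if target is not None:
            alerts.append((src, "CONNECT", f"{target[0]}:{target[1]}"))
        elif parse_socks5_greeting(payload) is not None:
            alerts.append((src, "GREETING", dst))
    return alerts

SAMPLE_FLOWS = [  # constructed captures: (src_ip, dst_ip, first payload bytes)
    ("10.0.0.5", "203.0.113.9", b"\x05\x01\x00\x01\xcb\x00\x71\x09\x01\xbb"),
    ("10.0.0.23", "198.51.100.7", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),
    ("10.0.0.44", "198.51.100.7", b"\x05\x02\x00\x02"),
    ("10.0.0.50", "198.51.100.7", b"GET / HTTP/1.1\r\n"),
]
```

Running `flag_unexpected_socks5(SAMPLE_FLOWS)` reports the workstation issuing a CONNECT to example.com:443 and the one offering a SOCKS5 greeting, while the sanctioned proxy and plain HTTP traffic are ignored.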

SystemBC also appears to be just one of many commodity tools deployed after an initial compromise stemming from phishing emails that deliver malware loaders like Buer Loader, Zloader, and Qbot, leading the researchers to suspect that the attacks may have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves, through multiple malware-as-a-service providers.  These capabilities give attackers a point-and-shoot capability to perform discovery, exfiltration, and lateral movement with packaged scripts and executables without having to have hands on a keyboard.

The rise of commodity malware also points to a new trend where ransomware is offered as a service to affiliates, as in the case of MountLocker, where the operators provide double extortion capabilities to affiliates so they can distribute the ransomware with minimal effort.  "The use of multiple tools in ransomware-as-a-service attacks creates an ever more diverse attack profile that is harder for IT security teams to predict and deal with," Sophos said. "Defense-in-depth, employee education, and human-based threat hunting are essential to detecting and blocking such attacks."

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing the supply chains inside the transportation sector.  For many years we have believed the supply chain is the Achilles heel of the overall cyber network.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
