A threat actor with a possible link to the REvil ransomware group has used a set of PowerShell scripts to prepare compromised business networks for a new ransomware payload. Researchers at cybersecurity firm Sophos reported that the attackers broke into corporate networks through unpatched Microsoft Exchange servers and then ran the scripts to stage the machines for encryption.
DETAILS
According to the report, the attackers exploited vulnerabilities in unpatched Exchange servers and then deployed a new ransomware, named Epsilon Red, written in the Go programming language.
The only evidence connecting this attacker to the REvil group is the ransom note left on infected computers: it resembles REvil's notes in general style, with a few minor grammatical corrections.
As the researchers note, the ransomware's name is perhaps inspired by a comic book character: “The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.”
The researchers observed that on May 15th a ransom of 4.29 BTC was paid to the cryptocurrency wallet address provided by the attackers.
The attackers gained their initial foothold through an unpatched enterprise Microsoft Exchange server and then used Windows Management Instrumentation (WMI) to install other malicious software on machines inside the network.
“During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately, delivered and initiated it,” said the researchers.
The threat actors also appear to have obfuscated the scripts by inserting square brackets throughout the text and then running a command to strip those brackets out again before execution, presumably to evade detection by any anti-malware tool inspecting the script. The researchers were not fazed by this and said that they “were able to use the same rules the attackers set up to craft a recipe using CyberChef that strips out the extraneous characters and renders the script human-readable.”
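As an added illustration (not code from the Sophos report or from the attackers' scripts), the following Python snippet shows both sides of that trick on a constructed command line: a blunt bracket strip, which is what the attackers' clean-up command and the researchers' CyberChef recipe both amount to, and a detection heuristic that flags bracket pairs spliced into the middle of a word, something ordinary PowerShell rarely produces. The sample strings, the function names and the threshold are assumptions made for the example.

```python
import re
from typing import List

# Constructed sample (not the attackers' script): one PowerShell command
# with square brackets spliced into its identifiers.
OBFUSCATED = 'Sto[p]-Pro[ce]ss -Na[me] "out[lo]ok" -Fo[rc]e'

# Constructed benign line: type accelerators and array indexing are the
# legitimate uses of brackets that a blunt strip would destroy.
BENIGN = '[string]$name = $items[0]; [int]$count = $items.Count'

# A bracket pair holding up to three letters, e.g. "[ce]".
_SHORT_PAIR = re.compile(r'\[([A-Za-z]{0,3})\]')


def strip_brackets(text: str) -> str:
    """Blunt deobfuscation: what the attackers' clean-up command and the
    researchers' CyberChef recipe both amount to. Fine for reading the
    script, useless as a filter, since it also removes legitimate brackets."""
    return text.replace("[", "").replace("]", "")


def _is_word_char(ch: str) -> bool:
    return ch.isalnum() or ch == "_"


def spliced_brackets(text: str) -> List[str]:
    """Return bracket pairs that sit inside a word (a word character
    directly before '[' or directly after ']'). Ordinary PowerShell keeps
    brackets at token boundaries, so such pairs hint at obfuscation. A cast
    written straight onto a literal, like '[int]5', would also match, which
    is why looks_spliced() asks for several hits rather than one."""
    hits = []
    for m in _SHORT_PAIR.finditer(text):
        before = text[m.start() - 1] if m.start() > 0 else ""
        after = text[m.end()] if m.end() < len(text) else ""
        if _is_word_char(before) or _is_word_char(after):
            hits.append(m.group(0))
    return hits


def looks_spliced(text: str, threshold: int = 3) -> bool:
    """Heuristic verdict; the threshold is an assumption for the example."""
    return len(spliced_brackets(text)) >= threshold


if __name__ == "__main__":
    for line in (OBFUSCATED, BENIGN):
        print(f"{looks_spliced(line)!s:5} {spliced_brackets(line)} -> {strip_brackets(line)}")
```

The point of keeping the two functions apart is that the deobfuscator is for the analyst, not the detector: stripping every bracket turns `[int]$count` into `int$count`, so a rule built on the stripped text would misfire on clean scripts, whereas counting brackets that split a word in two survives on the original bytes the anti-malware engine actually sees.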
The Go-based ransomware itself is called RED.exe, a 64-bit Windows executable compiled with MinGW, a free and open-source development environment for building Microsoft Windows applications.
The executable borrows code from an open-source project called godirwalk, which the ransomware uses to scan the drive it is running on for directory paths and compile them into a list. It then spawns a child process for each entry “that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously.”
Because RED.exe does little more than encrypt files on the machine it runs on, it is far smaller than ransomware families built to compromise entire networks. Functions that other families carry themselves, such as killing processes, have been offloaded to the PowerShell scripts, which leaves a relatively simple program.
According to the researchers, the ransomware is indiscriminate: with no list of targeted file types or extensions, RED.exe encrypts everything inside the folder it has been handed, appends the suffix .epsilonred to each file and leaves a ransom note in the folder. That note, apart from a few grammatical adjustments, bears a striking resemblance to those used by REvil.
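The page describes the two behaviours that stand out on an endpoint: one process repeatedly spawning copies of itself, one per subfolder, and files across many directories gaining the .epsilonred suffix. Here is an added Python example of how a hunting rule over process and file telemetry could pick up both. It is not code from Sophos or from the ransomware; the event records, the process names, the browser allowlist and the thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since the start of the capture
    pid: int
    ppid: int
    image: str     # executable file name
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    ts: float
    pid: int
    path: str      # path after the write or rename


# Browsers fork many same-image children as a matter of course; this
# allowlist is an assumption for the example, not something from the report.
KNOWN_MULTIPROCESS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed telemetry (not from the Sophos report): a ransomware parent
# handing one subfolder to each copy of itself, beside a browser doing its
# usual renderer fan-out.
_TARGET_DIRS = [r"C:\Users\alice", r"C:\Users\bob", r"C:\Users\Public",
                r"C:\ProgramData", r"C:\Shares", r"C:\Temp"]
EVENTS: List[ProcEvent] = [
    ProcEvent(0.0, 400, 1, "powershell.exe", "powershell.exe -File 12.ps1"),
    ProcEvent(0.5, 500, 400, "RED.exe", "RED.exe"),
    ProcEvent(0.0, 600, 1, "chrome.exe", "chrome.exe"),
] + [
    ProcEvent(1.0 + i / 10, 501 + i, 500, "RED.exe", f"RED.exe {d}")
    for i, d in enumerate(_TARGET_DIRS)
] + [
    ProcEvent(0.1 + i / 10, 601 + i, 600, "chrome.exe", "chrome.exe --type=renderer")
    for i in range(6)
]

FILE_EVENTS: List[FileEvent] = [
    FileEvent(2.0, 501, r"C:\Users\alice\Documents\report.docx.epsilonred"),
    FileEvent(2.1, 501, r"C:\Users\alice\Pictures\cat.jpg.epsilonred"),
    FileEvent(2.2, 501, r"C:\Users\alice\Desktop\notes.txt.epsilonred"),
    FileEvent(2.3, 502, r"C:\Users\bob\todo.txt.epsilonred"),
    FileEvent(2.4, 700, r"C:\Users\alice\Documents\draft.docx"),
]


def same_image_fanout(events: List[ProcEvent], window: float = 10.0,
                      threshold: int = 5) -> List[Tuple[int, str, int]]:
    """Flag (ppid, image, count) for every process that spawns at least
    `threshold` children of its own image within `window` seconds."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            children[e.ppid].append(e)

    hits = []
    for ppid, kids in children.items():
        image = by_pid[ppid].image
        if image.lower() in KNOWN_MULTIPROCESS:
            continue
        kids.sort(key=lambda k: k.ts)
        lo, best = 0, 0
        for hi in range(len(kids)):           # sliding window over spawn times
            while kids[hi].ts - kids[lo].ts > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits.append((ppid, image, best))
    return hits


def extension_burst(events: List[FileEvent], suffix: str,
                    min_dirs: int = 3) -> Dict[int, int]:
    """Map pid -> number of distinct directories in which it produced files
    ending in `suffix`, keeping only pids at or above `min_dirs`."""
    dirs: Dict[int, Set[str]] = defaultdict(set)
    for e in events:
        if e.path.lower().endswith(suffix.lower()):
            dirs[e.pid].add(e.path.rsplit("\\", 1)[0].lower())
    return {pid: len(d) for pid, d in dirs.items() if len(d) >= min_dirs}


if __name__ == "__main__":
    print("same-image fan-out:", same_image_fanout(EVENTS))
    print(".epsilonred writers:", extension_burst(FILE_EVENTS, ".epsilonred"))
```

The fan-out rule is the more durable of the two, because it keys on the one-process-per-subfolder design rather than on a string the attackers can change between campaigns; the extension rule is cheap and precise but only as good as the suffix list you feed it. Both are written over captured events rather than live hooks so they can be replayed against EDR exports or Sysmon logs offline.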
The researchers advise organisations to protect themselves by updating their Exchange servers to patched versions as soon as possible.