Revil - Kaseya Supply Chain Attack
Although I'm late to the Kaseya party, and this will be my first post here, but "Better late than Never"!!
Last updated
Although I'm late to the Kaseya party, and this will be my first post here, but "Better late than Never"!!
Last updated
I work in a Cloud SOC and the Kaseya news was more easily received than a cup of Coffee. As a Cloud SOC's Hunting Team member, intelligence is your best friend and as soon as we got the news and details it was our way to start Hunting, evaluate post compromise scenarios.
While Hunting is perceived differently by different people, to me Threat Hunting always has a trigger point, I don't tend to sit between data trying to find out one pain-point and waste 100s of other opportunities, rather I believe in Finding what's known and derive knowledge from it to test and learn.
A lot of threat/blog posts have talked about it and they are amazing, content rich, full of TTPs & IOCs, but what I would have loved more is to actually test the sample myself and have first-hand Details of the Ransomware.
As much as I hate IOCs, it is indispensable, it's the shortest path to say "nope no threats found".
But to me IOCs are like Keys, if you have the key and know the correct lock (Reputation Platform), you have access to the gold (Malware Sample).
So, I acquired the IOCs (hashes in this case) and got my samples if interest downloaded from Virus total.
Renamed the File to Agent.exe and double-clicked it, in a few seconds a random-namedfile.txt was generated on my desktop which had the ransom Message :
Executables and application were not encrypted and this was the first thing I could notice as the Ransom Note asked to Download TOR Browser and Open a Onion Link
Following on , I first thought of using Ransomware-ID to check the ransom-note and here's what i got , a confirmed sample of Revil :
Now I followed the step 2 and tries accessing the Link provided in the note and paste the string given in the Ransom Note, but it was blocked by My ISP or unreachable. tried some URLScanning Tools to check if the IP was reachable (Urlscan.io) & it was not. Maybe the Domain was taken Down. So the only way left was to fallback to downloading TOR and using the Link provided.Which actually redirect me to the link where Decrypto is being sold and monero is being demanded.
What I'm Interested more in now is what my EDR has captured and How can I write detection/study behaviours of this Sample in execution.
Falling back to my Kibana.
When I downloaded my malware sample it was named as "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" and i renamed it to "Agent.exe" to execute it as an executable. Since my EDR will be very noisy(as they are supposed to be), I'll find this event first and note the Timestamp as this is from where everything started!!
This was the binary sample that was downloaded and invoked by me.
Since we are invoking this binary ourselves we are already at execution phase of MITRE Framework and have no visibility over Initial Access Techniques.
But to note, since this was a supply chain attack, we know this malicious entity came via "Kaseya VSA Hot-Fix Patch"
Let's start investigating in a Timeline to observe what all did this executable do:
Let's Check what all events did this Agent.exe Process created in it's execution Cycle.
The Process dropped two files in temp location & Interestingly both of these files are named as MsMpEng.exe(Windows Defender Executable ) & Mpsvc.dll (DLL used by Defender ).
Follow on the Reputation Links in above table to see the virusTotal Scores for both of the Dropped file hashes.
From the Above events it was understood that the actual Agent file did'nt do anything Itself but was just the dropper/vector to bring in the malicious filesin to the target environment, As expected from the Kaseya Agent, After all it's a supply chain Attack.
Changing the query a bit to identify what child processes did "Agent.exe" create :
At first glance the count of Logs was more than 74k+, clustering them based ont he type of dataset to identify the nature of the logs, almost 74K logs belonged to File events, and it was no brainer understanding that these are file encryption logs where the malware encrypted all the files on my machines. , so discarding them from the scenario for a while let us check what else did this process do on my system apart from encryption.
DLL Load events :
Interestingly as can be observed in above screenshot of logs, dropped mpsvc.dll was loaded as a DLL library by the msmpeng.exe process from the temporary location rather than the original Directory path.
Registry Events
I ran this sample twice on two different VMs only to observe the malware creates Registry key as SID(S-1-5-21-*)\Softwares\BlackLives\Matter under HKLM_USERS hive. the values written are random and i could'nt understand them with current level of analysis.
File Events
The last type of events that MsMpEng.exe generated & we didn't look into it is File Events.so let's quickly dive into it.
All my files are converted to add a file.extension: "5y0kd6c" at the end, these were interestingly reflected as file rename operations as per logs rather than being file-encryption events. I tried renaming it back to original, seeing that these are simple file rename operations as per the logs but it didn't work (as if it would!).
Child Process of MsMpEng.exe
Netsh.exe was spawned as Child Process with the commands to enable network discovery on the Host.
Netsh also loaded a dll named bcrypt.dll which was a signed windows library, and is often required by netsh.exe binary, it provides cryptographic capabilities to the requestor process.
Child Process of Netsh.exe
Conhost.exe is a windows executable that provides console/command-line capabilities for for interfacing with the system, also responsible for API call servicing and translation. Found Nothing Suspicious Here, this Conhost.exe instance just interpreted the Netsh executables requests and completed it.
The Process Tree ended here. the Diagramatic representation(as shown below)from the EDR would be easier to understand.
Now that we understand the Dynamic Nature of the execution lifecycle of this Revil Ransomware sample. let's get down to the actual business of crafting detections & Hunting the behaviours.
Searching IOCs is not Hunting
Let's Start with Executable Written in temporary Location. This is a Hunt, It can be structured as well as unstructured as well.
Original Initial Access: Compromised Software Supply Chain: T1195.002
The Attack Surface Reduction Phase would be scoping out of all Machines/endpoints/hosts/instances which runs Kaseya VSA Agents. This would significantly reduce the number of Logs/results returned back by your queries and reduce much of the Noise.
Suspicious File-Write Operations(Dropper)
Executables/DLL (MZ) file write in temporary Location (unstructured)
MsMpEng.exe Binary dropped in Temporary Location (Structured)
Mpsvc.dll library Dropped in temporary locations (Structured)
DLL Side-Loading :
DLL library Loaded from a temporary Location
Registry Value Modification
Abnormally High Disk Write Operation - Data Encryption
Un-usual Child-Parent Process Relationship
Reference Jupyter Notebook for Threat Detection & Hunting for this Sample study is under-way
Dropped Files
SHA256 Hash
VT
mpsvc.dll
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
MsMpEng.exe
33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
