REvil - Kaseya Supply Chain Attack

Although I'm late to the Kaseya party and this is my first post here, "better late than never"!

Trigger & Consequences

I work in a Cloud SOC, and the Kaseya news reached us faster than the morning coffee. As a member of the SOC's Hunting Team, intelligence is your best friend, and as soon as we had the news and the details, our job was to start hunting and evaluate post-compromise scenarios.

Hunting is perceived differently by different people; to me, threat hunting always has a trigger point. I don't sit on top of the data chasing one pain point while wasting hundreds of other opportunities; rather, I believe in finding what is known and deriving knowledge from it to test and learn.

Many threat reports and blog posts have covered it, and they are excellent: content-rich and full of TTPs and IOCs. What I wanted on top of that was to test the sample myself and get first-hand details of the ransomware.

As much as I dislike IOCs, they are indispensable: they are the shortest path to saying "nope, no threats found".

But to me IOCs are like keys: if you have the key and know the correct lock (a reputation platform), you have access to the gold (the malware sample).

So I acquired the IOCs (hashes in this case) and downloaded my samples of interest from VirusTotal.

I renamed the file to Agent.exe and double-clicked it; within a few seconds a randomly named .txt file was generated on my desktop containing the ransom message:

$ Hash: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Executables and applications were not encrypted; this was the first thing I noticed, as the ransom note asked me to download the Tor Browser and open an onion link.

Following on, I first used Ransomware-ID to check the ransom note, and here is what I got: a confirmed sample of REvil.

Next I followed step 2 and tried accessing the link provided in the note and pasting the string given in the ransom note, but it was blocked by my ISP or unreachable. I tried some URL scanning tools (urlscan.io) to check whether the IP was reachable, and it was not; maybe the domain had been taken down. So the only way left was to fall back to downloading Tor and using the link provided, which redirected me to the page where the decryptor is sold and Monero is demanded.

Behaviour Study & Understanding

What I'm more interested in now is what my EDR captured and how I can write detections for, and study, the behaviours of this sample in execution.

Falling back to my Kibana.

When I downloaded the malware sample it was named "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" and I renamed it to "Agent.exe" to run it as an executable. Since my EDR will be very noisy (as it is supposed to be), I'll find this event first and note its timestamp, as this is where everything started!

Process Tree Breakdown

Activities of Agent.exe Binary

This was the binary sample that was downloaded and invoked by me.

Since we invoked this binary ourselves, we are already at the Execution phase of the MITRE ATT&CK framework and have no visibility over Initial Access techniques.

But to note: since this was a supply chain attack, we know this malicious entity came via the "Kaseya VSA Hot-Fix Patch".

Let's start investigating in a timeline to observe everything this executable did:

process where process.name == "Agent.exe"
AND process.hash.sha256 == "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"

Let's check what events this Agent.exe process created in its execution cycle.

any where process.name == "Agent.exe"

The process dropped two files in a temp location, and interestingly they are named MsMpEng.exe (the Windows Defender executable) and Mpsvc.dll (a DLL used by Defender).

Follow the reputation links in the table above to see the VirusTotal scores for both dropped file hashes.

From the above events it was clear that the Agent file didn't do anything itself but was just the dropper/vector bringing the malicious files into the target environment, as expected from the Kaseya Agent; after all, it's a supply chain attack.

Changing the query a bit to identify the child processes "Agent.exe" created:

any where process.parent.name == "Agent.exe"

Activities of Dropped MsMpEng.exe Binary

At first glance the count of logs was over 74k. Clustering them by dataset type to identify the nature of the logs, almost 74K belonged to file events, and it was a no-brainer that these were file encryption logs from the malware encrypting all the files on my machine. Setting those aside for a while, let's check what else this process did on my system apart from encryption.

DLL Load events :

any where process.name == "MsMpEng.exe" and event.category == "library"

Interestingly, as can be observed in the screenshot of the logs above, the dropped mpsvc.dll was loaded as a library by the msmpeng.exe process from the temporary location rather than from its original directory path.

Registry Events

any where process.name == "MsMpEng.exe" and event.category == "registry"

I ran this sample twice on two different VMs and observed that the malware creates a registry key at SID (S-1-5-21-*)\Softwares\BlackLives\Matter under the HKEY_USERS hive. The values written are random, and I couldn't make sense of them at the current level of analysis.

File Events

The last type of events that MsMpEng.exe generated and that we haven't looked into yet is file events, so let's quickly dive into them.

any where process.name == "MsMpEng.exe" and event.category == "file"

All my files had "5y0kd6c" appended as file.extension; interestingly, these showed up in the logs as file rename operations rather than file-encryption events. Seeing that the logs record simple renames, I tried renaming a file back to its original name, but it didn't work (as if it would!).

Child Process of MsMpEng.exe

any where process.parent.name == "MsMpEng.exe" 

Netsh.exe was spawned as a child process with commands to enable network discovery on the host.

any where process.name == "netsh.exe" and process.pid==9208

Netsh also loaded a DLL named bcrypt.dll, a signed Windows library that netsh.exe often requires; it provides cryptographic capabilities to the requesting process.

Child Process of Netsh.exe

any where process.parent.name == "netsh.exe" 

Conhost.exe is a Windows executable that provides console/command-line capabilities for interfacing with the system and is also responsible for servicing and translating API calls. Nothing suspicious was found here; this conhost.exe instance just serviced the netsh executable's requests and completed them.

The process tree ended here. The diagrammatic representation from the EDR (shown below) is easier to understand.

Final Process Tree Representation from EDR

Hunting Revil based on Detected Behaviours

Now that we understand the dynamic nature of the execution lifecycle of this REvil ransomware sample, let's get down to the actual business of crafting detections and hunting the behaviours.

Searching IOCs is not Hunting

Let's start with executables written to a temporary location. This is a hunt, and it can be structured as well as unstructured.

Original Initial Access: Compromised Software Supply Chain: T1195.002

The attack surface reduction phase would be scoping out all machines/endpoints/hosts/instances that run Kaseya VSA Agents. This would significantly reduce the number of logs/results returned by your queries and cut much of the noise.

  • Suspicious File-Write Operations(Dropper)

    • Executables/DLL (MZ) file write in temporary Location (unstructured)

    • MsMpEng.exe Binary dropped in Temporary Location (Structured)

    • Mpsvc.dll library Dropped in temporary locations (Structured)

  • DLL Side-Loading :

    • DLL library Loaded from a temporary Location

  • Registry Value Modification

  • Abnormally High Disk Write Operation - Data Encryption

  • Un-usual Child-Parent Process Relationship
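The file-write, DLL side-loading and mass-rename items in the list above can each be expressed as a small function over exported endpoint events, which is how I would prototype them before turning them into saved queries. The following is an added example, not code from the original post or from any EDR product: it assumes ECS-style field names (event.category, event.action, file.path, file.extension, dll.path, process.name, process.pid), uses integer epoch seconds in place of the ISO 8601 @timestamp for simplicity, and all events, paths and PIDs are constructed. The unstructured hunt deliberately also returns a benign-looking installer DLL to show why the structured variants exist.

```python
"""Behaviour hunts for the dropper, side-load and mass-rename patterns.

Added example, not the post's or any vendor's code. ECS field names are assumed,
timestamps are epoch seconds, and every event below is constructed.
"""
import re
from collections import defaultdict

# Matches a "\Temp\" or "\tmp\" path component, e.g. C:\Users\x\AppData\Local\Temp\
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr"}
# Defender file names the sample reused (from the post).
DEFENDER_NAMES = {"msmpeng.exe", "mpsvc.dll"}

T0 = 1_625_500_000  # constructed base time (epoch seconds)

# Constructed sample events mirroring the post: a dropper writing two Defender-named
# files to Temp, noise from a hypothetical installer, one side-load, one benign load.
HUNT_EVENTS = [
    {"@timestamp": T0, "event.category": "file", "event.action": "creation",
     "process.name": "Agent.exe", "process.pid": 4120,
     "file.path": r"C:\Users\analyst\AppData\Local\Temp\MsMpEng.exe"},
    {"@timestamp": T0, "event.category": "file", "event.action": "creation",
     "process.name": "Agent.exe", "process.pid": 4120,
     "file.path": r"C:\Users\analyst\AppData\Local\Temp\mpsvc.dll"},
    {"@timestamp": T0 + 1, "event.category": "file", "event.action": "creation",
     "process.name": "setup_stub.exe", "process.pid": 3311,  # hypothetical benign installer
     "file.path": r"C:\Users\analyst\AppData\Local\Temp\installer_helper.dll"},
    {"@timestamp": T0 + 2, "event.category": "library",
     "process.name": "MsMpEng.exe", "process.pid": 5244,
     "dll.path": r"C:\Users\analyst\AppData\Local\Temp\mpsvc.dll"},
    {"@timestamp": T0 + 5, "event.category": "library",
     "process.name": "netsh.exe", "process.pid": 9208,
     "dll.path": r"C:\Windows\System32\bcrypt.dll"},
]
# 60 renames to the extension from the post, spread over ~6 seconds by one process.
HUNT_EVENTS += [
    {"@timestamp": T0 + 3 + i // 10, "event.category": "file", "event.action": "rename",
     "process.name": "MsMpEng.exe", "process.pid": 5244,
     "file.path": rf"C:\Users\analyst\Documents\doc{i}.docx.5y0kd6c",
     "file.extension": "5y0kd6c"}
    for i in range(60)
]
# A user renaming a handful of files: must stay under the burst threshold.
HUNT_EVENTS += [
    {"@timestamp": T0 + 100 + i, "event.category": "file", "event.action": "rename",
     "process.name": "explorer.exe", "process.pid": 2002,
     "file.path": rf"C:\Users\analyst\Documents\notes{i}.txt", "file.extension": "txt"}
    for i in range(3)
]


def is_temp_path(path):
    return bool(TEMP_DIR_RE.search(path))


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_exec_written_to_temp(events):
    """Unstructured hunt: any PE-style file created under a temp directory."""
    return [(e["process.name"], e["file.path"]) for e in events
            if e.get("event.category") == "file" and e.get("event.action") == "creation"
            and is_temp_path(e["file.path"])
            and e["file.path"].rsplit(".", 1)[-1].lower() in EXEC_EXTENSIONS]


def hunt_defender_names_in_temp(events):
    """Structured hunt: Defender binary names dropped into a temp directory."""
    return [(e["process.name"], e["file.path"]) for e in events
            if e.get("event.category") == "file" and e.get("event.action") == "creation"
            and _basename(e["file.path"]) in DEFENDER_NAMES and is_temp_path(e["file.path"])]


def hunt_dll_loaded_from_temp(events):
    """Side-load candidate: a library image loaded from a temp directory."""
    return [(e["process.name"], e["dll.path"]) for e in events
            if e.get("event.category") == "library" and is_temp_path(e["dll.path"])]


def hunt_rename_burst(events, threshold=50, window_seconds=60):
    """One process renaming >= threshold files to the same new extension in a window."""
    per_key = defaultdict(list)
    for e in events:
        if e.get("event.category") == "file" and e.get("event.action") == "rename":
            per_key[(e["process.pid"], e["file.extension"].lower())].append(e["@timestamp"])
    findings = {}
    for (pid, ext), stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings[pid] = {"extension": ext, "count": end - start + 1}
                break
    return findings


if __name__ == "__main__":
    print("exec in temp:", hunt_exec_written_to_temp(HUNT_EVENTS))
    print("defender names in temp:", hunt_defender_names_in_temp(HUNT_EVENTS))
    print("dll from temp:", hunt_dll_loaded_from_temp(HUNT_EVENTS))
    print("rename bursts:", hunt_rename_burst(HUNT_EVENTS))
```

The rename-burst hunt is the portable one: it keys on the behaviour (one process, one new extension, many renames in a short window) rather than on "5y0kd6c", so it still fires when the next sample picks a different extension. The threshold and window are starting values to tune against your own baseline of backup and sync tools.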

A reference Jupyter notebook for threat detection and hunting for this sample study is under way.
