REvil - Kaseya Supply Chain Attack
I'm late to the Kaseya party and this is my first post here, but "better late than never"!
Trigger & Consequences
I work in a Cloud SOC, and the Kaseya news reached us faster than the morning coffee. As a member of a Cloud SOC's hunting team, intelligence is your best friend: as soon as we had the news and the details, we started hunting and evaluating post-compromise scenarios.
Hunting is perceived differently by different people, but to me threat hunting always has a trigger point. I don't sit between datasets trying to find one pain point while wasting hundreds of other opportunities; rather, I believe in finding what is known and deriving knowledge from it to test and learn.
A lot of threat reports and blog posts have covered this sample, and they are excellent, content-rich and full of TTPs and IOCs, but what I really wanted was to test the sample myself and get first-hand details of the ransomware.
As much as I dislike IOCs, they are indispensable: they are the shortest path to saying "nope, no threats found".
But to me IOCs are like keys: if you have the key and know the correct lock (a reputation platform), you have access to the gold (the malware sample).
So I acquired the IOCs (hashes in this case) and downloaded the samples of interest from VirusTotal.
I renamed the file to Agent.exe and double-clicked it; within a few seconds a randomly named .txt file appeared on my desktop containing the ransom message:

Sample hash (SHA256): d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Executables and applications were not encrypted; the first thing I noticed was that the ransom note asked me to download the Tor Browser and open an onion link.

Following on, I first thought of using Ransomware-ID to check the ransom note, and here is what I got: a confirmed REvil sample.

Next I followed step 2 of the note, tried to access the link it provided and pasted in the string given in the ransom note, but it was blocked by my ISP or unreachable. I tried some URL-scanning tools (urlscan.io) to check whether the address was reachable, and it was not; maybe the domain had been taken down. So the only option left was to fall back to downloading Tor and using the onion link provided, which redirected me to the page where the decryptor is sold and Monero is demanded.
Behaviour Study & Understanding
What I'm more interested in now is what my EDR captured, and how I can write detections and study the behaviour of this sample during execution.
Falling back to my Kibana.
When I downloaded the malware sample it was named "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" and I renamed it to "Agent.exe" to execute it as an executable. Since my EDR is very noisy (as EDRs are supposed to be), I first find this event and note its timestamp, because this is where everything started!

Process Tree Breakdown
Activities of Agent.exe Binary
This is the binary sample that I downloaded and invoked.
Let's investigate on a timeline to observe everything this executable did:
process where process.name == "Agent.exe"
  and process.hash.sha256 == "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
Let's check which events this Agent.exe process created during its execution cycle.
any where process.name == "Agent.exe"

The process dropped two files in a temp location, and interestingly both are named after Windows Defender components: MsMpEng.exe (the Defender executable) and Mpsvc.dll (a DLL used by Defender).

Dropped Files | SHA256 Hash | VT
Follow the reputation links in the table above to see the VirusTotal scores for both dropped file hashes.

From the above events it is clear that the Agent file did not do anything itself; it was just the dropper/vector that brought the malicious files into the target environment. As expected from the Kaseya agent, after all it's a supply chain attack.
Changing the query a bit to identify which child processes "Agent.exe" created:
any where process.parent.name == "Agent.exe"

Activities of Dropped MsMpEng.exe Binary
At first glance the log count was over 74k. Clustering them by dataset type to identify the nature of the logs, almost 74K belonged to file events, and it was a no-brainer that these are the file encryption logs from the malware encrypting every file on my machine. Setting them aside for a while, let's check what else this process did on my system apart from encryption.
DLL load events:
any where process.name == "MsMpEng.exe" and event.category == "library"

Interestingly, as can be observed in the screenshot of the logs above, the dropped mpsvc.dll was loaded as a library by the MsMpEng.exe process from the temporary location rather than from the original Defender directory.
Registry Events
any where process.name == "MsMpEng.exe" and event.category == "registry"

I ran this sample twice on two different VMs and observed that the malware creates a registry key at SID(S-1-5-21-*)\Softwares\BlackLives\Matter under the HKEY_USERS hive. The values written are random and I could not make sense of them at the current level of analysis.
File Events
The last event type that MsMpEng.exe generated and that we haven't looked into is file events, so let's quickly dive into them.
any where process.name == "MsMpEng.exe" and event.category == "file"

All my files were renamed to append the extension "5y0kd6c"; interestingly, these show up in the logs as file rename operations rather than as file encryption events. Seeing that they look like simple renames, I tried renaming a file back to its original name, but it didn't work (as if it would!).
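Because the encryption shows up in the EDR as a burst of rename operations that append one new extension, the behaviour can be hunted without any encryption-specific event. The following is an added example (not the author's Kibana query or notebook) that runs that logic over constructed rename events with simplified field names; the window, threshold and sample paths are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: how long one burst may span
THRESHOLD = 5                    # assumption: renames with one new extension per window

def appended_extension(old_path, new_path):
    """Return the extension a rename appended ('a.txt' -> 'a.txt.5y0kd6c'), else None."""
    if not new_path.startswith(old_path + "."):
        return None
    ext = new_path[len(old_path) + 1:]
    return ext if ext and "." not in ext and "\\" not in ext else None

def detect_rename_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return (pid, process, ext, count) per process that appended one new extension to >= threshold files in a window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["event.action"] != "rename":
            continue
        ext = appended_extension(e["file.path.old"], e["file.path.new"])
        if ext:
            key = (e["process.pid"], e["process.name"])
            by_proc[key].append((datetime.fromisoformat(e["@timestamp"]), ext))
    alerts = []
    for (pid, name), items in by_proc.items():
        for ext in sorted({x for _, x in items}):
            times = sorted(t for t, x in items if x == ext)
            start = 0
            for end in range(len(times)):          # sliding window over sorted timestamps
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append((pid, name, ext, end - start + 1))
                    break                          # one alert per process and extension
    return alerts

# Constructed events (simplified field names, not exact ECS): six files renamed by the
# impostor MsMpEng.exe within seconds, plus an ordinary backup rename by explorer.exe.
EVENTS = [
    {"@timestamp": f"2021-07-05T10:00:{i:02d}", "event.action": "rename",
     "process.name": "MsMpEng.exe", "process.pid": 4321,
     "file.path.old": rf"C:\Users\lab\Documents\doc{i}.txt",
     "file.path.new": rf"C:\Users\lab\Documents\doc{i}.txt.5y0kd6c"}
    for i in range(6)
] + [
    {"@timestamp": "2021-07-05T10:00:04", "event.action": "rename", "process.name": "explorer.exe",
     "process.pid": 1000, "file.path.old": r"C:\Users\lab\Desktop\notes.txt",
     "file.path.new": r"C:\Users\lab\Desktop\notes.txt.bak"},
]
```

The alert carries the appended extension, so the same logic also recovers the per-victim extension for triage without parsing the ransom note.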
Child Process of MsMpEng.exe
any where process.parent.name == "MsMpEng.exe"

netsh.exe was spawned as a child process with commands to enable network discovery on the host.
any where process.name == "netsh.exe" and process.pid == 9208
Child Process of Netsh.exe
any where process.parent.name == "netsh.exe"

Final Process Tree Representation from EDR

Hunting Revil based on Detected Behaviours
Now that we understand the dynamic nature of this REvil ransomware sample's execution lifecycle, let's get down to the actual business of crafting detections and hunting the behaviours.
Let's start with executables written to a temporary location. This is a hunt, and it can be structured as well as unstructured.
Original Initial Access: Compromised Software Supply Chain: T1195.002
Suspicious File-Write Operations(Dropper)
Executable/DLL (MZ) file write in a temporary location (unstructured)
MsMpEng.exe binary dropped in a temporary location (structured)
Mpsvc.dll library dropped in a temporary location (structured)
DLL Side-Loading:
DLL library loaded from a temporary location
Registry Value Modification
Abnormally High Disk Write Operation - Data Encryption
Unusual Child-Parent Process Relationship
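As an added example (not the author's Kibana queries or the referenced notebook), the dropper, side-loading and parent-child hunts from the list above are expressed as rule logic in Python and run over constructed ECS-style events that mirror the Agent.exe, MsMpEng.exe and netsh.exe chain of this post. The path patterns and the assumption that services.exe is the legitimate parent of the real MsMpEng.exe are mine.

```python
import re

# Path patterns are this example's assumptions about a Windows lab host.
TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
PE_EXT = re.compile(r"\.(?:exe|dll)$", re.IGNORECASE)
DEFENDER_HOME = re.compile(r"^C:\\Program(?:Data| Files)\\", re.IGNORECASE)

def hunt(event):
    """Return the names of the hunts that one ECS-style event dict matches."""
    hits = []
    cat = event.get("event.category")
    pname = event.get("process.name", "").lower()
    parent = event.get("process.parent.name", "").lower()
    path = event.get("file.path") or event.get("dll.path") or ""
    if cat == "file" and PE_EXT.search(path) and TEMP_DIR.search(path):
        hits.append("pe_written_to_temp")                # unstructured dropper hunt
        if path.lower().endswith(("\\msmpeng.exe", "\\mpsvc.dll")):
            hits.append("defender_named_file_in_temp")   # structured dropper hunt
    if cat == "library" and TEMP_DIR.search(path):
        hits.append("dll_loaded_from_temp")              # DLL side-loading hunt
    if cat == "process" and pname == "msmpeng.exe":
        if not DEFENDER_HOME.match(event.get("process.executable", "")):
            hits.append("msmpeng_outside_defender_dir")  # impostor Defender binary
        if parent != "services.exe":                     # assumption: WinDefend service starts the real one
            hits.append("unusual_parent_for_msmpeng")
    if cat == "process" and pname == "netsh.exe" and parent == "msmpeng.exe":
        hits.append("netsh_spawned_by_msmpeng")          # unusual child process
    return hits

TEMP = r"C:\Users\lab\AppData\Local\Temp"
# Constructed events mirroring the chain in this post (not real telemetry).
EVENTS = [
    {"event.category": "file", "process.name": "Agent.exe", "file.path": TEMP + r"\MsMpEng.exe"},
    {"event.category": "file", "process.name": "Agent.exe", "file.path": TEMP + r"\mpsvc.dll"},
    {"event.category": "process", "process.name": "MsMpEng.exe", "process.parent.name": "Agent.exe",
     "process.executable": TEMP + r"\MsMpEng.exe"},
    {"event.category": "library", "process.name": "MsMpEng.exe", "dll.path": TEMP + r"\mpsvc.dll"},
    {"event.category": "process", "process.name": "netsh.exe", "process.parent.name": "MsMpEng.exe"},
    # Benign look-alikes that must not fire: the real Defender engine and a normal DLL load.
    {"event.category": "process", "process.name": "MsMpEng.exe", "process.parent.name": "services.exe",
     "process.executable": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event.category": "library", "process.name": "notepad.exe", "dll.path": r"C:\Windows\System32\ntdll.dll"},
]

def run_hunts(events):
    """Map each hunt name to the number of events that triggered it."""
    counts = {}
    for e in events:
        for name in hunt(e):
            counts[name] = counts.get(name, 0) + 1
    return counts
```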
The reference Jupyter notebook for threat detection and hunting for this sample study is under way.