Welcome back to another entry in our Triage Thursday blogpost series! If you aren’t sitting in a dark room with a big box of popcorn watching the ransomware apocalypse, read on below for details on what’s been happening with Triage this week - I promise we only mention REvil once (or twice):
- Updated REvil configuration extractor
- New Vidar configuration extractor
- Added support for LZMA (.lz) archive files
- Family signatures for the new Lu0bot trojan
- Detection tweaks for EvilQuest
In other news, we are also still looking to add a new Go developer to the Hatching team. If you’d like to be involved in the next steps of Triage’s journey - or know someone who might be - you can find the full job listing here. Feel free to reach out with any questions.
As always we also welcome any feedback or questions about our changes or just samples you come across during your analysis. If you notice anything not behaving as expected please do reach out and report it to us. You can contact us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Updated REvil Configuration Extractor
Not long after the Kaseya incident, we noticed the relevant sample had been uploaded to Triage by one of our users. Although it was being generally well detected as ransomware, our configuration extractor for REvil/Sodinokibi was not triggering properly. We took a look at the sample and realised that the file structure had changed, and the PE sections we expected were no longer present.
Over the weekend we updated our #REvil configuration extractor to fully support the #Kaseya sample(s). You'll now get details including full C2 domains, campaign ID and various configuration settings dumped for easy access in the report. Check it out: https://t.co/zkQ7dDY9Be https://t.co/NhvsL0rExS
— Hatching (@hatching_io), July 5, 2021
We pushed an update to fix this last weekend, and more recently have made additional tweaks to the extractor based on some more samples we spotted while looking into the family. This increases reliability quite a bit, so now all Sodinokibi samples should be reported fully again.
New Vidar Configuration Extractor
Vidar is a widespread stealer family which has been around in the wild since late 2018. It was originally a fork of Arkei stealer and bears significant similarities in terms of code and string reuse. The family is still actively developed and used in 2021, often being deployed alongside other threats as well as in standalone campaigns by various threat groups/actors.
We've added a new configuration extractor for #Vidar to dump the version, botnet ID, and C2 URL. #Vidar samples on Triage have been reprocessed to reflect the change, which added a 4th config to yesterday's little gift from #Smokeloader 👇 More examples: https://t.co/iV5uE4ea0E https://t.co/9B3yum8gjN pic.twitter.com/5o0dusaNzl
— Hatching (@hatching_io), July 7, 2021
We added behavioural detection for the family back in October last year, but as it has continued to be highly relevant we recently reviewed available samples to implement a full configuration extractor too. We have reprocessed the samples already on Triage, so you can find plenty of examples using our search feature with “family:vidar”.
Added Support for LZMA Archives
We’re always looking to improve our support for relevant files on Triage, and recently support for Lzip files was requested by one of our users. Lzip (file extension .lz) is a compressed file format built on the LZMA algorithm, not to be confused with .xz or .lzma files, which use the same algorithm inside a different container. It is primarily used on Linux and Mac systems, typically wrapped around a tarball (.tar.lz) since the format itself compresses a single file, although it is also available on Windows through programs like 7zip.
We have now implemented support for this format, so you can upload Lzip files just like any other archive.
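To make the container described above concrete, here is an added Python example (not Triage's own code; how Hatching implemented the support is not described in this post) that reads an Lzip file using only the standard library. It checks the "LZIP" magic and version byte, decodes the coded dictionary-size byte, hands the raw LZMA stream to lzma.LZMADecompressor in FORMAT_RAW with Lzip's fixed properties (lc=3, lp=0, pb=2), and then verifies the CRC32, data size and member size in the 20-byte trailer before accepting the member. The sample input and the build_lzip_member helper are constructed here so the example runs offline, and the sniff function shows why Lzip is easily confused with .xz and .lzma, which share the algorithm but not the container.

```python
"""Minimal Lzip (.lz) reader using only the Python standard library.

Added example for this post; it is not Hatching/Triage code. It relies only
on the public Lzip file format (6-byte header, raw LZMA stream with
end-of-stream marker, 20-byte trailer) and on liblzma's raw LZMA1 codec as
exposed through the lzma module.
"""
import lzma
import struct
import zlib

LZIP_MAGIC = b"LZIP"
XZ_MAGIC = b"\xfd7zXZ\x00"
# Lzip fixes the LZMA properties; only the dictionary size is stored in the header.
LZIP_LZMA_PROPS = {"lc": 3, "lp": 0, "pb": 2}
TRAILER_LEN = 20  # CRC32 (u32) + data size (u64) + member size (u64), little-endian


def sniff(buf: bytes) -> str:
    """Tell apart three LZMA-based formats that share an algorithm but not a container."""
    if buf.startswith(LZIP_MAGIC):
        return "lzip"
    if buf.startswith(XZ_MAGIC):
        return "xz"
    # LZMA-alone (.lzma) has no magic: a properties byte (lc + lp*9 + pb*45, so at
    # most 224) followed by a 4-byte dict size and an 8-byte size. Heuristic only.
    if len(buf) >= 13 and buf[0] <= 224:
        return "lzma-alone?"
    return "unknown"


def decode_dict_size(coded: int) -> int:
    """Header byte 5: bits 0-4 = log2(base size), bits 5-7 = 1/16 'wedges' to subtract."""
    base = 1 << (coded & 0x1F)
    size = base - (coded >> 5) * (base // 16)
    if not 4096 <= size <= 512 * 1024 * 1024:
        raise ValueError(f"invalid lzip dictionary size {size}")
    return size


def encode_dict_size(size: int) -> int:
    """Inverse of decode_dict_size, limited to power-of-two sizes (enough for this example)."""
    if size < 4096 or size & (size - 1):
        raise ValueError("example encoder only handles power-of-two dictionary sizes >= 4 KiB")
    return size.bit_length() - 1


def parse_lzip_member(buf: bytes):
    """Decode one member from the front of buf; return (decompressed data, remaining bytes)."""
    if len(buf) < 6 or buf[:4] != LZIP_MAGIC:
        raise ValueError("not an lzip stream (bad magic)")
    if buf[4] != 1:
        raise ValueError(f"unsupported lzip version {buf[4]}")
    dict_size = decode_dict_size(buf[5])
    dec = lzma.LZMADecompressor(
        format=lzma.FORMAT_RAW,
        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, **LZIP_LZMA_PROPS}],
    )
    data = dec.decompress(buf[6:])
    if not dec.eof:
        raise ValueError("LZMA stream ended before its end-of-stream marker")
    rest = dec.unused_data  # everything after the marker: trailer, then any further members
    if len(rest) < TRAILER_LEN:
        raise ValueError("truncated lzip trailer")
    crc, data_size, member_size = struct.unpack("<IQQ", rest[:TRAILER_LEN])
    if crc != zlib.crc32(data):
        raise ValueError("CRC32 mismatch: corrupted or tampered member")
    if data_size != len(data):
        raise ValueError("data size in trailer does not match decompressed length")
    if member_size != len(buf) - len(rest) + TRAILER_LEN:
        raise ValueError("member size in trailer does not match bytes consumed")
    return data, rest[TRAILER_LEN:]


def unpack_lzip(buf: bytes) -> bytes:
    """Unpack every member of a (possibly multimember) .lz file."""
    chunks = []
    while buf:
        data, buf = parse_lzip_member(buf)
        chunks.append(data)
    return b"".join(chunks)


def build_lzip_member(data: bytes, dict_size: int = 1 << 20) -> bytes:
    """Wrap data as one lzip member so the reader can be exercised offline."""
    stream = lzma.compress(
        data,
        format=lzma.FORMAT_RAW,
        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, **LZIP_LZMA_PROPS}],
    )
    header = LZIP_MAGIC + bytes([1, encode_dict_size(dict_size)])
    member_size = len(header) + len(stream) + TRAILER_LEN
    trailer = struct.pack("<IQQ", zlib.crc32(data), len(data), member_size)
    return header + stream + trailer


# Constructed sample input (not a real submission).
SAMPLE = b"Triage Thursday: LZMA (.lz) archive support test\n" * 40

if __name__ == "__main__":
    packed = build_lzip_member(SAMPLE)
    print(sniff(packed), len(packed), "->", len(unpack_lzip(packed)), "bytes")
```

The trailer checks are the part worth keeping in any real unpacker: a member whose CRC32 or sizes do not match should be rejected rather than silently passed on to the next stage, and the member-size field is what lets a reader walk multimember files and stop cleanly at trailing junk.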
If you come across any other file types/formats which you think should be supported but aren’t currently, please do feel free to reach out.
Family Signatures for Lu0bot Trojan
Lu0bot appears to still be in active development: the current codebase is extremely messy, with large chunks commented out and much of the primary functionality missing. It is nonetheless an interesting addition to the landscape, leveraging Node.js to run various modules and scripts to gather system information.
Although it is immature, the structure of the malware means that it can be updated in place on infected systems, with the ability to download new modules or code updates baked into the base payload. This high level of modularity makes it one to watch in the coming weeks/months. It is being sold through common forums, so it will be highly accessible to those looking for a new option.
We have reviewed available samples and deployed signatures to provide initial coverage. We’ll be continuing to keep an eye on this one and will make additional changes as needed to keep up with its own development process.
Detection Tweaks for EvilQuest
EvilQuest is a macOS ransomware which generally impersonates legitimate software installers/updaters distributed as cracked software from major torrent sites. Using this distribution approach is quite productive in macOS’s closed ecosystem, as users are less cautious of popups about unsigned software when they have already been trying to install a pirated program.
We added detection for EvilQuest at the end of June, but we’ve since noticed a few versions which weren’t being properly handled. This week we’ve tweaked our rules to accommodate the observed samples, and as usual will make further changes if/as needed.