Triage Thursday

ssdeep Support, General Improvements & Family Updates


Welcome to another entry in our Triage Thursday update blog series! This week we have a few general improvements to our handling and processing mechanisms, which you can read about below, including the addition of ssdeep fuzzy hashes to reports.

Of course we also have the usual selection of family updates and additions:

We missed the blogpost last week due to other commitments, but we still released a few updates besides those shown below. You can find some details on them in our Twitter thread below:

Also this week we published a job advert for a Compliance Officer to work with us on various aspects of the business related to contracting, ISO27001 and privacy laws like GDPR. If you or someone else you know might be interested in this you can find the full listing on our website.

As always, if you discover any issues or missing detections while using Triage please do send us feedback - it’s a big help in deciding what we should be prioritising. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account!

General Improvements

Live and Replay Monitor improvements

After numerous debates internally on the sustainability of our public sandboxing environment, which performs millions of analyses per year, we have decided to introduce a non-intrusive component to the Live and Replay monitors to help us pay our bills. We know our users will appreciate this small sacrifice to help us sustain the free business model.

Added ssdeep hashes

This has been requested several times by users, so we’re pleased to be bringing this into the reports. You can now find ssdeep hashes for all samples and any files dropped during analysis as part of our reports, both via the API and web interface.

If you’re not familiar with ssdeep, it is a tool for generating hashes which can correlate files even if they have minor changes, where normal hashing algorithms like SHA would produce entirely different outputs. The approach is formally known as Context Triggered Piecewise Hashing and often referred to as fuzzy hashing, and since its release ssdeep has become the de facto standard for this (although some alternatives now exist).

You can find more details on ssdeep itself through their webpage here: ssdeep-project.github.io.
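To make the "small change, similar hash" behaviour concrete, here is an added Python example (not part of the original post and not the ssdeep project's code) that implements context-triggered piecewise hashing in simplified form. It keeps the rolling-hash recurrence and the "trigger a piece boundary when the rolling hash hits a value" idea that ssdeep uses, but the fixed block size, the lack of ssdeep's block-size doubling and the simplified scoring are assumptions for the demonstration, and the sample inputs are constructed pseudo-random bytes rather than real files.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep.

Teaching implementation, not ssdeep itself: it reuses ssdeep's rolling-hash
recurrence and piece-hash constants but assumes a fixed block size and a
simplified similarity score.
"""
import hashlib
import random

WINDOW = 7          # rolling-hash window length used by ssdeep
BLOCK_SIZE = 16     # assumption: fixed here, real ssdeep derives it from input length
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_PRIME, FNV_INIT = 0x01000193, 0x28021967


class RollingHash:
    """Hash of the last WINDOW bytes; only local context feeds each value."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c: int) -> int:
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & 0xFFFFFFFF
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & 0xFFFFFFFF
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & 0xFFFFFFFF
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def fuzzy_hash(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """One base64 character per piece; piece boundaries are chosen by content,
    so an edit only disturbs the pieces around it, not everything after it."""
    roll = RollingHash()
    piece = FNV_INIT
    sig = []
    for c in data:
        piece = ((piece * FNV_PRIME) & 0xFFFFFFFF) ^ c   # FNV-style hash of current piece
        if roll.update(c) % block_size == block_size - 1:  # context trigger: close the piece
            sig.append(B64[piece & 0x3F])
            piece = FNV_INIT
    if piece != FNV_INIT:                                  # trailing partial piece
        sig.append(B64[piece & 0x3F])
    return f"{block_size}:{''.join(sig)}"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two signature strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig1: str, sig2: str) -> int:
    """0..100 score. Like ssdeep, inputs whose signatures share no run of 7
    characters score 0; otherwise the score falls with edit distance."""
    bs1, s1 = sig1.split(":", 1)
    bs2, s2 = sig2.split(":", 1)
    if bs1 != bs2:
        return 0                      # only comparable at the same block size
    if s1 == s2:
        return 100
    grams = {s1[i:i + 7] for i in range(len(s1) - 6)}
    if not any(s2[i:i + 7] in grams for i in range(len(s2) - 6)):
        return 0
    d = levenshtein(s1, s2)
    return max(0, 100 - (100 * d) // (len(s1) + len(s2)))


def compare(a: bytes, b: bytes) -> dict:
    """Exact hash only says same/different; the fuzzy score says how similar."""
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "fuzzy_score": similarity(fuzzy_hash(a), fuzzy_hash(b)),
    }


def constructed_samples():
    """Constructed inputs (not real files): a 4 KiB pseudo-random blob, a copy
    with four bytes patched in the middle, and an unrelated 4 KiB blob."""
    rng = random.Random(2022)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = bytearray(original)
    patched[2000:2004] = b"\xde\xad\xbe\xef"
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return original, bytes(patched), unrelated


if __name__ == "__main__":
    original, patched, unrelated = constructed_samples()
    print("original vs patched:  ", compare(original, patched))
    print("original vs unrelated:", compare(original, unrelated))
```

The patched copy gets a different SHA-256 but a fuzzy score in the high nineties, because only the pieces straddling the four changed bytes produce different signature characters; the unrelated blob scores 0. When reading ssdeep values in a report, keep in mind that scores are only meaningful between signatures at the same block size, which is why ssdeep emits two block sizes per file.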

Ransomnote handling

If you’ve ever submitted a ransomware sample to Triage you’ll likely be familiar with our ransomnote dumping mechanism, which allows us to display these for most ransomware families and extract relevant IoCs like the web portals or other contact methods used to enable ransom negotiations.

We recently noticed some issues where we were detecting unrelated files as ransomnotes and reporting them as malicious. On inspection these files turned out to be simple dictionary lists which were incorrectly triggering our ransomnote pattern matching. We’ve now reviewed these and made some improvements to our mechanism to exclude results like these and minimise the risk of false positives.
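The false-positive class described above is easy to reproduce with a keyword-based note matcher: a word list that happens to contain terms like "decryptor" and "bitcoin" satisfies the same patterns as a genuine note. The following Python is an added example, not Triage's detection logic; the indicator patterns, thresholds and the word-list heuristic are assumptions chosen for the demonstration, and both inputs are constructed.

```python
"""Illustrative ransom-note classifier with a word-list exclusion heuristic.

Added example: the patterns and thresholds are assumptions, not a real rule set.
"""
import re

# Hypothetical note indicators; production rules are family-specific and larger.
NOTE_PATTERNS = {
    "encrypted_claim": re.compile(
        r"\byour (files|data|documents) (have been|are|were) encrypted\b", re.I),
    "decrypt_offer": re.compile(r"\bdecrypt(ion|or|ed)?\b", re.I),
    "payment": re.compile(r"\b(bitcoin|btc|monero)\b", re.I),
    "contact": re.compile(r"\.onion\b|\bcontact us\b", re.I),
}


def matched_indicators(text: str) -> list:
    """Names of all indicator patterns that fire anywhere in the text."""
    return sorted(name for name, rx in NOTE_PATTERNS.items() if rx.search(text))


def looks_like_wordlist(text: str, min_lines: int = 20, single_token_ratio: float = 0.9) -> bool:
    """Heuristic: many non-empty lines, almost all a single token, is a word list,
    not prose addressed to a victim (thresholds are assumptions)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < min_lines:
        return False
    single = sum(1 for line in lines if len(line.split()) == 1)
    return single / len(lines) >= single_token_ratio


def classify(text: str, min_indicators: int = 2) -> dict:
    """Apply the word-list exclusion before the indicator threshold so that a
    dictionary file is never reported as a note, however many keywords it holds."""
    hits = matched_indicators(text)
    if looks_like_wordlist(text):
        return {"verdict": "wordlist", "indicators": hits}
    if len(hits) >= min_indicators:
        return {"verdict": "ransomnote", "indicators": hits}
    return {"verdict": "benign", "indicators": hits}


# Constructed sample inputs (not taken from any real family).
NOTE = (
    "All your files have been encrypted.\n"
    "To receive the decryptor, pay 0.5 bitcoin within 72 hours.\n"
    "Visit http://placeholder-address.onion and contact us.\n"
)

WORDLIST = "\n".join([
    "apple", "banana", "cipher", "decryptor", "encrypt", "bitcoin", "forest",
    "garden", "harbor", "island", "jungle", "kernel", "ladder", "marble",
    "needle", "orange", "pepper", "quartz", "ribbon", "silver", "timber",
    "velvet", "window",
]) + "\n"

BENIGN = "Quarterly report attached. Please review before Friday.\n"

if __name__ == "__main__":
    for label, sample in (("note", NOTE), ("wordlist", WORDLIST), ("benign", BENIGN)):
        print(label, classify(sample))
```

Without the `looks_like_wordlist` gate the word list matches two indicators and would be reported as a note, which is exactly the class of false positive the paragraph describes; with it, the same keyword hits are recorded but the verdict is downgraded.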

Added more network signatures

One of our goals for 2022 is to expand and improve our general behaviour signatures, as a lot of our focus has been directed at specific families over the last couple of years. Tactics and techniques - not to mention Triage’s own capabilities - have changed quite a bit since we initially built out the majority of these detections, and we feel it’s time for a review to make sure we’re as up to date as possible.

To this end some of the team have begun going over reports and looking for areas where we could add more detail while sticking to our aim of not making them feel cluttered. This week sees the first batch of signatures being deployed, mainly addressing network-related activity. You should start seeing some new rules popping up, and we’ll be continuing to work on this and other areas over the coming months.

BlackCat Ransomware

BlackCat ransomware has been around since late 2021, having first been reported by MalwareHunterTeam on Twitter. The first such family to be created in the Rust programming language, it uses the double-extortion approach to exfiltrate sensitive data before encryption and leverages it to blackmail victims into paying the ransom. Making the most of the cross-platform nature of Rust, the family had payloads for Windows and a variety of Linux distributions.

We added detection for the family back in January, and at the time mentioned that it seemed like the developers were probably launching a long term project rather than one of the many here-today-gone-tomorrow ransomware variants that we see week to week. That seems to have remained true since, and we recently noticed a new version which had changes that got around our existing signatures. We have now addressed this with some rule updates to ensure the samples are tagged correctly, but unfortunately configuration extraction is no longer possible with our existing mechanisms due to using a one-time access_token which is obtained from the C2 infrastructure during execution.

Analyses:

Bandook RAT

Bandook has a long history as a family, going all the way back to 2007 in its original form. It was mostly inactive for some years, only appearing occasionally in specific campaigns during 2015 (Operation Manul) and 2017 (Dark Caracal), but then popped up again in 2020 with a few new variants. It was seen carrying out a spate of attacks against various entities, including the UK’s National Health Service at the end of 2020. Since the original release - later traced to a Lebanese citizen going by the alias PrinceAli - the source code for several versions of the RAT has been leaked resulting in a large number of customisations and variations in the payloads seen in the wild.

It is a RAT/backdoor capable of receiving commands from C2 infrastructure, effectively providing full remote access to infected machines supported by automated processes to simplify usage. Delivery mechanisms vary somewhat, but mostly revolve around malicious Office documents distributed via phishing emails. These then lead to a PowerShell loader which in turn deploys Bandook. For a more detailed look at the technical capabilities, including a breakdown of the commands generally supported, take a look at Checkpoint’s blogpost from 2020.

Due to the general lack of usage over recent years we have not previously implemented detection, but with it becoming a more common sight in the wild we have now reviewed a cross section of the available samples and implemented detections. For a family as large and old as this it’s likely there are variants not covered in these initial signatures but as usual we’ll continue to monitor the files we see and will provide updates as needed.

Analyses:

PlugX

PlugX has made a couple of appearances lately as we address some new versions and overlaps with other families which complicate detection. It has all the features of a remote access tool and stealer, capable of uploading and downloading files, keylogging, capturing images through attached webcams and running a full cmd.exe shell which can be used by the attacker to execute further commands. Over recent years the family has often been associated with Chinese state threat actors, forming part of a much broader toolset which includes other payloads like Sakula.

In a blogpost from earlier in the month we made some improvements and mentioned that we would be continuing to work on PlugX and a couple of the other related families in the future. As part of that ongoing process this week we have some improvements to address a couple of issues with the PlugX configuration extractor which should make results more accurate going forwards and help to avoid incorrect tagging for it and the other families. We’ll be continuing this going forwards so watch this space!

Analyses: Search family:plugx

Gozi

The Gozi family - often called Ursnif - is a messy collection of variants and forks which are regularly updated by a wide variety of developers and threat actors. These range from close forks with strong similarities, to more distant variations like RM3 with much more significant changes. As such, trying to keep track of the various branches of the family tree can be quite tricky in itself.

We’ve long had detection and configuration extraction for a number of these variants, but it was recently reported to us that we had a bug in the extractor component which was affecting results. It would appear that for some payloads Triage was extracting incorrect values for the RSA key section so we’ve addressed this and made sure that it is now working as intended.

A huge thank you to the user who pointed this out! If you spot anything like this on Triage please don’t hesitate to reach out as it’s a huge help to us as well and we’re always keen to improve the quality of results wherever possible.

Analyses:
