Triage Thursday

Triage Thursday Ep. 89

Blog.

Welcome to another entry in our Triage Thursday blog series, where we go over the main updates and detection changes in the previous week. We’ll be keeping it fairly brief today, but will cover some background on the main additions.

In the news today:

As always you can contact us any time directly through the website, on Twitter, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account.


Azov Ransomware

Towards the end of October a new family was seen in the wild being distributed by the Smokeloader family. Dubbed Azov due to its references and supposed opposition to the Russian occupation of Crimea (‘supposed’ as there appears to be no real activist justification for the targets affected), it was originally identified as ransomware but subsequent analysis has shown that it is in fact effectively a file wiper with no way to recover the locked data.

According to the alert published by NJCCIC and analysis by BinaryDefense the samples will encrypt all files on disk which do not have the .exe, .dll, or .ini extensions, processing them in chunks of 666 bytes at a time. However there is no decryption key and the attackers cannot be contacted to negotiate a ransom or any file recovery.

According to BinaryDefense the files were also configured to only begin encryption after a specific time on October 27th 2022, and include a file infector component which backdoors all executables on the system. This means the ransomware will be run any time a user or process launches one of those files.

Analyses:

ScreenCap Keylogger

In October SentinelOne reported on a new Chinese APT that had begun launching campaigns against telecommunications and IT service providers in the Middle East and Asia. The group - assigned the identifier WIP19 - has been using a stolen digital signature to sign their malware samples and help them bypass detections, with a few different tools being identified by SentinelOne’s research.

One of these new tools is a keylogger called ScreenCap which has was observed being deployed in a slightly unusual way. Using a rarely exploited but previously known quirk of Windows, the attackers can drop the DLL to the c:\windows\linkinfo.dll path and the Explorer process will load it the next time it launches. To activate the functionality the attackers can manually restart explorer.exe to trigger the loading process.

The malware carries out both keylogging and screen capture functions:

SentinelOne reports that the family is often very targeted with clear indications of the intended recipient included in the binaries. It seems that it is used manually as part of a larger infection chain.

We have taken a look at the available sample and implemented initial detections.

Analysis:

Ratmilad Android Spyware

Ratmilad was reported by Zimperium labs in early October, having been seen targeting Android devices in the Middle East. It is distributed via direct APK downloads and has not been spotted on any appstores, with download links distributed via social media and messaging apps.

The payloads reported by Zimperium have been concealed as apps supposedly intended to spoof mobile phone numbers to help with verifying social media accounts. They require the user to grant very extensive permissions on the device, and once enabled the app will sideload the Ratmilad spyware.

According to Zimperium’s report the app can access the following data once fully installed:

It can also:

Based on the public sample we were able to acquire we have implemented detection and a configuration extractor to dump C2 for the family, and will update further if needed.

Analysis:

You may also like: