Saturday, September 19, 2020

Toolmarks

 I recently ran across an interesting article from Sophos, indicating that the Maze ransomware threat group had taken a page from the Ragnar ransomware threat group.  The article stated that the Maze group was seen delivering the ransomware in a virtualize environment as a means of defense evasion.

In describing the attack, the article includes the following:

...before they launched it, they executed a script that disabled Windows Defender’s Real-Time Monitoring feature.

Immediately following this, the article includes the contents of the batch file that perform this function, and we can see that the command is:

cmd.exe /c powershell.exe -exec Bypass /c Set-MpPreference -DisableRealtimeMonitoring 1

We know the impact of this command; Windows Defender real-time monitoring is disabled, and the Registry value is set to "1".  Also, the key LastWrite time will be updated to when this command was executed.  This is important because these toolmarks are different from other methods used to disable Windows Defender. For example, some threat actors have been observed using 'net stop' commands to stop the service, or using external tools, such as ProcessHacker or Defender Control.  Other actors have been observed enabling the DisableAntiSpyware value, or adding exclusions to the Registry. Some actors use Powershell or WMI, others use reg.exe. Whichever means that is used leaves different toolmarks.

Some folks (i.e., my wife) like analogies, so here's one...you usually access your home by putting a key in the lock, a key you own that is designed to open the door.  However, there are other ways to accomplish the same activity (i.e., opening the door).  You can use lock picks, a crowbar, or a 12 lb sledge. If the door has glass panels, maybe you can break one, reach inside and unlock the door.  However, the point is that all of these methods, while accomplishing the same goal, leave different toolmarks. These toolsmarks can be used to illustrate "humanness" in an attack, can be used to clarify and extend attribution, and can be used in proactive protection measures, such as EDR monitoring, and EDR threat hunting.  They can also be used in DFIR threat hunting, to facilitate the analysis process.

All of this is extremely valuable and can should be exploited to maximize its effect.

As far as the virtual machines go, the toolmarks differed between the Maze and Ragnar threat groups, as well.  The article sums those differences up by stating:

The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of XP. This significantly increased the size of the virtual disk, but also adds some new functionality that wasn’t available in the Ragnar Locker version. 

Finally, as I read through the article, it occurred to me that, based on how the article was written, it seemed that the threat group knew something about the infrastructure.  Either the story of the attack was heavily edited, or the threat group had prior knowledge of the infrastructure.  Well, as it turned out:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network...

All of the information in the Sophos articles is extremely valuable, because it not only reinforces Microsoft's perspective on "human-operated ransomware attacks", but also reinforces that they're preventable.