Analysis of the Babuk ransomware in an expanding threat landscape (technical report)

Written By notebooktabletphone

*This article is a summary of the English technical report.

Introduction

For a long time, ransomware gangs focused mainly on the Microsoft Windows operating system. Ransomware dedicated to UNIX or Linux was occasionally seen, but cross-platform ransomware had not yet appeared. Cybercriminals never sleep, however, and in recent months we noticed that some ransomware gangs are trying to build cross-platform binaries in Golang (Go).

When Babuk announced on an underground forum that it was developing a cross-platform binary for Linux/Unix and ESXi (VMware) systems, our worst fears were confirmed. Many of the core backend systems of companies run on these *NIX operating systems. In the case of virtualization, consider an ESXi host that runs multiple servers or virtual desktop environments.

In my previous blog, I briefly touched on the many coding mistakes the Babuk team made.

Babuk is relatively new on this scene, but despite the many problems with its binaries, its variants have frequently infected well-known companies.

In the first Babuk blog, McAfee Advanced Threat Research (ATR) and others in the industry explained some of the problems with the Windows binary. Babuk appears to have used its victims as live beta testers for the development of its Golang binaries and decryption tools. We have seen victims whose files were encrypted in a way that could not be repaired because of failures in the binary or in the decryption function.

Even when the victim gave in to the demand and paid the ransom, the files could not be recovered. We strongly expect that this low-quality coding will hurt Babuk, its variants and its affiliates. The affiliates carry out the actual intrusions and are now facing victims who cannot recover their data even after paying. As a result, the dynamics of the crime shift from extortion to destruction, and from the criminals' perspective the profitability drops significantly.

Figure 1: Post from Babuk about Linux version of ransomware

Babuk's threat actor

Before describing the methodology used by Babuk's threat actor, some general background is needed on how ransomware attacks work and which groups are behind them.

The following explains the general phases of a ransomware attack and the Ransomware-as-a-Service model used by the Babuk ransomware. Next, it shows what a typical Babuk ransomware attack looks like, and the specific tactics, techniques and procedures used by the Babuk threat actor. Finally, a technical analysis of the ransomware used by the attacker shows that many flaws were found in the code, flaws that lead to the destruction of the victim's data.

Ransomware attack phases

The various procedures an attacker performs during a cyber attack can be classified into three major categories. These are used below to explain a typical attack by Babuk's threat actor.

• Initial access (In)
• Network propagation (Through)
• Actions on objectives (Out)

Figure 2: Ransomware attack phase

Ransomware-as-a-Service (RaaS) supply chain

Recently, "Ransomware as a Service" has been observed frequently in the cybercriminal industry. RaaS is a business model that is becoming increasingly popular among ransomware developers [1]. It is a service in which ransomware developers rent their ransomware out to other cybercriminals. RaaS aims to simplify ransomware attacks for criminals who lack the technical skills to build their own ransomware, in exchange for a share of the ransom those criminals obtain. With this business model, ransomware developers can cooperate with other skilled cybercriminals who can distribute the ransomware to large networks they already have access to. The Babuk ransomware used such a model until it stopped its ransomware operation at the end of April 2021.

RaaS has transformed the mechanics of a ransomware attack, and several different actors are involved. In general, such an attack supply chain can be divided into the four stages shown below.

Figure 3: Supply chain scheme

| Technique | Tactic | Observable |
|---|---|---|
| Exploit public-facing application (T1190) | Initial access | Exploitation of an Exchange server using CVE-2021-27065 |
| Valid accounts (T1078) | Persistence | The group used legitimate domain administrator credentials for most of its activity |
| Create account (T1136) | Persistence | Created a domain account named "Petr" |
| Exploitation for privilege escalation (T1068) | Privilege escalation | Zerologon exploit to obtain a domain administrator account; Mimikatz to obtain additional account credentials |
| Impair Defenses (T1562) | Defense Evasion | Use of the GMER rootkit remover to disable antivirus solutions |
| Account discovery (T1087) | Discovery | Use of ADFind to list all accounts in the domain |
| Remote System Discovery (T1018) | Discovery | Use of ADFind to list all systems in the domain |
| Remote System Discovery (T1018) | Discovery | Use of NetScan to identify systems on the network |
| File and Directory Discovery (T1083) | Discovery | Use of LAN Search Pro to find files on network shares |
| Remote Services (T1021) | Lateral Movement | Use of RDP and SSH to move between systems |
| Lateral Tool Transfer (T1570) | Lateral Movement | Use of WinSCP to transfer files to Linux systems |
| Multi-Stage Channels (T1104) | Command and Control | Use of Cobalt Strike to maintain persistence in the environment |
| Archive Collected Data (T1560) | Collection | Use of WinRAR to archive data before exfiltration |
| Exfiltration Over Web Service, Transfer Data to Cloud Storage (T1567.002) | Exfiltration | Exfiltration of data to MEGA using the MegaSync application, and to Google Drive using Google Chrome |
| Data Encrypted for Impact (T1486) | Impact | Encryption of systems using ransomware |

Figure 4: MITRE ATT&CK matrix

A typical attack by Babuk's threat actor

In

In the Babuk attack investigated by NorthWave, the attacker abused a vulnerability (in this case CVE-2021-27065) in a server connected directly to the Internet and gained access to the victim's network. This vulnerability was actively exploited by the Hafnium threat actor before Microsoft released a patch. After the patch was issued, the vulnerability was picked up by several threat groups, and a number of investigations confirmed that it was abused by various ransomware threat actors.

After entering the victim's network, the attacker went dormant for more than a week. This is probably because the party who obtained access to the network was an initial access broker who then sold that access to a ransomware affiliate.

Through

As mentioned above, the attacker did not start reconnaissance and lateral movement in the victim's systems until one week after the initial intrusion. The following paragraphs describe the methods the threat actor used to gain complete control of the environment.

After obtaining access, the attacker placed a Cobalt Strike backdoor on the system. Cobalt Strike is frequently used by attackers to ensure persistence in a victim's network. NorthWave found that the attacker had placed a Cobalt Strike backdoor on several key systems in the network. NorthWave also found that the attacker used GMER, a rootkit removal tool. This tool was probably used to remove or disable the antivirus solution on the victim's systems. The attacker had also downloaded Metasploit, but did not actually use it during the attack on the victim.

The attacker used a custom version of Zer0dump [2] to obtain domain administrator credentials. This tool escalates privileges by using the Zerologon [3] exploit to compromise the domain controller. The attacker did not create a new domain account and did not change the credentials of an existing account. Instead, the attacker chose to use the original credentials of an existing domain administrator account. The attacker used Mimikatz to obtain other domain credentials on the victim's network. After the attack, the attacker chose to create a new local administrator account on some systems as an additional means of persistence.

Lateral movement between Windows systems was carried out over RDP. For connections to Linux systems, the attacker used SSH (via PuTTY). Files were transferred to the Linux systems from a Windows system using WinSCP. The tools used on the Windows systems were downloaded from the Internet. The attacker hosted most of the tools on the file hosting websites "temp.sh" and "wdfiles.ru". Other tools were downloaded directly from GitHub or from each developer's website. The attacker also downloaded a tool to scan for systems vulnerable to the EternalBlue exploit, but does not appear to have used it during the attack.

Reconnaissance of the environment was performed using ADFind, NetScan and LAN Search Pro. ADFind is a tool often seen in investigations; it lets the threat actor dump all systems and users in the domain. NetScan is an administration tool that runs a scan and can map a network, including logged-on users, installed software and other information about remote machines. LAN Search Pro is a utility that lets users search for files across the local network.

Out

Before starting the ransomware deployment on the victim's network, the attacker stole data. The attacker used WinRAR to compress the data on the file server from which the data originated. The attacker then exfiltrated this data to both MEGA and Google Drive. The exfiltration to MEGA was performed using the MegaSync application, and the exfiltration to Google Drive through the Chrome browser.

Having gained complete control of the environment and stolen data from the victim, the attacker first deleted backup-related files and then deployed the ransomware on the backup systems to destroy the victim's backups.

Finally, after making sure that the victim had no backups to recover from, the attacker moved to the victim's ESXi host and deployed a pre-compiled ransomware binary. The ransomware binary then proceeded to encrypt all of the victim's virtual machines. Unfortunately, this ransomware binary turned out to be very poorly implemented and contains several different design flaws that cause irreversible damage to data. The binary is analyzed in the section below.

Recent trends surrounding the Babuk operators

At the end of April, Babuk announced that it would stop its operation and switch to a different business model. The group no longer encrypts systems but instead concentrates on data leaks [4] [5] [6]. The group also stated that it would release the ransomware code as an open source project. The attackers stated that they would focus on publishing data from victims who did not respond to ransom demands, and indicated that they would also host and publish data from other groups. The criminals behind Babuk therefore appear to be moving toward managing leaked data.

Figure 5: Post on Babuk's site

Considering how poorly the ransomware is designed, it must be assumed that a considerable number of victims lost their data completely when attacked by Babuk. As mentioned in the previous section, NorthWave has seen a gradual shift away from the double-extortion scheme, in which the threat actor both encrypts the victim's systems and steals the victim's data, toward a scheme in which the leak of confidential data is the only source of pressure the threat actor uses to extort the victim. It is interesting to watch this shift happen.

From ransomware developers to data leak administrators

As stated on its website, the Babuk team has moved from running ransomware to publishing data leaks.

Figure 6: Babuk's new website -> Payload.bin

First, at the end of May 2021, the group released the long-awaited source code of the game Cyberpunk 2077. The team behind the game, CD Projekt Red, is a well-established video game developer, publisher and distributor. The leak contains the source code of Cyberpunk 2077 for various video game platforms such as PS5 and PC.

Figure 7: All leaked Cyberpunk 2077 source code

Since this first leak, no new activity has been seen from the attackers.

Technical analysis

This malware is written in Golang, an open source programming language. The likely reason is that developers can compile a single code base for all major operating systems. This means that, thanks to static linking, Go code written on a Linux system can also be built to run on Windows or Mac systems. This is a great advantage for ransomware gangs that want to encrypt an entire infrastructure made up of different system architectures.

Babuk sample:

Filename: Babuk_nas.bin
File type: ELF 32-bit LSB executable
File size: 2 MB
SHA256: e43462670c467d4899ce61e2d202d93049499b10fcaaf05d98d53616567a4276
Sections: 23

Figure 8: Babuk sample outline

As noted before, in the Windows version Babuk replaced ChaCha encryption with the HC-128 algorithm in mid-January, but the Linux version continues to use the ChaCha and Curve25519 algorithms.

Figure 9: The main Go file used by Babuk

Before starting the encryption process, the sample checks whether the processor supports MMX instructions. This is because the Go runtime requires MMX support to run correctly on this architecture.

Figure 10: Babuk confirms support for MMX instructions

MMX instructions let a single instruction operate on multiple data items at once, provided the program can be expressed in that form.

It then continues with CPU mapping, looking up the number of virtual processors with "getproccount" and the "sched_getaffinity" system call, which avoids multiple calls and access to the file system.

Figure 11: CPU check flow and mapping

After processor detection, the sample sets up its runtime environment (GCC (GNU Compiler Collection) settings, the default goroutine stack size, the implementation of synchronization using atomics, and so on).

Babuk manipulates many buffers on the victim's computer. In particular, memory is freed by the garbage collector (GC) process while other goroutines modify it. For example, once the GC has freed memory, goroutines must report every write to memory. The goal is to prevent concurrent memory modifications from being overlooked during the current release phase. To achieve this, Golang uses a "write barrier" that runs and notifies the GC.

In this sample, before writing to memory, the code checks several variables.

- When the write barrier is enabled, it calls "runtime.gcWriteBarrier":

Figure 12: Write barrier check

- If a pointer is written, it follows cgo (a Go tool) used to import the pseudo-package "C". Go code can then refer to variables such as C.size_t and C.stdout. If there is a comment immediately before the import of "C", that comment (called the preamble) is used as a header when compiling the C parts of the package:

Figure 13: Imported C package

All cgo calls are checked using atomics.

This sample implements the write barrier "slow path". There is also a "fast path" in the write barrier that enqueues pointers into a per-P write barrier buffer. This buffer code is written in assembly and does not clobber general-purpose registers, so it avoids the usual overhead of a Go call. When the buffer is full, the slow path is used: the write barrier calls the slow path "wbBufFlush", which flushes the buffer to the GC work queue. This path spills all registers and disallows GC safe points that might observe the stack frame.

One point worth noting is that the sample checks the huge page size. Huge pages are a mechanism for optimizing memory pages larger than the default size. To do this, it uses the declared variable "sysTHPSizePath" to check the path "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size":

var sysTHPSizePath = []byte("/sys/kernel/mm/transparent_hugepage/hpage_pmd_size\x00")

Memory allocation:

Next, the sample starts the memory allocation process using several Golang runtime functions. First, "runtime.mallocinit" checks the physical page size, "physPageSize", several times, because it is used for mapping and unmapping operations.

Figure 14: Memory allocation + "physPageSize" check

The code sample is as follows:

// Check physPageSize.
if physPageSize == 0 {
	// The OS init code failed to fetch the physical page size.
	throw("failed to get system page size")
}
if physPageSize > maxPhysPageSize {
	print("system page size (", physPageSize, ") is larger than maximum page size (", maxPhysPageSize, ")\n")
	throw("bad system page size")
}
if physPageSize < minPhysPageSize {
	print("system page size (", physPageSize, ") is smaller than minimum page size (", minPhysPageSize, ")\n")
	throw("bad system page size")
}
if physPageSize&(physPageSize-1) != 0 {
	print("system page size (", physPageSize, ") must be a power of 2\n")
	throw("bad system page size")
}
if physHugePageSize&(physHugePageSize-1) != 0 {
	print("system huge page size (", physHugePageSize, ") must be a power of 2\n")
	throw("bad system huge page size")
}

Next, "mallocinit" reserves virtual memory for future allocations and initializes the "mheap" global variable, which serves as the central store for all memory-related objects.

As expected, the heap allocates memory by initializing the allocator, and the "fixalloc_alloc" function is called every time the sample tries to allocate a new mcache or mspan. Rather than allocating just the requested object, it allocates chunks of "_FixAllocChunk" bytes and hands out pieces of the structure's actual size (f.size bytes). The remaining space is kept in the allocator for later requests.

 Finally, the cache is initialized as follows:

_g_ := getg()
_g_.m.mcache = allocmcache()

The "allocmcache" function calls "fixalloc_alloc" to initialize a new mcache structure. The mcache field is initialized only for the currently executing thread and is reassigned to another thread each time the process switches.

The sample performs a number of further setup steps to prepare the system before encryption. This is not the most interesting part of the sample, so it is not described in detail here.

Encryption:

Directories and files are enumerated using the "filepath" package. Strangely, the sample uses the "ReadAtLeast" function to read only the first 250 bytes of each file. This is unusual and is not documented by the Babuk team.

"io.ReadAtLeast()" reads into the byte slice until at least the requested minimum number of bytes has arrived, reading at most as many bytes as the slice can hold. Here is an example:

byteSlice := make([]byte, 512)
minBytes := 8
numBytesRead, err := io.ReadAtLeast(file, byteSlice, minBytes)
if err != nil {
	log.Fatal(err)
}

In theory, therefore, this sample has an implementation problem: only the beginning of each file is ever read.
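To make the io.ReadAtLeast contract concrete, here is an added Go example (it is not code from the report or from the Babuk sample) that runs the call pattern of the snippet above against constructed inputs. The names readHead and runScenarios, the 512-byte slice and the 8-byte minimum are taken from that snippet and are assumptions of this example, not facts about the malware.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"testing/iotest"
)

// headRead records what one io.ReadAtLeast call did against one input.
type headRead struct {
	Name      string
	FileLen   int
	BytesRead int
	Unread    int // input bytes the call never touched
	Err       error
}

// readHead reproduces the call pattern from the snippet above: a fixed-size
// slice and a minimum byte count handed to io.ReadAtLeast.
func readHead(r io.Reader, bufSize, minBytes int) (int, error) {
	buf := make([]byte, bufSize)
	return io.ReadAtLeast(r, buf, minBytes)
}

// runScenarios feeds constructed inputs (not real victim files) through
// readHead with the given slice size and minimum.
func runScenarios(bufSize, minBytes int) []headRead {
	big := bytes.Repeat([]byte("A"), 2000)
	short := []byte("tiny")
	inputs := []struct {
		name string
		data []byte
		r    io.Reader
	}{
		// bytes.Reader hands over everything it can in one Read, so the slice fills.
		{"2000-byte file, normal reader", big, bytes.NewReader(big)},
		// A reader that yields 1 byte per Read exposes the real contract: the call
		// stops as soon as minBytes have arrived, not when the slice is full.
		{"2000-byte file, 1-byte reads", big, iotest.OneByteReader(bytes.NewReader(big))},
		// Fewer than minBytes available: io.ErrUnexpectedEOF, data still in the slice.
		{"4-byte file", short, bytes.NewReader(short)},
		// Nothing available at all: plain io.EOF.
		{"empty file", nil, bytes.NewReader(nil)},
	}
	var out []headRead
	for _, in := range inputs {
		n, err := readHead(in.r, bufSize, minBytes)
		out = append(out, headRead{in.name, len(in.data), n, len(in.data) - n, err})
	}
	return out
}

func main() {
	for _, r := range runScenarios(512, 8) {
		fmt.Printf("%-30s len=%4d read=%3d unread=%4d err=%v\n",
			r.Name, r.FileLen, r.BytesRead, r.Unread, r.Err)
	}
}
```

The first row is the case the report describes: whatever the file size, at most 512 bytes are read and everything after that is never touched, which is why only the head of a large file can be affected. The second row is the caveat a reviewer would add to the sentence above: ReadAtLeast guarantees "at least minBytes", not "as many as the slice holds", so with a source that delivers small chunks (a pipe or socket rather than a regular file) the call returns after just 8 bytes. The last two rows show the error values a short or empty file produces, which any tool processing such files needs to distinguish.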

Next, Babuk instantiates Curve25519 for key generation and for the key exchange that protects the keys used to encrypt files.

Figure 15: Instantiated Curve25519

Next, it uses the Curve25519 algorithm and a key derived from a SHA-256 hash to drive the ChaCha algorithm for the encryption itself.

Figure 16: SHA-256 used for the generated key

Figure 17: Example of Babuk encryption

Main findings

This sample encrypts 512 bytes or more, so the encrypted files we received do not belong to this sample (a margin of 0x200 bytes; other versions handle only 0x250 bytes. Also, in this sample the text "chu..." is not appended to the end of the file).

The decryptor appears to belong to the same sample, but as seen earlier, the maximum number of bytes it decrypts is limited, which is strange.

Overall, the decryption tool only checks for the ".babyk" extension, so it skips every file that may have been renamed in an attempt to recover it. The decryption tool also checks whether the file length exceeds 32 bytes, because the last 32 bytes are later combined with other hardcoded values to derive the final key. This is poor design, because those 32 bytes may be garbage rather than key material if the customer has altered the files. Instead of checking the same paths the malware targeted, it inefficiently analyzes everything. Another error we noticed is that the decryption tool tries to delete, in each folder, ransom notes that are not the ones created by this malware. That would only make sense if Babuk's developer/operator offered a single decryption tool that works across different versions or samples.

Another important point is that this sample is designed to be started from a script (or by hand) with an argument giving the path to encrypt. Using this path, the malware calls the Go function "path/filepath.Walk". This function takes a callback that is executed for each file/folder found, in a new goroutine (Go's lightweight thread mechanism, which speeds up the process). If no argument is given, the malware prints its usage and exits. The callback checks that the file/folder is not one of a few entries the operating system needs (or the ransom note itself), creates a ransom note where needed, and starts a goroutine to encrypt the file. This use of goroutines makes the ransomware's encryption very fast. Synchronization is handled with a mutex (Lock and Unlock), and in some critical sections all goroutines are coordinated with the "Wait" call of the Go standard library. For each encrypted file, information is printed to the terminal.
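The filepath.Walk / goroutine / Mutex / WaitGroup structure described above, turned toward incident response rather than encryption: an added Go example (not the report's code and not the malware's) that walks a directory tree, hands every file carrying the ".babyk" extension to its own goroutine for SHA-256 hashing, and merges the results under a mutex so a responder gets a count, a byte total and a hash per file for the evidence record. The directory layout written by buildFixture is constructed for the example; the names inventoryEncrypted, hashFile and Inventory are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"sync"
)

// encryptedExt is the extension the report names for encrypted files and the
// only marker the Babuk decryptor looks for.
const encryptedExt = ".babyk"

// Inventory summarises impacted files for an incident record.
type Inventory struct {
	Files      int
	TotalBytes int64
	Hashes     map[string]string // relative path -> SHA-256 hex
}

// inventoryEncrypted walks root with filepath.Walk, hashes each ".babyk" file
// in its own goroutine, and merges results under a mutex; the WaitGroup makes
// the caller block until every goroutine has finished.
func inventoryEncrypted(root string) (Inventory, error) {
	inv := Inventory{Hashes: map[string]string{}}
	var (
		mu      sync.Mutex
		wg      sync.WaitGroup
		hashErr error
	)
	walkErr := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(info.Name(), encryptedExt) {
			return nil
		}
		wg.Add(1)
		go func(path string, size int64) { // path and size passed in, not captured
			defer wg.Done()
			sum, err := hashFile(path)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				hashErr = err
				return
			}
			rel, _ := filepath.Rel(root, path)
			inv.Files++
			inv.TotalBytes += size
			inv.Hashes[filepath.ToSlash(rel)] = sum
		}(path, info.Size())
		return nil
	})
	wg.Wait()
	if walkErr != nil {
		return inv, walkErr
	}
	return inv, hashErr
}

// hashFile streams a file through SHA-256 and returns the hex digest.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// buildFixture writes a small constructed tree (not real victim data) under
// root so the inventory can run offline. Each body is 24 bytes long.
func buildFixture(root string) error {
	files := map[string]string{
		"db/orders.sql.babyk":      "constructed ciphertext 1",
		"db/customers.sql.babyk":   "constructed ciphertext 2",
		"vm/disk.vmdk.babyk":       "constructed ciphertext 3",
		"vm/renamed-by-admin.vmdk": "constructed ciphertext 4", // extension stripped, so invisible here
		"docs/readme.txt":          "untouched file",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "babyk-triage")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := buildFixture(root); err != nil {
		panic(err)
	}
	inv, err := inventoryEncrypted(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d files, %d bytes carry %s\n", inv.Files, inv.TotalBytes, encryptedExt)
	for rel, sum := range inv.Hashes {
		fmt.Printf("%s  %s\n", sum, rel)
	}
}
```

The constructed "renamed-by-admin.vmdk" entry illustrates the same blind spot the report finds in the decryptor: an extension-only check misses files that someone renamed while trying to recover them, so a count produced this way is a lower bound and should be cross-checked against file contents or backups before it is used in a damage assessment.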

Conclusion

Although its activity was short-lived, the criminal group behind Babuk caused a great deal of damage by operating defective ransomware. In this blog, we reviewed the group's status and analyzed the ransomware it used. Several defects were identified that cause specific instances to fail and inflict irreparable damage. This inadequate ransomware design appears to be the reason the attackers decided to shift to managing data leaks.

YARA rules

rule RANSOM_BabukLocker_NAS_Apr2021 {
    meta:
        description = "Rule to detect BabuLocker Linux edition"
        author = "TS @ McAfee ATR"
        date = "04-27-2021"
        hash = "a564da1ed886756e375de5f56241699e"
        malware_type = "Ransom"
    strings:
        $s1 = "BABUK_LOCK_curve25519" wide ascii
        $s2 = "crypto/chacha20" wide ascii
        $s3 = "filepath.Walk" wide ascii
        $s4 = "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" wide ascii
    condition:
        filesize >= 1MB and filesize <= 3MB and
        4 of ($s*)
}
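To show exactly what the rule above fires on, here is an added Go example (not part of the report and not a YARA engine) that evaluates the same condition over constructed buffers: the size window, the four indicator strings, and the "wide ascii" modifiers, which YARA satisfies with either the plain ASCII bytes or their UTF-16LE encoding. The functions matchesRule, matchedIndicators and constructedBuffer, and the fact that the buffers are synthetic filler rather than binaries, are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Size window from the rule's condition; YARA's MB suffix means 1024*1024.
const (
	minSize = 1 << 20
	maxSize = 3 << 20
)

// The four $s strings from the rule, verbatim.
var indicators = []string{
	"BABUK_LOCK_curve25519",
	"crypto/chacha20",
	"filepath.Walk",
	"/sys/kernel/mm/transparent_hugepage/hpage_pmd_size",
}

// toWide encodes s as UTF-16LE, the form YARA's "wide" modifier matches.
func toWide(s string) []byte {
	out := make([]byte, 0, 2*len(s))
	for i := 0; i < len(s); i++ {
		out = append(out, s[i], 0)
	}
	return out
}

// containsASCIIOrWide mirrors the "wide ascii" modifiers: either encoding counts.
func containsASCIIOrWide(data []byte, s string) bool {
	return bytes.Contains(data, []byte(s)) || bytes.Contains(data, toWide(s))
}

// matchedIndicators returns how many of the four strings appear in data.
func matchedIndicators(data []byte) int {
	n := 0
	for _, s := range indicators {
		if containsASCIIOrWide(data, s) {
			n++
		}
	}
	return n
}

// matchesRule evaluates the condition: size within [1MB, 3MB] and
// "4 of ($s*)", which with four strings means all of them must be present.
func matchesRule(data []byte) bool {
	if len(data) < minSize || len(data) > maxSize {
		return false
	}
	return matchedIndicators(data) == len(indicators)
}

// constructedBuffer builds a synthetic blob (not a real binary) of the given
// size, embedding the first count indicators in ASCII or UTF-16LE form.
func constructedBuffer(size, count int, wide bool) []byte {
	buf := make([]byte, size)
	off := 4096 // arbitrary offset inside the zero filler
	for _, s := range indicators[:count] {
		enc := []byte(s)
		if wide {
			enc = toWide(s)
		}
		copy(buf[off:], enc)
		off += len(enc) + 64
	}
	return buf
}

func main() {
	cases := []struct {
		name string
		data []byte
	}{
		{"2MB, all four ASCII", constructedBuffer(2<<20, 4, false)},
		{"2MB, all four wide", constructedBuffer(2<<20, 4, true)},
		{"2MB, three strings", constructedBuffer(2<<20, 3, false)},
		{"512KB, all four", constructedBuffer(512<<10, 4, false)},
	}
	for _, c := range cases {
		fmt.Printf("%-22s matched=%d rule=%v\n", c.name, matchedIndicators(c.data), matchesRule(c.data))
	}
}
```

Two practical notes follow from running it. The size window is part of the signature, so a sample padded past 3 MB or a stripped build below 1 MB will not fire even with all four strings present; and $s2 to $s4 are strings found in many ordinary Go binaries (the chacha20 package path, the filepath.Walk symbol and the runtime's transparent hugepage path), so the specificity of the rule rests on $s1 together with the size window, which is worth remembering when tuning it for a particular environment.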

IOCs: Babuk NAS Locker (SHA-256)

8c6f768c90103857c59f031fb043d314db6a7371908a1f45bc2e86cf2ad68268
8daf429bb21285cfcf24dcc4797501ee3d4daf73364055ee5b002492ad55a3e1
e505b24de50b14aed35cf40725dc0185cab06fed90269d445ec7a4b36de124b6
e8cee8eab4020e1aadd4631ed626ab54d8733f8b14d683ca943cd4e124eeef55

[1] https://essay.utwente.nl/81595/1/Keijzer_MA_EEMCS.pdf

[2] https://github.com/bb00/zer0dump

[3] https://www.secura.com/blog/zero-logon

[4] h tps: // w w.BNe T / Babu K -C ぉ ね S -O -O -O -S -S -S -S -SA

[5] h tps: // Hei MKo M / B ぉ G / Babu K -Lanso M We Ks Ks -Pupa L Shana L -Data

[6] h tps: // w w.B Epin G Koko M Pute R.M / M / Nene WS / Suri TY / Babu K -Ranso M Hore Ah, S -Shu T -D -Poppan ST -P -Pan S -O -Ponゎ /

* The contents of this page are based on the following report, updated on July 28, 2021. Original text: Babuk: Moving to VM and *NIX Systems Before Stepping Away (McAfee Labs)
