Sodinokibi Malware Analysis

Posted on 21-Jan-2022

Contents

• Executive summary (p. 2)

• Malware Analysis (p. 3)

• General Ransomware Characteristics to Look Out For (p. 3)

• Common Infection Vectors (e.g., vulnerability exploits) (p. 3)

• Common Capabilities (p. 4)

• Common TTPs to Look Out For (p. 5)

• Process Flow (p. 6)

• Incident Response Flow (p. 8)

• IOCs (p. 11)

Executive summary

On May 19, 2021, a customer reported a ransomware attack in their environment, which was later determined to be the Sodinokibi ransomware.

The attack was already under way when the customer first reported it to us (until then they were not a customer of Cynet or VincaCyber).

We immediately deployed Cynet in the customer environment and reported the incident to Cynet CyOps to assist us with the incident response.

The ransomware files were found on more than 250 hosts, and one user account of the company (a Domain User) was compromised in the attack.

The attack involved 2 files: one used as a beacon and a downloader for the second (the ransomware payload).

All the files are detected by Cynet, together with the operations they perform (execution of a PowerShell command and persistence via a scheduled task).

The origin of the files and of the attack has not been confirmed, since Cynet was not deployed before the incident.

Malware Analysis

• Sodinokibi is likely being distributed by attackers affiliated with those that distributed the infamous GandCrab ransomware family, which is supposed to be retired soon according to the underground forum where GandCrab first appeared.

• Sodinokibi ransomware exploits an Oracle WebLogic vulnerability (CVE-2019-2725) to gain access to the victim’s machine. Once in, the malware tries to execute itself with elevated user rights in order to access all files and resources on the system without any restriction.

• This ransomware strain uses the AES and Salsa20 algorithms to encrypt users’ files: AES is used to encrypt session keys and data that is sent to the control server, while user files are encrypted with Salsa20.

• Sodinokibi uses an Elliptic-curve Diffie-Hellman key exchange to generate and propagate encryption keys.

• Once it infiltrates a machine, it wipes out all of the files in the backup folder.

• Currently, the ransomware demands 0.32806964 BTC (≈ $2,500) to regain access to the encrypted files. The attackers claim that this amount must be paid within four days or the ransom demand will be doubled.

General Ransomware Characteristics to Look Out For

Ransomware attackers, including Sodinokibi actors, tend to be sophisticated, stealthy and prevalent. Most often, they seek to gain access to a victim organization’s network either by exploiting a vulnerability or by acquiring and abusing valid account credentials. Obtaining that initial set of account credentials typically comes through phishing attacks or purchases in dark web cyber-crime forums. Ultimately, once an attacker gains an initial foothold, they seek to move laterally and acquire as many privileged account credentials as possible. The use of malware or penetration testing tools for this is common practice.

Common Infection Vectors (e.g., vulnerability exploits)

• Phishing/malware

• Vulnerability exploitation

• Open/poorly secured RDP

Common Capabilities

• Antivirus and sandbox evasion/anti-debug, anti-analysis tricks

• Binary file is encrypted

• CRC32 checks

• Process injection tactics

• API hashing/dynamic API resolution

• Mount and encrypt virtual disks (e.g. virtual machine files like VHD, VHDX)

• UAC bypass

• Wake-on-LAN (WoL)

• Process doppelgänging

• Deploy and execute ransomware inside its own virtual machine container

• Disable Windows driver signature enforcement

• Kill specific running processes and services

• Delete data, e.g., various logs (attack evidence), volume shadow copies, backups, etc.

• Disable/delete various system security settings (e.g., Windows firewall, Windows Defender definitions, etc.)

• Evade detection, e.g., msbuild.exe, Heaven’s Gate technique, use memory mapped I/O to encrypt each file, etc.

• Rapid, multithread encryption

Common TTPs to Look Out For

• Harvesting privileged account credentials, admins of varying sorts.

• Use of legitimate, remote access software like AnyDesk, NetSupport Manager, etc.

• Use of PuTTY Link (aka Plink) to tunnel RDP sessions and establish connections to other devices on the network with randomized source and destination ports.

• Creation of one or more user accounts and/or groups, group policies (GPOs).

• Attempts to encrypt network shares; creates new tasks, registry keys

• Attackers will target systems with vSphere/ESXi/Nagios, NAS (data exfiltration), network shares (data exfiltration), Exchange servers (to monitor and steal internal communications) and consolidated backups (which can frustrate recovery efforts), especially during the internal reconnaissance phase.

• Internal network scans looking for IP ranges with the following services/ports:

o 10.0.0.0-10.0.255.255

o HTTP and proxy (ports 80, 443, 3128, 8080)

o FTP and SFTP (port 21, 115)

o Database servers (ports 1433, 3050, 3306)

o Remote management (ports 22, 23, 3389, and 4899)

• Log deletion using publicly available code.

• Lateral movement — many times, a primary subgoal is to move to a domain controller (DC).

o PSremoting session started; PowerShell downloads scripts and files; privileged account used (i.e., Domain Admin); ADrecon executed (reconnaissance); Scheduled Task executes script from SystemApps; lateral movement via Cobalt SMB beacon.

o Once on a DC, attackers attempt to disable Windows security settings like MS firewall settings for all domain-joined computers via new GPO.

o Deployment and detonation of ransomware on all domain-joined computers via GPO.

• Watch for any network activity to/from cloud storage platforms as a way by which data is being exfiltrated.

Process Flow

When the file is run, it enumerates and modifies the Internet Settings registry keys:

In addition, the file enumerates the files on the system:

The file beacons to a C2 server and sends the enumerated data; this also allows the attacker to download a payload:

Conclusion: the file is a beacon that enumerates the system files and registry keys, modifies the network settings, and sends the collected data to a C2 server, which allows the attacker to download a payload onto the compromised machine; it then destroys the file using PowerShell in order to evade analysis.

The file then executes a PowerShell command:

The command explained:

Incident Response Flow

First, a beacon file was executed with the ability to gather information about the host, modify system settings and allow the attacker to deploy the ransomware.

Following the analysis and the findings from the investigation of the customer environment, we applied the following actions:

- Defined a Threat Hunting policy and auto-remediation for detecting and deleting the ransomware payload and the beacon.

- Enumerated and deleted persistence within the scheduled tasks using a custom remediation script.

- Analyzed the files related to the attack (see the Process Flow section).

- Disabled the domain admin account that was compromised by the attacker; Cynet also flagged the user’s activity (logged in to more than 10 hosts):

- Further investigation revealed that the user logged in to more than 173 machines on 19th May 2021 alone. The user is also linked to the malicious beacon file, so the assumption is that the attacker compromised this user and used the account to spread the ransomware; the user is also a domain admin.

IOCs

Description                        Value

Beacon File (SHA256)               277bbabf2bcffc0f950a23b40620b7ffe5bc2093a4028f39018f243c3ca6ebce

Sodinokibi Ransomware (SHA256)     934c557e52bd47fa312ea4098e05781145d0b81c9dc543ef42b266813bdb05d4

Attacker C2 Server                 51.161.82.135

Registry Key                       HKLM\Software\Classes\CLSID\{914C40FA-9CB5-9C25-D55F-A404A3CFD6B9}\ProgID\{914C40FA-9CB5-9C25-D55F-A404A3CFD6B9}

Scheduled Task Names               \Comp_sys, \Comp_sys_h, \User_userlogon, \User_userlogon_h
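As an added example (not the report’s or Cynet’s own remediation script), the following PowerShell sweep checks a single Windows host for the IOCs listed above and, with -Remediate, removes the scheduled-task persistence that the Incident Response Flow section describes deleting. It assumes it is saved as a .ps1 and run from an elevated PowerShell session; the -ScanPath parameter and its default folders are assumptions, not values from the report.

```powershell
[CmdletBinding()]
param(
    [string[]]$ScanPath = @($env:ProgramData, $env:TEMP),   # assumed folders whose files get hashed; widen as needed
    [switch]$Remediate                                       # delete matching scheduled tasks when set
)

# IOC values taken from the report's IOC table
$TaskNames   = 'Comp_sys', 'Comp_sys_h', 'User_userlogon', 'User_userlogon_h'
$RegistryKey = 'HKLM:\Software\Classes\CLSID\{914C40FA-9CB5-9C25-D55F-A404A3CFD6B9}\ProgID\{914C40FA-9CB5-9C25-D55F-A404A3CFD6B9}'
$C2Address   = '51.161.82.135'
$KnownHashes = @{
    '277bbabf2bcffc0f950a23b40620b7ffe5bc2093a4028f39018f243c3ca6ebce' = 'Beacon file'
    '934c557e52bd47fa312ea4098e05781145d0b81c9dc543ef42b266813bdb05d4' = 'Sodinokibi ransomware'
}
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Value, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Detail = $Detail })
}

# 1. Scheduled-task persistence: the report's task names sit in the root task folder "\"
foreach ($name in $TaskNames) {
    $task = Get-ScheduledTask -TaskPath '\' -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        Add-Finding 'ScheduledTask' "\$name" "state $($task.State)"
        if ($Remediate) { Unregister-ScheduledTask -TaskPath '\' -TaskName $name -Confirm:$false }
    }
}

# 2. CLSID registry key left by the beacon
if (Test-Path -LiteralPath $RegistryKey) { Add-Finding 'RegistryKey' $RegistryKey 'present' }

# 3. Live TCP connections to the C2 address
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'C2Connection' "${C2Address}:$($_.RemotePort)" "PID $($_.OwningProcess), $($_.State)"
}

# 4. Files in the scan folders whose SHA256 matches the beacon or the ransomware payload
Get-ChildItem -Path $ScanPath -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($hash -and $KnownHashes.ContainsKey($hash.Hash.ToLowerInvariant())) {
        Add-Finding 'File' $_.FullName $KnownHashes[$hash.Hash.ToLowerInvariant()]
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No Sodinokibi IOCs from the report found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

Run it without -Remediate first to review the findings; the hash check only covers the folders in -ScanPath, so a full-disk sweep should rely on the EDR hunting policy described above.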