Trend Micro : LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

In December 2021, we observed a post on a cybercrime forum from a malicious actor claiming to operate the LV ransomware and searching for network access brokers. The malicious actor expressed interest in obtaining network access to Canadian, European and U.S. entities after which monetizing them by deploying the ransomware.

Reported LV ransomware breaches have been increasing because the second quarter of 2022, which aligns with the malicious actor’s efforts to expand its affiliates program. The chart shown in figure 3 illustrates this increase in activity.

Based on data from Trend Micro™ Smart Protection Network™ and other internal sources, Europe was the region with the very best variety of breach alerts, while the US and Saudi Arabia were the countries with the very best variety of reported incidents brought on by the ransomware payload. The attacks spanned multiple industry verticals – with manufacturing and technology being probably the most affected industries – demonstrating the group’s opportunistic approach.

This section details the tools, tactics, and procedures (TTPs) utilized by the affiliate that infiltrated one among the targeted victims’ environments, as observed from an incident response viewpoint.

The ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities have been observed to be exploited by malicious actors to focus on government institutions. Similarly, the initial access portion of this attack began on the exchange servers within the targeted environment, when an online shell file was dropped in the general public access folders in early September 2022 via ProxyShell exploitation.

The attacker then executed a persistent malicious PowerShell code that was used to download and execute one other PowerShell backdoor file within the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7.

The identical IP address that hosted the malicious PowerShell code was also found serving a tunneling tool that we consider was used for data exfiltration.

Based on our evaluation of the Web Information Services (IIS) access logs on the infected Exchange servers, the next IP addresses were exploiting the Proxyshell vulnerability throughout the same timeframe because the intrusion.

• 138[.]199[.]47[.]184
• 195[.]242[.]213[.]155
• 213[.]232[.]87[.]177
• 91[.]132[.]138[.]213
• 91[.]132[.]138[.]221

For the credential access and lateral movement phases, the attackers used Mimikatz to dump credentials, while NetScan and Advanced Port Scanner were used for discovery. Based on the event logs collected from one among the infected Exchange servers, there have been many successful logins using compromised user accounts a day before the ransomware infection occurred on September 8, 2022.

Once the attacker gained access to the domain controller via distant desktop protocol (RDP) using the compromised account of the domain administrator, the ransomware samples were dropped on the server and a malicious group policy containing a malicious scheduled task was created on Sep 9, 2022 to execute ransomware from the shared folder hosted on the Domain Controller server.

The domain controller server was utilized by the attackers to create a malicious group policy object (GPO) on Sep 9, 2022. The GPO then created a malicious scheduled task that ran the malicious batch files “1.bat” and “install.bat” to deploy the ransomware on the remaining of the machines which might be connected to the domain controller. The batch file “install.bat” was used to disable the safety agent services found on the targeted machines.

After deploying the ransomware, the attacker deleted the scripts folder that contained the malicious file samples.

The dropped ransom note showed that the files were encrypted with the l7dm4566n extension on the precise machine we analyzed.

The PowerShell command executed after the Microsoft Exchange exploitation is accountable for downloading and executing one other PowerShell script from the command-and-control (C&C) server 185[.]82[.]219[.]201. The downloaded PowerShell can be executed directly from memory to bypass detection.

This PowerShell backdoor was observed to be related to the SystemBC malware as a service. The script has a tough coded C&C server IP address and port number to hook up with, with data passed to the “Rc4_crypt” function before connection.

We found multiple variants from this backdoor on VirusTotal with different hardcoded C&C IP addresses and ports (that is included in IOCs section).

Sample similarity evaluation

The LV ransomware payload that we observed within the recent attacks is sort of an identical to the old samples that were analyzed in previous research last 12 months – there have been no recent capabilities added to the actual ransomware payload after unpacking. It also uses the identical basic packer function utilized by the old samples.

The packed executable stores the LV ransomware binary as an RC4-encrypted data inside a piece named “enc.”

After unpacking the brand new payloads and comparing them to the old payloads from the previous research, we determined that each payloads were an identical, indicating that the threat actor behind the LV ransomware didn’t enhance the most important capabilities of their payload, but as a substitute expanded the affiliate programs as shown in the primary section. The similarity results between each samples (shown in Figure 25) indicate that each have the identical capabilities.

By partnering with threat actors which have access to networks via the underground, the LV ransomware has been in a position to goal multiple regions and industries. This development shows that the impact of a ransomware variant isn’t solely reliant on the addition of latest capabilities, but in addition on other aspects equivalent to a greater reach and higher distribution networks.

Ransomware operators commonly employ vulnerability exploitation techniques as a part of their routines. Organizations should consider allocating enough resources into recurrently patching and updating their infrastructure and software, especially if it involves addressing major vulnerabilities equivalent to ProxyShell. Moreover, regular auditing and taking inventory of assets and data helps make sure that enterprises are up to this point on what is going on inside their system. Finally, implementing data protection, backup, and recovery measures ensures that data isn’t lost even when a successful ransomware infection occurs.

A multilayered approach can assist organizations guard all possible entry points into the system for endpoints, emails, web, and networks. Security technologies that may detect malicious components and suspicious behavior that enterprises can consider include:

• Trend Micro Vision One™, which provides multilayered protection and behavior detection, helping block suspicious behavior and tools before the ransomware can damage the system.
• Trend Micro Cloud One™ – Workload Security, which protects systems against each known and unknown threats that exploit vulnerabilities. Cloud One uses technologies equivalent to virtual patching and machine learning to further protect a company from attacks.
• Trend Micro™ Deep Discovery™ Email Inspector, which employs custom sandboxing and advanced evaluation techniques to effectively block malicious emails, equivalent to phishing emails that usually function entry points for ransomware.
• Trend Micro Apex One™, which offers automated threat detection and response against advanced threats equivalent to fileless threats and ransomware.
  

Indicators of Compromise