

Overview

The Trend Micro research team recently analyzed an infection related to the LV ransomware group, a ransomware-as-a-service (RaaS) operation that has been active since late 2020 and is reportedly based on REvil (aka Sodinokibi). The precise nature of the connection between the LV ransomware and REvil groups cannot be definitively established or verified: the LV ransomware’s developers do not appear to have had access to the REvil source code, and instead modified the REvil binary. Based on previous research, the group that operates REvil is alleged to have either sold the source code, had the source code stolen from them, or shared the source code with the LV ransomware group as part of a partnership. We believe that the threat actor that operates LV ransomware simply replaced the configuration of a REvil v2.03 beta version to repurpose the REvil binary for its own ransomware operations.

The group’s namesake ransomware has been seeing a reemergence since the second quarter of 2022, with our investigation revealing a surge in the number of breaches undertaken by the ransomware group. Moreover, an alert issued by the German Federal Office for Information Security in August 2022 revealed that the ransomware’s operators were blackmailing the semiconductor company Semikron by threatening to leak allegedly stolen data.

In this blog entry, we provide details on a recent intrusion performed by a group affiliate that involved the compromise of the corporate environment of a Jordan-based company. In this incident, the attackers used the double-extortion technique to blackmail their victims, threatening to release allegedly stolen data in addition to encrypting the victim’s files.


The LV ransomware’s primary targets

In December 2021, we observed a post on a cybercrime forum from a malicious actor claiming to operate the LV ransomware and searching for network access brokers. The malicious actor expressed interest in obtaining network access to Canadian, European and U.S. entities and then monetizing them by deploying the ransomware.

Figure 2. A post from a malicious actor claiming to operate the LV ransomware searching for network access brokers (original language and translated versions)

Reported LV ransomware breaches have been increasing since the second quarter of 2022, which aligns with the malicious actor’s efforts to expand its affiliate program. The chart shown in Figure 3 illustrates this increase in activity.

Figure 3. The number of incidents reportedly related to LV ransomware has been on the rise

Based on data from Trend Micro™ Smart Protection Network™ and other internal sources, Europe was the region with the highest number of breach alerts, while the US and Saudi Arabia were the countries with the highest number of reported incidents caused by the ransomware payload. The attacks spanned multiple industry verticals, with manufacturing and technology being the most affected industries, demonstrating the group’s opportunistic approach.

Figure 4. The regions most affected by LV ransomware in 2022

Figure 5. The countries most affected by LV ransomware in 2022

Figure 6. The sectors most affected by LV ransomware in 2022


Observed infection chain

This section details the tools, tactics, and procedures (TTPs) used by the affiliate that infiltrated one of the targeted victims’ environments, as observed from an incident response viewpoint.

The ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities have been observed being exploited by malicious actors to target government institutions. Similarly, the initial access portion of this attack began on the Exchange servers in the targeted environment, when a web shell file was dropped in the public access folders in early September 2022 via ProxyShell exploitation.

The attacker then executed persistent malicious PowerShell code that was used to download and execute another PowerShell backdoor file on the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7.

Figure 7. The persistent PowerShell code as seen from the registry key

Figure 8. The malicious PowerShell code shown running on the Exchange server under the powershell.exe process

The same IP address that hosted the malicious PowerShell code was also found serving a tunneling tool that we believe was used for data exfiltration.

Figure 9. The IP address 185[.]82[.]219[.]201 shown hosting the Gost tunneling tool

Figure 10. The malicious PowerShell code that was first logged on September 6, 2022

Based on our analysis of the Internet Information Services (IIS) access logs on the infected Exchange servers, the following IP addresses were exploiting the ProxyShell vulnerability during the same timeframe as the intrusion.

  • 138[.]199[.]47[.]184
  • 195[.]242[.]213[.]155
  • 213[.]232[.]87[.]177
  • 91[.]132[.]138[.]213
  • 91[.]132[.]138[.]221
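One way to triage IIS access logs for the ProxyShell request pattern and attribute hits to source addresses, as an added example that is not part of the original post. The log lines, the RFC 5737 addresses standing in for attacker IPs, and the single-token signature are constructed assumptions; a production hunt would use the full vendor rule sets.

```python
import re
from collections import defaultdict

# Simplified signature for ProxyShell (CVE-2021-34473) request smuggling, from
# public advisories: an Autodiscover request whose query carries an Email=
# parameter pointing back at autodiscover.json. Assumption: a production rule
# set uses the complete vendor signatures, not just this one token.
PROXYSHELL_QUERY = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)

def parse_iis_log(text: str):
    """Yield one dict per record from W3C extended IIS log text, honoring #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_proxyshell_sources(text: str) -> dict:
    """Return {client_ip: request_count} for requests matching the ProxyShell pattern."""
    hits = defaultdict(int)
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith("/autodiscover/autodiscover.json") and PROXYSHELL_QUERY.search(rec.get("cs-uri-query", "")):
            hits[rec.get("c-ip", "?")] += 1
    return dict(hits)

# Constructed sample log: two scanning sources plus normal Outlook/OWA traffic.
# RFC 5737 documentation addresses stand in for the attacker IPs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-06 10:12:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.77 Mozilla/5.0 200
2022-09-06 10:12:08 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/ews/exchange.asmx/?&Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.10 python-requests/2.25 200
2022-09-06 10:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?&Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.10 python-requests/2.25 200
2022-09-06 10:13:40 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 10.0.0.88 Outlook/16.0 401
2022-09-06 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @x.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@x.test 443 - 198.51.100.7 curl/7.68.0 200
"""

if __name__ == "__main__":
    for ip, n in sorted(find_proxyshell_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} ProxyShell-pattern requests")
```

The benign Outlook request to the same Autodiscover endpoint (no query string) is deliberately not flagged, which is the false-positive case a stem-only match would get wrong.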

For the credential access and lateral movement phases, the attackers used Mimikatz to dump credentials, while NetScan and Advanced Port Scanner were used for discovery. Based on the event logs collected from one of the infected Exchange servers, there were many successful logins using compromised user accounts a day before the ransomware infection occurred on September 8, 2022.

Once the attacker gained access to the domain controller via remote desktop protocol (RDP) using the compromised account of the domain administrator, the ransomware samples were dropped on the server and a malicious group policy containing a malicious scheduled task was created on September 9, 2022 to execute the ransomware from the shared folder hosted on the domain controller.

Figure 11. The malicious scheduled task “GoogleUpdateUX” from registry hives

Figure 12. The malicious scheduled task running the malicious batch file “1.bat”

The domain controller was used by the attackers to create a malicious group policy object (GPO) on September 9, 2022. The GPO then created a malicious scheduled task that ran the malicious batch files “1.bat” and “install.bat” to deploy the ransomware on the rest of the machines joined to the domain. The batch file “install.bat” was used to disable the security agent services found on the targeted machines.

Figure 13. The malicious GPO XML file found in the domain controller’s group policies folder

Figure 14. The contents of the “install.bat” file

Figure 15. The contents of the “1.bat” file

After deploying the ransomware, the attacker deleted the scripts folder that contained the malicious file samples.

Figure 16. Master file table (MFT) record showing the deletion of the “scripts” folder

The dropped ransom note showed that the files were encrypted with the l7dm4566n extension on the specific machine we analyzed.

Figure 17. A sample ransom note dropped on the infected machines

Figure 18. The attack timeline


The PowerShell backdoor

The PowerShell command executed after the Microsoft Exchange exploitation is responsible for downloading and executing another PowerShell script from the command-and-control (C&C) server 185[.]82[.]219[.]201. The downloaded PowerShell is executed directly from memory to evade detection.

Figure 19. The second downloaded PowerShell backdoor

This PowerShell backdoor was observed to be related to the SystemBC malware-as-a-service. The script has a hard-coded C&C server IP address and port number to connect to, with data passed to the “Rc4_crypt” function before the connection is made.

We found multiple variants of this backdoor on VirusTotal with different hard-coded C&C IP addresses and ports (these are included in the IOCs section).


Sample similarity analysis

The LV ransomware payload that we observed in the recent attacks is nearly identical to the old samples that were analyzed in previous research last year: no new capabilities were added to the actual ransomware payload after unpacking. It also uses the same basic packer function used by the old samples.

Figure 20. The packer function in the new samples

The packed executable stores the LV ransomware binary as RC4-encrypted data inside a section named “enc”.

Figure 21. The PE sections of the new LV ransomware samples

Figure 22. The actual payload before and after decryption
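An added example, not the authors’ code, of how an analyst would recover the payload from the packer layout just described: walk the PE section table, take the raw bytes of the section named “enc”, and RC4-decrypt them, then check for the expected MZ header. The RC4 key and the packed sample are constructed assumptions, since the post does not publish them.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    for n in range(nsec):
        hdr = table + n * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, raw_ptr, raw_size

def extract_enc_payload(image: bytes, key: bytes) -> bytes:
    """Find the section named 'enc' and RC4-decrypt its raw bytes."""
    for name, off, size in pe_sections(image):
        if name == "enc":
            return rc4(key, image[off:off + size])
    raise ValueError("no 'enc' section in image")

def build_sample_packer(key: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for the packer layout: DOS/COFF headers + one 'enc' section."""
    enc, e_lfanew = rc4(key, payload), 0x40
    raw_ptr = e_lfanew + 24 + 40              # data follows the single section header
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = b"enc".ljust(8, b"\0") + struct.pack("<IIII", len(enc), 0x1000, len(enc), raw_ptr) + b"\0" * 16
    return dos + coff + sec + enc

KEY = b"constructed-demo-key"                 # assumption: the real key is not given in the post
PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the unpacked LV binary"
```

On a real sample the check that matters is the one shown in Figure 22: the decrypted section should itself begin with an MZ header, otherwise the key or section offset is wrong.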

After unpacking the new payloads and comparing them to the old payloads from the previous research, we determined that both payloads were identical, indicating that the threat actor behind LV ransomware did not enhance the main capabilities of their payload, but instead expanded the affiliate program as shown in the first section. The similarity results between both samples (shown in Figure 25) indicate that both have the same capabilities.

Figure 23. Similarity results from BinDiff comparing the old and new payloads

Figure 24. Results from BinDiff showing the internal functions that implement the LV ransomware

Conclusion and Recommendations

By partnering with threat actors that have access to networks via the underground, LV ransomware has been able to target multiple regions and industries. This development shows that the impact of a ransomware variant is not solely reliant on the addition of new capabilities, but also on other factors such as greater reach and better distribution networks.

Ransomware operators commonly employ vulnerability exploitation as part of their routines. Organizations should consider allocating enough resources to regularly patching and updating their infrastructure and software, especially when it involves addressing major vulnerabilities such as ProxyShell. Moreover, regular auditing and inventorying of assets and data helps ensure that enterprises are up to date on what is happening inside their systems. Finally, implementing data protection, backup, and recovery measures ensures that data is not lost even if a successful ransomware infection occurs.

A multilayered approach can help organizations guard all possible entry points into the system across endpoints, email, web, and networks. Security technologies that can detect malicious components and suspicious behavior, which enterprises can consider, include:

  • Trend Micro Vision One™, which provides multilayered protection and behavior detection, helping block suspicious behavior and tools before the ransomware can damage the system.
  • Trend Micro Cloud One™ – Workload Security, which protects systems against both known and unknown threats that exploit vulnerabilities. Cloud One uses technologies such as virtual patching and machine learning to further protect an organization from attacks.
  • Trend Micro™ Deep Discovery™ Email Inspector, which employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, such as phishing emails that often serve as entry points for ransomware.
  • Trend Micro Apex One™, which offers automated threat detection and response against advanced threats such as fileless threats and ransomware.


Indicators of Compromise

