malware.news
Open in
urlscan Pro
2606:4700:20::681a:769
Public Scan
URL:
https://malware.news/t/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/87047
Submission: On October 04 via api from IN — Scanned from GB
Submission: On October 04 via api from IN — Scanned from GB
Form analysis
1 forms found in the DOMPOST /login
<form id="hidden-login-form" method="post" action="/login" style="display: none;">
<input name="username" type="text" id="signin_username">
<input name="password" type="password" id="signin_password">
<input name="redirect" type="hidden">
<input type="submit" id="signin-button" value="Log In">
</form>
Text Content
Skip to main content Log In * * THREAT ACTOR BELIEVED TO BE SPREADING NEW MEDUSALOCKER VARIANT SINCE 2022 Malware News You have selected 0 posts. select all cancel selecting Oct 3 1 / 1 Oct 3 22h ago MalBot 22h * Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. * Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. * This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLokerKZ.” This variant is compiled with a PDB path containing the word “paid_memes” that is also present in other tools observed during the attacks, presumably by the same author. * Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks. Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled. TRACKING BABYLOCKERKZ ACROSS THE GLOBE Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity. The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased. The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate. ATTACKER TTPS AND TOOLS During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack: * c:\users\<user>\music\advanced_port_scanner_2.5.3869.exe * c:\users\<user>\music\hrsword\hrsword install.bat * c:\users\<user>\music\killav\build.004\disabler.exe * c:/users/<user>/music/checker/checker(222).exe * c:/users/<user>/music/checker/invoke-thehash.ps1 * c:/users/<user>/music/checker/checker (222).exe * c:/users/<user>/music/checker/invoke-smbexec.ps1 * c:/users/<user>/music/checker/invoke-wmiexec.ps1 * c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe * c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced_port_scanner.exe * c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced_port_scanner_2.5.3869.tmp These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor. Some of the publicly known tools used by the attacker are: * HRSword_v5.0.1.1.rar: A tool used to disable AV and EDR software. * Advanced_Port_Scanner_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices. * Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner. * Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint. * PCHunter64.exe: A tool similar to processhacker. * Mimikatz: A tool to dump Windows user credentials from memory. While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “paid_memes”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below. CHECKER TOOL Checker (E:\paid_memes\wmi_smb_rdp_checker\Release\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools: * Remote Desktop Plus * PSEXEC * MIMIKATZ And a set of scripts based on the Invoke-TheHash tool. The tool also contains a GUI, as shown below, and a database to store the credentials. As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified. PTH PROJECT The PTH (D:\Projects\paid_memes\PTH\Release\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds: * Invoke-SMBClient.ps1 * Invoke-SMBEnum.ps1 * Invoke-SMBExec.ps1 * Invoke-TheHash.ps1 * Invoke-WMIExec.ps1 These were also used in the checker tool and are part of Invoke-TheHash. According to the author: “Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.” MIMIK TOOL MIMIK (D:\Projects\paid_memes\mimik\Release\stub_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool. The following command lines are examples of commands executed via the tool: * 64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit * C:\Users\user\Desktop\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit * 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit * C:\Users\user\Desktop\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M * C:\Users\user\Desktop\rclone.exe rclone rc operations/stat BABYLOCKERKZ BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as: * No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex. * No MDSLK reg key. * The PAIDMEMES Public and private keys. * The BabyLockerKZ run key. The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post. COVERAGE Ways our customers can detect and block this threat are listed below. Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0 ClamAV detections are also available for this threat: Win.Ransomware.MedusaLocker-10035000-1 Win.Tool.PassTheHash-10034996-0 Win.Ransomware.MedusaLocker-10035000-0 INDICATORS OF COMPROMISE IOCs for this research can be found at our Github repository here BabylockerKZ: 33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f 63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499 270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e 759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906 PTH: 9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7 8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f Checker: d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0 1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be 1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651 6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c 2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac HOHOL1488: dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6 48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54 c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801 012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe 8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625 364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca 5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2 PDB list: d:/projects/paid_memes/virus/release/stub.pdb e:/locker/bin/stub_win_x64_encrypter.pdb i:/locker/bin/stub_win_x64_encrypter.pdb d:/education/locker/bin/stub_win_x64_encrypter.pdb d:/education/locker/bin/stub_win_x86_encrypter.pdb d:/projects/paid_memes/wmi_smb_rdp_checker/release/checker.pdb d:/projects/paid_memes/mimik/release/stub_mimik.pdb i:/locker/x64/release/phantom.pdb d:/projects/paid_memes/pth/release/pth.pdb Registry keys: HKEY_USERS\%SID%\SOFTWARE\PAIDMEMES\PRIVATE HKEY_USERS\%SID%\SOFTWARE\PAIDMEMES\PUBLIC HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PUBLIC HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PRIVATE HKCU\SOFTWARE\PAIDMEMES\PUBLIC HKCU\SOFTWARE\PAIDMEMES\PRIVATE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ Extension names observed being used by BabyLockerKZ samples: crypto125 crypto1317 crypto165 crypto41 crypto76 encrypted1 hazard11 hazard21 hazard23 hazard24 hazard25 hazard27 hazard31 hazard38 hazard49 hazard55 hazard56 hazard7 infected lock2 lock3 lock5 locked9 lockfiles meduza210 rapid1 rapid10 readtext13 readtext47 readtext49 recovery29 recovery70 virus2 virus3 virus57 Encryption key BabyLockerKZ: PUTINHUILO1337 MUTEX BabyLockerKZ: HOHOL1488 Article Link: Threat actor believed to be spreading new MedusaLocker variant since 2022 5 Reply NEW & UNREAD TOPICS Topic Replies Views Activity 2 wireless protocols expose mobile users to spying — the FCC wants to fix that Malware News 0 367 Mar 28 Over 198GB of BuyGoods.com data exposed by misconfigured database Malware News 0 314 Jan 25 BlackBaud settles FTC charges on ransomware data breach Malware News 0 463 Feb 3 Data breach at Shadow potentially more severe than initially thought Malware News 0 360 Oct 2023 Over 4.4M impacted by SurveyLama breach Malware News 0 469 Apr 5 WANT TO READ MORE? BROWSE OTHER TOPICS IN MALWARE NEWS OR VIEW LATEST TOPICS. Powered by Discourse Invalid date Invalid date