Threat actors have deployed new ransomware delivered by a set of PowerShell scripts developed for encryption, exploiting flaws in unpatched Exchange Servers to break into corporate networks, according to recent research.
The ransom note suggests that the REvil threat actors may be behind the scripts, which have been weaponised to exploit vulnerabilities in corporate networks.
Researchers from security firm Sophos detected the new ransomware, called Epsilon Red, in an investigation of an attack on a US-based company in the hospitality sector, Sophos Principal Researcher Andrew Brandt wrote in a report published online.
The name – created by the attackers themselves, who may be the same crew behind the REvil ransomware – is a reference to an obscure enemy character in the X-Men Marvel comics. The character is a “‘super soldier’ alleged to be of Russian origin” armed with four mechanical tentacles, which seems to represent the way the ransomware spreads its hooks into a corporate network, Brandt wrote.
While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system is a bit more sophisticated, relying on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” he observed.
The potential link to the REvil group came in the ransom note left on infected computers, which “resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections” that make it more readable to native English speakers, Brandt wrote.
However, the name of the ransomware and the tooling appeared to be unique to this particular attacker, and there were no further similarities to the typical REvil attack vector.
The victim in the attack observed by Sophos ended up paying a ransom of 4.29 Bitcoin on May 15, the equivalent of about $210,000 at that time, according to the report.
The first point of entry for the attack was an unpatched enterprise Microsoft Exchange server, from which the attackers used Windows Management Instrumentation (WMI) – a scripting tool for automating actions in the Windows ecosystem, primarily used on servers – to install other software onto machines inside the network that they could reach from the Exchange server.
It is not entirely clear whether the attackers used the infamous Exchange ProxyLogon exploit that was a major issue for Microsoft earlier in 2021. However, the unpatched server used in the attack was indeed vulnerable to this exploit, Brandt observed.
Epsilon Red Payload
During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1, as well as some named with a single letter of the alphabet, to prepare the attacked machines for the final ransomware payload. The scripts also delivered and initiated the Epsilon Red payload, he explained.
The PowerShell scripts use a “rudimentary form of obfuscation” that didn’t hinder Sophos researchers’ analysis but “might be just good enough to evade the detection of an anti-malware tool that’s scanning the files on the hard drive for a few minutes, which is all the attackers really need,” Brandt noted.
The ransomware itself is a file called RED.exe that is compiled using a tool called MinGW and packed with a modified version of the runtime packer UPX. The payload includes some code from an open-source GitHub project called “godirwalk,” enabling it to scan the hard drive on which it is running for directory paths and to compile them into a list, Brandt outlined.
“The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously,” he wrote.
The executable itself is a small file and “a simple program,” used only to encrypt the files on the targeted system; it makes no network connections and carries no other critical functions, all of which are outsourced to the PowerShell scripts, Brandt observed.
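The per-subfolder fan-out described above (one parent spawning many copies of itself in a short span) is a pattern a defender can look for in process-creation telemetry. The following is an added example, not code from the Sophos report or from the ransomware: it parses constructed log lines in a hypothetical `timestamp pid= ppid= image=` format and flags any process that launches five or more children with its own image within ten seconds; the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); the line format is hypothetical.
SAMPLE_EVENTS = """\
2021-05-14T03:12:00 pid=400 ppid=300 image=C:\\Windows\\explorer.exe
2021-05-14T03:12:01 pid=500 ppid=400 image=C:\\temp\\RED.exe
2021-05-14T03:12:02 pid=501 ppid=500 image=C:\\temp\\RED.exe
2021-05-14T03:12:02 pid=502 ppid=500 image=C:\\temp\\RED.exe
2021-05-14T03:12:03 pid=503 ppid=500 image=C:\\temp\\RED.exe
2021-05-14T03:12:03 pid=504 ppid=500 image=C:\\temp\\RED.exe
2021-05-14T03:12:04 pid=505 ppid=500 image=C:\\temp\\RED.exe
2021-05-14T03:12:05 pid=600 ppid=400 image=C:\\Windows\\notepad.exe
2021-05-14T03:12:06 pid=601 ppid=600 image=C:\\Windows\\notepad.exe
"""

LINE_RE = re.compile(r"^(\S+) pid=(\d+) ppid=(\d+) image=(.+)$")

def parse_events(text):
    """Return a list of (timestamp, pid, ppid, image) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, int(m.group(2)), int(m.group(3)), m.group(4).lower()))
    return events

def find_self_fanout(events, min_children=5, window=timedelta(seconds=10)):
    """Return {parent_pid: image} for every parent that spawns at least
    `min_children` children running its own image inside one `window`."""
    image_of = {pid: image for _, pid, _, image in events}
    spawns = defaultdict(list)  # parent pid -> start times of same-image children
    for ts, pid, ppid, image in sorted(events):
        if image_of.get(ppid) == image:
            spawns[ppid].append(ts)
    hits = {}
    for ppid, times in spawns.items():
        for i, start in enumerate(times):  # sliding window over child start times
            if sum(1 for t in times[i:] if t - start <= window) >= min_children:
                hits[ppid] = image_of[ppid]
                break
    return hits

if __name__ == "__main__":
    print(find_self_fanout(parse_events(SAMPLE_EVENTS)))
```

On the sample, only pid 500 is flagged; notepad.exe, which spawns a single copy of itself, stays below the threshold.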
Because the point of entry was an unpatched Microsoft Exchange Server vulnerable to ProxyLogon, Sophos recommends that administrators update all servers to the patched version as soon as possible to mitigate an attack.