Suspected Ransomware Attack with Custom-Made Tool

Security researchers from Security Joes detected an intriguing case of an alleged ransomware attack that used custom-made tools usually used by APT groups. Moreover, a potential attribution has been made.

What’s going on?

• The researchers?observed?the attack in a client’s network in the gaming/gambling industry. The threat actors were targeting the industry across Central America and Europe.
• The attackers used a combo of custom-made, as well as open-source tools.
• Most notably, they used an altered version of Ligolo—Sockbot—a reverse tunneling tool that is available on GitHub. Along with it, they used another custom tool to dump credentials from LSASS.
• Some off-the-shelf open-source tools used by them, such as Cobalt Strike, Mimikatz, and Soft Perfect, are typically used by several other threat actors.
• They used legitimate accounts and stolen credentials to log into the victim accounts.

About Sockbot

• The adversaries altered Ligolo with additions that eliminated the use for command-line parameters and contained various execution checks to avoid running multiple instances.
• A customized Ligolo version is not a common addition in any threat actor’s arsenal; the only exception being?MuddyWater APT.
• This modification allows threat actors to boost their security while executing the attack without risking any attempt of eavesdropping from investigators.?

Attribution

The researchers have?attributed?this attack to a Russian-speaking ransomware group based on the overlap of tools and a common ransomware toolkit. Furthermore, the “AccountRestore” binary contains hardcoded references in Russian.

The bottom line

Since the usage of the Ligolo fork is pretty unique to this incident, it is surmised that the actors are taking tools used by other groups and adding their own signatures to them. The strategies used by them highlight that they are sophisticated, persistent, and possess impressive red teaming and programming skills.