
The ransomware group known as Kasseika has become the latest to exploit bring-your-own-vulnerable-driver (BYOVD) attacks to disable security-related processes on infected Windows hosts, joining other groups such as Akira, AvosLocker, BlackByte and RobbinHood.
Trend Micro said in an analysis on Tuesday that this tactic allows “threat actors to terminate anti-virus processes and services to deploy ransomware.”
Kasseika, first discovered by the cybersecurity company in mid-December 2023, shows overlaps with the now-defunct BlackMatter, which emerged after DarkSide shut down.
There is evidence that the ransomware may be the work of an experienced threat actor who obtained or purchased access to BlackMatter, as the latter’s source code was never publicly leaked after its demise in November 2021.

The attack chain involving Kasseika begins with a phishing email used for initial access, followed by a dropped remote administration tool (RAT) to gain privileged access and move laterally within the target network.
The threat actors were observed leveraging Microsoft’s Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the presence of a process named “Martini.exe” and, if found, terminates it to ensure that only one instance of the process is running on the machine.
The main responsibility of this executable is to download and execute the “Martini.sys” driver from a remote server in order to disable 991 security tools. Notably, “Martini.sys” is a legitimately signed driver named “viragt64.sys” that has been added to Microsoft’s vulnerable driver block list.
“If Martini.sys is not present, the malware will terminate itself and will not continue executing its intended routine,” the researchers said, indicating that the driver plays a crucial role in defense evasion.
After this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), which uses the ChaCha20 and RSA algorithms to handle the encryption process, but not before terminating all processes and services that are accessing the Windows Restart Manager.
A ransom note is then placed in each directory it encrypts, and the computer’s wallpaper is modified to display a note demanding payment of 50 Bitcoins to a wallet address within 72 hours, or risk an additional $500,000 charge every 24 hours once the deadline passes.
Importantly, victims must post a screenshot of a successful payment to an actor-controlled Telegram group to receive the decryptor.

The Kasseika ransomware also has other tricks, including clearing traces of activity by clearing the system’s event logs using the wevtutil.exe binary.
“The wevtutil.exe command can effectively clear application, security, and system event logs on Windows systems,” the researchers said. “This technique is used with caution and makes it more challenging for security tools to identify and respond to malicious activity.”
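As an added defender-side illustration (not code from the article or from Trend Micro’s report), the following Python flags wevtutil log-clearing in constructed process-creation records and escalates when a single host wipes all three logs the researchers name; the sample records, host names and field names are invented for the example.

```python
# Constructed process-creation records (shape loosely modelled on Sysmon
# Event ID 1 / Security 4688 fields); these are not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "wevtutil.exe cl Application", "parent": "cmd.exe"},
    {"host": "ws01", "cmdline": "wevtutil cl Security", "parent": "cmd.exe"},
    {"host": "ws01", "cmdline": "wevtutil.exe clear-log System", "parent": "cmd.exe"},
    # Benign query of the Security log: must not be flagged.
    {"host": "ws02", "cmdline": "wevtutil qe Security /c:5 /rd:true /f:text",
     "parent": "powershell.exe"},
    {"host": "ws02", "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"},
]

CLEAR_VERBS = {"cl", "clear-log"}          # wevtutil's two spellings of "clear"
CRITICAL_LOGS = {"application", "security", "system"}


def parse_wevtutil_clear(cmdline):
    """Return the log name if cmdline clears a log via wevtutil, else None."""
    tokens = cmdline.replace('"', "").split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()   # strip any path prefix
    if exe not in ("wevtutil", "wevtutil.exe"):
        return None
    args = [t for t in tokens[1:] if not t.startswith("/")]  # drop /switches
    if len(args) >= 2 and args[0].lower() in CLEAR_VERBS:
        return args[1]
    return None


def detect_log_clearing(events):
    """One 'high' alert per clearing command; one 'critical' alert when the
    same host clears Application, Security and System, as Kasseika does."""
    alerts, cleared_by_host = [], {}
    for ev in events:
        log = parse_wevtutil_clear(ev["cmdline"])
        if log is None:
            continue
        alerts.append({"host": ev["host"], "log": log,
                       "parent": ev["parent"], "severity": "high"})
        cleared_by_host.setdefault(ev["host"], set()).add(log.lower())
    for host, logs in cleared_by_host.items():
        if CRITICAL_LOGS <= logs:
            alerts.append({"host": host, "log": "Application+Security+System",
                           "parent": None, "severity": "critical"})
    return alerts
```

A complementary control is to alert on Security log Event ID 1102 (“The audit log was cleared”), which Windows writes when the Security log is emptied regardless of the tool used.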
Separately, Palo Alto Networks Unit 42 has detailed the BianLian ransomware gang’s shift from a double-extortion scheme to encryption-free extortion attacks after the release of a free decryptor in early 2023.
BianLian has been an active and pervasive threat group since September 2022, primarily targeting the healthcare, manufacturing, professional and legal services industries in the United States, United Kingdom, Canada, India, Australia, Brazil, Egypt, France, Germany and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security vulnerabilities (such as ProxyShell), and web shells are the most common attack vectors the group uses to penetrate enterprise networks.
Additionally, the cybercriminal group shared a custom .NET-based tool with another ransomware group tracked as Makop, suggesting a potential link between the two.
“This .NET tool is responsible for retrieving file enumeration, registry and clipboard data,” security researcher Daniel Frank said in a new overview of BianLian.
“This tool contains some Russian words, such as the numbers one through four. The use of a tool like this suggests that the two organizations may have shared a toolset or used the services of the same developer in the past.”