On June 7, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) detailing the known techniques used by the CL0P Ransomware group identified through FBI investigations as recently as June 2023.
The CL0P Ransomware Gang, also known as TA505 and Graceful Spider, is a financially motivated and highly sophisticated criminal adversary that has been active since at least 2014. Known for its involvement in multiple high-profile incidents, TA505 is considered a major player in the e-crime scene having left a significant impact on the global cybersecurity landscape.
This actor is the operator of the Clop ransomware, which has been active since February 2019. Emerging as an evolved variant of CryptoMix ransomware, Clop is offered as a Ransomware-as-a-Service (RaaS) and has been used in large-scale spear-phishing campaigns that use a verified, digitally signed binary to bypass system defenses.
Clop was previously known for its use of the “double extortion” tactic, which is based on the action of exfiltrating the victim’s information and encrypting local information. In this way, if the victim refuses to pay the ransom, the adversary will not restore access and will publish the stolen information on a dedicated data leak site. In its recent activities, as of 2021, TA505 has opted for performing data exfiltration rather than encryption.
AttackIQ has released a new attack graph that seeks to emulate the full capabilities of the TA505’s toolkit to help customers validate their security controls and their ability to defend against a highly adaptable threat that has been able to stay ahead of the evolving cybersecurity landscape.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against an adversary that has played various roles through the years.
- Assess their security posture against multiple tools and techniques that TA505 has successfully utilized in numerous intrusions.
- Continuously validate detection and prevention pipelines against a highly prolific and sophisticated cybercriminal.
[CISA AA23-158A] #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
This attack graph emulates a ransomware and exfiltration attack using TA505’s larger toolkit involving several malware pieces such as Truebot, FlawedGrace, and SDBot. The final goal is to exfiltrate sensitive data and initiate a ransomware event on the infected system.
The first stage of the attack involves the delivery of the LEMURLOOT webshell used by TA505 which facilitates the delivery of another downloader known as Truebot. The malware is delivered as a DLL file executed using the native Windows utility RunDll32
.
Ingress Tool Transfer (T1105): These scenarios download to memory and save to disk in independent scenarios to test both network and endpoint controls and their ability to prevent the delivery of known malicious files.
System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32
is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32
with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.
The next stage emulates the discovery techniques available in Truebot. Details about the local system’s running processes, configuration information, and hostname are first collected. Then Active Directory information is collected before finally taking a screenshot of the logged in user’s desktop. This data is then sent to the actor’s command and control server using HTTP.
Process Discovery (T1057): Window’s built-in tasklist
command is executed as a command process and the results are saved to a file in a temporary location.
System Information Discovery (T1082): The native hostname
and systeminfo
commands are used to get the infected host’s computer name and basic details about the system.
Domain Trust Discovery (T1482): PowerShell is used to enumerate details on the connected domain and forests of the infected host.
Screen Capture (T1113): This scenario executes a PowerShell script that utilizes the Graphics.CopyFromScreen
Method from the System.Drawing
namespace to collect screenshots from the compromised system.
Application Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made by Truebot when delivering the initial profiling data by making an HTTP POST to an AttackIQ server that mimics the URL format and data sent by a real infection.
After submitting the profiling data, Truebot is used to download and execute the second stage malware FlawedGrace. This malware family can be executed by either injecting shellcode into the memory of a running process or by exploiting DLL side loading. At this point, persistence is established using the Windows registry.
Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
DLL Side-Loading (T1574.002): A legitimate executable is executed that loads a DLL file stored in the same directory that has been replaced with an AttackIQ dll file.
Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKCU\Software\Microsoft\Windows\CurrentVersion\Run
registry keys that Windows uses to identify what applications should be run at system startup.
FlawedGrace then performs its own set of discovery commands to gain further intelligence about the infected environment. Some of the same information is collected again in addition to details about the local administrator accounts and network configurations. Finally, the actor will attempt to identify additional hosts available to their initial infection vector.
System Owner/User Discovery (T1033): query user
and whoami
are called to determine what account is the webshell currently operating under.
Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in finding out the memberships of privileged local groups like Remote Desktop Users and Local Administrators. They accomplish this by executing net localgroup
lookups.
Windows Management Instrumentation (WMI) (T1047): WMI is a native Windows administration feature that provides a method for accessing Windows system components. This scenario executes the computersystem get domain
command to retrieve the host’s connected Active Directory domain.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig
, arp
, route
, and nltest
.
Remote System Discovery (T1018): This scenario executes the net view
command to gather additional hosts available to the infected asset.
The next stage continues FlawedGrace’s discovery actions with a focus on understanding what additional devices may be connected, details on what anti-virus is installed, and then attempting to collect both keystrokes and clipboard data from the logged in user.
Peripheral Device Discovery (T1120): This scenario retrieves information about systems peripherals such as logical drives, physical memory, network cards through the execution of commands and binaries.
Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an AntiVirusProduct
class.
Input Capture: Keylogging (T1056.001): A keylogger is executed that hooks API callbacks to collect keystrokes typed by a logged in user.
Clipboard Data (T1115): This scenario copies data stored in the clipboard through the execution of a PowerShell script.
Now armed with additional details about the infected environment, the actor will download and execute SDBot so they can begin to collect and exfiltrate data. Additionally, this stage will begin to map out additional options for spreading further into the victim’s network.
Data from Removable Media (T1025): The native utility fsutil
is used to identify any additional hard disks connected to the host. PowerShell is then used to iterate through every removable media device and harvest a list of files.
Network Share Discovery (T1135): The native net
tools are used to list all of the local mapped network shares with net share
.
Exfiltration Over C2 Channel (T1041): Data is sent to an AttackIQ controlled server using HTTP POST
requests.
Entering the final stage of the attack, the actor brings down two final payloads: Cobalt Strike and their bespoke Cl0p Ransomware. They will attempt to move laterally to additional hosts using Remote Desktop before finally engaging the ransomware to encrypt files.
Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in similar ransomware families.
Extending The Attack Graph
In addition to the attack graph, AttackIQ has released two additional scenarios that can be used to validate the security posture of your network controls. The following scenarios are PCAP Replay scenarios that replay the network traffic that was observed in first the exploitation of the MOVEit vulnerability and then the follow up actions using the LEMURLOOT webshell to achieve persistence and exfiltrate data.
- PCAP Replay – MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
- PCAP Replay – LEMURLOOT WebShell Exploiting MOVEit Transfer Vulnerability (CVE-2023-34362)
Emerging Threats has released a series of Suricata and Snort signatures that be used to detect and prevent both the exploit attempts and webshell interactions.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ highly recommends reviewing their signatures and adapting to your environment first to see if you have any existing impact before reviewing the results from the attack graphs.
As these attacks were initiated through the exploitation of externally facing vulnerability, having a robust asset and software inventory and a functional vulnerability management program is paramount to reducing risk.
1a. Mitigations
- M1048 – Application Isolation and Sandboxing
- M1050 – Exploit Protection
- M1030 – Network Segmentation
- M1026 – Privileged Account Management
- M1051 – Update Software
- M1016 – Vulnerability Scanning
2. Data Encrypted for Impact (T1486)
It should go without saying that as a last resort, preventing your systems and files from being encrypted should be a top priority. Ensuring that you have the layered endpoint defenses including Antivirus and EDR solutions is critical.
2a. Detection
Ransomware attacks are best prevented and alerted by your EDR/AV Policies. Typically, a configuration for ransomware protection is presented and we strongly encourage that it is enabled in your security controls.
There are three telling signs of ransomware activity in an environment that you could query for and possibly make preventative detections if your security controls allow. Those three are deletion of shadow volumes, suspicious amounts of exfiltrated data, and of course, wide set file encryption.
Detecting deletion of shadow volumes is usually the first step that occurs and can be detected by looking at command line activity:
Via vssadmin.exe:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
Via PowerShell:
Process Name == powershell.exe
Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object ($_.Delete();)”
Detecting suspicious Data Exfiltration:
Detecting exfiltration is well suited for IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic is sent to a rare external IP, it should be detected or prevented depending on security policies for the security control. Historical NetFlow data logging can also bubble up hosts that are experience uncommon peaks in outgoing traffic.
Detecting Ransomware-like File Encryption:
Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Utilizing these tools to look for excessive file modifications (greater than 1000 on a system) within less than a minute of time is a good starting indicator. To increase the fidelity a bit, you could include file modification file extension to popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend setting these detections to kill all processes involved in creating the alert as it will most likely stop the spread of the Ransomware.
2b. Mitigation
MITRE ATT&CK Recommends the following mitigations:
3. Process Injection (T1055) and DLL Side-Loading (T1547.002):
Many of the malware families used by TA505 are using techniques that obscure the true source of malicious activity. By either injecting into another process or using side-loading to load malicious code into a legitimate process actors can try to hide in normal system operating noise or abuse overzealous whitelisting:
3a. Detection
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. It would be uncommon for these processes to be executing additional process or performing discovery techniques. You can look for similar activity using a signature like:
Parent Process Name CONTAINS (‘explorer.exe’ OR ‘svchost.exe’)
Command Line CONTAINS (‘set’ OR ‘whoami’ OR ‘ping’ OR ‘dir’)
3b. Mitigation
Wrap-up
In summary, this attack graph will help organizations evaluate security and incident response processes and support the improvement of your security control posture against a highly prolific and sophisticated cybercriminal. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.