Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
Mandiant
Written by: Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.
The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.
The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.
Email Campaign TTPs
Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:
- Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
- This document contains an in-line link to a URL hosting a malware payload.
- Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
- Some email communications have included the recipient’s name or employer name in the subject line and/or email body.
Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:
- Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
- The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
- In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
- Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).
Figure 1: Email containing internal references to target an organization’s name
Figure 2: Google Docs PDF document containing a target organization’s logo
Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.
Post-Compromise TTPs
Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.
Establish Foothold
Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.
Maintain Presence
Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.
- The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
- We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
- The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
- In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.
Escalate Privileges
The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts.
- The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
- Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller.
- In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.
Reconnaissance
The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Activity Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.
- BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
- Get-GPPPassword
- Invoke-AllChecks
- Invoke-BloodHound
- Invoke-EternalBlue
- Invoke-FileFinder
- Invoke-HostRecon
- Invoke-Inveigh
- Invoke-Kerberoast
- Invoke-LoginPrompt
- Invoke-mimikittenz
- Invoke-ShareFinder
- Invoke-UserHunter
- Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
- The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
- WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
- The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
- The actors used the Nltest command to list domain controllers.
Lateral Movement
Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.
- The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments.
- The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols.
- The actors used the Windows net use command to connect to Windows admin shares to move laterally.
Complete Mission
Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.
- In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
- The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
- The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
- The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.
Hunting Strategies
If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.
- Isolate and perform a forensic review of any impacted systems.
- Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
- Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
- Reset credentials for any user accounts associated with execution of the malware.
- Perform an enterprise wide review for lateral movement authentication from the impacted systems.
- Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc) and move towards multi-factor authentication (MFA) as soon as possible.
An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.
Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnkFigure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders
SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which will trigger a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS job on a host run the command bitsadmin /list.
- Display name may be “Adobe Update”, “System autoupdate” or another generic value.
- Notify state may be set to Fail (Status 2).
- FileList URL value may be set to the local host or a URL that does not exist.
- The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
- The Retry Delay value will be set.
WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr
Value: Path to the backdoorFigure 4: Example registry RUN key used by WINEKEY to maintain persistence
The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.
- The identification of named scheduled tasks associated with ANCHOR persistence may be constructed according to the following pattern: <Random directory within %APPDATA%> autoupdate#<random number>.
- All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.
Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.
Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.
The following are additional strategies that may aid in identifying associated activity:
- Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
- During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
- While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
Hardening Strategies
The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.
- Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAS for automated rotation.
- Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability for privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins.Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
- Block internet access for servers where possible. Often times there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
- Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that do not have a business categorization.
- Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.
For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.
Campaign Indicators
Sample Email Subjects / Patterns
- <(first|last)-name>: Important Information
- <Company Name>
- <Company Name> complaint
- <(first|last)-name>
- <(first|last)-name>
- Agreement cancellation message
- Agreement cancellation notice
- Agreement cancellation notification
- Agreement cancellation reminder
- Agreement suspension message
- Agreement suspension notice
- Agreement suspension notification
- Agreement suspension reminder
- Arrangement cancellation message
- Arrangement cancellation notice
- Arrangement cancellation notification
- Arrangement cancellation reminder
- Arrangement suspension message
- Arrangement suspension notice
- Arrangement suspension notification
- Arrangement suspension reminder
- Contract cancellation message
- Contract cancellation notice
- Contract cancellation notification
- Contract cancellation reminder
- Contract suspension message
- Contract suspension notice
- Contract suspension notification
- Contract suspension reminder
- debit confirmation
- FW: <Name> Annual Bonus Report is Ready
- FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
- RE: <(first|last)-name>
- RE: <(first|last)-name>: Your Payslip for October
- RE: <Company Name> - my visit
- RE: <Company Name> Employee Survey
- RE: <Company Name> office
- RE: <Name> about complaint
- RE: <Name> bonus
- RE: <Name> termination list
- RE: <Name>
- RE: <Company Name> office
- RE: <(first|last)-name>
- RE: <(first|last)-name> <(first|last)-name>: complaint
- RE: <(first|last)-name>: Subpoena
- RE: <(first|last)-name>
- RE: <(first|last)-name>: Your Payslip for September
- RE: about complaint
- RE: Adopted Filer Forms
- RE: Business hours adjustment
- RE: Business hours realignment
- RE: Business hours rearrangement
- RE: Business hours restructuring
- RE: Business schedule adjustment
- RE: Business schedule realignment
- RE: Business schedule rearrangement
- RE: Business schedule restructuring
- RE: call me
- RE: changes
- RE: complaint
- RE: Complaint in <Company Name>.
- RE: Complaint on <Name>
- RE: customer request
- RE: debit confirmation
- RE: document copy
- RE: documents list
- RE: Edgar Filer forms renovations
- RE: employee bonuses
- RE: Filer Forms adaptations
- RE: my call
- RE: New filer form types
- RE: office
- RE: our meeting
- RE: Payroll Register
- RE: report confirmation
- RE: situation
- RE: Subpoena
- RE: termination
- RE: till 2 pm
- RE: Urgent <Company Name> Employee Internal Survey
- RE: visit
- RE: what about your opinion?
- RE: what time?
- RE: why
- RE: why this debit
- RE: Working schedule adjustment
- RE: Working schedule realignment
- RE: Working schedule rearrangement
- RE: Working schedule restructuring
- RE: Your Payslip for September
Example Malware Family MD5s
- KEGTAP
- df00d1192451268c31c1f8568d1ff472
- BEERBOT
- 6c6a2bfa5846fab374b2b97e65095ec9
- SINGLEMALT
- 37aa5690094cb6d638d0f13851be4246
- STILLBOT
- 3176c4a2755ae00f4fffe079608c7b25
- WINEKEY
- 9301564bdd572b0773f105287d8837c4
- CORKBOT
- 0796f1c1ea0a142fc1eb7109a44c86cb
Code Signing Certificate CNs
- ARTBUD RADOM SP Z O O
- BESPOKE SOFTWARE SOLUTIONS LIMITED
- Best Fud, OOO
- BlueMarble GmbH
- CHOO FSP, LLC
- Company Megacom SP Z O O
- ESTELLA, OOO
- EXON RENTAL SP Z O O
- Geksan LLC
- GLOBAL PARK HORIZON SP Z O O
- Infinite Programming Limited
- James LTH d.o.o.
- Logika OOO
- MADAS d.o.o.
- MUSTER PLUS SP Z O O
- NEEDCODE SP Z O O
- Nordkod LLC
- NOSOV SP Z O O
- OOO MEP
- PLAN CORP PTY LTD
- REGION TOURISM LLC
- RESURS-RM OOO
- Retalit LLC
- Rumikon LLC
- SNAB-RESURS, OOO
- TARAT d.o.o.
- TES LOGISTIKA d.o.o.
- VAS CO PTY LTD
- VB CORPORATE PTY. LTD.
- VITA-DE d.o.o.
UNC1878 Indicators
A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.
BEACON C2s
