• News
  • Security
  • Products
  • About Seqrite
Blogs on Information Technology, Network & Cybersecurity | Seqrite Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Cybersecurity • Ransomware  /  Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic
Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic
18 November 2020

Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic

Written by Priyanka Shinde
Priyanka Shinde
Cybersecurity, Ransomware
Estimated reading time: 5 minutes

Ransomware has come a long way in cyberspace by continuous improvement in its techniques and tactics in encrypting system files. Over the years ransomware has improvised itself by moving from PE to non-PE and standalone payloads, by using different compilers and complex packers. To deal with such variations, behaviour-based detection and Anti-ransomware solutions plays a vital role as the activity of the ransomware is targeted which no one can avoid.

Ransomware authors have now started injecting their malicious payloads into Windows genuine system processes, which are usually white-listed, encrypting the files by bypassing security solutions — they have always been found hunting for vulnerable apertures and abusing them the moment it gets publicly exposed.

Recently, we observed a similar strain of ransomware (named as Thanos Ransomware) trying to evade traditional Anti-Ransomware solutions by implementing different techniques which include process injection and the latest RIPlace tactic.

Last year researchers at Nyotron had furnished proof of concept (POC) of RIPlace tactic that can potentially encrypt files without getting identified by the anti-ransomware or Endpoint Detection and Response (EDR) solutions.

Technical Analysis

The Thanos Ransomware has been found to use multiple features, in an attempt to bypass Anti-Virus (AV) products.

The Infection Vector is not clear yet but there is a PowerShell script that contains another double Base64 encoded PowerShell which contains inline C# code. The first script executes the embedded PowerShell script and creates processes of “notepad” in hidden mode. The C# code present in the second script is basically taken from the Urban Bishop code of the Sharp-Suite framework present on Github. The PID of the notepad processes created is passed to this C# code as the argument. After this, the script is distributed laterally to all the machines connected in the network.

Fig.1 Flow of execution of different modules
Fig.1 Flow of execution of different modules

 

Fig.2 First PowerShell script containing encrypted script and process creation code
Fig.2 First PowerShell script containing encrypted script and process creation code

The function call contains Base64 encoded shellcode (shown in Fig.3), which is then injected to the notepad process. The shellcode contains encoded .Net payload. This payload is the variant of Thanos ransomware which encrypts files on the targeted machine.

Fig.3 Encrypted shellcode in the C# code
Fig.3 Encrypted shellcode in the C# code

There are different modules in the Thanos framework. Some of the interesting ones being-

1. AntiKill – As shown in fig. 4, uses the function named, IamInmortal() to make the process immortal by making changes in the process security descriptor.

Fig.4 AntiKill code in .Net payload
Fig.4 AntiKill code in .Net payload

2. Anti-Analysis – Used to identify the presence of debugger or virtual environment and if found so, terminating the sample.

Fig.5 Anti-analysis code in .Net payload
Fig.5 Anti-analysis code in .Net payload

3. Anti-Sniffer – Stops following processes that are usually used for analysis-

4. AwakeMe – Responsible for implementing Wake-on-LAN. (A detailed description of Wake-on-LAN can be found in our earlier blog)

5. Encryptions – Contains all the encryption-related functions like AES-CBC encryption, decryption, reading data from files, writing data to files.

6. CryptographyHelper – RSA encryption implemented.

7. NetworkSpreading – Downloads an application of Power Admin i.e exe (this allows to execute Windows program on a remote machine) and executes the current sample on remote machines.

8. MutexHelper – It checks for the presence of below mutex to check whether the sample has already been executed on the system –

“Global\\3747bdbf-0ef0-42d8-9234-70d68801f407”

9. ProcessCritical – Checks whether the process is running with admin privileges.

10. RIP – Implementation of RIPlace tactic which is discussed later.

11. Shortcut – Creates shortcut at Startup folder with the target filename as the ransom note kept at the %Temp% folder.

12. WakeOnLan – Implements Wake-on-LAN by taking IP addresses of all the machines connected to the current machine.

The inclusion of such different modules varies in different samples.

Utmost precaution is taken and so it tries to hide the following processes-

 Taskmgr

taskmgr

ProcessHacker

procexp

The self-copy is also dropped at StartupFolder — it also tries to stop various services related to different AVs, running on the system by net.exe, using the commands shown in fig.6-

Fig.6 Tries to stop different services
Fig.6 Tries to stop different services

It further deletes the shadow copy using vssadmin.exe, deletes all the backup files present on different drives, including the recycle bin using

cmd.exe /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin

Encryption

The files are encrypted and the filename is appended with the extension ‘.locked’. The encryption is performed only for the files with the extensions given below-

bco, one, dat, txt, vib, vbm, vbk, jpeg, gif, lst, tbl, cdx, log, fpt, jpg, png, php, cs, cpp, rar, zip, html, htm, xlsx, xls, avi, mp4, ppt, doc, docx, sxi, sxw, odt, hwp, tar, bz2, mkv, eml, msg, ost, pst, edb, sql, accdb, mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem, p12, csr, gpg, aes, vsd, odg, raw, nef, svg, psd, vmx, vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class, mpeg, djvu, tiff, backup, pdf, cert, docm, xlsm, dwg, bak, qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff, flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim, mrimg, qbb, rtf, 7z

Fig.7 Encrypted files
Fig.7 Encrypted files

The files are encrypted with AES-CBC and the key used in encryption is then encrypted with RSA and is appended in the Ransom note (as shown in Fig.8). The complete file is encrypted if the file size is less than 10MB, otherwise, only file data up to the size of 10MB is encrypted.

Fig.8 Ransom Note
Fig.8 Ransom Note

But the most important and a novel technique used by Thanos to evade anti-ransomware solutions is the RIPlace tactic that assets Microsoft Windows file Rename functionality! It helps the ransomware to hide from modern anti-ransomware solutions.

In this technique, a malware can call DefineDosDevice, a genuine function that creates a symlink and can give an arbitrary name (for example, ‘Resolve’ in this case) to the target/destination file path. When we make a call to rename function, the filter driver fails to parse the destination path in the callback function when using the common routine FltGetDestinationFileNameInformation. So, instead of returning the new path, it returns an error, however, the Rename call gets succeeded.

Fig.9 RIPlace Tactic
Fig.9 RIPlace Tactic

Along with this, taking it further, Thanos may attempt to overwrite the MBR, trying to display the below message-

Conclusion

There have been several techniques used by ransomware families to evade the AV products earlier, increasing the complexity, the speed of their operations, termination of the analysis tools, but this time it has become more advanced, challenging for anti-ransomware technologies. The use of almost all the possible anti-analysis techniques and then hiding the new extensions of the encrypted files from the anti-ransomware solutions makes the task much more difficult.

IOCs:

7BDD4B25E222B74E8F0DB54FCFC3C9EB

AF0E33CF527B9C678A49D22801A4F5DC

A15352BADB11DD0E072B265984878A1C

BE60E389A0108B2871DFF12DFBB542AC

 98880A1C245FBA3BAE21AC830ED9254E

 E01E11DCA5E8B08FC8231B1CB6E2048C

 

 Previous PostSeqrite Endpoint Security 7.6 supports macOS Big Sur 11
Next Post  IT-OT confluence creates cybersecurity gaps for enterprises
Priyanka Shinde

About Priyanka Shinde

Priyanka Shinde is working as Senior Security Researcher in Quick Heal Security Labs. She has experience in cyber-security domain and expertise in reversing various...

Articles by Priyanka Shinde »

Related Posts

  • Uncovering LockBit Black’s Attack Chain and Anti-forensic activity

    February 1, 2023
  • Calling from the Underground: An alternative way to penetrate corporate networks

    January 11, 2023
  • Threat Advisory: CVE-2022-30190 ‘Follina’ – Severe Zero-day Vulnerability discovered in MSDT

    June 3, 2022

No Comments

Leave a Reply.Your email address will not be published.
Cancel reply

CAPTCHA Image
Refresh Image

Popular Posts
  • 5 Security measures you should take to protect your organization’s network 5 Security measures you should take to protect your organization’s network August 11, 2017
  • Benefits of having Intrusion Prevention/Detection System in your enterprise Benefits of having Intrusion Prevention/Detection System in your enterprise February 15, 2018
  • Uncovering LockBit Black’s Attack Chain and Anti-forensic activity Uncovering LockBit Black’s Attack Chain and Anti-forensic activity February 1, 2023
Featured Authors
  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director and Chief Technology Officer of...

    Read more..
  • Jayesh Kulkarni
    Jayesh Kulkarni

    Jayesh is working as a Security Researcher for a couple of years. He likes to...

    Read more..
Stay Updated!
Topics
apt (11) Cyber-attack (32) cyber-attacks (56) cyberattack (11) cyberattacks (12) Cybersecurity (301) cyber security (26) Cyber threat (29) cyber threats (44) Data (11) data breach (50) data breaches (27) data loss (28) data loss prevention (33) data protection (21) data security (13) DLP (49) Encryption (16) endpoint security (103) Enterprise security (15) EPS (10) Exploit (12) firewall (11) hackers (11) IoT (10) malware (64) malware attack (23) malware attacks (12) MDM (25) Microsoft (14) Network security (18) Patch Management (12) phishing (18) Ransomware (60) ransomware attack (29) ransomware attacks (30) ransomware protection (12) security (10) Seqrite (26) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (15) windows (11)
Products
  • Seqrite MSSP Portal
  • HawkkScan
  • HawkkProtect
  • HawkkHunt XDR
  • HawkkEye
  • HawkkEye Endpoint Security Cloud
  • HawkkEye mSuite
  • HawkkEye Workspace
  • Endpoint Security (EPS)
  • Unified Threat Management
  • Antivirus for Server
  • Antivirus for Linux
Resources
  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies
About Us
  • Company Overview
  • Leadership
  • Why choose SEQRITE?
  • Awards & Certifications
  • Newsroom
Archives
  • By Date
  • By Category

© 2022 Quick Heal Technologies Ltd. Cookie Policies Privacy Policies

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website.
By browsing this website, you agree to our cookie policy.