The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups such as Akira, AvosLocker, BlackByte, and RobbinHood.
The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis.
Kasseika, first discovered by the cybersecurity company in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown.
There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked since its demise in November 2021.
Attack chains involving Kasseika begin with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to obtain privileged access and move laterally within the target network.
The threat actors have been observed using Microsoft's Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named "Martini.exe" and, if found, terminates it to ensure there is only one instance of the process running on the machine.
The executable's main responsibility is to download and run the "Martini.sys" driver from a remote server in order to disable 991 security tools. It is worth noting that "Martini.sys" is a legitimate signed driver named "viragt64.sys" that has been added to Microsoft's vulnerable driver blocklist.
"If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," the researchers said, indicating the key role played by the driver in defense evasion.
Following this step, "Martini.exe" launches the ransomware payload ("smartscreen_guarded.exe"), which takes care of the encryption process using the ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.
A ransom note is then dropped in every directory that it has encrypted, and the computer's wallpaper is modified to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses.
On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.
The Kasseika ransomware also has other tricks up its sleeve, including wiping traces of its activity by clearing the system's event logs using the wevtutil.exe binary.
"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers said. "This technique is used to operate discreetly, making it more challenging for security tools to detect and respond to malicious activities."
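The chain described above (PsExec launching a batch script, the blocklisted driver being loaded under the name Martini.sys, and wevtutil.exe clearing the Application, Security, and System logs) leaves telemetry that a defender can hunt for. The following is an added illustration written for this article, not Trend Micro's tooling or any detection the researchers published: it runs three simple rules over process-creation and driver-load events in a simplified Sysmon-like dictionary format, and the sample events, host names, file paths, and the PsExec parent-process heuristic are constructed assumptions for the example.

```python
"""Hunt for the Kasseika-style behaviours described in the article over
process-creation and driver-load telemetry.  Added example: the event
format is a simplified Sysmon-like dict and every sample event below is
constructed, not real telemetry from an incident."""
import shlex
from typing import Iterable

# Driver names the article ties to the BYOVD step: viragt64.sys is the
# legitimate signed name, Martini.sys the name the actor dropped it under.
SUSPECT_DRIVERS = {"viragt64.sys", "martini.sys"}

# Event logs the article says are wiped with wevtutil.
WIPED_LOGS = {"application", "security", "system"}

# Assumption: batch scripts pushed with PsExec show the PsExec binary (local)
# or its service (remote target) as the parent of cmd.exe.
PSEXEC_PARENTS = {"psexec.exe", "psexesvc.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _argv(command_line: str) -> list[str]:
    """Split a Windows command line, keeping backslashes; quotes are stripped."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        parts = command_line.split()
    return [p.strip('"').lower() for p in parts]


def check_process_event(ev: dict) -> list[str]:
    """Findings for one process-creation event (empty list when benign)."""
    findings: list[str] = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    args = _argv(ev.get("CommandLine", ""))

    # Rule 1: wevtutil cl <log> (long form clear-log) against a wiped log.
    if image == "wevtutil.exe" and len(args) >= 3 and args[1] in ("cl", "clear-log"):
        if args[2] in WIPED_LOGS:
            findings.append(f"event log cleared: {args[2]}")

    # Rule 2: cmd.exe spawned by PsExec to run a .bat/.cmd script.
    if parent in PSEXEC_PARENTS and image == "cmd.exe":
        if any(a.endswith((".bat", ".cmd")) for a in args):
            findings.append("psexec-launched batch script")
    return findings


def check_driver_event(ev: dict) -> list[str]:
    """Rule 3: a driver from the suspect list was loaded."""
    name = _basename(ev.get("ImageLoaded", ""))
    return [f"blocklisted driver loaded: {name}"] if name in SUSPECT_DRIVERS else []


def triage(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map host name -> findings.  A host that shows both a suspect driver
    load and event-log clearing gets an extra 'byovd-chain' finding, since
    the article describes those two steps as part of one intrusion."""
    per_host: dict[str, list[str]] = {}
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            found = check_process_event(ev)
        elif kind == "DriverLoad":
            found = check_driver_event(ev)
        else:
            found = []
        if found:
            per_host.setdefault(ev.get("Computer", "?"), []).extend(found)
    for findings in per_host.values():
        if any(f.startswith("blocklisted driver") for f in findings) and \
           any(f.startswith("event log cleared") for f in findings):
            findings.append("byovd-chain: suspect driver load and log wiping on the same host")
    return per_host


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a benign
# wevtutil query that must not fire.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventType": "ProcessCreate", "ParentImage": r"C:\Tools\PsExec.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"Computer": "WS01", "EventType": "DriverLoad", "ImageLoaded": r"C:\Users\Public\Martini.sys"},
    {"Computer": "WS01", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "WS02", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe qe Application /c:5"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(findings))
```

The three rules deliberately key on the parts of the chain that are hard for the actor to avoid: the driver must be loaded to disable the 991 tools, and the logs must be cleared after the fact, so a wiped Security log itself is a signal worth alerting on rather than silence. In a real deployment the suspect-driver set would be replaced by the full Microsoft vulnerable driver blocklist and the events would come from an EDR or Sysmon pipeline rather than the constructed list here.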
The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group's shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.
BianLian has been an active and prevalent threat group since September 2022, predominantly singling out the healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.
Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.
What's more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.
"This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data," security researcher Daniel Frank said in a new overview of BianLian.
"This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups may have shared a tool set or used the services of the same developers in the past."
Some parts of this article are sourced from:
thehackernews.com