Introduction:

In this writeup, we examine the technical details behind a recent incident that revealed a potential relationship between Trickbot actors and a group deploying 777 Ransomware. This includes the possible implication that Trickbot actors have shifted focus toward compromising vendors, rather than relying on the well-documented tactic of using malspam such as Emotet for distribution. We also explore the 777 Ransomware actors' primarily fileless approach to payload execution. This analysis is relevant to a 777 Ransomware that appends the victim’s phone number to affected files. Additionally, a targeted ransom note appears on the victim’s desktop and contains excerpts from previously documented instances of Defray/777/Target777 Ransomware.

Trickbot Privilege Escalation Phase:

Trickbot actors’ techniques for persistence and privilege escalation have remained relatively constant for some time. The difference here is that Pondurance traced Trickbot access to a vendor-managed system with vendor-dedicated credentials. From there, the Trickbot actors continued with their usual techniques of leveraging Remote Desktop Protocol (RDP) and their traditional Trickbot payload, and ultimately concluded by running PowerShell Empire with default configurations on Domain Controllers. All observed Trickbot artifacts were located on servers, with zero workstations showing evidence of compromise. Since the Trickbot group's tactics for distributing Ryuk ransomware are well documented, we will move ahead to analyzing the fileless approach of 777.

777 Ransomware Actors:

Pondurance observed 777 actors initiating their access by pivoting through servers with established Trickbot backdoors, leveraging the same accounts as the Trickbot actors. The 777 actors then implement persistence through two different techniques: WMI permanent consumer event subscriptions and Registry ImagePath keys that launch an executable from a network share. The WMI permanent consumer event subscription launches a base64-encoded PowerShell script. The executables located on network shares invoke a .dat file that is hosted in the same directory. Both paths of persistence result in back-to-back executions of shellcode.

Figure 1 – tool.exe installed as service through a remote share

Shellcode #1 Analysis:

The initial PowerShell script base64-decodes to an additional layer of obfuscation that leverages GZIP and base64. The resulting script contains an additional base64-encoded string followed by an XOR operation using decimal 35 and references to func_get_proc_address, kernel32.dll, and VirtualAlloc. As a result, Pondurance prepared to analyze the string as shellcode.

Figure 2 – Deobfuscated PowerShell command reveals an XOR with 35 and calls to APIs leveraged for code execution

This first shellcode was determined to be consistent with launching Command and Control (C2) leveraging a Cobalt Strike malleable C2 profile with default Amazon values. The C2 connects to fearlesslyhuman[.]org through HTTP POSTs with default values and also initiates a GET request to the same domain. For the GET request, a buffer for InternetReadFile() is set to 600,000 bytes and is passed into the VirtualAlloc() call. Pondurance observed 213kb of additional shellcode pulled down in this request. Similarly, the remote share chain results in the same requests; however, its initial shellcode used 0xfa for XOR operations.
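The layering described above (base64, then GZIP plus base64, then a base64 blob XORed with a single-byte key such as 35 or 0xfa) can be peeled statically so the resulting bytes are hashed and handed to a disassembler without ever being executed. This is an added example, not Pondurance's tooling; the function names are hypothetical, the UTF-16LE handling of the outer layer is an assumption, and the sample input is constructed and inert.

```python
import base64, gzip, hashlib, re

B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")          # long base64 runs only
XOR_KEY = re.compile(r"-bxor\s+(0x[0-9a-fA-F]+|\d+)", re.I)

def longest_b64(text):
    """Return the longest base64-looking run; the embedded blob dominates each layer."""
    runs = B64_RUN.findall(text)
    if not runs:
        raise ValueError("no base64 blob found in this layer")
    return max(runs, key=len)

def decode_text(raw):
    """Assumption: an -EncodedCommand style outer layer is UTF-16LE; else UTF-8."""
    return raw.decode("utf-16-le" if b"\x00" in raw[:8] else "utf-8", "replace")

def peel(encoded_script):
    """base64 -> (gzip + base64) -> base64 blob XORed with a single-byte key."""
    layer1 = decode_text(base64.b64decode(encoded_script))
    packed = base64.b64decode(longest_b64(layer1))
    layer2 = gzip.decompress(packed).decode("utf-8", "replace")
    match = XOR_KEY.search(layer2)
    if match is None:
        raise ValueError("no -bxor key found; inspect layer 2 by hand")
    key = int(match.group(1), 0)                       # accepts 35 and 0xfa alike
    blob = bytes(b ^ key for b in base64.b64decode(longest_b64(layer2)))
    return {"xor_key": key, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(), "bytes": blob}

def constructed_sample(payload=b"CONSTRUCTED-INERT-BYTES " * 3, key=35):
    """Inert test input with the same layering; constructed, not from the incident."""
    inner = base64.b64encode(bytes(b ^ key for b in payload)).decode()
    layer2 = f"$v = '{inner}'  # constructed\n# each byte: $v[$i] -bxor {key}\n"
    packed = base64.b64encode(gzip.compress(layer2.encode())).decode()
    layer1 = f"# constructed outer layer\n$z = '{packed}'\n"
    return base64.b64encode(layer1.encode("utf-16-le")).decode()

if __name__ == "__main__":
    result = peel(constructed_sample())
    print(result["xor_key"], result["size"], result["sha256"])
    print(result["bytes"][:32])
```

The recovered key and SHA-256 give responders a stable way to tell whether the WMI chain and the remote share chain carried the same blob.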

Shellcode #2 Analysis:

Pondurance observed the second piece of shellcode performing process injection through common techniques involving CreateToolhelp32Snapshot, Thread32First, Thread32Next, VirtualAllocEx, VirtualProtect, and CreateRemoteThread. Through memory analysis, Pondurance identified multiple instances of rundll32.exe as the target process.

Figure 3 – Listing of various API calls by the shellcode, including common APIs for process injection

The victim processes were injected with a variety of payloads, including Bloodhound, PupyRAT with a LaZagne plugin, a Shifu-related keylogging payload, and the Ransomware payload itself. Additional TLS-encrypted Command and Control was established to tedxns[.]com, teamchuan[.]com, and planlamaison[.]com, which contained configuration marked for a fileless approach and included the option to execute Mimikatz. Additionally, this payload targets passwords for a variety of applications including Cyberduck, KeePass, and CoreFTP.

Figure 4 – Command and Control from memory showing configurations

Indicators of Compromise:

https://fearlesslyhuman[.]org
https://tedxns[.]com
https://teamchuan[.]com
https://planlamaison[.]com