Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware that primarily affected users in the United States, with very few infections in the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras, and Thailand.
Talos named the actor Tortilla after the payload file names used in the campaign. Tortilla is a new actor that has been active since July 2021 and had previously experimented with other payloads, such as Powercat, a PowerShell-based netcat clone that attackers use to gain unauthorised remote access to Windows machines.
Talos assesses that the initial infection vector is the exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of the China Chopper web shell.
The infection chain has four stages:
- Stage 1 – Downloaders
  - The Stage 1 downloaders associated with this campaign are signed with the same digital signature, whose validity Talos could not verify. The thumbprint of the signing certificate is 21D354A27519DD62B328416BAB01767DA94786CB. The actor used the same certificate to sign samples from earlier campaigns dating back to July 2021.
- Stage 2 – Main Module Loader
  - The second stage, the main ransomware loader, carries the final payload. It is a 32-bit .NET executable posing as a legitimate stock management system (SMS) application (not the SMS messaging protocol), and it is obfuscated with ConfuserEx, a free and open-source .NET application protector. A process launched by the Exchange IIS worker process downloads this stage.
- Stage 3 – Intermediate Unpacker
  - The intermediate unpacker is a DLL whose binary is stored as encoded text on Pastebin. The library contains classes that check for sandboxes and virtual machine environments by enumerating their services, to determine whether it is running in a virtualized environment.
- Stage 4 – Babuk Ransomware Payload
  - The payload launches a command shell in the background and runs vssadmin.exe to delete the volume shadow copies on the victim's machine.
Talos reported: “The Babuk ransomware module, which runs within the process AddInProcess32, enumerates the processes running on the victim’s server and attempts to disable a number of backup-related processes, such as the Veeam backup service. It also deletes volume shadow service (VSS) snapshots from the server with the vssadmin utility, ensuring that encrypted files cannot be restored from VSS copies. The ransomware module encrypts the victim’s files and appends the file extension .babyk to the encrypted files.”
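As an added example (not code from the Talos report or from this article), the following Python turns the behaviours described above into detection logic run over constructed Sysmon-style process-creation records: a shell spawned by the Exchange IIS worker process w3wp.exe (the web shell stage that downloads the loader), vssadmin deleting shadow copies, and a backup service such as Veeam being stopped. The pipe-delimited record format, the sample lines, and the use of net/sc to stop the service are assumptions made for illustration; the block also matches the wmic shadowcopy delete form, which the article does not mention but which has the same effect.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample records in a simplified Sysmon Event ID 1 (process creation)
# shape: ParentImage|Image|CommandLine. These lines were written for this example;
# they are not telemetry from the Tortilla campaign.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop VeeamBackupSvc /y",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
]

Event = Dict[str, str]


def parse_event(line: str) -> Event:
    """Split one pipe-delimited record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash-separated part)."""
    return path.rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVICE_TOOLS = {"net.exe", "net1.exe", "sc.exe"}
BACKUP_SERVICE_HINTS = ("veeam",)  # the article names Veeam; extend for other products


def iis_worker_spawns_shell(e: Event) -> bool:
    # Web shell stage: a shell launched directly by the Exchange IIS worker process.
    return image_name(e["parent"]) == "w3wp.exe" and image_name(e["image"]) in SHELLS


def shadow_copy_deletion(e: Event) -> bool:
    # Stage 4: vssadmin deleting shadow copies. The wmic form is an assumed equivalent
    # that the article does not mention; "vssadmin list shadows" must not match.
    name = image_name(e["image"])
    cmd = e["cmdline"]
    if name == "vssadmin.exe":
        return re.search(r"\bdelete\s+shadows\b", cmd, re.I) is not None
    if name == "wmic.exe":
        return re.search(r"\bshadowcopy\s+delete\b", cmd, re.I) is not None
    return False


def backup_service_stopped(e: Event) -> bool:
    # Stage 4: a backup-related service stopped via net/sc. This is one observable way of
    # "disabling backup-related processes"; the article does not say which method Babuk uses.
    cmd = e["cmdline"].lower()
    return (image_name(e["image"]) in SERVICE_TOOLS
            and re.search(r"\bstop\b", cmd) is not None
            and any(hint in cmd for hint in BACKUP_SERVICE_HINTS))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("iis_worker_spawns_shell", iis_worker_spawns_shell),
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("backup_service_stopped", backup_service_stopped),
]


def detect(lines) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every record that trips a rule."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        e = parse_event(line)
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e["cmdline"]))
    return hits


def chain_observed(hits) -> bool:
    """True when both the web-shell stage and shadow-copy deletion were seen on one host."""
    seen = {name for name, _ in hits}
    return "iis_worker_spawns_shell" in seen and "shadow_copy_deletion" in seen


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name}: {cmd}")
    print("full chain observed:", chain_observed(detect(SAMPLE_EVENTS)))
```

Each rule on its own produces noise (administrators run vssadmin and stop services); the chain_observed check is the part worth alerting on, because a shell under w3wp.exe followed by shadow-copy deletion on the same Exchange host has little benign explanation.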
Talos concluded that, as with ransomware generally, sound backup practices and the deployment of centralised logging and XDR tooling to the most critical resources in organisational networks are the cornerstones of defence. Defenders are also urged to apply the latest security patches to all externally facing servers and to critical assets in the internal network.
Indicators Of Compromise:
URLs from related campaigns