Analyzing the Fileless SOREBRECT Ransomware

by Buddy Tancio (Threats Analyst) Fileless threats and ransomware aren’t new, but a malware that incorporates a combination of their characteristics can be dangerous. Take for instance the fileless, code-injecting ransomware we’ve uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B. We first encountered SOREBRECT during our monitoring in the beginning of second quarter this year, affecting the systems and networks of organizations in the Middle East. Extracting and analyzing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victim’s data. Its abuse of the PsExec utility is also notable; SOREBRECT’s operators apparently use it to leverage the ransomware’s code injection capability. SOREBRECT’s stealth can pose challenges While file encryption is SOREBRECT’s endgame, stealth is its mainstay. The ransomware’s self-destruct routine makes SOREBRECT a fileless threat. The ransomware does this by injecting code to a legitimate system process (which executes the encryption routine) before terminating its main binary. SOREBRECT also takes pains to delete the affected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps (i.e. appcompat/shimcache and prefetch). These deletions also deter analysis and prevent SOREBRECT’s activities from being traced. When we first saw SOREBRECT in the wild, we observed a low distribution base that was initially concentrated on Middle Eastern countries like Kuwait and Lebanon. By the start of May, however, our sensors detected SOREBRECT in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Affected industries include manufacturing, technology, and telecommunications. Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service.

Figure 1: SOREBRECT’s attack chain

SOREBRECT’s code injection makes it a fileless threat SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. The misuse of PsExec to install SOREBRECT indicates that administrator credentials have already been compromised, or remote machines were exposed or brute-forced. SOREBRECT isn’t the first family to misuse PsExec—SAMSAM, Petya, and its derivative, PetrWrap (RANSOM_SAMSAM and RANSOM_PETYA, respectively), for instance, use PsExec to install the ransomware on compromised servers or endpoints. SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging. Why PsExec? While attackers can both use Remote Desktop Protocol (RDP) and PsExec to install SOREBRECT in the affected machine, its code injection capability makes the attack more effective. Compared to using RDP, utilizing PsExec is simpler and can take advantage of SOREBRECT’s fileless and code injection capabilities. PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs. In SOREBRECT’s case, it makes more sense for the attackers to use PsExec since once the main binary is executed, the svchost.exe process injected with malicious code can still carry out the payload. To cover its tracks, SOREBRECT also utilizes wevtutil.exe to delete the system’s event logs, and vssadmin to delete shadow copies. The svchost.exe process that was injected with malicious code executes the payload—encrypting the files of the local machine and network shares. SOREBRECT uses the Tor network protocol to anonymize its connection to its command-and-control (C&C) server.

Figure 2: SOREBRECT appends encrypted files with a .pr0tect extension Figure 3: One of SOREBRECT’s ransom notes

SOREBRECT can also encrypt network shares SOREBRECT can also scramble the files of other computers connected to the infected machine through the local network. It does so by scanning the network for asset discovery and enumerating open shares—folders, content or peripherals (i.e. printers) that others can readily access through the network. Once a live host is identified, it initiates a connection after discovering the shares. Authentication would succeed if it’s an open share. If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted.

Figure 4: SOREBRECT’s network scanning activity to enumerate machines with open shares Figure 5: SOREBRECT initiating a connection on the share on a live host

Adopt best practices for securing systems and networks Given the potential damage SOREBRECT can cause to an enterprise’s servers and endpoints, IT/system administrators and information security professionals who secure them can adopt these best practices for defending against ransomware:

Restrict user write permissions. A significant factor that exposes network shares to ransomware is the tendency to give users full permissions. Limiting them will prevent ransomware from carrying out its file-encrypting routines across the network. Reviewing the permissions for each user in the Domain is a good starting point. This entails assessing each user account/group within the Active Directory and only providing the necessary privilege levels. Configuring the security of shared files and folders on a network is also recommended (don’t set up folders that anyone can easily access, for instance).
Limit privilege for PsExec. PsExec is commonly used in enterprise networks, providing system administrators flexibility with how they interact with remote machines. As pointed out by its creator, however, in cybercriminals’ hands it can provide a way to interface and laterally move within remote systems using compromised credentials. This would ultimately enable them to install and propagate threats such as ransomware. Limiting and securing the use of tools and services such as PsExec and providing permission to run them only to administrator accounts that really need it help mitigate threats that misuse PsExec.
Back up files. Cybercriminals use the potential loss of important and personal data as a fear-mongering tactic to coerce victims into paying the ransom. Organizations and end users can back up files to remove their leverage: keep at least three copies, with two stored in different devices, and another to an offsite or safe location.
Keep the system and network updated. Ensuring that the operating system, software, and other applications are current with the latest patches deters threats from using security gaps as their doorways into the systems or networks. This has been exemplified by malware such as WannaCry, UIWIX, and Adylkuzz that exploited a vulnerability. Employing virtual patching in the absence of patches can also be considered.
Foster a cybersecurity-aware workforce. User education and awareness helps improve everyone’s security posture. Like other malware, ransomware’s points of entry is typically through email and malicious downloads or domains. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices.
Deploy multilayered security mechanisms. As ransomware matures in the threat landscape, we can only expect it to diversify in terms of attack methods and targets. There is no silver bullet for ransomware, which is why enterprises need a defense-in-depth approach to security where proactive security mechanisms are arrayed. Data categorization and network segmentation help mitigate damage in case of exposure. While advanced sandboxing provides a way to quarantine and analyze unknown or dubious files, application control and behavior monitoring prevent suspicious files from executing and block unwanted modifications to the system.

Trend Micro Ransomware Solutions Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro™ Deep Discovery™ Inspector detects ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers–regardless if they’re physical, virtual, or in the cloud. For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

PROTECTION FOR ENTERPRISES

Email and Gateway Protection
Trend Micro^TM Cloud App Security, Trend Micro^TM Deep Discovery^TM Email Inspector and InterScan^TM Web Security addresses ransomware in common delivery methods such as email and web.
Spear-phishing protection

Malware sandboxing

IP/Web reputation checking

Document exploit detection

Endpoint Protection
Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.
High-fidelity machine learning

Ransomware behavior monitoring

Application control

Vulnerability shielding

Web security provision

Network Protection
Trend Micro^TM Deep Discovery^TM Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
Network traffic scanning

Malware sandboxing

Lateral movement prevention

Server Protection
Trend Micro^TM Deep Security^TM detects and stops suspicious network activity and shields servers and applications from exploits.
Web server protection

Vulnerability shielding

Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

Protection for Small-Medium Businesses
Trend Micro Worry-Free^TM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
Ransomware behavior monitoring

IP/Web Reputation

Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
IP/Web Reputation

Ransomware Protection

Related Hashes: Detected as RANSOM_SOREBRECT.A (SHA256):

4854A0CA663588178B56754CD50626B2E8A121F66A463E1C030836E9BD5B95F8
AC4184EEC32795E1CBF2EFC5F4E30D0CBE0B7F982BC2060C180BE432994DCEFF
05CEFE71615F77D9A386BF6F48AD17ACA2BAE433C95A6F2443184462832A3E90

Detected as RANSOM_SOREBRECT.A (SHA-1):

36fa4c4a7bd25f086394b06fe50e41410f78dbb3
9f327c5168b07cec34e1b89aba5f45b78f20e753

Detected as RANSOM_SOREBRECT.B (SHA256):

4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76

With additional analysis/insights from Jay Yaneza Updated on June 17, 2017, 06:54 PM (UTC-7): We updated the appropriate name of the process that was injected.

Analyzing the Fileless SOREBRECT Ransomware

PROTECTION FOR ENTERPRISES

Email and Gateway Protection

Endpoint Protection

Network Protection

Server Protection

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

Protection for Small-Medium Businesses

Protection for Home Users

Authors

Trend Vision One™ - Proactive Security Starts Here.

Resources

Support

About Trend

Country Headquarters