Research Saturday 2.26.22
Ep 221 | 2.26.22

Noberus ransomware: Coded in Rust and tailored to victim.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dick O'Brien: So, you know, we do – like a lot of other vendors, we do find lots of new ransomware families, but this one in particular stood out to us for a number of reasons. We thought it seemed to be relatively sophisticated, and so we thought it was something to watch and something we should maybe publish about.

Dave Bittner: That's Dick O'Brien. He's a Principal Editor with Symantec's Threat Intelligence Research Team. The research we're discussing today is titled "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware."

Dave Bittner: Well, the information that you published here is in two parts, and you start off here going through the anatomy of a specific attack. It's quite an interesting narrative here. Can we walk through it together? What exactly happened to the organization that found themselves the target of this group?

Dick O'Brien: Yeah, it's an interesting attack in terms of, I mean, it demonstrates that whoever was behind this – now, we don't know whether it was the ransomware authors themselves or an affiliate – really knew their way around a network and knew how to deploy this ransomware. And also, they were, I guess, quite confident in themselves, because in this case, the organization seemed to have discovered the attack and made efforts to kick them off the network. And they came back with another strain of the ransomware and managed to succeed. And usually when an attacker's discovered, that's it – the attackers disappear and they try something else.

Dick O'Brien: So, how they got onto the network is a little bit unclear. We saw the first signs of suspicious activity seem to date from November 3rd, and it seemed to kind of come from a remote machine on the network. So it could be the case that it was a machine that we didn't ourselves have visibility on, because maybe our software wasn't running on it, or else one that the attackers may have compromised, or they may have added a new machine to the domain and then used that to start the attack.

Dave Bittner: And so once they were in the network, how did they go about spreading around and also maintaining persistence?

Dick O'Brien: They use a lot of the tools and techniques that we'd see targeted ransomware attackers use. There's a number of steps that they all need to take. They would escalate privileges in order to gain admin privileges, steal credentials, and then move laterally across the network. One of the steps that we saw them take was they managed to disable a remote admin feature, and that effectively took away the safeguards against pass-the-hash attacks. They also used PowerShell via PsExec to disable Windows Defender. They didn't disable it as such, they just modified it in a way that it was disabled, so they added executable files to the exclusion list. And then they used PsExec again to deploy the ransomware across the network.

Dave Bittner: At what point did the targeted organization detect that something was going on?

Dick O'Brien: I believe it was during the ransomware deployment stage. And the reason I say this is because they had to recompile a new version of the ransomware. So it was obviously once they started rolling out the ransomware itself that they noticed that the attack was underway. You know, the ransomware itself kind of does a fair bit of work, so there may have been a kind of window for the organization to notice the attack and close it down before the ransomware could finish doing its work.

Dave Bittner: Is there any sense for how long they were in the network before they actually started encrypting files?

Dick O'Brien: Yeah, I mean, it's – obviously, the first time we're sure of malicious activity was November 3rd, and the actual encryption, I believe, occurred on November 18th. So nearly two weeks, which is, you know, a long time to be on a network. And you know, we might get to it later, but they made the most of that time on the network, because they seem to have done pretty extensive reconnaissance and they knew an awful lot about the organization they were attacking.

Dave Bittner: Well, let's dig into that. How were they going about that reconnaissance and what sort of information were they gathering?

Dick O'Brien: Obviously, I mean, you know, we don't have visibility into every single thing that they did. But when we analyzed the ransomware sample that was used against the victim, it had a number of interesting features. And that was that not only were administrative credentials for that organization baked into the sample, but they'd also had an application kill list. Now, an application kill list is not unusual. This is a list of applications that they want to shut down before encryption launches. But it seemed to be unique to that organization. So they had gone about it and gathered what applications were running in that environment, and they added them to the kill list. So the ransomware, it was kind of highly tailored to the victim.

Dave Bittner: Well, let's dig into some of the technical details of this particular ransomware operator. One of the things that you all noted was that they were doing their development in Rust.

Dick O'Brien: Yeah, yeah. I mean, that's one of the things that caught our attention. I gather Rust is a really hot programming language right now. It's quite popular. I think one of the reasons it's quite popular is that people believe that it can be used to create kind of quite clean, efficient applications. And I guess there is an obvious appeal to ransomware operators, with that, because speed is of the essence in ransomware attacks. As I mentioned earlier, the average piece of ransomware has a lot of work to do. You know, it has to try and delete the backups, it might have to exfiltrate data, and then it has to encrypt a whole bunch of files on each computer. So it's quite labor intensive, and I guess the quicker it can accomplish those tasks, the better. And maybe the ransomware developer – I guess, like any other software developers – said, well, let's see what Rust has to offer and whether it gives us any advantages.

Dave Bittner: Yeah, I guess not surprising that they would be using the latest, greatest hot tools.

Dick O'Brien: Yeah, I mean, you know, ransomware is very much a marketplace like anything else, and you see people try to experiment with new techniques and new technologies.

Dave Bittner: Well, let's walk through the technical details together. The information that you all published has an extensive step-by-step description here. Can you take us through what exactly happens here?

Dick O'Brien: Yeah. I mean, it does a lot of things before it starts encrypting. As I mentioned earlier, it removes shadow copies, and then it issues the command to collect a universal identifier from the infected machine. And that's something we can maybe talk a little bit more about later, because I think it's one of the more interesting features of this ransomware. It then attempts to mount hidden partitions, and then it also attempts to propagate itself via network shares. And it looks for available shares by using the "net use" command. Then it'll take the aforementioned administrative credentials that are baked into the ransomware and maybe leverage them to propagate via network shares.

Dick O'Brien: The next step it takes is to kill processes on the machine. There's a kind of a generic list of processes that it will try and kill, but it will also, as I mentioned earlier, kill a custom list that are specific to that organization. Then it begins encryption. Like most ransomware, it doesn't try and encrypt everything on the hard drive. It excludes certain directories and file names. And that's really just to kind of speed up the encryption process to make sure that they're just encrypting valuable data as opposed to, you know, stuff that the user doesn't really care about.

Dave Bittner: You mentioned it was interesting the way it was working with UIDs. What caught your eye there?

Dick O'Brien: Yes, this was quite an interesting feature because it has a unique ID for each infection. This creates an access token that creates a unique address for the victim to visit in order to negotiate with the attackers or pay the ransom. And this is something I haven't seen before, anyway. I'm not saying for sure that nobody else has done it, but it's certainly something unique that we've seen. It means that only somebody with access to the infected computer can get the address to visit to negotiate with the attackers.

Dick O'Brien: And we think that this has been caused by the fact that there's been some level of frustration expressed by ransomware attackers in recent times that outsiders – neither the victim nor their representative – are kind of crashing these ransomware negotiations and disrupting them. And it could be reporters, indeed, looking at ransomware negotiations and reporting on them. What usually happens is that somebody might upload a sample of the ransomware to VirusTotal or something like that, and the Tor site that's used for negotiation is in that sample, and then it becomes public information, and anybody who has the address can visit it. So this kind of creates an address that is unique to the victim and is only accessible to the victim as well. But yeah, it's a little bit of an innovation, and it also suggests that the people who developed this ransomware knew what they were doing and are maybe kind of experienced operators in the space, knew that this was a problem to be addressed and this was their way of dealing with it.

Dave Bittner: Do you have any indications of who might be behind this?

Dick O'Brien: No. You know, not in terms of, like, identities. We have been informed by third parties that it has been advertised on Russian-speaking cybercrime forums, so there's, you know, there's some suggestion there that the authors are Russian speaking, but you know, that's not hard and fast evidence or anything like that. But the fact is, you know, it's being advertised in the cybercrime community, and the fact that there's a fair bit of sophistication behind it, I'd say, you know, it isn't these people's first rodeo, so to speak.

Dave Bittner: Yeah, I think that's an interesting aspect of this. I mean, it sounds to me like this particular group is on the higher level of sophistication in your estimation.

Dick O'Brien: Definitely. So I think it's one to watch. Now, whether they gain traction or not is another question. You know, there's a number of factors I believe that would kind of decrease the success of ransomware. But you know, if you're looking at up-and-coming ransomware families, this one I would definitely be watching in the coming months.

Dave Bittner: Are there any specific recommendations here, based on the information you gathered, for organizations to best protect themselves against this group?

Dick O'Brien: I think the advice in regard to Noberus would be kind of the same with regard to all of the other high-level ransomware threats. And that is that you need to adopt defense-in-depth because, you know, you can't rely on any single strategy because these guys are, you know, it's human-operated ransomware. They, you know, if they find themselves stymied at one point, they will usually attempt a different tactic. So you really need to kind of consider your protection across the entire chain.

Dick O'Brien: In terms of vectors – how they get onto networks – I would say that a lot of the more frequently seen threats we've seen are being spread in collaboration with botnets. Trickbot, Emotet is back again, it's also being involved in ransomware. IcedID. It's like that, you know, they have kind of the reach to get into organizations. You know, they're able to – they have a high level of spamming infrastructure behind them. And what they seem to do is that they now have a close relationship with ransomware organizations and they sell off the choicest victims to ransomware attackers, who then kind of proceed to unfurl the attack further. So that's one major infection vector.

Dick O'Brien: The other one we've seen a lot of is exploitation of vulnerabilities in public-facing applications. It's not done by all ransomware groups, but a select few seem to specialize in it. That's your, I guess, your point of entry. Then, once they're on the network, I think I would advise any organization to kind of familiarize themselves with the techniques that ransomware groups use to steal credentials, to move across the network, and escalate privileges. So you will see the use of some malicious tools. But there's an awful lot of living-off-the-land type activity or abuse of legitimate tools. We've seen an awful lot of remote access or remote desktop tools being deployed in ransomware attacks, for example.

Dick O'Brien: So, with that in mind, keep a close eye on what applications are running on your network. And if there's applications that you do not expect to see running on your network or are not authorized to run on your network, like remote access programs, you need to kick them off immediately. I would advise close monitoring of any PowerShell usage. Also implement multi-factor authentication for admin privileges and things like that. You know, and then you kind of get on to your security software stage, and I'm not even going to give you – I'm not going to give the hard sell on our products, but obviously, you know, a good AV solution and a good EDR solution are critical in terms of being able to identify and remediate ransomware attacks.

Dave Bittner: Our thanks to Dick O'Brien from Symantec for joining us. The research is titled, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.