January 24, 2024
Severity
High
Analysis Summary
A newly discovered ransomware operation dubbed “Kasseika” has been observed using Bring Your Own Vulnerable Driver (BYOVD) attacks to disable antivirus software before encrypting files. The ransomware abuses the Martini driver, part of TG Soft’s VirIT Agent System, to shut down the security solutions protecting the targeted machine.
Security analysts first observed Kasseika in December 2023 and found that the strain shares many features with BlackMatter, including its attack chain and source code. BlackMatter’s source code was never leaked publicly after the group shut down in 2021, so it seems likely that Kasseika was developed either by former members of that group or by sophisticated ransomware actors who bought its code.
The attack chain begins with a phishing email targeted at employees of an organization in an attempt to steal their account credentials, which are later used for initial access to the corporate network. Once initial access is obtained, the ransomware operators use the Windows PsExec tool to execute malicious .bat files on the compromised system and on other systems reached through lateral movement. The batch file checks whether a “Martini.exe” process is running and terminates it so that it cannot interfere, then downloads the vulnerable “Martini.sys” driver onto the machine. This driver is essential to Kasseika: the ransomware will not proceed if the Martini service cannot be created or is not found on the system.
Using BYOVD tactics and exploiting vulnerabilities in the loaded driver gives the ransomware the privileges needed to terminate 991 processes from a hardcoded list, most of them antivirus products, security and analysis tools, and system utilities. Kasseika then executes Martini.exe to kill antivirus processes, launches the main ransomware binary (smartscreen_protected.exe), and finally runs a “clear.bat” script to remove traces of the attack.
Researchers report that Kasseika uses the ChaCha20 and RSA encryption algorithms and renames encrypted files with a pseudo-random string, just as BlackMatter does. The ransomware drops a ransom note in every directory telling the victim that their files have been encrypted, and it changes the desktop wallpaper to display a message about the attack.
Finally, once encryption is complete, Kasseika deletes the system event logs using commands such as “wevtutil.exe” to erase evidence of its activity and hinder analysis. In the attacks observed by the experts, victims were given 72 hours to pay a ransom of 50 Bitcoins ($2,000,000), with a warning that another $500,000 would be added for every 24 hours of delay. Victims are also required to post a screenshot of the payment as proof in a private Telegram group to receive the decryptor; the maximum deadline was set to 120 hours (5 days).
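The chain described above leaves a recognisable trail in Windows telemetry: a .bat launched under the PsExec service, a new kernel service pointing at Martini.sys, the driver load, the renamed ransomware binary, and wevtutil clearing logs just before the Security log reports event 1102. The hunting logic below is an added example and is not code from the Rewterz alert; the JSON line format, field names and the sample records are constructed for illustration. The event IDs it keys on are real Windows ones: Sysmon 1 (process create), Sysmon 6 (driver loaded), System 7045 (service installed), and Security 1102 / System 104 (log cleared).

```python
"""Hunt for the Kasseika chain in a simplified JSON-lines event export.
Added example, not code from the Rewterz alert. The event format, field
names and SAMPLE_EVENTS are constructed; the event IDs are real."""
import json
import re

# Constructed sample export (not real telemetry), shaped like the chain in
# the alert: PsExec runs a .bat, the Martini.sys service is installed and
# loaded, the ransomware binary runs, then the Security log is cleared.
SAMPLE_EVENTS = r"""
{"ts":"2024-01-20T10:01:00","log":"Sysmon","id":1,"image":"C:\\Windows\\PSEXESVC.exe","cmd":"PSEXESVC.exe","parent":"services.exe"}
{"ts":"2024-01-20T10:01:02","log":"Sysmon","id":1,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Users\\Public\\run.bat","parent":"PSEXESVC.exe"}
{"ts":"2024-01-20T10:01:05","log":"System","id":7045,"service":"Martini","path":"C:\\Users\\Public\\Martini.sys"}
{"ts":"2024-01-20T10:01:06","log":"Sysmon","id":6,"image":"C:\\Users\\Public\\Martini.sys"}
{"ts":"2024-01-20T10:02:00","log":"Sysmon","id":1,"image":"C:\\Users\\Public\\smartscreen_protected.exe","cmd":"smartscreen_protected.exe","parent":"cmd.exe"}
{"ts":"2024-01-20T10:30:00","log":"Sysmon","id":1,"image":"C:\\Windows\\System32\\wevtutil.exe","cmd":"wevtutil.exe cl Security","parent":"cmd.exe"}
{"ts":"2024-01-20T10:30:01","log":"Security","id":1102,"subject":"Administrator"}
{"ts":"2024-01-20T11:00:00","log":"Sysmon","id":1,"image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe","parent":"explorer.exe"}
"""


def classify(ev):
    """Return the (rule, detail) pairs a single event trips."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "").lower()
    parent = ev.get("parent", "").lower()
    if ev["log"] == "System" and ev["id"] == 7045:
        # New service whose binary is the vulnerable TG Soft driver.
        if "martini" in ev.get("service", "").lower() or ev.get("path", "").lower().endswith("martini.sys"):
            hits.append(("vulnerable_driver_service", ev.get("path", "")))
    elif ev["log"] == "Sysmon" and ev["id"] == 6 and image.endswith("martini.sys"):
        hits.append(("vulnerable_driver_loaded", ev["image"]))
    elif ev["log"] == "Sysmon" and ev["id"] == 1:
        # Batch file started by the PsExec service, as in the initial stage.
        if parent == "psexesvc.exe" and re.search(r"\.bat\b", cmd):
            hits.append(("psexec_batch_execution", ev["cmd"]))
        # wevtutil clearing a log ("cl" / "clear-log"), the anti-forensics step.
        if image.endswith("wevtutil.exe") and re.search(r"\bcl\b|\bclear-log\b", cmd):
            hits.append(("event_log_clearing", ev["cmd"]))
        if image.endswith("smartscreen_protected.exe"):
            hits.append(("kasseika_binary_name", ev["image"]))
    elif (ev["log"], ev["id"]) in {("Security", 1102), ("System", 104)}:
        # The OS's own record that a log was cleared; survives even if the
        # process-creation telemetry was lost.
        hits.append(("log_cleared_audit", ev["log"]))
    return hits


def hunt(jsonl_text):
    """Run every rule over a JSON-lines export and return the alerts in order."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, detail in classify(ev):
            alerts.append({"ts": ev["ts"], "rule": rule, "detail": detail})
    return alerts


def assess(alerts):
    """Rough triage: driver abuse plus log clearing on one host is the
    Kasseika pattern; either alone still deserves a look."""
    rules = {a["rule"] for a in alerts}
    driver = bool(rules & {"vulnerable_driver_service", "vulnerable_driver_loaded"})
    wiping = bool(rules & {"event_log_clearing", "log_cleared_audit"})
    if driver and wiping:
        return "high"
    if driver or wiping or "kasseika_binary_name" in rules:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["rule"], a["detail"])
    print("assessment:", assess(found))
```

The rules are deliberately independent of one another so that a gap in collection (for example Sysmon not deployed on the host) still leaves the 7045 service install or the 1102 audit record to fire on; `assess` then upgrades the finding when both the driver abuse and the log wiping appear together.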
Impact
- Financial Loss
- Sensitive Data Theft
- File Encryption
Indicators of Compromise
MD5
- e0bac7cc1e2b02dda06b8a09f07abee6
- c98a5a4bfd53c87c5aac5659f7f505c1
- 713b1c97b09d0e633ede2f62556e78b9
SHA-256
- 22f8fa1b42e487f6f6d6c6a62bba65267e2d292f80989031f8529558c86a9119
- ae635a4dd36a2bf7047b6a63605a9d20aae4bcc313d93068e5e0b6676a32a39f
- c33acab1ddbee95302f0d54feb1c49c40dec807cec251fb6d30d056f571155e0
SHA-1
- e7bf904f19581c7eebbbe06f997c3b3f7c1b7739
- 82110672dbde14a73aca43e15e4c85291fe1606f
- c67835ca9504049a350fdb023ec7975cccce1674
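One way to act on the hash indicators above and on the remediation advice to search your environment for them, as an added example rather than code from the Rewterz alert: sweep a directory tree, hash each file once with all three algorithms, and report any file whose digest matches. The MD5, SHA-1 and SHA-256 values are copied from the list above; the scanning code, the temporary demo directory and the planted sample bytes are constructed for this example.

```python
"""Hash-based IOC sweep for the Kasseika indicators listed above.
Added example, not code from the Rewterz alert: the hash values are the
alert's, everything else (scanner, demo tree, sample bytes) is constructed."""
import hashlib
import os
import tempfile

# Indicators copied from the alert's IoC section.
IOC_HASHES = {
    "md5": {
        "e0bac7cc1e2b02dda06b8a09f07abee6",
        "c98a5a4bfd53c87c5aac5659f7f505c1",
        "713b1c97b09d0e633ede2f62556e78b9",
    },
    "sha1": {
        "e7bf904f19581c7eebbbe06f997c3b3f7c1b7739",
        "82110672dbde14a73aca43e15e4c85291fe1606f",
        "c67835ca9504049a350fdb023ec7975cccce1674",
    },
    "sha256": {
        "22f8fa1b42e487f6f6d6c6a62bba65267e2d292f80989031f8529558c86a9119",
        "ae635a4dd36a2bf7047b6a63605a9d20aae4bcc313d93068e5e0b6676a32a39f",
        "c33acab1ddbee95302f0d54feb1c49c40dec807cec251fb6d30d056f571155e0",
    },
}
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs):
    """Return malformed entries (wrong length or non-hex); copy/paste errors
    in an IOC list silently produce a scanner that never matches."""
    bad = []
    for algo, values in iocs.items():
        for v in values:
            if len(v) != EXPECTED_LEN[algo] or any(c not in "0123456789abcdef" for c in v):
                bad.append((algo, v))
    return bad


def file_digests(path, chunk=1 << 20):
    """Hash a file once with all three algorithms, streaming in chunks so
    large files do not have to be read into memory."""
    hashers = {algo: hashlib.new(algo) for algo in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, iocs=IOC_HASHES):
    """Return the set of algorithms whose digest appears in the IOC list."""
    return {algo for algo, value in digests.items() if value in iocs.get(algo, set())}


def scan_tree(root, iocs=IOC_HASHES):
    """Walk root and return {path: [matched algorithms]} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_digests(file_digests(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip it, don't abort the sweep
            if matched:
                hits[path] = sorted(matched)
    return hits


def demo():
    """Plant a constructed 'known bad' file next to a benign one and sweep.
    The IOC set used here is derived from the planted bytes, so it is a
    constructed stand-in for the real hashes, which no local file matches."""
    planted = b"constructed sample, not a real Kasseika binary"
    fake_iocs = {algo: {hashlib.new(algo, planted).hexdigest()} for algo in IOC_HASHES}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "planted.bin"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        hits = scan_tree(root, fake_iocs)
        return {os.path.basename(p): algos for p, algos in hits.items()}


if __name__ == "__main__":
    print(validate_iocs(IOC_HASHES) or "IOC list well-formed")
    print(demo())
```

Run `scan_tree("C:\\")` (or a share mount) with the default `IOC_HASHES` for a real sweep; the three-algorithm match is useful because a feed may give you only one of the digests for a sample, and hashing once for all three costs little more than hashing for one.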
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable two-factor authentication.
- In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Updates for operating systems, applications, and firmware should be installed as soon as possible.
- Check Active Directory, servers, workstations, and domain controllers for new or unfamiliar accounts.
- To secure remote connections, consider installing and using a virtual private network (VPN).