ASEC reports BlackBit ransomware being distributed in Korea, masquerading as svchost.exe and active since September of last year. It obfuscates with .NET Reactor and shows traits similar to LokiLocker; the campaign includes persistence, recovery prevention, and Defender/firewall evasion. #BlackBit #LokiLocker #AhnLab #ASEC #svchost.exe #winlogin.exe #RestoreMyFiles
Keypoints
- ASEC reports BlackBit ransomware distributed in Korea disguised as svchost.exe, ongoing since Sept last year.
- It uses .NET Reactor to obfuscate its code, showing similarities to LokiLocker.
- The malware persists by copying to startup and AppData as winlogin.exe and registering a scheduled task.
- It prevents recovery by emptying the Recycle Bin and deleting volume shadow copies, the backup catalog, and system state backups.
- It changes firewall and network settings and disables Windows Defender, which lets it leak information and hinders detection.
- It terminates a list of targeted processes, both to evade VM/sandbox checks and to widen the set of files it can encrypt.
- After encryption, it creates Restore-My-Files.txt and the ransom note; AhnLab notes detection aliases and IOC 3a7c3e8a378cd7a4fd83910937c23b19.
MITRE Techniques
- [T1036] Masquerading – The ransomware is distributed disguised as svchost.exe. “discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring.”
- [T1027] Obfuscated/Compressed Files or Information – The ransomware uses .NET Reactor to obfuscate its code. “The ransomware uses .NET Reactor to obfuscate its code, likely to deter analysis.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – It copies itself to the startup path and the %AppData% path using the file name “winlogin.exe” and registers itself to the task scheduler. “In order to ensure persistence, the ransomware copies itself to the startup path and the %AppData% path using the file name “winlogin.exe” and registers itself to the task scheduler.”
- [T1053] Scheduled Task – It registers a scheduled task to run at logon. “schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\rapit\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F”
- [T1486] Data Encrypted for Impact – It begins to encrypt files after initial steps. “the ransomware begins to encrypt files.”
- [T1490] Inhibit System Recovery – It deletes backups to prevent recovery. “After the process for maintaining persistence is finished, the ransomware deletes files in Recycle.bin and volume shadow to prevent users from recovering their files after the encryption process.”
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – It terminates Defender-related processes and writes Defender policy registry values to hinder protection. “terminates the following processes” (the list in the report includes Windows Defender-related processes)
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – It disables firewall/network controls. “netsh advfirewall set currentprofile state off” and “netsh firewall set opmode mode=disable”
Indicators of Compromise
- [Hash] context – 3a7c3e8a378cd7a4fd83910937c23b19
- [File name] context – winlogin.exe (used for startup persistence) and Restore-My-Files.txt (ransom note)
- [Process] context – wxserverview, qbcfmonitorservice, and 2 more processes (terminated during infection)
- [Command] context – vssadmin delete shadows /all /quiet, wbadmin DELETE SYSTEMSTATEBACKUP, wmic shadowcopy delete, wbadmin delete catalog -quiet
- [Network/Firewall] context – netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable
- [Registry] context – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
- [Registry] context – HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring, DisableOnAccessProtection, DisableScanOnRealtimeEnable, DisableAntiSpyware
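As an added example, not code from the ASEC report, the Python below turns the command-line and registry indicators above into detection logic and runs it over constructed sample events; the sample command lines, the rule labels and the helper names are my own constructions, and only the quoted commands and registry values come from the report.

```python
import re

# Constructed Sysmon-style process command lines (sample data, not from the ASEC post):
# the first four reproduce commands quoted in the report, the last two are benign noise.
SAMPLE_EVENTS = [
    r"schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\rapit\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F",
    "vssadmin delete shadows /all /quiet",
    "wbadmin DELETE SYSTEMSTATEBACKUP",
    "netsh advfirewall set currentprofile state off",
    "vssadmin list shadows",
    r"schtasks /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag",
]

# Command-line rules keyed by the report's MITRE technique; patterns are wider than the exact strings.
RULES = {
    "T1053 logon task pointing into %AppData%, run as SYSTEM": re.compile(
        r"schtasks\b.*/create\b.*/sc\s+onlogon\b.*/tr\s+\S*\\appdata\\roaming\\.*/ru\s+system\b", re.I),
    "T1490 shadow copy or backup catalog deletion": re.compile(
        r"vssadmin\b.*\bdelete\s+shadows\b|wmic\b.*\bshadowcopy\s+delete\b|"
        r"wbadmin\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "T1562.004 host firewall disabled via netsh": re.compile(
        r"netsh\b.*(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I),
}

# Policy values from the report's registry IOCs; written as 1 they switch protection off.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_VALUES = {"disablebehaviormonitoring", "disableonaccessprotection",
                   "disablescanonrealtimeenable", "disableantispyware"}
TASKMGR_POLICY = r"hkcu\software\microsoft\windows\currentversion\policies\system"

def match_cmdline(cmdline: str) -> list[str]:
    """Return the labels of every rule whose pattern matches one command line."""
    return [label for label, pat in RULES.items() if pat.search(cmdline)]

def is_defense_tamper(key: str, value_name: str, data) -> bool:
    """Registry-set event check (T1562.001): a listed policy value written as 1."""
    key_l = key.lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    name = value_name.lower()
    if key_l.startswith(DEFENDER_POLICY) and name in DEFENDER_VALUES:
        return data == 1
    return key_l == TASKMGR_POLICY and name == "disabletaskmgr" and data == 1

def scan(events: list[str]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, label) hits in order."""
    return [(i, label) for i, cmd in enumerate(events) for label in match_cmdline(cmd)]

if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```

Only the first four sample events fire; the benign `vssadmin list` and `schtasks /Query` lines do not, which is the false-positive check worth keeping when these rules are ported to a SIEM.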
Read more: https://asec.ahnlab.com/en/51497/