An Analysis of the BabLock Ransomware

BabLock (aka Rorschach) is a stealthy, fast-moving ransomware with a multi-component attack chain that blends elements from LockBit but appears to be from a different actor. The analysis details its extension variation scheme, loading chain, and anti-analysis techniques, as well as its similarities and potential origins. #BabLock #Rorschach #DarkLoader #LockBit #VMProtect

Keypoints

  • BabLock is a multi-component ransomware inspired by LockBit but likely not authored by the LockBit group.
  • It uses a distinctive extension scheme: a two-digit suffix (00-99) is appended to the encrypted-file extension, giving up to 100 extension variants per infection.
  • The main package typically includes config.ini, a DarkLoader DLL, a non-malicious (legitimate) loader executable, and a CMD launcher that requires a password.
  • DarkLoader is sideloaded by the legitimate executable and decrypts config.ini; the decrypted ransomware is packed with VMProtect for anti-virtualization.
  • The loader launches notepad.exe with a specific set of command-line arguments and injects the ransomware into it, hooking Ntdll.RtlTestBit so that a thread calling it jumps to the malicious routine, which starts the encryption.
  • It relies on publicly available tools (Chisel and Fscan) and can leverage Active Directory group policies to facilitate lateral movement.
  • Shadow copies are deleted with vssadmin to hinder recovery.

MITRE Techniques

  • [T1574.002] DLL Side-Loading – A legitimate executable sideloads the DarkLoader DLL, which in turn loads the ransomware. “DarkLoader is executed via DLL sideloading using legitimate executables.”
  • [T1059] Command and Scripting Interpreter – Notepad.exe is launched with a specific set of command-line arguments that drive the encryption; “the DLL decrypts config.ini and then executes notepad.exe with a certain set of command lines.”
  • [T1055] Process Injection – Notepad.exe is injected with an API call thread to RtlTestBit, patched to jump to the malicious routine. “The notepad.exe file is injected with an API call thread to RtlTestBit, which has been patched/hooked to jump to the malicious routine”
  • [T1497] Virtualization/Sandbox Evasion – The decrypted BabLock payload is packed with VMProtect for anti-virtualization. “the decrypted BabLock ransomware is always packed with VMProtect for anti-virtualization.”
  • [T1027] Obfuscated Files or Information – The config.ini is decrypted by a loader built specifically for these campaigns. “The config.ini file is decrypted by a specially crafted loader designed specifically for these campaigns (detected as Trojan.Win64.DarkLoader)”
  • [T1490] Inhibit System Recovery – Shadow copies are deleted to hinder recovery using vssadmin. “vssadmin.exe delete shadows /All /Quiet”
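
The behaviours listed above (vssadmin shadow-copy deletion, notepad.exe launched with arguments by an unexpected parent, and a DLL loaded from an untrusted directory beside its host executable) can be turned into simple hunting rules over process-creation and image-load telemetry. The following is an added example, not code from the Trend Micro analysis: it parses constructed Sysmon-style key=value lines and flags the three patterns. The sample events, the host executable name host.exe, the DLL name helper.dll and the notepad.exe arguments are placeholders invented for the example; only the vssadmin command line is the one quoted in the analysis. The sideloading rule is a heuristic (a DLL loaded from the host's own directory outside Windows or Program Files) and will need tuning against legitimate software that does the same.

```python
import re

# Constructed Sysmon-style events for the example (not real telemetry).
# host.exe / helper.dll / the notepad.exe arguments are placeholders; the page
# does not name the sideloading host or the exact notepad.exe command line.
SAMPLE_EVENTS = [
    'EventType=ProcessCreate Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="explorer.exe"',
    'EventType=ImageLoad Image="C:\\Users\\Public\\pkg\\host.exe" ImageLoaded="C:\\Users\\Public\\pkg\\helper.dll"',
    'EventType=ProcessCreate Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Users\\Public\\pkg\\host.exe" CommandLine="notepad.exe arg1 arg2"',
    'EventType=ProcessCreate Image="C:\\Windows\\System32\\vssadmin.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="vssadmin.exe delete shadows /All /Quiet"',
    # Benign control case: notepad.exe opened from the shell with a file argument.
    'EventType=ProcessCreate Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    # Benign control case: a system binary loading a system DLL.
    'EventType=ImageLoad Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="C:\\Windows\\System32\\ntdll.dll"',
]

# Directories where a DLL sitting next to its host is expected (assumption: tune per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents from which an interactive notepad.exe launch is expected.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line (quoted or bare values) into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def check_process(ev):
    """Rules for ProcessCreate events; returns (technique, detail) or None."""
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    args = cmd.split()[1:]
    # T1490: vssadmin used to delete shadow copies (any switch order / case).
    if image == "vssadmin.exe" and {"delete", "shadows"} <= {a.lower() for a in args}:
        return ("T1490", "shadow copy deletion: " + cmd)
    # T1055/T1059: notepad.exe started with arguments by something other than a shell.
    if image == "notepad.exe" and args and parent not in SHELL_PARENTS:
        return ("T1055", f"notepad.exe with arguments spawned by {parent}: {cmd}")
    return None


def check_imageload(ev):
    """Heuristic for T1574.002: DLL loaded from the host's own untrusted directory."""
    host = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    if not dll.lower().endswith(".dll"):
        return None
    if _trusted(host) or _trusted(dll):
        return None
    if _dir(host) == _dir(dll):
        return ("T1574.002", f"{_base(host)} loaded {_base(dll)} from {_dir(dll)}")
    return None


RULES = {"ProcessCreate": check_process, "ImageLoad": check_imageload}


def detect(lines):
    """Run the rules over raw event lines; returns a list of (technique, detail)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = RULES.get(ev.get("EventType"))
        if rule is None:
            continue
        hit = rule(ev)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for technique, detail in detect(SAMPLE_EVENTS):
        print(technique, detail)
```

Run against the constructed events, the script flags the sideload, the notepad.exe launch from host.exe and the vssadmin call, and stays silent on the two benign control events. The notepad.exe rule keys on the parent process rather than on the unknown argument values, since the page gives only that "a certain set of command lines" is used; in production this rule should also require the parent to be outside TRUSTED_DIRS to cut noise from legitimate installers.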

Indicators of Compromise

  • [File Name] config.ini – The encrypted ransomware payload, stored on disk under a configuration-file name and decrypted by the loader.
  • [File Name] notepad.exe – Legitimate Windows binary launched with specific arguments and injected into to host the encryption routine.
  • [File Name] DarkLoader.dll – The sideloaded DLL that decrypts config.ini and orchestrates the infection.
  • [Detection Name] Trojan.Win64.DarkLoader – Detection label for the loader component.
  • [Executable] vssadmin.exe – Command-line tool used to delete shadow copies to hinder recovery.
  • [API/Function] Ntdll.RtlTestBit – Hooked API involved in redirecting execution to the malicious routine.
  • [Command-Line Switch] –run – Launcher switch that supplies the 4-digit password required to start the encryption process.

Read more: https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html