Monster is a Delphi-based ransomware-as-a-service (RaaS) that hides its capabilities and uses configurable features to customize encryption and evasion, raising the risk of attribution confusion. The BlackBerry analysis details its encryption methods, use of IPLogger for victim tracking, WMI-based discovery, selective targeting of services, and its potential for reappearance as a copycat threat. #MonsterRaaS #IPLogger #RAMP
Key points
- Monster is a 32-bit, Delphi-based RaaS delivered as a standalone binary with a hidden UI that lets operators control selective encryption, self-deletion, and service/process management.
- It avoids encrypting data in 12 CIS countries by checking the system locale (GetLocaleW) and can track victims’ IPs/locations via an IP Logger web service.
- Monster uses Windows Management Instrumentation (WMI) to enumerate System Restore points, enabling the attacker to identify and delete restore points to hinder recovery.
- It enumerates services, processes, files/directories, and network shares, stopping security/backup tools to ensure smoother encryption of valuable files.
- Encryption combines AES-256 (CBC) for files and RSA to protect session keys, with encrypted data appended to files and a hardcoded server key used in the scheme.
- Ransom notes are customizable, and a user interface (accessible via Alt+Ctrl+Shift+M) provides operators with functions like mounting hidden partitions, stopping processes, and selective encryption.
MITRE Techniques
- [T1047] Windows Management Instrumentation – “Monster utilizes WMI to enumerate objects in the System Restore class in order to identify restore points for deletion.”
- [T1083] File and Directory Discovery – “enumerate a list of services and processes, files and directories, and network shares.”
- [T1135] Network Share Discovery – “enumerate network shares.”
- [T1486] Data Encrypted for Impact – “The ransomware encrypts files in blocks… AES-256 in CBC mode, and asymmetric encryption used to protect the session key.”
- [T1070.004] Indicator Removal on Host: File Deletion – “Monster deletes items in the Recycle Bin.”
- [T1490] Inhibit System Recovery – “to identify restore points for deletion.”
- [T1016] System Network Configuration Discovery – “IP Logger domain… track their target’s IP addresses and location via the IP Logger web service.”
Indicators of Compromise
- [SHA256] Monster-related hashes – 99cb1513a0b129c85d10b008919e821584a2c17e17473c44e187a4e74b0af3ad, ef514a1192de894b489a74ff911f229f5767277b9a196849219f63b589ab9473
- [Domain] iplogger[.]org – used for victim registration and tracking
- [IP] 148[.]251[.]234[.]83 – IP address referenced in IoCs
- [URL] qtox[.]github[.]io – associated URL
- [Imphash] 55987a431e619a936b03bdae679cd0a5
- [File name] We can recover your data.mht – ransom note file
- [SHA256] f447ca210f01966185a107226d91c9121952e567f02c2c60f700aec74503ed1c – hash related to the mht note
- [File name] WE CAN RECOVER YOUR DATA.txt – ransom note file
- [File name] C:\ProgramData\InstalledUpdates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}.exe – sample targeted payload filename pattern
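The indicators above are only useful once they are checked against telemetry. The following Python script is an added example, not code from the BlackBerry report: it loads the IoCs listed on this page (refanging the `[.]` forms), matches them against endpoint log lines with word boundaries so that a hash or domain cannot fire inside a longer token, and treats the `InstalledUpdates.{GUID}.exe` payload name as a pattern with a variable GUID, which is an assumption drawn from the page calling it a "filename pattern". The sample log lines, hostnames and paths are constructed for illustration.

```python
"""Match the Monster IoCs listed above against sample endpoint telemetry.

Added example; this is not code from the BlackBerry report. The indicator
values are copied from the IoC list above (defanged "[.]" forms refanged);
the telemetry lines and the hostnames/paths in them are constructed.
"""
import re

# Indicators from the IoC list above. Matching is case-insensitive.
IOCS = {
    "sha256": [
        "99cb1513a0b129c85d10b008919e821584a2c17e17473c44e187a4e74b0af3ad",
        "ef514a1192de894b489a74ff911f229f5767277b9a196849219f63b589ab9473",
        "f447ca210f01966185a107226d91c9121952e567f02c2c60f700aec74503ed1c",
    ],
    "imphash": ["55987a431e619a936b03bdae679cd0a5"],
    "domain": ["iplogger[.]org", "qtox[.]github[.]io"],
    "ip": ["148[.]251[.]234[.]83"],
    "filename": ["We can recover your data.mht", "WE CAN RECOVER YOUR DATA.txt"],
}

# Assumption: the payload name "InstalledUpdates.{GUID}.exe" is a pattern in
# which the GUID varies, so it is matched with a regex rather than literally.
PAYLOAD_RE = re.compile(
    r"installedupdates\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe"
)


def refang(value: str) -> str:
    """Turn a defanged indicator such as iplogger[.]org into iplogger.org."""
    return value.replace("[.]", ".")


def _compile(value: str) -> re.Pattern:
    # Require a non-word character on each side so "iplogger.org" does not
    # fire on "myiplogger.org" and a hash cannot match inside a longer hex run.
    return re.compile(r"(?<!\w)" + re.escape(refang(value).lower()) + r"(?!\w)")


PATTERNS = [(kind, refang(v), _compile(v)) for kind, vals in IOCS.items() for v in vals]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs found in one telemetry line."""
    low = line.lower()
    hits = [(kind, value) for kind, value, rx in PATTERNS if rx.search(low)]
    m = PAYLOAD_RE.search(low)
    if m:
        hits.append(("payload_pattern", m.group(0)))
    return hits


def scan_text(text: str) -> list[dict]:
    """Scan newline-separated telemetry; one dict per indicator hit."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            results.append({"line": n, "kind": kind, "indicator": value, "event": line})
    return results


# Constructed sample telemetry (process, DNS, network and file events).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z host=WS01 event=ProcessCreate image=C:\\Users\\a\\Downloads\\update.exe sha256=EF514A1192DE894B489A74FF911F229F5767277B9A196849219F63B589AB9473 imphash=55987A431E619A936B03BDAE679CD0A5
2024-05-01T10:02:13Z host=WS01 event=DnsQuery query=iplogger.org
2024-05-01T10:02:14Z host=WS01 event=NetConnect dst=148.251.234.83:443
2024-05-01T10:05:40Z host=WS01 event=FileCreate path=C:\\Users\\a\\Desktop\\WE CAN RECOVER YOUR DATA.txt
2024-05-01T10:05:41Z host=WS01 event=FileCreate path=C:\\ProgramData\\InstalledUpdates.{0B1C2D3E-4F50-6172-8394-A5B6C7D8E9F0}.exe
2024-05-01T10:06:00Z host=WS02 event=DnsQuery query=update.microsoft.com
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} = {hit['indicator']}")
```

Run it as-is to see one hit per indicator in the constructed log (two on the process-creation line, which carries both the SHA256 and the imphash) and nothing on the benign DNS query. Replace `SAMPLE_LOG` with exported EDR, Sysmon or DNS logs to use it on real data; the ransom-note filenames and the IP Logger domain are the indicators most likely to surface on an endpoint before encryption completes.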