Keypoints
- Kasseika gained initial access through targeted phishing links and credential harvesting, then used remote administration tools (RATs) to obtain privileged access and move laterally.
- Attackers abused PsExec, a legitimate Windows remote administration tool, to run a malicious .bat deployment script on remote hosts.
- They used a bring-your-own-vulnerable-driver (BYOVD) approach: the signed Martini.sys driver, loaded and driven by Martini.exe, receives DeviceIoControl requests (control code 0x82730030) that make it terminate processes from a list of at least 991 names, including antivirus products and analysis tools.
- The deployment script copies the payload tree from a network share (the /E switch copies subdirectories, empty ones included), runs Martini.exe to disable defenses, launches smartscreen_protected.exe (the ransomware), and executes clear.bat to remove traces.
- The ransomware is a Themida-packed 32-bit PE. It enumerates Restart Manager registry entries, deletes shadow copies via WMIC, clears the Application, Security and System event logs with wevtutil.exe, and changes the desktop wallpaper.
- Kasseika derives its encrypted-file extension from a hard-coded string through Base64 transformations, encrypts files with ChaCha20 using a ChaCha20 matrix that is partially RSA-encrypted, and drops CBhwKBgQD.README.txt as the ransom note.
- The code reuse and pseudo-random extensions resemble BlackMatter artifacts, which suggests the operators had access to BlackMatter source code.
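The control code quoted above is the first thing an analyst needs to take apart before looking for the matching dispatch case in the driver. The decoder below is an added example (the editor's code, not Kasseika's and not from the report) that splits any 32-bit IOCTL into the fields the WDK CTL_CODE macro packs and re-packs them for a round-trip check; the value 0x82730030 and the method/access names are the only inputs taken from the page or the WDK.

```python
# Added example: decode a Windows I/O control code into its CTL_CODE fields.
# Layout (WDK CTL_CODE macro): bits 31..16 DeviceType, 15..14 RequiredAccess,
# bits 13..2 Function, bits 1..0 TransferType (the buffering method).
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def decode_ioctl(code: int) -> dict:
    """Split an IOCTL into device type, access, function number and method."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values")
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        # Microsoft reserves device types below 0x8000 for its own drivers;
        # third-party drivers are expected to use 0x8000 and above.
        "vendor_defined": device_type >= 0x8000,
    }


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Re-pack the fields exactly as CTL_CODE does, to round-trip a decoded value."""
    return ((device_type & 0xFFFF) << 16) | ((access & 0x3) << 14) \
        | ((function & 0xFFF) << 2) | (method & 0x3)


if __name__ == "__main__":
    # The Martini.sys request from the report: vendor device type 0x8273,
    # function 0xC, METHOD_BUFFERED, FILE_ANY_ACCESS.
    fields = decode_ioctl(0x82730030)
    print(fields)
    print(hex(ctl_code(fields["device_type"], fields["function"], 0, 0)))
```

Two things fall out of the decode that matter for hunting: FILE_ANY_ACCESS means the driver's device object does not demand any particular access right in the IOCTL itself, so whether a low-privileged caller can reach function 0xC depends entirely on the device's security descriptor; and METHOD_BUFFERED means the process list (or identifier) travels in the system buffer, which is where a reverse engineer should look for the input-length check.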
MITRE Techniques
- [T1566] Phishing – ‘targeted phishing links via email for initial access’ (used to obtain credentials and initial foothold)
- [T1021] Remote Services – ‘abused the legitimate Windows RAT PsExec to execute its malicious files’ (PsExec, a legitimate remote administration tool, used to run the .bat deployment script on remote hosts)
- [T1211] Exploitation for Defense Evasion – ‘bring-your-own-vulnerable-driver (BYOVD) attacks’ (the Martini signed driver is leveraged to disable security products)
- [T1562] Impair Defenses – ‘terminate at least 991 processes within its list, including antivirus products’ (Martini.exe instructs the driver to terminate security and analysis processes from the kernel)
- [T1059] Command and Scripting Interpreter – ‘uses a batch script to load its malicious entities’ (deployment and cleanup implemented as .bat scripts)
- [T1047] Windows Management Instrumentation – ‘SELECT * Win32_ShadowCopies’ (WMIC used to enumerate and remove shadow copies; the query is quoted as reported, the well-formed WQL is SELECT * FROM Win32_ShadowCopy, so detections should key on WMIC or WMI access to that class rather than on the exact string)
- [T1070.001] Clear Windows Event Logs – ‘wevtutil.exe efficiently clears the Application, Security, and System event logs’ (used to remove forensic traces)
- [T1490] Inhibit System Recovery – ‘deletes the shadow copies of the affected system’ (shadow copies removed to hinder recovery)
- [T1027] Obfuscated Files or Information – ‘packed by Themida’ (Themida packing used to obfuscate the ransomware binary)
- [T1486] Data Encrypted for Impact – ‘retrieves its encryption algorithm key, ChaCha20… uses the modified ChaCha20 matrix to encrypt target files’ (ChaCha20 + RSA used to encrypt victim files)
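The technique list above is only useful if each row turns into something that fires on telemetry. The script below is an added example (the editor's code, not part of the report) that runs a small rule set over constructed Sysmon-style records (process creation and driver load events; the host name, share path, IP address and directory names are made up) and tags each hit with the technique ID from this list, plus an IOC row for the file names the page gives. The one benign record, an administrator listing shadow copies, must produce no hit.

```python
import re

# Constructed sample telemetry, not real logs: Sysmon-style records reduced to the
# fields the rules need. id 1 = process creation, id 6 = driver loaded.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r'cmd.exe /c "\\10.0.0.5\share\deploy.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\xcopy.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"xcopy /E \\10.0.0.5\share\Martini C:\Temp\Martini"},
    {"id": 6, "image_loaded": r"C:\Temp\Martini\Martini.sys", "signed": "true"},
    {"id": 1, "image": r"C:\Temp\Martini\Martini.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"Martini.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Temp\Martini\smartscreen_protected.exe", "cmdline": r"wmic shadowcopy delete"},
    {"id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Temp\Martini\smartscreen_protected.exe", "cmdline": r"wevtutil.exe cl Security"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Temp\Martini\clear.bat"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"vssadmin list shadows"},  # benign admin activity: must not fire
]

# File names the page lists as indicators (lower-cased for matching).
IOC_NAMES = ("martini.exe", "martini.sys", "viragt64.sys",
             "smartscreen_protected.exe", "clear.bat", "cbhwkbgqd")


def _lc(event, key):
    """Lower-cased field with a default, so rules also run on partial records."""
    return str(event.get(key, "")).lower()


def _blob(event):
    return " ".join(str(v) for v in event.values()).lower()


# (technique, reason, predicate). One event may legitimately match several rules.
RULES = [
    ("T1021", "PsExec service binary, or a process spawned by it",
     lambda e: e["id"] == 1 and "psexesvc" in _lc(e, "image") + _lc(e, "parent")),
    ("T1059", "batch script executed from a UNC path",
     lambda e: e["id"] == 1 and re.search(r"\\\\[^\\\s]+\\\S*\.bat", e.get("cmdline", ""), re.I)),
    ("T1059", "recursive copy (/E) of a payload tree from a network share",
     lambda e: e["id"] == 1 and re.search(r"^(xcopy|robocopy)\b.*\s/e\b.*\\\\",
                                          e.get("cmdline", ""), re.I)),
    ("T1211", "Martini.sys / viragt64.sys driver loaded",
     lambda e: e["id"] == 6 and re.search(r"\\(martini|viragt64)\.sys$",
                                          e.get("image_loaded", ""), re.I)),
    ("T1562", "Martini.exe user-mode agent started",
     lambda e: e["id"] == 1 and _lc(e, "image").endswith("\\martini.exe")),
    ("T1047", "WMIC touching the Win32_ShadowCopy class",
     lambda e: e["id"] == 1 and "wmic" in _lc(e, "image") and "shadowcopy" in _lc(e, "cmdline")),
    ("T1490", "shadow copy deletion",
     lambda e: e["id"] == 1 and "shadow" in _lc(e, "cmdline") and "delete" in _lc(e, "cmdline")),
    ("T1070.001", "wevtutil clearing an event log",
     lambda e: e["id"] == 1 and _lc(e, "image").endswith("wevtutil.exe")
     and re.search(r"\b(cl|clear-log)\b", _lc(e, "cmdline"))),
    ("IOC", "file name from the Kasseika indicator list",
     lambda e: any(name in _blob(e) for name in IOC_NAMES)),
]


def detect(events):
    """Return one hit per (event, rule) pair that matched."""
    hits = []
    for index, event in enumerate(events):
        for technique, why, predicate in RULES:
            if predicate(event):
                hits.append({"event": index, "technique": technique, "why": why})
    return hits


def summarize(hits):
    """Technique -> number of matching events, for a quick coverage view."""
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['event']}: {hit['technique']:10} {hit['why']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The rules are deliberately keyed on behaviour the page describes (a .bat reached over UNC, a recursive copy from a share, wevtutil with cl, WMIC against the shadow-copy class) rather than only on file names, because the IOC row is the easiest thing for the operator to change; the driver-load rule should be backed by the driver's hash or signer in a real deployment, since the file name is arbitrary.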
Indicators of Compromise
- [Driver] signed driver used to disable defenses – Martini.sys (original file name viragt64.sys)
- [Executable] loader and ransomware binaries – Martini.exe (loader/driver interface), smartscreen_protected.exe (ransomware binary)
- [File names / ransom artifacts] ransom extension and note – CBhwKBgQD (encrypted extension), CBhwKBgQD.README.txt (ransom note)
- [Scripts] deployment and cleanup scripts – the malicious .bat executed through PsExec to orchestrate payload execution, and clear.bat (cleanup)
Kasseika’s technical procedure began with targeted phishing to harvest credentials and deploy remote administration tools. Operators used PsExec to run a malicious batch script on remote hosts; that script copies the payload tree from a network share (using the /E switch), checks whether Martini.exe is present and, if needed, downloads and installs the signed driver Martini.sys. Martini.exe opens a handle to the driver’s device with CreateFileW and issues DeviceIoControl calls with control code 0x82730030, instructing the driver to terminate the processes on its list (at least 991 names, including many antivirus and analysis tools) from the kernel with routines such as ZwTerminateProcess.
After defenses are suppressed, the script launches smartscreen_protected.exe (the Themida-packed ransomware), which enumerates Restart Manager registry entries to collect files for encryption, deletes shadow copies via WMIC (‘SELECT * Win32_ShadowCopies’ as reported), and clears event logs with wevtutil.exe. The ransomware transforms a hard-coded string with Crypto++ Base64 routines to form its extension, generates a ChaCha20 key-material matrix that is partially RSA-encrypted, and uses the modified ChaCha20 matrix to encrypt files, appending the derived extension and dropping CBhwKBgQD.README.txt in encrypted directories.
Finally, the attacker-run clear.bat removes deployment artifacts and the ransomware changes the victim wallpaper to a ransom notice. The overall chain (BYOVD driver abuse, PsExec-based remote execution, Themida packing, ChaCha20 with RSA-protected key material, shadow-copy deletion, and event-log clearing) reflects coordinated steps to evade detection and maximize impact, and the ransom-note and extension artifacts mirror BlackMatter-era code reuse.