Makop ransomware continues to exploit exposed RDP services and weak credentials, then stages network scanners, LPE exploits, AV killers and credential dumpers before deploying its encryptor. Recent activity shows the operators have added loader-based delivery (GuLoader) and tailored AV uninstallers to evade defenses and increase success rates. #Makop #GuLoader
Keypoints
- Initial access is primarily via exposed RDP using brute-force or dictionary attacks (NLBrute observed).
- Operators stage off-the-shelf tools for discovery (NetScan, Advanced IP Scanner, Masscan) and lateral movement before encryption.
- Multiple local privilege escalation (LPE) exploits are maintained in the toolkit (numerous CVEs including CVE-2017-0213, CVE-2018-8639, CVE-2021-41379).
- Defense evasion includes disabling security products (Defender Control, a tailored Quick Heal uninstaller), loading signed but vulnerable drivers (ThrottleStop.sys, hlpdrv.sys) in bring-your-own-vulnerable-driver (BYOVD) fashion to reach kernel privileges, and using process killers (Process Hacker, IObit Unlocker) to terminate protected security processes.
- GuLoader has been observed delivering secondary payloads alongside traditional toolsets, marking an evolution in Makop’s delivery methods.
- The majority of observed victims are in India (55%), with additional incidents in Brazil, Germany and other countries, consistent with opportunistic targeting of weaker security postures rather than deliberate geographic selection.
MITRE Techniques
- [T1133] External Remote Services – Used to gain initial access through exposed RDP services (‘exploit publicly exposed and insecure remote desktop protocol (RDP) services.’)
- [T1110] Brute Force – Operators perform brute-force or dictionary attacks against RDP credentials (‘commonly rely on brute-force or dictionary attacks to crack weak or reused credentials.’)
- [T1046] Network Service Discovery – Network scanning tools are staged to map hosts and services (‘NetScan was used most often, with Advanced IP Scanner serving as an alternative’).
- [T1021] Remote Services (Lateral Movement) – Scan results are used to locate and access additional hosts (‘helping attackers map targets for lateral movement.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – AV killers and uninstallers neutralize endpoint defenses (‘Defender Control 2.0 disables Microsoft Defender protections with a single action’).
- [T1068] Exploitation for Privilege Escalation – Multiple LPE vulnerabilities are exploited to obtain SYSTEM privileges (listing of CVEs used as primitives: ‘Multiple local privilege escalation (LPE) vulnerabilities … CVE-2016-0099 … CVE-2022-24521’).
- [T1003] OS Credential Dumping – Credential dumpers extract credentials from Windows memory and local stores to expand access (‘Mimikatz extracts plaintext passwords, hashes and authentication tokens directly from Windows memory’).
- [T1105] Ingress Tool Transfer – Loaders such as GuLoader transfer and drop secondary payloads onto victims (‘GuLoader is a loader type of malware that … is used to deliver additional payloads.’)
Indicators of Compromise
- [File hash] Makop encryptor sample – 8ccb30606e3229ff88b3b67a5f4b2b087cab290ce7eedfcb24d1d3954b01d5f9, f43b86ff36… and many other hashes reported.
- [File name] Common encryptor filenames – bug_osn.exe, taskmgr.exe (also variants like .taskmgr.exe, bugbug.exe). Note that taskmgr.exe is also the legitimate Task Manager binary under %SystemRoot%\System32; the indicator is a file of that name executing from any other location, such as a user-writable directory.
- [File path] GuLoader and payload drop locations – %USERPROFILE%Music1BUGTreasureRoberts.exe, %USERPROFILE%Music1BUG.mc_fxt.exe.
- [Driver filename] Vulnerable signed drivers used for BYOVD/AV bypass – ThrottleStop.sys, hlpdrv.sys.
- [CVE / LPE exploit] Local privilege escalation vulnerabilities observed – CVE-2016-0099, CVE-2017-0213, CVE-2018-8639 (and several other CVEs used as LPE primitives).
- [Tool / malware name] Tools and loaders observed in campaigns – GuLoader, NLBrute, Mimikatz (plus NetScan, Advanced IP Scanner noted).
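The indicators above are most useful when applied to endpoint telemetry rather than grepped in isolation, because the encryptor borrows a legitimate file name. The following is an added example, not code from the original report: it sweeps Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) events for the complete encryptor hash, the encryptor file names (excluding taskmgr.exe when it runs from its legitimate System32/SysWOW64 location) and the BYOVD driver names listed in this report. The `key=value|key=value` event line format and the sample events are constructed; the truncated hash on the page cannot be matched and is therefore not included.

```python
"""Sweep Sysmon-style events for the Makop indicators listed in this report.

Added example, not code from the original report. The hash, file names and
driver names come from the report; the event line format and sample events
are constructed. Only the one complete encryptor hash is usable.
"""
import ntpath

ENCRYPTOR_HASHES = {
    "8ccb30606e3229ff88b3b67a5f4b2b087cab290ce7eedfcb24d1d3954b01d5f9",
}
ENCRYPTOR_NAMES = {"bug_osn.exe", "taskmgr.exe", ".taskmgr.exe", "bugbug.exe"}
BYOVD_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}
# taskmgr.exe is a legitimate Windows binary in these directories; the
# Makop copy reuses the name from a user-writable path.
LEGIT_TASKMGR_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample: Sysmon Event ID 1 (process create) and 6 (driver load)
# flattened to key=value pairs separated by '|'.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\taskmgr.exe|SHA256=" + "a" * 64,
    "EventID=1|Image=C:\\Users\\bob\\Music\\taskmgr.exe|SHA256="
    "8ccb30606e3229ff88b3b67a5f4b2b087cab290ce7eedfcb24d1d3954b01d5f9",
    "EventID=1|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\bugbug.exe|SHA256=" + "b" * 64,
    "EventID=6|ImageLoaded=C:\\Users\\bob\\Desktop\\ThrottleStop.sys|Signed=true",
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe|SHA256=" + "c" * 64,
]


def parse_event(line):
    """Turn one constructed 'k=v|k=v' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the list of indicator matches for one event (empty if clean)."""
    reasons = []
    if event.get("EventID") == "1":
        path = event.get("Image", "")
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        if event.get("SHA256", "").lower() in ENCRYPTOR_HASHES:
            reasons.append("encryptor_hash")
        # Name match, but do not flag the real Task Manager in its own directory.
        if name in ENCRYPTOR_NAMES and not (name == "taskmgr.exe" and parent in LEGIT_TASKMGR_DIRS):
            reasons.append("encryptor_filename")
    elif event.get("EventID") == "6":
        if ntpath.basename(event.get("ImageLoaded", "")).lower() in BYOVD_DRIVERS:
            reasons.append("byovd_driver")
    return reasons


def sweep(lines):
    """Return one finding per event that matched at least one indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append({"path": ev.get("Image") or ev.get("ImageLoaded"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_EVENTS):
        print(finding)
```

A driver-load hit on ThrottleStop.sys or hlpdrv.sys outside a known hardware-tuning install deserves the same priority as an encryptor hash hit: in this intrusion chain it is the step immediately before security tooling is killed, and blocking those drivers by hash or name through a vulnerable-driver blocklist removes the primitive.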