Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation – ASEC BLOG

Paradise ransomware is being distributed via exploitation of the AweSun vulnerability, with the same actors previously linked to Sunlogin-related BYOVD and Sliver C2 campaigns. The attackers use AweSun-generated cmd/PowerShell to install DP_Main.exe, encrypt files with RSA-1024, and exfiltrate infection details to a C2 server, including ransom notes with contact and payment details. #ParadiseRansomware #AweSun #SunloginVulnerability #SliverC2 #BYOVD #CobaltStrike

Keypoints

  • Paradise is installed through an AweSun vulnerability exploitation, with ties to prior Sunlogin and Sliver C2 activity.
  • Older AweSun versions (v1.5/v1.6) were present on the attacked systems, suggesting that Paradise was installed by exploiting a vulnerability in those versions rather than delivered as a stand-alone payload.
  • The ransomware is dropped via cmd and PowerShell generated by AweSun, and Paradise (DP_Main.exe) is installed as part of the campaign.
  • Paradise encrypts files using RSA-1024, stores keys in settings files, and excludes common software folders while prioritizing some database paths.
  • It registers a Run key for persistence and deletes the Volume Shadow Copy service (VSS) to hinder recovery.
  • Data about the infection (PCID, computer name, number of encrypted files, time to encrypt) is sent to a C2 server after encryption.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The AweSun vulnerability exploitation is used to drop Paradise;
    “Paradise, which is installed through an AweSun vulnerability exploitation, … installed by the cmd and PowerShell generated by AweSun.”
  • [T1059.001] PowerShell – PowerShell is used to execute the drop/install payload via AweSun, enabling Paradise installation;
    “PowerShell generated by AweSun.”
  • [T1059.003] Windows Command Shell – cmd.exe is used to run commands for installation and to remove the VSS service;
    “cmd.exe /C sc delete VSS”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (formerly T1060) – Paradise registers itself under the Run key to achieve persistence;
    “register it to the run key.”
  • [T1490] Inhibit System Recovery – The ransomware deletes the volume shadow service to hamper recovery;
    “Deletes volume shadow service.”
  • [T1486] Data Encrypted for Impact – Paradise encrypts files using a 1024-bit RSA key and applies an extension;
    “Paradise generates a 1024-bit RSA key and uses it to encrypt files.”
  • [T1041] Exfiltration Over C2 Channel – Basic infection data is sent to the C2 server after encryption;
    “transfers basic information… to the C&C server.”

Indicators of Compromise

  • [URL] Download URL – hxxps://upload.paradisenewgenshinimpact[.]top/DP_Main.exe – Paradise payload download
  • [URL] C2 URL – hxxp://upload.paradisenewgenshinimpact[.]top:2095/api/Encrypted.php – Command-and-control
  • [Domain] paradisenewgenshinimpact[.]top – domain hosting the payload download and C2 endpoint
  • [MD5] 5cbbc1adfd22f852a37a791a2415c92c – File hash associated with related components
  • [File] DP_Main.exe – main ransomware payload executable
  • [File] DPwelldone.dp, DPRunAsAdmin.dp, id.dp – configuration files used by Paradise
  • [File] DecryptionInfo.auth – RSA private key encrypted under master public key
  • [Email] [email protected] – ransom contact address (obfuscated in the source page; the ASEC post linked below has the actual address)
  • [Bitcoin] 392vKrpVxMF7Ld55TXyXpJ1FUE8dgKhFiv – Bitcoin wallet for payments
  • [Note] DECRYPT MY FILES#.html – ransom note filename/content indicator
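Hunting logic for the behaviours and indicators in the MITRE and IoC sections above, as an added example that is not code from the ASEC post. It scans newline-delimited, Sysmon-style JSON events (the field names assume Sysmon's schema; the sample lines are constructed for the demo, not real telemetry) and flags the `sc delete VSS` command, a Run-key value pointing at a Paradise file, the C2 domain lookup, the listed MD5, and the dropped file and ransom-note names.

```python
"""Detection helper for the Paradise/AweSun indicators summarised on this page.

Added example (not ASEC's code). Event field names (EventID, Image,
CommandLine, Hashes, TargetObject, Details, QueryName, TargetFilename)
follow Sysmon's schema; that schema is an assumption about the log source.
"""
import json
import re

# Indicators taken from the page (defanged hosts restored for matching).
IOC_DOMAIN = "paradisenewgenshinimpact.top"
IOC_MD5 = "5cbbc1adfd22f852a37a791a2415c92c"
IOC_FILES = {"dp_main.exe", "dpwelldone.dp", "dprunasadmin.dp", "id.dp",
             "decryptioninfo.auth"}

# "sc delete VSS" with or without .exe, any spacing, any case (T1490).
VSS_DELETE_RE = re.compile(r"\bsc(\.exe)?\s+delete\s+vss\b", re.IGNORECASE)
# Any value written under a ...\CurrentVersion\Run\ key (T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        if VSS_DELETE_RE.search(event.get("CommandLine", "")):
            hits.append("T1490 VSS service deletion")
        if IOC_MD5 in event.get("Hashes", "").lower():
            hits.append("Known Paradise component hash")
        if _basename(event.get("Image", "")) in IOC_FILES:
            hits.append("Paradise file name")
    elif eid == 13:  # registry value set
        details = event.get("Details", "").lower()
        if RUN_KEY_RE.search(event.get("TargetObject", "")) and any(
                f in details for f in IOC_FILES):
            hits.append("T1547.001 Run key persistence")
    elif eid == 22:  # DNS query
        qname = event.get("QueryName", "").lower().rstrip(".")
        if qname == IOC_DOMAIN or qname.endswith("." + IOC_DOMAIN):
            hits.append("T1041 C2 domain lookup")
    elif eid == 11:  # file create
        name = _basename(event.get("TargetFilename", ""))
        if name in IOC_FILES or name.startswith("decrypt my files"):
            hits.append("Paradise artifact written")
    return hits


def scan(lines):
    """Parse JSON events one per line; return [(line_no, hits)] for matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the sweep
        hits = classify(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events (not real telemetry). Raw string so the JSON
# backslash escapes survive intact.
SAMPLE_LOG = r"""{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"cmd.exe\" /C sc delete VSS", "Hashes": "MD5=00000000000000000000000000000000"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DP_Main", "Details": "C:\\Users\\Public\\DP_Main.exe"}
{"EventID": 22, "QueryName": "upload.paradisenewgenshinimpact.top"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe", "Hashes": "MD5=11111111111111111111111111111111"}
{"EventID": 11, "TargetFilename": "C:\\Users\\victim\\Desktop\\DECRYPT MY FILES#.html"}
{"EventID": 1, "Image": "C:\\Users\\Public\\DP_Main.exe", "CommandLine": "DP_Main.exe", "Hashes": "MD5=5CBBC1ADFD22F852A37A791A2415C92C"}"""


if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {', '.join(rules)}")
```

The Run-key rule deliberately requires both the key path and a Paradise file name in the written value, so ordinary software that registers its own autostart entry is not flagged; widen the file-name set if you pivot to other samples from the same infrastructure.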

Read more: https://asec.ahnlab.com/en/47590/