Rorschach – A New Sophisticated and Fast Ransomware – Check Point Research

Check Point researchers identified a new ransomware strain named Rorschach that was deployed against a US-based company, notable for its lack of branding and autonomous capabilities. The malware combines novel evasion, ultra-fast hybrid cryptography, and domain-wide propagation techniques, including DLL side-loading of a signed Cortex XDR tool.
#Rorschach #Babuk

Key points

  • Rorschach is a previously unnamed ransomware strain observed against a US-based company, with no clear attribution to a known group.
  • It is highly autonomous, capable of self-spreading on Domain Controllers via Group Policy deployment and clearing event logs.
  • The ransomware is extremely fast, highly customizable, and uses direct syscalls to improve encryption speed and evade defenses.
  • Deployment relies on DLL side-loading of a signed Cortex XDR Dump Service Tool, a loading method that leverages a legitimate security product.
  • Rorschach employs a hybrid cryptography scheme (Curve25519 and eSTREAM hc-128) for rapid encryption with per-victim keys.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – The ransomware is deployed using DLL side-loading of a Cortex XDR Dump Service Tool. Quote: “deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product.”
  • [T1055] Process Injection – The main payload is injected into notepad.exe to begin ransomware logic. Quote: “injected into notepad.exe, where the ransomware logic begins.”
  • [T1106] Native API – Rorschach uses direct system calls via the syscall instruction to manipulate files, bypassing standard APIs. Quote: “uses direct system calls using the ‘syscall’ instruction.”
  • [T1070.001] Clear Windows Event Logs – The malware runs wevtutil.exe to clear the Application, Security, System, and Windows PowerShell logs. Quote: “Run wevtutil.exe to clear the following Windows event logs: Application, Security, System and Windows PowerShell.”
  • [T1562.004] Disable Firewall – The malware disables the Windows firewall using netsh.exe. Quote: “Disable the Windows firewall, using netsh.exe.”
  • [T1497] Virtualization/Sandbox Evasion – The sample is protected by VMProtect and other packing techniques to hinder analysis. Quote: “VMProtect… results in a crucial portion of the code being virtualized.”
  • [T1486] Data Encrypted for Impact – The ransomware uses a fast hybrid-cryptography scheme (Curve25519 + hc-128) for encryption. Quote: “The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes.”

Indicators of Compromise

  • [File] cy.exe – 2237ec542cdcd3eb656e86e43b461cd1 – PA Cortex Dump Service Tool (benign file)
  • [File] winutils.dll – 4a03423c77fe2c8d979caca58a64ad6c – Loader and injector into notepad.exe
  • [File] config.ini – 6bd96d06cd7c4b084fe9346e55a81cf9 – Encrypted ransomware payload
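The MITRE techniques and the indicators above translate directly into host-telemetry detections. The following is an added example, not Check Point's code and not part of the original post: it runs a small detection pass over constructed, Sysmon-style process-creation and image-load records, flagging the log-clearing and firewall-disabling command lines, the dump tool spawning notepad.exe, a DLL with a system-library name loaded from a user-writable path, and any file hash matching the IoC list. The record field names (type, image, parent_image, cmdline, loaded, md5) and the sample paths are this example's own conventions; the parent/child relationships in the sample are assumptions for illustration.

```python
"""Detection pass for the Rorschach behaviours summarised above.

Added example, not Check Point's code. The events below are constructed,
Sysmon-style records; the field names (type, image, parent_image, cmdline,
loaded, md5) are this example's own convention, not a real Sysmon schema.
"""
import ntpath
import re
from dataclasses import dataclass

# MD5 hashes from the Indicators of Compromise section.
IOC_MD5 = {
    "2237ec542cdcd3eb656e86e43b461cd1": "cy.exe (Cortex XDR Dump Service Tool, benign on its own)",
    "4a03423c77fe2c8d979caca58a64ad6c": "winutils.dll (loader / injector)",
    "6bd96d06cd7c4b084fe9346e55a81cf9": "config.ini (encrypted payload)",
}

# T1070.001: "wevtutil cl <log>" clears a log; "wevtutil qe" merely queries it.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)
# T1562.004: "netsh advfirewall set <profile> state off" turns a firewall profile off.
FIREWALL_OFF_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Finding:
    technique: str   # MITRE id from the list above, or "IoC" for a hash hit
    reason: str
    event_index: int


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def analyse(events):
    """Return one Finding per suspicious observation in `events`, in event order."""
    findings = []
    for i, ev in enumerate(events):
        md5 = ev.get("md5", "").lower()
        if md5 in IOC_MD5:
            findings.append(Finding("IoC", f"hash matches {IOC_MD5[md5]}", i))

        if ev["type"] == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            if LOG_CLEAR_RE.search(cmd):
                findings.append(Finding("T1070.001", f"event log cleared: {cmd}", i))
            if FIREWALL_OFF_RE.search(cmd):
                findings.append(Finding("T1562.004", f"firewall disabled: {cmd}", i))
            # T1055 heuristic (assumption): a dump-service tool has no reason to launch notepad.
            if _name(ev["image"]) == "notepad.exe" and _name(ev.get("parent_image", "")) == "cy.exe":
                findings.append(Finding("T1055", "notepad.exe spawned by cy.exe (injection host)", i))

        elif ev["type"] == "ImageLoad":
            loaded = ev["loaded"]
            # T1574.001: a DLL with a system-library name loaded from outside C:\Windows.
            if _name(loaded) == "winutils.dll" and not loaded.lower().startswith(SYSTEM_DIRS):
                findings.append(Finding("T1574.001", f"{_name(ev['image'])} side-loaded {loaded}", i))
    return findings


# Constructed sample telemetry; paths and parent/child links are illustrative.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\cy.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "cy.exe",
     "md5": "2237ec542cdcd3eb656e86e43b461cd1"},
    {"type": "ImageLoad", "image": r"C:\Users\Public\cy.exe",
     "loaded": r"C:\Users\Public\winutils.dll",
     "md5": "4a03423c77fe2c8d979caca58a64ad6c"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\Public\cy.exe", "cmdline": "notepad.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "netsh.exe advfirewall set allprofiles state off"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},   # benign query, must not fire
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.technique}] event {f.event_index}: {f.reason}")
```

The hash match and the behavioural rules are kept separate on purpose: hashes catch this exact sample, while the command-line and parent/child rules still fire when the operator rebuilds the payload, which is the point of pairing IoCs with technique-level detections. The benign `wevtutil qe` query in the sample shows why the clear-log rule keys on the `cl` verb rather than on the binary name.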

Read more: https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/