Weekly Intelligence Report – 03 Nov 2023 – CYFIRMA

CYFIRMA highlights Good Day ransomware, an ARCrypter family member that disguises as a Microsoft Windows Update and employs stealthy techniques (like VSS deletion and debug-detection) while encrypting files and exfiltrating data. The report also covers related campaigns (DUCKTAIL), Lazarus Group activity, Play Ransomware trends, and broader geopolitical cybersecurity developments. #GoodDay #ARCrypter #Cloak #DuckTail #LazarusGroup #PlayRansomware #TwistedWeb #CVE-2023-46137 #TurkEkonomiBank #PlanetMinecraft

Keypoints

  • Good Day ransomware disguises itself as WindowsUpdate.exe and is delivered via a dropper or script, following ARCrypter patterns (“The ransomware disguises itself as a Microsoft Windows Update executable named ‘WindowsUpdate.exe.’ The ransomware is intended to be executed using a dropper or script, a tactic consistent with previous ARCrypter operations.”)
  • Persistence and anti-analysis: it creates a RUN key for persistence and includes debug-detection to evade analysis, plus attempts to delete Volume Shadow Copies (VSS) to hinder recovery (“establishes persistence by creating an entry in the RUN key of the registry” and “The ransomware makes efforts to detect its presence within specific debuggers” and “delete Volume Shadow Copies (VSS).”)
  • Gathers system information via WMIC, enabling targeted encryption and reconnaissance prior to impact.
  • Tor-based victim portals and a link to Cloak’s data sales indicate a nexus between Good Day and extortion-database activities (“unique TOR-based victim portals for each target” and connection to Cloak’s data sales).
  • DUCKTAIL campaign uses compromised LinkedIn accounts to deliver a ZIP containing self-contained .NET malware; Telegram-based C2 and browser data theft highlight social-engineering-focused identity theft.
  • Lazarus Group’s campaign against a software vendor exploits VMware Horizon vulnerabilities, deploying SIGNBT and LPEClient with memory injection and registry-based persistence, illustrating persistent espionage activity.
  • Twisted Web vulnerability CVE-2023-46137 (HTTP request smuggling) is identified as a risk with potential phishing and cache-poisoning implications, underscoring ongoing vulnerability exploitation.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The ransomware is intended to be executed using a dropper or script. Quote: ‘The ransomware is intended to be executed using a dropper or script, a tactic consistent with previous ARCrypter operations.’
  • [T1129] Shared Modules – Execution model involves modular components typical of ARCrypter-style droppers. Quote: ‘The Ransomware disguises itself as a Microsoft Windows Update executable named “WindowsUpdate.exe.”’
  • [T1055] Process Injection – Listed under Privilege Escalation in the article’s technique mapping. Quote: ‘Privilege Escalation… T1055: Process Injection’ (as mapped in the article).
  • [T1027] Obfuscated Files or Information – Advanced obfuscation techniques observed in Good Day samples. Quote: ‘Good Day ransomware demonstrates advanced obfuscation techniques by disguising itself as a Microsoft Windows Update executable.’
  • [T1027.005] Obfuscated Files or Information: Indicator Removal from Tools – Obfuscation combined with anti-analysis behaviors; quote: ‘Obfuscated Files or Information: Indicator Removal from Tools’ (as per mapping).
  • [T1036] Masquerading – Disguises as Windows Update executable to avoid user suspicion. Quote: ‘disguising itself as a Microsoft Windows Update executable’.
  • [T1070.004] Indicator Removal: File Deletion – Attempts to delete VSS to hinder recovery. Quote: ‘The ransomware also attempts to delete Volume Shadow Copies (VSS).’
  • [T1497] Virtualization/Sandbox Evasion – Detects debuggers to evade analysis. Quote: ‘detect its presence within specific debuggers…’
  • [T1010] Application Window Discovery – Discovery of active windows/environments to inform behavior (mapped from Defender/Evasion context). Quote: ‘Discovery’ references in the table.
  • [T1057] Process Discovery – Gathers process-related information (context: WMIC queries). Quote: ‘gathers information from infected systems through WMIC queries.’
  • [T1082] System Information Discovery – Collects system information to tailor actions. Quote: ‘gathers information from infected systems through WMIC queries.’
  • [T1083] File and Directory Discovery – Identifies files/folders to exclude or target. Quote: ‘The Ransomware includes a predefined list of folders and files that it should not encrypt.’
  • [T1518.001] Security Software Discovery – Detects security tools to avoid analysis (exploited in evasion logic). Quote: ‘Software Discovery: Security Software Discovery’ (from mapping).
  • [T1090] Proxy – Uses TOR-based victim portals and channels for C2/operations. Quote: ‘TOR-based victim portals for each target.’
  • [T1486] Data Encrypted for Impact – Files encrypted with new extensions; quote: ‘Following encryption, affected files receive new names with extensions like .crYptA or .crYptB…’
  • [T1490] Inhibit System Recovery – VSS deletion and other recovery-blocking steps. Quote: ‘The ransomware attempts to delete Volume Shadow Copies (VSS).’

Indicators of Compromise

  • [URL/Domain] – TOR-based portals and C2 channels: ea.gr8people.com, api.telegram.org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD-zrvRQ/sendMessage, and related Telegram endpoints
  • [URL] – Phishing and distribution links: https://ea.gr8people.com (phishing site impersonating Electronic Arts)
  • [URL] – C2 exfiltration: https://api.telegram.org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD-zrvRQ/sendDocument
  • [Domain/URL] – ZIP payload delivery: OneDrive hosting Senior_Manager_EA_Sport.zip
  • [File name] – Senior_Manager_EA_Sport.zip; Job_Description_of_Senior_Manager.pdf
  • [File path] – C:UsersAppDataLocalTempic300; C:UsersAppDataLocalTempJob_Description_of_Senior_Manager.pdf
  • [Mutex] – ICollectVASD (memory mutex used to ensure single run)
  • [Misc/Other] – WindowsUpdate.exe as a disguise; VSS deletion remnants; WMIC-based data collection
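The behaviours listed in the Keypoints, the MITRE mapping and the indicator list above (WindowsUpdate.exe masquerading, RUN key persistence, WMIC reconnaissance, VSS deletion, .crYptA/.crYptB renames, Telegram bot API exfiltration) can be turned into endpoint detection rules. The script below is an added example written for this summary, not CYFIRMA code and not a CYFIRMA-provided rule set. The events are constructed, Sysmon-like records: field names follow Sysmon (EventID 1 process create, 13 registry value set, 11 file create, 3 network connection), but the Url field on the network event is this example’s own addition (a proxy log would carry it), the bot token is a placeholder rather than the one in the indicator list, and the T1547.001 and T1567 technique IDs are standard ATT&CK IDs that the report’s own mapping does not use.

```python
"""Rule sketch for the Good Day / DUCKTAIL behaviours summarised above.

Added example (not CYFIRMA code). Events are constructed, Sysmon-like dicts;
the rules are defensive detections run over those records.
"""
import re

# Constructed sample telemetry. Paths, SIDs and the bot token are made up;
# the token is deliberately a placeholder, not the indicator from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version,OSArchitecture"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.crYptA"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\ic300\helper.exe",
     "DestinationHostname": "api.telegram.org",
     "Url": "https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument"},
    # Benign noise that must not alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s wuauserv"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
]

# Shadow-copy deletion via vssadmin or wmic (T1490, Inhibit System Recovery).
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# WMIC host reconnaissance (T1082, System Information Discovery).
WMIC_RECON = re.compile(r"\bwmic(\.exe)?\s+(os|computersystem|csproduct|bios|logicaldisk)\b", re.I)
# Telegram bot API send endpoints used as an exfiltration channel.
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/send(Message|Document)", re.I)
# Good Day's post-encryption extensions (T1486, Data Encrypted for Impact).
GOODDAY_EXT = re.compile(r"\.crYpt[AB]$")
# Registry Run key and user-writable locations for the persistence rule.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.I)


def masquerading_update(image: str) -> bool:
    """WindowsUpdate.exe running from outside the Windows directory (T1036)."""
    low = image.lower()
    return low.endswith("\\windowsupdate.exe") and not low.startswith("c:\\windows\\")


def run_key_from_user_path(event: dict) -> bool:
    """Run-key value whose data points into a user-writable path (T1547.001)."""
    return bool(RUN_KEY.search(event.get("TargetObject", ""))
                and USER_WRITABLE.search(event.get("Details", "")))


# (rule name, ATT&CK ID, Sysmon EventID the rule applies to, predicate)
RULES = [
    ("masquerading_windowsupdate", "T1036", 1, lambda e: masquerading_update(e.get("Image", ""))),
    ("run_key_persistence", "T1547.001", 13, run_key_from_user_path),
    ("vss_deletion", "T1490", 1, lambda e: bool(VSS_DELETE.search(e.get("CommandLine", "")))),
    ("wmic_system_recon", "T1082", 1, lambda e: bool(WMIC_RECON.search(e.get("CommandLine", "")))),
    ("goodday_extension", "T1486", 11, lambda e: bool(GOODDAY_EXT.search(e.get("TargetFilename", "")))),
    ("telegram_bot_exfil", "T1567", 3, lambda e: bool(TELEGRAM_BOT.search(e.get("Url", "")))),
]


def scan_events(events: list) -> list:
    """Apply every rule to every event; return one alert dict per match."""
    alerts = []
    for index, event in enumerate(events):
        for name, technique, event_id, predicate in RULES:
            if event.get("EventID") == event_id and predicate(event):
                alerts.append({"index": index, "rule": name, "technique": technique,
                               "image": event.get("Image", "")})
    return alerts


def techniques_observed(alerts: list) -> list:
    """Sorted, de-duplicated ATT&CK IDs for a quick report line."""
    return sorted({a["technique"] for a in alerts})


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['technique']}] {alert['rule']}: event {alert['index']} ({alert['image']})")
    print("Techniques observed:", ", ".join(techniques_observed(found)))
```

Each rule keys on the behaviour rather than on the sample hash, so a rebuilt binary with a different token or user path still trips the VSS, Run-key and extension rules; the two benign records at the end of the sample show the rules staying quiet on ordinary Windows Update service and Office activity.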

Read more: https://www.cyfirma.com/news/weekly-intelligence-report-03-nov-2023/