
New Version of Apostle Ransomware Reemerges in Targeted Attack on Higher Education

SentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021, following a set of destructive attacks beginning in December 2020. Since we last reported on this threat actor in May 2021, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently when the threat actor apparently initiated a ransomware attack on the Israeli university Bar-Ilan, using the group's custom Apostle ransomware.

Although the full technical details of the incident were not disclosed publicly, some information was released to the public, most notably the ransom demand text file dropped on victim machines. The .txt file matches the one embedded in a new version of Apostle compiled on August 15, 2021, the day of the attack.

The new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, since it attempts to masquerade the payload in its resources as log files. Before executing the Apostle payload, Jennlog runs a set of checks, driven by an embedded configuration, to verify that it is not being executed in an analysis environment. Following the analysis of the Jennlog loader, SentinelLabs retrieved an additional variant of Jennlog, used to load and run OrcusRAT.

Jennlog Analysis

Jennlog (5e5e526a69490399494dcd7195bb6c67) is a .NET loader that deobfuscates, decompresses and decrypts a .NET executable from a resource embedded within the file. The resources within the loader are made to look like log files, and they contain both the binary to run and a configuration for the malware's execution.

Jennlog attempts to extract two different resources:

  • helloworld.pr.txt – stores the Apostle payload and the configuration.
  • helloworld.Certificates.txt – contains the string "None". If configured to do so, the malware compares the MD5 hash of the system information (used as a system fingerprint) to the contents of this resource.

The payload hidden in "helloworld.pr.txt" looks like a log file at first sight:

Contents of the "helloworld.pr.txt" resource embedded within Jennlog

The payload is extracted from the resource by searching for a separator word, "Jennifer". Splitting the contents of the resource on it yields an array of three strings:

  1. Decoy string – most likely there to make the log file look more authentic.
  2. Configuration string – used to determine the configuration of the malware's execution.
  3. Payload – an obfuscated, compressed and encrypted file.

Configuration

The configuration of Jennlog consists of 13 values, 12 of which are actually used in this version of the malware. In the variants we were able to retrieve, all of these flags are set to 0.

Jennlog configuration values

One of the more interesting flags found here is the certificate flag. If this flag is set, it causes the malware to run only on a specific system. If the system does not match the configured MD5 fingerprint, the malware either stops operation or deletes itself using the function ExecuteInstalledNodeAndDelete(), which creates and runs a BAT file, as observed in other Agrius malware.

Jennlog ExecuteInstalledNodeAndDelete() function

Following all of the configuration-based checks, Jennlog continues to unpack the main binary from within the resource "helloworld.pr.txt" by performing the following string manipulations on the obfuscated payload in the function EditString():

  • Replace all occurrences of "nLog" with "A".
  • Reverse the string.
  • Remove all whitespace.

This manipulation results in a long base64-encoded, deflated blob, which is inflated using the function stringCompressor.Unzip(). The inflated content closely resembles the original obfuscated payload, and it is deobfuscated again using the EditString() function.

The deobfuscation of the inflated content is carried out in a rather peculiar manner: it runs inside a "catch" block after an attempt to convert a string containing a URL to an int, which always throws. The domain in the URL was never purchased, and closely resembles other unpurchased domains found in Agrius malware, usually used as "Super Relays". Here, however, the domain is never actually contacted.

Execution of the EditString() function inside a catch block

Following the second run of the EditString() function, Jennlog base64-decodes the extracted content and decrypts it using an implementation of RC4 with a hardcoded key. The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and run using the parameters given to Jennlog at execution.
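The unpacking chain described above, written out as a stand-alone Python reimplementation. This is an added illustration, not Jennlog's own code and not SentinelLabs tooling. The separator word "Jennifer", the "nLog" to "A" substitution, the reverse-and-strip steps, the inflate step and the final base64-then-RC4 stage follow the write-up; the RC4 key, the gzip container assumed for stringCompressor.Unzip(), the comma delimiter of the 13-value configuration, the decoy log line and the sample payload are assumptions made so the example runs offline. The pack_resource() helper is the inverse of the loader's logic and exists only to construct a sample resource; unpack_payload() is the part an analyst would point at a real extracted resource.

```python
import base64
import gzip
import hashlib

# Constants taken from the write-up.
SEPARATOR = "Jennifer"   # word the loader splits the resource on
OBF_TOKEN = "nLog"       # replaced by "A" in the first EditString() step

# ASSUMPTIONS (not from the write-up): the real key is not published, the
# configuration delimiter is unknown, and the decoy/payload below are made up.
RC4_KEY = b"demo-key-not-the-real-one"
CONFIG = ",".join(["0"] * 13)                        # 13 flags, all 0 as in the samples
DECOY = "2021-08-15 09:41:12 INFO Service started"   # constructed decoy log line


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def edit_string(text: str) -> str:
    """Jennlog's EditString(): 'nLog' -> 'A', reverse, drop all whitespace."""
    text = text.replace(OBF_TOKEN, "A")
    text = text[::-1]
    return "".join(text.split())


def unzip(b64: str) -> str:
    """stringCompressor.Unzip(): base64-decode, then inflate back to text.
    ASSUMPTION: a gzip container, as in the common C# StringCompressor snippet."""
    return gzip.decompress(base64.b64decode(b64)).decode()


def split_resource(resource: str):
    """Split helloworld.pr.txt on the separator: (decoy, config, obfuscated payload)."""
    decoy, config, payload = resource.split(SEPARATOR, 2)
    return decoy, config, payload


def unpack_payload(obfuscated: str, key: bytes = RC4_KEY) -> bytes:
    """EditString -> Unzip -> EditString -> base64 -> RC4, yielding the .NET payload."""
    stage1 = edit_string(obfuscated)          # long base64 of deflated content
    stage2 = edit_string(unzip(stage1))       # inflated text is obfuscated the same way
    return rc4(key, base64.b64decode(stage2))


def system_fingerprint(system_info: str) -> str:
    """MD5 of the system information string, the fingerprint the certificate flag compares."""
    return hashlib.md5(system_info.encode()).hexdigest()


def certificate_allows(system_info: str, certificate_resource: str) -> bool:
    """Certificate check: run only if the fingerprint equals the Certificate resource.
    The retrieved samples carry the string 'None' there, which matches no host."""
    return certificate_resource.strip().lower() == system_fingerprint(system_info)


# --- Inverse of the loader's logic, used only to build an offline sample. ---

def _inverse_edit(text: str, width: int = 48) -> str:
    """Produce text that edit_string() maps back to `text`: wrap into log-like
    lines, reverse, then expand every 'A' into 'nLog'."""
    wrapped = "\n".join(text[i:i + width] for i in range(0, len(text), width))
    reversed_text = wrapped[::-1]
    assert OBF_TOKEN not in reversed_text, "would collide with the substitution"
    return reversed_text.replace("A", OBF_TOKEN)


def pack_resource(payload: bytes, decoy: str = DECOY, config: str = CONFIG,
                  key: bytes = RC4_KEY) -> str:
    """Build a helloworld.pr.txt-style resource that unpack_payload() reverses."""
    inner = base64.b64encode(rc4(key, payload)).decode()
    obf1 = _inverse_edit(inner)
    zipped = base64.b64encode(gzip.compress(obf1.encode())).decode()
    obf2 = _inverse_edit(zipped)
    return SEPARATOR.join([decoy, config, obf2])


if __name__ == "__main__":
    sample = b"MZ\x90\x00" + b"constructed stand-in for the Apostle .NET payload"
    resource = pack_resource(sample)
    decoy, config, blob = split_resource(resource)
    flags = [int(v) for v in config.split(",")]
    print("decoy line :", decoy)
    print("config     :", flags)
    print("cert check :", certificate_allows("host-info", "None"))
    assert unpack_payload(blob) == sample
    print("unpacked   :", unpack_payload(blob)[:16])
```

Point split_resource() at the raw text of the helloworld.pr.txt resource; if the key or the compression container differ in a real sample, RC4_KEY and unzip() are the two places to adjust, and the rest of the chain stays as described.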

Apostle Ransomware Analysis

The new variant of Apostle (cbdbda089f7c7840d4daed22c34969fd876315b6) embedded within the Jennlog loader was compiled on August 15, 2021, the day the attack on Bar-Ilan University was carried out. Its execution flow is very similar to the variant described in earlier reports, and it even checks for the same mutex as the previous ransomware variant.

The message embedded within it, however, is quite different:

Ooops, Your files are encrypted!!! Don't worry,You can return all your files! 
If you want to restore theme, Send $10000 worth of Monero to following address :  
43JuFUyzfcKQwTzCTHpQoA8uLGtbwFBLyeeXoYEEU5dZLhLT1cZJDk4cytjcgQT7kdjSerJqpEp2gUcH91bjLcoq2bqik3j 
Then follow this Telegram ID :  hxxps://t[.]me/x4ran

This is the exact same message that was released to the media in the context of the Bar-Ilan ransomware incident, as reported on ynet:

Ransom demand text file as seen at Bar-Ilan University

Apart from the ransom demand note, the wallpaper image used on affected machines was also changed, this time presenting an image of a clown:

New Apostle variant wallpaper image

OrcusRAT Jennlog Loader

An additional variant of Jennlog (43b810f918e357669be42030a1feb727) was uploaded to VirusTotal on July 14, 2021 from Iran. This variant is very similar to the one used to load Apostle, and contains a similar configuration scheme (all flags set to 0). It is used to load a variant of OrcusRAT, which is extracted from the file's resources in a similar manner.

The OrcusRAT variant (add7b6b60e746c36a66f5ec233873372) extracted from within it was submitted to VirusTotal on June 20, 2021 using the same submitter ID from Iran. It appears to connect to an internal IP address, 192.168.178.114, indicating it may have been used for testing. It also contained the following PDB path:

C:\Users\dou\Desktop\repo\arcu-win\src\Orcus\obj\Debug\Orcus.pdb

Conclusion

Agrius has shown a willingness to strategically wipe systems and has continued to evolve its toolkit to enable ransomware operations. At this time, we do not know whether the actor is committed to financially motivated operations, but we do know the original intent was sabotage. We expect the kind of subterfuge seen here to be deployed in future Agrius operations. SentinelLabs continues to track the development of this nascent threat actor.

Technical Indicators

Jennlog Loader (Apostle Loader)

  • 5e5e526a69490399494dcd7195bb6c67
  • c9428afa269bbf8c48a08a7109c553163d2051e7
  • 0ba324337b1d76a5afc26956d4dc9f57786483230112eaead5b5c92022c089c7

Apostle – Bar-Ilan variant

  • fc8221382521a40ec0042431a947a3ca
  • cbdbda089f7c7840d4daed22c34969fd876315b6
  • 44c13c46d4f597ea0625f1c87eecffe3cd5dcd257c5fac18a6fa931ba9b5f97a

Jennlog Loader (OrcusRAT Loader)

  • 43b810f918e357669be42030a1feb727
  • 3de36410a99cf3bd8e0c56fdeafa32bbf7625af1
  • 14659857df1753f720ac797a43a9c3f3e241c3df762de7f50bbbae00feb818c9

OrcusRAT

  • add7b6b60e746c36a66f5ec233873372
  • a35bffc49871bb3a48bdd35b4a4d04d208f23487
  • 069686119adc13e1785cb7a425611d1ec13f33ae75962a7e50e00414209d1809
