SentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021 following a set of destructive attacks starting in December 2020. Since we last reported on this threat actor in May 2020, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently as the threat actor likely initiated a ransomware attack on the Israeli university Bar-Ilan using the group’s custom Apostle ransomware.
Although the full technical details of the incident were not disclosed publicly, some information was released to the public, most notably the ransom demand text file dropped on victim machines. The .txt file matches the one from a new version of Apostle compiled on August 15, 2021, the day of the attack.
The new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, as it attempts to masquerade its payload in resources as log files. Before executing the Apostle payload, Jennlog runs a set of checks, based on an embedded configuration, to verify that it is not being executed in an analysis environment. Following the analysis of the Jennlog loader, SentinelLabs retrieved an additional variant of Jennlog, used to load and run OrcusRAT.
Jennlog (5e5e526a69490399494dcd7195bb6c67) is a .NET loader that deobfuscates, decompresses and decrypts a .NET executable from a resource embedded within the file. The resources within the loader are made to look like log files, and they contain both the binary to run and a configuration for the malware’s execution.
Jennlog attempts to extract two different resources:
- helloworld.pr.txt – stores the Apostle payload and the configuration.
- helloworld.Certificate.txt – contains None. If configured to do so, the malware compares the MD5 value of the system information (used as a system fingerprint) to the contents of this resource.
The payload hidden in “helloworld.pr.txt” looks like a log file at first sight:
The payload is extracted from the resource by searching for a separator word – “Jennifer”. Splitting the contents of the resource results in an array of three strings:
- Decoy string – most likely there to make the log file look more authentic.
- Configuration string – used to determine the configuration of the malware execution.
- Payload – an obfuscated, compressed and encrypted file.
The configuration of Jennlog consists of 13 values, 12 of which are actually used in this version of the malware. In the variants we were able to retrieve, all of these flags are set to 0.
One of the more interesting flags found here is the certificate flag. If this flag is set, it causes the malware to run only on a specific system. If the system does not match the configured MD5 fingerprint, the malware either stops operation or deletes itself using the function ExecuteInstalledNodeAndDelete(), which creates and runs a BAT file, as observed in other Agrius malware.
Following all of the configuration-based checks, Jennlog continues to unpack the main binary from within the resource “helloworld.pr.txt” by performing the following string manipulations in the function EditString() on the obfuscated payload:
- Replace all “nLog” with “
- Reverse the string.
- Remove all whitespace.
This manipulation results in a long base64-encoded deflated content, which is inflated using the function stringCompressor.Unzip(). The inflated content highly resembles the contents of the original obfuscated payload, and it is deobfuscated again using the
The deobfuscation of the inflated content is performed in a rather peculiar manner, being run as a “catch” statement after attempting to convert a string containing a URL to an int, which will always result in an error. The domain presented in the URL was never purchased, and highly resembles other unpurchased Agrius malware domains, usually used as “Super Relays”. Here, however, the domain is not actually contacted.
Following a second run of the EditString() function, Jennlog decodes the extracted content and decrypts it using an implementation of RC4 with a predefined key. The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and run using the parameters given to Jennlog at execution.
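As an added illustration (this is not code from the report, nor the loader’s own code), the following Python reconstructs the unpacking chain described above for an analyst: splitting the fake log resource on the separator word, then two EditString() passes with inflation after the first and base64 decoding plus RC4 decryption after the second. The replacement value for “nLog”, the RC4 key, the configuration delimiter and the sample resource are constructed assumptions, not values from the page.

```python
import base64
import zlib

SEPARATOR = "Jennifer"                  # separator word named in the report
TOKEN, TOKEN_REPLACEMENT = "nLog", "A"  # replacement value is an assumption; the page elides it
RC4_KEY = b"constructed-demo-key"       # constructed; the real predefined key is not on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def edit_string(obfuscated: str) -> str:
    """EditString() as described: substitute the token, reverse, drop all whitespace."""
    return "".join(obfuscated.replace(TOKEN, TOKEN_REPLACEMENT)[::-1].split())

def split_resource(resource: str) -> tuple:
    """Split the fake log resource on the separator into (decoy, config, payload)."""
    decoy, config, payload = resource.split(SEPARATOR)
    return decoy, config, payload

def unpack_payload(payload: str, key: bytes = RC4_KEY) -> bytes:
    """Pass 1: EditString -> base64 -> inflate. Pass 2: EditString -> base64 -> RC4."""
    inflated = zlib.decompress(base64.b64decode(edit_string(payload)), -zlib.MAX_WBITS)
    return rc4(key, base64.b64decode(edit_string(inflated.decode("ascii"))))

# Constructed sample resource: the inverse of the steps above, used only to build test input.
def _obfuscate(clean: str) -> str:
    spaced = " ".join(clean[i:i + 8] for i in range(0, len(clean), 8))
    return spaced[::-1].replace(TOKEN_REPLACEMENT, TOKEN)

def _deflate(data: bytes) -> bytes:
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, no zlib header
    return comp.compress(data) + comp.flush()

SAMPLE_PLAINTEXT = b"MZ-constructed-stand-in-for-the-embedded-.NET-executable"
SAMPLE_CONFIG = ";".join(["0"] * 13)  # 13 flags, all 0 as in the retrieved variants (delimiter constructed)
_inner = _obfuscate(base64.b64encode(rc4(RC4_KEY, SAMPLE_PLAINTEXT)).decode("ascii"))
_outer = _obfuscate(base64.b64encode(_deflate(_inner.encode("ascii"))).decode("ascii"))
SAMPLE_RESOURCE = SEPARATOR.join(["2021-08-15 00:00:01 INFO service started", SAMPLE_CONFIG, _outer])
```

Because EditString() substitutes the token before reversing, a stray occurrence of the token inside the encoded data would corrupt the decode, so an analyst’s unpacker should validate that each stage yields well-formed base64 before continuing.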
Apostle Ransomware Analysis
The new variant of Apostle (cbdbda089f7c7840d4daed22c34969fd876315b6) embedded within the Jennlog loader was compiled on August 15, 2021, the day the attack on Bar-Ilan university was carried out. Its execution flow is highly similar to the variant described in previous reports, and it even checks for the same Mutex as the previous ransomware variant.
The message embedded within it, however, is quite different:
Ooops, Your recordsdata are encrypted!!! Don't fret,You may return all of your recordsdata! If you wish to restore theme, Ship $10000 price of Monero to following tackle : 43JuFUyzfcKQwTzCTHpQoA8uLGtbwFBLyeeXoYEEU5dZLhLT1cZJDk4cytjcgQT7kdjSerJqpEp2gUcH91bjLcoq2bqik3j Then comply with this Telegram ID : hxxps://t[.]me/x4ran
This is the exact same message that was released to the media in the context of the Bar-Ilan ransomware incident, as reported on ynet:
Aside from the ransom demand note, the wallpaper image used on affected machines was also changed, this time presenting an image of a clown:
OrcusRAT Jennlog Loader
An additional variant of Jennlog (43b810f918e357669be42030a1feb727) was uploaded to VirusTotal on July 14, 2021 from Iran. This variant is highly similar to the one used to load Apostle, and contains a similar configuration scheme (all set to 0). It is used to load a variant of OrcusRAT, which is extracted from the file’s resources in a similar manner.
The OrcusRAT variant (add7b6b60e746c36a66f5ec233873372) extracted from within it was submitted to VT on June 20, 2021 using the same submitter ID from Iran. It appears to connect to an internal IP address – 192.168.178.114, indicating it might have been used for testing. It also contained the following PDB path:
Agrius has shown a willingness to strategically wipe systems and has continued to evolve its toolkit to enable ransomware operations. At present, we do not know if the actor is committed to financially-motivated operations, but we do know the original intent was sabotage. We expect the type of subterfuge seen here to be deployed in future Agrius operations. SentinelLabs continues to track the development of this nascent threat actor.
Jennlog Loader (Apostle Loader)
Apostle – Bar-Ilan variant
Jennlog Loader (OrcusRAT Loader)