SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant

This blog entry offers a technical analysis of a new SolidBit variant that poses as different applications to lure gamers and social media users. The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and through its recruitment of ransomware-as-a-service affiliates.
By: Nathaniel Morales, Ivan Nicole Chavez, Monte de Jesus, Lala Manly, Nathaniel Gregory Ragasa

August 02, 2022


Trend Micro researchers recently analyzed a sample of a new SolidBit ransomware variant that targets users of popular video games and social media platforms. The malware was uploaded to GitHub, where it is disguised as different applications, including a League of Legends account checker tool (Figure 1) and an Instagram follower bot, to lure in victims.
The League of Legends account checker on GitHub (Figures 2 and 3) is bundled with a file that contains instructions on how to use the tool (Figure 4), but that is the extent of the pretense: it has no graphical user interface (GUI) or any other behavior related to its supposed function. When an unsuspecting victim runs the application, it automatically executes malicious PowerShell code that drops the ransomware. Another file that comes with the ransomware is called "Source code," but its contents appear to differ from the compiled binary.

Figure 1. The icon of one of the malicious applications, named "Rust LoL Accounts Checker"

Figure 2. The SolidBit ransomware variant masquerading as a League of Legends account checker tool on GitHub

Figure 3. Details about the fraudulent League of Legends account checker posted on GitHub

Figure 4. One of the files bundled with SolidBit's fraudulent League of Legends account checker on GitHub

Among the files bundled with the account checker, we also found an executable named Rust LoL Accounts Checker.exe (Figure 5) protected by Safengine Shielden, a protector that obfuscates samples and applications to make reverse engineering and analysis more difficult. When this file is executed, an error window appears claiming that debugging tools have been detected (Figure 6), which may be one of the malware's anti-virtualization and anti-debugging checks.

Figure 5. File properties of Rust LoL Accounts Checker.exe found using Detect It Easy

Figure 6. The pop-up window that appears when Rust LoL Accounts Checker.exe is executed

When the user runs this executable, it drops and executes Lol Checker x64.exe, which in turn runs the malicious PowerShell code that drops and executes the SolidBit ransomware. After pivoting on the binary in VirusTotal and AnyRun, we found that Rust LoL Accounts Checker.exe downloads and executes Lol Checker x64.exe using the following command:
cmd /c start "" %TEMP%\LoL Checker x64.exe
When Lol Checker x64.exe is executed, it begins by adding Windows Defender exclusions so that scheduled scans and real-time scanning skip the following folders and file extensions:

%UserProfile%
%AppData%
%Temp%
%SystemRoot%
%HomeDrive%
%SystemDrive%
.exe
.dll

Because %SystemDrive% and %HomeDrive% normally resolve to the drive the operating system lives on, these exclusions effectively cover the whole system disk. The file adds them with the following command, which chains two PowerShell invocations through cmd.exe:
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit;
After successfully excluding these directories from Windows Defender scanning, the file drops and executes Runtime64.exe, which we analyzed as the SolidBit ransomware, using the following command:
cmd /c start "" %TEMP%\Runtime64.exe
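The exclusions set by the command above can be audited and reversed from the same shell the dropper used. The following script is an added example written for this page, not code from the original analysis or from the malware. It assumes the Defender PowerShell module (Get-MpPreference / Remove-MpPreference) is available and that the session is elevated; the -Remediate switch and the message wording are this script's own conventions.

```powershell
# Added example for this page (not code from the original analysis or from the malware):
# check a host for the Windows Defender exclusions that Lol Checker x64.exe adds, and
# optionally remove them. Assumes the Defender PowerShell module (Get-/Remove-MpPreference)
# and an elevated session; the -Remediate switch is this script's own convention.
param([switch]$Remediate)

# Resolve the same environment variables the dropper passes to Add-MpPreference.
$dropperPaths = @($env:UserProfile, $env:AppData, $env:Temp, $env:SystemRoot,
                  $env:HomeDrive, $env:SystemDrive)
$dropperExts  = @('exe', 'dll')

$pref = Get-MpPreference

# Compare case-insensitively and ignore a trailing backslash; Defender stores
# extensions without a leading dot.
$hitPaths = @($pref.ExclusionPath | Where-Object {
    $p = $_.TrimEnd('\')
    @($dropperPaths | Where-Object { $_ -and ($_.TrimEnd('\') -ieq $p) }).Count -gt 0
})
$hitExts = @($pref.ExclusionExtension | Where-Object {
    $dropperExts -contains $_.TrimStart('.').ToLower()
})

if ($hitPaths.Count -eq 0 -and $hitExts.Count -eq 0) {
    Write-Output 'No SolidBit-style Defender exclusions present.'
} else {
    if ($hitPaths) { Write-Warning "Excluded paths matching the dropper: $($hitPaths -join ', ')" }
    if ($hitExts)  { Write-Warning "Excluded extensions matching the dropper: $($hitExts -join ', ')" }
    if ($Remediate) {
        if ($hitPaths) { Remove-MpPreference -ExclusionPath $hitPaths -Force }
        if ($hitExts)  { Remove-MpPreference -ExclusionExtension $hitExts -Force }
        Write-Output 'Exclusions removed; follow up with Start-MpScan -ScanType FullScan.'
    }
}

# Defender logs every configuration change as event ID 5007 in its operational log,
# so the Add-MpPreference calls leave a timestamped record even after the exclusions are gone.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions)' } |
    Select-Object TimeCreated, Message
```

Run it without -Remediate first so the event-log output is captured as evidence; the 5007 events give the time the exclusions were added, which is useful for scoping how long Runtime64.exe may have had a scanning-free window on the host.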

Ransomware analysis of SolidBit's new variant
This new version of SolidBit ransomware is a .NET compiled binary (Figure 7). After opening Runtime64.exe in the debugger and .NET assembly editor dnSpy, we found that the file was obfuscated. We used the .NET deobfuscator and unpacker de4dot to make the strings readable (Figure 8).

Figure 7. Properties of the binary shown by Detect It Easy

Figure 8. A comparison of the file before (left) and after (right) it was deobfuscated using de4dot

The ransomware creates a mutex and terminates if another copy of itself is found already running on the machine (Figure 9).

Figure 9. The mutex created by SolidBit ransomware

It also creates a registry entry under "Software\Microsoft\Windows\CurrentVersion\Run" with the value name "UpdateTask" as its autostart mechanism (Figure 10).

Figure 10. The registry entry for SolidBit's autostart mechanism

Prior to encryption, the ransomware checks whether the directory is in the root path and skips the following files and directories, as shown in Figure 11:

ProgramData
$Recycle.Bin
AMD
appdata\local
appdata\locallow
autorun.inf
boot.ini
bootfont.bin
bootmgfw.efi
bootsect.bak
desktop.ini
Documents and Settings
iconcache.db
Intel
MSOCache
ntuser.dat
ntuser.dat.log
ntuser.ini
NVIDIA
PerfLogs
Program Files
Program Files (x86)
thumbs.db
users\all users
Windows
Windows.old

Figure 11. SolidBit ransomware checking for files to be skipped

This SolidBit variant uses 256-bit Advanced Encryption Standard (AES) encryption to encrypt the files on its victim's computer (Figure 12). A key appended to the encrypted files' content (Figure 13) acts as SolidBit's infection marker. This key comes from a hard-coded string in the binary that was encrypted with Rivest-Shamir-Adleman (RSA) encryption and then Base64-encoded. The ransomware also appends the .SolidBit file extension to the encrypted files and changes their file icons (Figure 14). Its encryption routine only encrypts files with specific file extensions.

Figure 12. SolidBit ransomware's encryption routine

Figure 13. The encrypted content of the file

Figure 14. A file encrypted by SolidBit ransomware

This SolidBit variant also terminates several services, deletes any shadow copies (Figure 15) and backup catalogs (Figure 16), and deletes 42 services on the victim's computer.

Figure 15. SolidBit's deletion of shadow copies

Figure 16. SolidBit's deletion of the backup catalog

It also drops a ransom note, RESTORE-MY-FILES.txt, containing instructions on how the victim can pay the ransom, into every directory (Figure 17), and shows a pop-up window on the victim's screen (Figure 18).

Figure 17. Ransom note dropped by SolidBit ransomware

Figure 18. The pop-up window that SolidBit ransomware shows on the victim's screen
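The persistence and encryption artifacts described above (the "UpdateTask" Run value, the RESTORE-MY-FILES.txt notes, the .SolidBit extension, and the shadow copy deletion) can be hunted for on a suspect host. The following script is an added example written for this page, not code from the original analysis or from the malware. The analysis does not state which hive the Run entry is written to, so the script checks both HKCU and HKLM; the $SearchRoots parameter and the output layout are this script's own assumptions.

```powershell
# Added example for this page (not code from the original analysis or from the malware):
# triage a host for the SolidBit artifacts described in the analysis. The Run-key hive
# (HKCU vs. HKLM) is not stated there, so both are checked; $SearchRoots and the
# finding format are this script's own assumptions.
param([string[]]$SearchRoots = @($env:SystemDrive + '\'))

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Autostart: a value named "UpdateTask" under ...\CurrentVersion\Run.
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name 'UpdateTask' -ErrorAction SilentlyContinue
    if ($val) {
        $findings.Add([pscustomobject]@{
            Type = 'RunKey'; Where = "$runKey\UpdateTask"; Detail = $val.UpdateTask })
    }
}

# 2. Ransom notes and encrypted files. -eq on strings is case-insensitive in PowerShell,
#    so RESTORE-MY-FILES.TXT and .solidbit are matched as well.
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'RESTORE-MY-FILES.txt' -or $_.Extension -eq '.SolidBit' } |
        ForEach-Object {
            $type = if ($_.Extension -eq '.SolidBit') { 'EncryptedFile' } else { 'RansomNote' }
            $findings.Add([pscustomobject]@{
                Type = $type; Where = $_.FullName; Detail = $_.LastWriteTime })
        }
}

# 3. Shadow copies: zero entries on a host that is known to have had them is consistent
#    with the deletion shown in Figure 15 (requires an elevated session).
$shadows = @(vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID').Count
$findings.Add([pscustomobject]@{
    Type = 'ShadowCopies'; Where = 'vssadmin list shadows'; Detail = "$shadows present" })

$findings | Sort-Object Type, Detail | Format-Table -AutoSize
```

The LastWriteTime of the earliest RESTORE-MY-FILES.txt and .SolidBit entries brackets the start of encryption, which can then be lined up against the Defender 5007 events and the creation time of the Run value to reconstruct the order of the dropper's actions.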

SolidBit as a LockBit imitator
SolidBit has been suspected of being a LockBit ransomware copycat, as the two share similarities in the formatting of their chat support sites (Figure 19) and in the file names of their ransom notes (Figure 20).

Figure 19. Similarities between the chat support sites of LockBit (left) and SolidBit (right)

Figure 20. The ransom notes of LockBit (left) and SolidBit (right)

However, SolidBit ransomware is compiled using .NET and is actually a variant of Yashma ransomware, also known as Chaos (Figure 21). It is possible that SolidBit's operators are currently working with the original developer of Yashma ransomware and modified some features of the Chaos builder before rebranding it as SolidBit (Figure 22).

Figure 21. The functions of SolidBit ransomware (left) and Yashma ransomware (right)

Figure 22. SolidBit ransomware (left) and Yashma ransomware (right) checking files in a targeted system's directories

The new SolidBit sample is larger than its predecessors at 5.56 MB, compared with the 159 KB of earlier SolidBit variants. Its use of a fake League of Legends account checker application to drop the ransomware payload is a new technique in its arsenal.

SolidBit posing as social media tools
In addition to the fraudulent League of Legends account checker, the same GitHub account uploaded this new SolidBit variant disguised as other supposedly legitimate applications named "Social Hacker" (Figure 23) and "Instagram Follower Bot" (Figure 24). The account had been taken down as of this writing.

Figure 23. File properties of the new SolidBit ransomware variant disguised as an application named Social Hacker

Figure 24. File properties of the new SolidBit ransomware variant disguised as an application called Instagram Follower Bot

Both of these malicious applications display an error message when executed on a virtual machine (Figure 25). They exhibit the same behavior as the fake League of Legends account checker: they drop and execute an executable that, in turn, drops and executes the SolidBit ransomware payload (Figure 26).

Figure 25. The error message shown when the Social Hacker and Instagram Follower Bot applications are run on a virtual machine

Figure 26. The execution flow of the three malicious applications that carry the new SolidBit variant

SolidBit as ransomware-as-a-service
The malicious actors behind SolidBit are not relying only on trojanized apps to spread the ransomware. A researcher found that the SolidBit ransomware group also posted a job advertisement on an underground forum on June 29 to recruit affiliates for its ransomware-as-a-service (RaaS) operation. These affiliates, who are tasked with penetrating a victim's systems and distributing SolidBit, stand to receive 80% of the ransom payment as commission.

Warding off ransomware attacks
The malware authors behind SolidBit ransomware appear to be gearing up to expand their operations by recruiting ransomware-as-a-service partners who can infect victims at a wider scale, on top of the distribution approach of their newly found variant. The large commission share that SolidBit's authors offer is likely to attract other opportunistic threat actors, so we anticipate more activity from this ransomware group in the near future.
While it is not new for ransomware to disguise itself as a legitimate program or tool as a social engineering lure, SolidBit's new variant targets games and applications with a large user base. This lets SolidBit's operators cast a wide net of potential victims, and users who may not be well versed in security hygiene, such as children or teenagers, could fall for fraudulent applications and tools, as was the case in earlier Minecraft and Roblox malware infections.
End users and organizations alike can reduce the risk of ransomware infection by following these security best practices:

Enable multifactor authentication (MFA) to make it harder for attackers to move laterally inside a network.
Adhere to the 3-2-1 rule when backing up important files: keep three copies of the data on two different storage media, with one copy stored off-site.
Patch and update systems regularly. Keeping the operating system and applications up to date shrinks the window in which malicious actors can exploit known software vulnerabilities.

Organizations can also benefit from security solutions that offer multilayered detection and response such as Trend Micro Vision One™, which has multilayered protection and behavior detection capabilities that help block suspicious behavior and tools before ransomware can do any damage. Trend Micro Apex One™ also provides automated threat detection and response to protect endpoints against advanced threats such as fileless malware and ransomware.

Indicators of compromise (IOCs)
View the full list of IOCs here.
