CyberWire Daily - Noberus ransomware: Coded in Rust and tailored to victim. [Research Saturday]
Episode Date: February 26, 2022
Guest Dick O'Brien, Principal Editor at Symantec, joins Dave to discuss their team's research, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." Noberus is new ransomware used in mid-November attack, ConnectWise was likely infection vector. Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21. Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks where they first steal information from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files. The research can be found here: Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down threats and vulnerabilities, solving some of
the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So, you know, we do, like a lot of other vendors, we do find lots of new ransomware families,
but this one in particular stood out to us for a number of reasons.
We thought it seemed to be relatively sophisticated,
and so we thought it was something to watch and something we should maybe publish about.
That's Dick O'Brien. He's a principal editor with Symantec's threat intelligence research
team. The research we're discussing today is titled Noberus: Technical Analysis Shows
Sophistication of New Rust-Based Ransomware.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024,
these traditional security tools expand your attack surface with public-facing IPs that are
exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Well, the information that you published here is in two parts. And you start off here going through the anatomy of a specific attack.
It's quite an interesting narrative here.
Can we walk through it together?
What exactly happened to the organization that found themselves
the target of this group? Yeah, it's an interesting attack in terms of, I mean,
it demonstrates that whoever was behind it, now we don't know whether it was the ransomware authors
themselves or an affiliate, really knew their way around a network and knew how to deploy this ransomware. And also they were, I guess, quite confident in themselves
because in this case, the organization seemed to have discovered the attack
and made efforts to kick them off the network.
And they came back with another strain of the ransomware and managed to succeed.
And usually when an attack is discovered, that's it. The attackers disappear and then they try something else.
So how they got onto the network is a little bit unclear. We saw the first signs of suspicious activity seem to date from
November 3rd, and it seemed to kind of come from a remote machine on the network. So it could be the case of it was a machine that we didn't ourselves have visibility on because maybe our software wasn't running on it, or else that the attackers may have compromised or they may have added a new machine to the domain and then used that to start the attack.
And so once they were in the network, how did they go about spreading around and also maintaining persistence? They used a lot of the tools and techniques that
we'd see targeted ransomware attackers used. There's a number of steps that they all need to
take. It would, you know, escalating privileges in order to gain admin privileges,
stealing credentials, and then moving laterally across the network.
One of the steps that we saw them take was they managed to disable
the remote admin feature, and that effectively took away the safeguards
against pass-the-hash attacks.
They also used PowerShell via PsExec to disable Windows
Defender. They didn't disable it as such, they just modified it in a way that it was disabled,
so they added executable files to the exclusion list, and then used PsExec again to deploy the
ransomware across the network. At what point did the targeted organization detect that something was going on?
I believe it was during the ransomware deployment stage.
And the reason I say this is because they had to recompile a new version of the ransomware.
So it was obviously once they started rolling out the ransomware itself that they noticed
that the attack was underway.
You know, the ransomware itself kind of does a fair bit of work.
So there may have been a kind of window for the organization to notice the attack and close it down before the ransomware could finish doing its work.
Is there any sense for how long they were in the network before they
actually started encrypting files? Yeah, I mean, it's, let me see, the first time we're sure of
malicious activity was November 3rd, and the actual encryption, I believe, occurred on November 18th,
so nearly two weeks, which is, you know, a long time to be on a network. And we might get
to it later, but they made the most of that time on the network because they seem to have done
pretty extensive reconnaissance. They knew an awful lot about the organization they were attacking.
Well, let's dig into that. How were they going about that reconnaissance and what sort of
information were they gathering? Obviously, I mean, you know, we don't have visibility into every single thing
that they did. But when we analyzed the ransomware sample that was used against the victim, it had
a number of interesting features. And that was that not only were administrative credentials
for that organization baked into the sample,
but they'd also have an application kill list.
Now, an application kill list is not unusual.
There's a list of applications that they want to shut down before encryption launches.
But it seemed to be unique to that organization.
So they had gone about and gathered.
They realized what applications were running in that environment, and they added it to the kill list. So the ransomware was kind of highly tailored
to the victim. Well, let's dig into some of the technical details of this particular ransomware
operator. One of the things that you all noted was that they were doing their development in Rust.
Yeah, yeah. I mean, that's one of the things that caught our attention.
I gather Rust is a really hot programming language right now.
It's quite popular.
I think one of the reasons it's quite popular
is that people believe that it can be used
to create kind of quite clean, efficient applications.
And I guess there is an obvious appeal
to ransomware operators with that
because speed is of the essence in ransomware attacks.
As I mentioned earlier,
the average piece of ransomware has a lot of work to do.
You know, it has to like try and delete the backups.
It might have to exfiltrate data
and then it has to encrypt a whole bunch of files
on each computer.
So it's quite labor-intensive, and I guess the quicker it can accomplish those tasks,
the better.
And maybe the ransomware developer, I guess like any other software developer, said, well,
let's see what Rust has to offer and whether it gives us any advantages.
Yeah, I guess not surprising that they would be using the latest, greatest hot tools.
Yeah, I mean, ransomware is very much a marketplace like anything else.
And you see people try to experiment with new techniques and new technologies.
Well, let's walk through the technical details together.
The information that you all published has an extensive step-by-step description here.
Can you take us through what exactly happens here? Yeah, I mean, it does a lot of things before it
starts encrypting. As I mentioned earlier, it removes shadow copies, and then it issues a
command to collect a universal identifier from the infected machine.
And that's something we can maybe talk a little bit more about later,
because I think it's one of the more interesting features of this ransomware.
It then attempts to mount hidden partitions.
And then it also then attempts to propagate itself via network shares.
And it looks for available
shares by using the net use command.
And then the aforementioned administrative credentials that is baked into the ransomware
are maybe leveraged then to use to propagate via network shares.
The next step it takes is to kill processes on the machine. There's a kind of a generic list
of processes that it will try and kill, but it will also, as I mentioned earlier, kill a custom
list that are specific to that organization. Then it begins encryption. Like most ransomware,
it doesn't try and encrypt everything on the hard drive. It excludes certain directories
and file names, and that's really just to kind of speed up the encryption process, to make sure that
they're just encrypting valuable data as opposed to, you know, stuff that, you know, the user doesn't
really care about.
You mentioned, uh, it was interesting the way it was working with UUIDs. What caught your eye there?
Yes, this was quite an interesting feature because
it has a unique ID for each infection. And this creates an access token that creates a unique
address for the victim to visit in order to negotiate with the attackers or pay the ransom.
And this is something I haven't seen before anyway.
I'm not saying for sure that nobody else has done it,
but it's certainly something unique that we've seen,
that it means that only somebody with access to the infected computer
can get the address to visit to negotiate with the attackers.
And we think that this has been caused by the fact
that there's been some level of frustration expressed by ransomware attackers in recent
times that outsiders neither the victim or their representative are kind of crashing these
ransomware negotiations and disrupting them. And it could be reporters indeed,
looking in on ransomware negotiations
and reporting on them.
What usually happens is that somebody might upload a sample
of the ransomware to VirusTotal or something like that.
And the Tor site that's used for negotiation
is in that sample. And then it becomes public, and anybody who has the address can visit it.
So this kind of creates an address that is unique to the victim and is only accessible to the victim as well.
At the end, there's a little bit of innovation.
It also suggests that people who developed this ransomware knew what they were doing and maybe kind of experienced operators in the space
knew that this was a problem to be addressed
and this was their way of dealing with it.
Do you have any indications of who might be behind this?
No.
Not in terms of identities.
We have been informed by third parties that it has been advertised on
Russian-speaking cybercrime forums. So there's, you know, there's some suggestion there that the
authors are Russian-speaking. But, you know, that's not, you know, hard and fast, uh, evidence or anything
like that. But the fact that, you know, it's been advertised in the cybercrime community and the fact that there's a fair bit of sophistication behind it, I'd say it isn't these people's first rodeo, so to speak.
Yeah, I think that's an interesting aspect of this.
I mean, it sounds to me like this particular group is on the higher level of sophistication in your estimation?
Definitely so. I think it's one to watch. Now, whether they gain traction or not
is another question. There's a number of factors, I believe, that would kind of decree the success
of ransomware. But if you're looking at up-and-coming ransomware families, this is one
I would definitely be watching in the coming months.
Are there any specific recommendations here based on the information you gathered for organizations to best protect themselves against this group?
I think the advice in regard to Noberus would be kind of the same with regard to all of the other, you know, high-level ransomware threats.
And that is that you need to adopt defense in depth because, you know, you can't rely on any single strategy because these, these guys are,
you know, it's human operated ransomware. They, you know,
if they find themselves stymied at one point,
they will usually attempt a different tactic.
So you really need to, you really need to
kind of consider your protection across the attack chain in terms of vectors, how they get
out to networks. I would say that a lot of the more frequently seen threats we've seen
are being spread in collaboration with botnets. TrickBot, Emotet is back again.
It's also being involved in ransomware,
IcedID, botnets like that.
They have kind of the reach to get into organizations.
They're able to,
they have a high level of spamming infrastructure behind them.
And what they seem to do is,
is they now have a close relationship
with ransomware organizations, and they sell off the choices victims to ransomware attackers who
then kind of proceed to elaborate, to unfurl the attack further. So that's one major infection
vector. The other one we've seen a lot of is exploitation of vulnerabilities and public-facing applications.
It's not done by all ransomware groups, but a select few seem to specialize in it.
That's, I guess, your point of entry.
Then once they're on the network, I think I would advise any organization to familiarize themselves with the techniques that ransomware groups use to steal credentials, to move across
the network, and escalate privileges. So you will see the use of some malicious tools, but there's
an awful lot of living off the land type activity or abuse of legitimate tools. We've seen an awful
lot of remote access or remote desktop tools being
deployed in ransomware attacks, for example. So with that in mind, keep a close eye on what
applications are running on your network. And if there's applications that you do not expect to see
running on your network or are not authorized to run on your network, like remote access programs, you need to kick them off immediately.
I would advise close monitoring of any PowerShell usage.
Also, implement multi-factor authentication for admin privileges and things like that.
You know, and then you kind of, you get onto your security software stage and I'm not even
going to give you, I'm not going to give the hard sell on our products.
But obviously, you know, a good AV solution,
a good EDR solution are critical
in terms of being able to identify
and remediate ransomware attacks.
Our thanks to Dick O'Brien from Symantec for joining us. The research is titled
Noberus: Technical Analysis Shows Sophistication of New Rust-Based Ransomware. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thanks for listening.
We'll see you back here next week.