EPHEMERAL LOCKPICKER: Malware Leveraged for Novel Intrusion Lifecycle and LuckyDay Ransomware Delivery

In 2021, Kroll investigators have had multiple opportunities to respond to a series of interconnected network intrusions, ransomware events and cyber incidents which, upon investigation and review, possessed overlapping tactics, techniques and procedures (TTPs) and similar indicators of compromise (IOC) among them. The incidents affected organizations of various sizes across diverse industry sectors through what Kroll’s investigations confirmed was a range of separate intrusion vectors. However, Kroll discerned similarities which it assessed was a novel malware attack pattern, and for which Kroll identified scant to no open-source reporting on this threat actor toolkit that preceded LuckyDay ransomware deployment in certain circumstances. Kroll has titled the threat actor toolkit and related intrusion lifecycle pattern EPHEMERAL LOCKPICKER, which is composed of the malware toolkit itself and the threat actor TTPs used as the primary delivery mechanism for observed LuckyDay ransomware payloads.

Kroll is pleased to share the research it has conducted on the malware and the threat actor toolkit with the greater information security community. Our goal is to encourage further investigations that can better equip security, digital forensics, malware reverse engineering and incident response professionals in detecting, mitigating and responding to attacks leveraging this malware.

At a glance, EPHEMERAL LOCKPICKER is distinguished by four distinct features:

• Novel techniques that are designed to appear benign in the face of scrutiny 
• TTPs that represent a concerted effort to remain resident only in memory
• Customized data collection utilities
• Ultimate observed endgame: ransomware with an internal name of locker_64.exe

Kroll’s analysis determined that across numerous investigations, a common LuckyDay ransomware was deployed via the same PowerShell interpreter. It was not written to the filesystem, and threat actor TTPs limited the scope and availability of system logging activity.

As with numerous Kroll investigations involving the cited malware, ransom notes and payment site similarities initially suggested a connection between the ransomware sample investigated by Kroll and LuckyDay. In the meantime, ransom note and payment site similarities have resulted in the widely reported association of LuckyDay ransomware with LockBit et al.

However, Kroll assessed that the ransomware sample was not likely limited to LuckyDay ransomware. Kroll determined that the sample was employed by threat actors prior to the use of the LuckyDay payment site (luckydaynywoklzy.onion) and was actively employed by threat actors as far back as September 15, 2020. This activity predated any known Kroll-observed or open-source identifiable malware activity associated with LuckyDay and the .luckyday file extension.

Attacker Toolkit 

Backdoors 

The backdoors employed by EPHEMERAL LOCKPICKER were not the more commonly observed banking Trojans, stage one and/or two downloaders or botnets. Instead, the backdoors provided simple, yet effective, remote access to the PowerShell interpreter via download and execute functionality. Furthermore, Kroll observed their operation in conjunction with other malware samples. Analysis revealed the malware samples were coded using C# and PowerShell, which was like many of the other samples uncovered as part of the investigation.

The Base64-encoded PowerShell script highlighted in Figure 1 is part of the threat actor arsenal. It uses legitimate system tools instead of malicious executables to retrieve and execute payloads and further evade traditional security apparatus. Kroll researchers observed multiple layers of obfuscation, which were ultimately decoded using dynamic analysis with the native PowerShell interpreter in a controlled environment.

A key IOC was revealed in another obfuscated script, hxxps://3105436412. The use of decimal formatted addresses is a common tactic leveraged by EPHEMERAL LOCKPICKER. This address was in decimal format only to hinder analysis and was converted into the classic dotted decimal representation: hxxps://185.25.50.252. After configuration of a proper control environment to sniff TLS traffic, examiners were able to identify, capture and analyze the final payload.

Figure 1 – Encoded PowerShell

Security Bypass Utility

EPHEMERAL LOCKPICKER leverages a variety of tactics to bypass or disable security software, including Microsoft’s AMSI (Antimalware Scan Interface). Kroll identified that the threat actors used a copy-paste of the well-known bypass technique ASBBypass from Rasta-mouse with some strings obfuscation. Upon inspection, there was an in-memory patching of the AMSI.dll library to always return AMSI_RESULT_CLEAN code from the function AmsiScanBuffer(). This is the function that will detect any potential malicious signature from the script passed to the interpreter (Figure 2).

Figure 2 – AMSI Bypass

The end goal of the AMSI bypass was to overwrite the entry point of the AmsiScanBuffer function with the byte array listed above. The byte arrays had those patching bytes as they had the same purpose; however, they must be different due to the calling convention variations between 32- and 64-bit architectures. Disassembling those bytes, Kroll obtained the same code: instructions to patch the entry point of function AmsiScanBuffer to always return AMSI_RESULT_CLEAN to the calling function and continue the execution.

After AMSI was bypassed, the malicious script proceeded undisturbed using legitimate executables on the system. The script performed the deletion of Volume Shadow Copies with the command illustrated in Figure 3 to ensure the data could not be easily restored.

Figure 3 – Backup Deletion

After the backup copies were deleted and disabled, the next priority was to disable a variety of services that could impact encryption. For example, targeted services included Kaspersky, Norton, Cylance, nod32 or iisadmin, Veritas and pop3 or even services that contained words like iDRAC, Dell or Azure in their name. These strings were all encoded using base64, so they were decoded and documented (Figure 4).

Figure 4 – Disabled Services List

Every process in the list was enumerated and eventually stopped, as was observed during controlled tests and in victim environments during investigative analysis. Separate functions were used for stopping Microsoft Exchange and Windows Defender. Additionally, the malicious script searched for and stopped system monitoring processes like wireshark, procmon, process explorer, etc. (Figure 5).

Figure 5 – Monitor Process Disable

After all these actions were completed, the ransomware ran undisturbed on systems, encrypting the vast majority of important files.

EPHEMERAL LOCKPICKER and Ransomware

During Kroll’s 2021 breach response and forensic engagement that initiated this malware research and analysis, Kroll investigators recovered a 64-bit C# application with behavior consistent with ransomware. 

Delivery

Like many of the tools employed by the threat actor, the ransomware in this investigation was delivered to the impacted systems through the PowerShell interpreter. As seen in Figure 6, the ransomware was stored in a hash table as base64 encoded values. The ransomware was reconstituted by sorting the hash table on the numerical keys, performing base64 decoding and inflating the compressed binary stream (seen in Figure 7, lines 460-473). Finally, the ransomware was executed with arguments on line 479 (Figure 7). While these arguments were crucial to the operation of the malware, they contained client-identifiable data and were redacted from this report. A full investigation into the purpose of the arguments and impact on the ransomware behavior is contained in the next section.

Figure 6 – Hash Table Contents

Figure 7 – Deobfuscation Routine

Operation

From the PowerShell invocation, execution of the ransomware application began with the Main() function. This function, presented in Figure 8, contained the primary logic of the application. The application decrypted its arguments with the RC4 algorithm by treating the passphrase as the first element of a hard-coded string which was split on the “ ” character. As a result, the passphrase used in the algorithm was the value jG71dZnTUEqDrf228mbZPFvnK/0Tc/bvGbwcEE2P+Y8= used in its encoded state (Figure 8).

Figure 8 – Ransomware Main

Investigating Figure 8, lines 20-22, if the last argument in the input array can be decrypted to the value -log, it will trigger the logging capabilities of the ransomware.

Continuing with the application logic in Figure 8, lines 27-30 show variables being set to the decrypted input arguments. Specifically, ID and link were set to indices 0 and 3 while key and IV were set to indices 1 and 2 of the aptly named “array” variable. The ID and link variables represented values inserted into the ransom note. The key and IV variables were used in the EncryptFile and EncryptHugeFile functions and were provided as arguments to the CryptoWorker class (Figures 9 and 10).

Figure 9 – CryptoWorker

Figure 10 – File Encryption Functions

The initialization routine of the CryptoWorker class can be seen in Figure 9. Lines 13 and 14 show the base64 decoding of the key and IV variables and line 22 shows the creation of an AES cipher. This cipher was applied to the contents of files by way of the EncryptFile() and EncryptHugeFile() functions shown in Figure 10. Use of the different file encryption functions was based on the file size. Encrypted files for this malware analysis were given the .luckyday file extension, and a ransom note was placed alongside the impacted files. The application used code from the SharpShares project to enumerate network shares. Additionally, the ransomware contained folder exclusions, IP exclusions and file extension exclusions.

Ransom Note Analysis

As shown in the Drop() function in Figure 11, the ransom note was decrypted from an embedded resource. The %link% and %id% strings in the note were replaced with the contents of the link and ID variables. An unmodified copy of the ransom note can be found in Figure 12.

Figure 11 – Drop Function

Figure 12 – Ransom Note

This note matched the structure and content of the first LuckyDay ransom note as reported by the Twitter user @deomonslay335 (Figure 13) and provided on pastebin.com.

Figure 13 – Ransom Note Reported by Twitter User @demonslay335

However, performing ssdeep searches in VirusTotal for notes with a similar composition uncovered that this was not the first time a note with this format was found (Figure 14).

Figure 14 – VirusTotal Results

Two primary modifications appeared to have occurred between September 15, 2020 and November 4, 2020. First, the name of the ransom note was changed from Data Recovery.txt to File Recovery.txt. As seen in Figure 15, the ransom note file name corresponded to the ResNote variable. This variable was used in the Drop() function as outlined in Figure 11. Second, the pay site was modified from covid4y7gdsz6xbm.onion to luckydaynywoklzy.onion. As established above, the pay site value was provided as a command line argument to the malware. It was inserted into the ransom note at line 482 of the Drop() function and took the place of the %link% value.

Figure 15 – Ransom Note Modifications

Conclusion

Threat actors, organized and disorganized, are continually evolving their tradecraft. Kroll has observed in recent years that many groups are spending more time on research and development, leading to zero-day exploitation or bespoke tooling that is leveraged as part of intrusion lifecycles. Kroll anticipates a continued rise and evolution of TTPs that will enable threat actors to evade endpoint security, perimeter defenses and network traps through anonymity and their lightweight, obfuscated designs.

In the engagements that led to this report’s research and analysis, Kroll determined that the opportunistic use of open-source capabilities was effectively combined with private research and development efforts to construct a flexible and dynamic toolkit. The result was a toolkit that was not monolithic, but rather, modularized and optimized to provide a tailored look and feel while also minimizing the possibility of recovery and identification. As such, Kroll named the threat actor toolkit documented herein EPHEMERAL LOCKPICKER.

Based on the scarcity of open-source reporting that Kroll encountered in analyzing the constituent elements and collective functionality of the EPHEMERAL LOCKPICKER toolkit, we hope these findings spur new research by the greater security community that ultimately better equips security professionals in detecting, mitigating and responding to attacks leveraging this malware.

Additional Resources

Table 1 – DNS over HTTPS Backdoor

Table 2 – PowerShell Lateral Movement Script Utilizing Named Pipes

Table 3 – Ransomware Binary, .luckyday File Extension and Note “File Recovery.txt”

Table 4 – Ransomware Binary, .luckday File Extension and Note “DATALOSS_WARNING_README.txt”

Table 5 – Ransom Note Embedded in the Ransomware Application

Table 6 – Credential Theft Utility, Internal Name “InvokeMe_45_64.exe” – Stored Passwords in Web Browsers

Table 7 – Credential Theft Utility with Internal Name “InvokeMe.exe” - Cookies

Table 8 – Data Theft Utility, Internal Name “Drops.exe”