Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers

Cisco Talos precocious discovered a malicious run deploying variants of the Babuk ransomware via an antithetic corruption concatenation technique.

Image: Cicso Talos

Cisco Talos has a informing retired for U.S. companies astir a caller variant of the Babuk ransomware. The information researchers discovered the run successful mid-October and deliberation that the variant has been progressive since July 2021. The caller constituent successful this onslaught is an antithetic corruption concatenation technique.

Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the caller menace successful a Talos Intelligence blog post. The researchers deliberation that the archetypal corruption vector is an exploitation of ProxyShell vulnerabilities successful Microsoft Exchange Server done the deployment of China Chopper web shell.

Babuk tin impact respective hardware and bundle platforms but this mentation is targeting Windows. The ransomware encrypts the target's machine, interrupts the strategy backup process and deletes the measurement shadiness copies. 

SEE: How to combat the astir prevalent ransomware threats

According to the researchers, the corruption concatenation works similar this: A DLL oregon .NET executable starts the onslaught connected the victim's system. The DLL is simply a mixed mode assembly. The .NET executable mentation of the archetypal downloader is simply a modified variant of the EfsPotato exploit with codification to download and trigger the adjacent signifier

The archetypal downloader module connected a victim's server runs an embedded and obfuscated PowerShell bid to download a packed downloader module. This 2nd module has encrypted .NET resources arsenic bitmap images. The PowerShell bid besides executes an AMSI bypass to debar endpoint detection. 

The packed downloader module connects to a URL connected pastebin.pl (a PasteBin clone site) that contains an intermediate unpacker module. The unpacker concatenates the bitmap images from the assets conception of the trojan and past decrypts the payload into the memory. The payload is injected into the process AddInProcess32 and encrypts files connected the victim's server and each mounted drives. The Cisco Talos station has details connected each signifier and instrumentality successful the attack.

Cisco Talos' telemetry besides suggests that the caller variant tries to exploit respective different vulnerabilities successful different products astir commonly triggering these Snort rules:

• Microsoft Exchange autodiscover server broadside petition forgery effort (57907)
• Atlassian Confluence OGNL injection distant codification execution effort (58094)
• Apache Struts distant codification execution effort (39190, 39191)
• WordPress wp-config.php entree via directory traversal effort (41420)
• SolarWinds Orion authentication bypass effort (56916)
• Oracle WebLogic Server distant bid execution effort (50020)
• Liferay arbitrary Java entity deserialization effort (56800)

The researchers enactment the Babuk builder and its root codification were leaked successful July and that the Tortilla ransomware histrion has been experimenting with antithetic payloads. This radical has "low to mean skills with a decent knowing of the information concepts and the quality to make insignificant modifications to existing malware and violative information tools," according to the blog post.

Also spot

• How to go a cybersecurity pro: A cheat sheet (TechRepublic)
• Social engineering: A cheat expanse for concern professionals (free PDF) (TechRepublic)
• Shadow IT argumentation (TechRepublic Premium)
• Online information 101: Tips for protecting your privateness from hackers and spies (ZDNet)
• Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)