Malware on Trial

Earlier this year, Blackpoint Cyber released a blog post called ‘Examining the Conti Group, Leaks, and Evolving Ransomware’. The blog provided an overview relating to new tactics, techniques and procedures (TTPs) that the Adversary Pursuit Group (APG) has been monitoring. Since then, Blackpoint has identified a specific combination of TTPs attributed to the BlackCat ransomware-as-a-services (RaaS) threat actors.

The use of legitimate software by threat actors is not new. Largely, it is software native to the target machine, two primary examples being powershell.exe and schtasks.exe. In other instances, it may be custom software developed and stored in a public repository. However, the cases Blackpoint has been monitoring involve the use of enterprise-level software as part of their attack campaigns. Unlike in 2018 when leaked source code for Ammy Admin was used as a basis for a new Trojan (FlawedAmmy) by threat actors in malware such as Dridex, the tools observed by Blackpoint remain unaltered.

Lateral Movement

In the cases involving this threat actor, lateral movement occurred from unprotected devices, limiting the ability to determine the factors for initial access. Each of the monitored cases involved multiple attempts to propagate laterally across the network. The two techniques observed were T1021.001, Remote Desktop Protocol (RDP) and T1021.002, SMB/Windows Admin Shares. In both cases, the threat actors used valid stolen credentials and, upon gaining access, used them to begin the next stage of their campaign: deployment of enterprise software.

Total Software Deployment (TSD) is a software management tool that enables remote deployment. Unfortunately, the features that make this an appealing tool for use by Managed Service Providers (MSPs) and Information Technology Service Providers (ITSPs) also make it an appealing tool for threat actors (see Figure 1). One of two key features of this tool is that it can deploy packages in ‘unattended mode’ which will not interrupt end users. The second key feature is that TSD scans the network automatically and, using the admin password, inspects every device. A more robust version of the network scanning capability, Total Network Inventory (TNI), has also been observed. This is another software from the same creators of TSD with the key observable difference being TNI will also document the hardware on the endpoint, not just the software. Nevertheless, it does lack the capability of TSD to deploy software packages.

Figure 1: TSDService

Not only can TSD scan endpoints and install software, it can also remove software from an endpoint. An example would be anti-virus (AV) solutions. Fortunately, most AV solutions have anti-tampering to prevent this, but does this consider when the credentials are from an administrator? In this instance, TSD is not just a lateral movement tool, but a reconnaissance tool as well as a, albeit limited, device controller.

Device Control 

In each of the identified cases, Blackpoint observed that the first software package deployed was another enterprise capability often used by MSPs called ScreenConnect, also known as ConnectWise Control. Designed to offer help desk-style services, this tool allows for full remote control of an endpoint. ScreenConnect has two main features appealing to threat actors. The first is known as ‘backstage mode’ which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware. This is the primary use case observed by Blackpoint. The second is a mass-deployment feature for the agent based on the subnet or ARP table. While this is a similar feature to TSD, this tool allows for another avenue of lateral movement. Blackpoint has yet to see attackers use this feature in earnest. 

Since TSD is automated, the scanning of devices and the deployment of this tool occur very close together. When access is obtained, ScreenConnect is then able to issue further commands such as running PowerShell commands to download malicious payloads or ensure persistence using Registry Editor (regedit). Fortunately, in all examined cases where devices were monitored, Blackpoint was able to prevent any such capabilities from being run. 

For each session of ScreenConnect that is run, a set of URL-encoded ‘Client Launch Parameters’ [1] (see Table 1) are used to initialize it (see Figure 2).  

Table 1: ScreenConnect Client Launch Parameters

Figure 2: ScreenConnect Service

In each case observed, certain parameters were always the same. Each session was an Access session with process type Guest. These parameters combined are vital to giving threat actors access to the targeted device. In this instance, the relay server observed had been obfuscated. In the documentation provided by ScreenConnect, they suggest changing the port value to something such as 8041. Interestingly, every malicious threat instance observed uses the default parameter of 443. This is not surprising if it is assumed the intent of the actors is to use out-of-the-box tools with minimal interaction. In all observed cases of ScreenConnect, both legitimate and malicious, there is no observable use of the SessionName, CustomProperties, or NameCallbackFormat.

Post execution of the ScreenConnect Client Service, the next step is to assign roles to the instance. By default, there are two roles, administrator and host. These, on the endpoint, appear to be identified as ‘System’ and ‘User’ respectively. Evaluation of legitimate- and benign-use cases of ScreenConnect suggests that only the malicious instances call both the ‘System’ profile and the ‘User’ profile (see Figure 3). Instances of legitimate use appear to only call one or the other.

Figure 3: Roles and Permissions

After the assignment of both roles, two further behaviors have been identified. Firstly, the threat actors utilize reg.exe to alter the WDigest registry. By setting the value of “UseLogonCredential” to 1 (see Figure 4), Lsass.exe will retain a copy of the user’s plaintext password in memory. Note, this is being done on every device concurrently as ScreenConnect is being propagated. Secondly, the threat actor conducts further enumeration of devices within the compromised network.

Figure 4: Manipulation of WDigest registry key

Despite already having a foothold within the network, threat actors continue to conduct enumeration to uncover additional devices not connected to the original infection point. By identifying additional devices, further lateral movement and device control can be conducted. While lightly touching on the software with enumeration capabilities above, these tools are more synonymous with lateral movement, for example, the embedded capabilities within TSD and TNI. However, during examination of the detected cases, Blackpoint identified the use of another MSP tool, SoftPerfect Network Scanner. Another enterprise-level software, SoftPerfect Network Scanner is designed to scan ports and retrieve information related to the target device utilizing various technologies such as WMI, SNMP, HTTP, SSH, and PowerShell. This tool is designed to be fast and operate on IPv4 and IPv6, making it both appealing to MSPs and threat actors.

Although lateral movement is one use case for the information provided by this tool, the result format, being JSON and XML, does allow for another use case. During the evaluation of these threat actors, it became apparent that the final stage of the campaign was deployment of ransomware. As such, the information contained within the report, combined with the JSON format, would expedite the assimilation of information into the ransomware configuration information.

It is unclear how long the threat actors spend in each environment before the next stage of their attack. This may depend on the value of the system for passive data collection or further accessibility to alternate systems. However, through further investigation, Blackpoint identified that the next stage of the attack is the deployment of BlackCat/ALPHV, a type of RaaS (see Figure 5).

Figure 5: BlackCat Ransom Note

BlackCat/ALPHV has been linked to the compromise of at least 60 worldwide entities. The malware itself is written in Rust and operates rapidly on an endpoint. As a programming language, Rust has memory efficiency syntactically similar to C++. Additionally, code written in both C++ and Rust can be executed rapidly. However, Rust forgoes the use of garbage collection which is known to slow down execution time. When examining the assembly code for BlackCat/ALPHV, no real encryption or obfuscation has been done in the code either, which would further slow down execution. As such, the configuration for the ransomware is in plain text (see Figure 6).

Figure 6: Example JSON Configuration

The configuration details are not written to disk but instead loaded into memory, reducing the overall footprint of the malware. In the interest of reducing the ability to determine customer details, the ‘public_key’ and ‘extension’ have been removed. Each instance of BlackCat/ALPHV is configured based on the customer. While there may be instances where a generic configuration is used, the samples analyzed by the APG have identified instances where credentials are hardcoded into the configuration. Furthermore, the APG has observed variations in the ‘kill_services’ and ‘kill_processes’ configurations, including the cessation of RMM services such as Datto’s.

The estimated cost of developing enterprise-level software ranges anywhere from $50,000 to $750,000 depending on scale and complexity. While the use of already developed enterprise-level software can be costly, compared to net new software, it is a fraction of the amount. For example, unlimited deployment of TSD would be a total cost of $2,490 and ScreenConnect would be a monthly cost of around $30. Unfortunately, threat actors are circumventing this cost by exploiting freely offered trials of the software. ScreenConnect only requires the user to provide an email address, password, and the name of their preferred ScreenConnect URL. TSD and SoftPerfect Network Scanner simply allow for the download of the product without any checks. Sadly, there are no measures in place to easily identify when threat actors are using trial versions of software. Nevertheless, the capabilities employed by these actors can still be identified and remediated.

Blackpoint Cyber is a provider of leading-edge cybersecurity threat hunting, detection, and response technology. Founded by former United States Department of Defense (DoD) and intelligence security experts, we fuse real security with real response to protect what’s most important to you. Our true, 24/7 Managed Detection & Response (MDR) service works in tandem with our Security Operations Center (SOC) team to take in real-time threat alerts, respond immediately, and eradicate malicious actors’ access to your networks. Before lateral movement can happen, trust Blackpoint to eliminate any chance of further compromise.  If you’re interested in decades of extensive knowledge in real-world defensive and offensive tactics protecting you and your clients’ business, contact us today!

[1]: ConnectWise, “Integration Guide,” 22 04 2017. [Online]. Available: https://docs.connectwise.com/ConnectWise_Control_Documentation/Developers/Integration_guide [Accessed 03 05 2022].