by Bhabesh Raj Rai, Associate Security Analytics Engineer
On May 6, 2021, CISA released a report about a new ransomware variant dubbed FiveHands, which was used in a recent successful cyberattack against an organization. Prior to that on April 29, Mandiant disclosed details about an aggressive financially motivated group, UNC2447, which exploited a zero-day vulnerability in SonicWall VPN to deploy FiveHands ransomware along with a sophisticated malware previously referred to as SombRAT.
How threat actor UNC2447 gained access to deploy FiveHands
In January 23, 2021, SonicWall released an advisory on a zero-day vulnerability (CVE-2021-20016) in their SonicWall Secure Mobile Access (SMA) devices. The severe SQL injection vulnerability allows an unauthenticated attacker to remotely grab credentials from the affected devices. Threat actor UNC2447 used this zero-day (T1190) as the initial access vector to gain access to the victim organization.
The threat actor used many publicly available tools like RouterScan and Rclone for the network discovery, credential access and exfiltration phases. UNC2447 also deployed a custom remote access trojan (RAT) called SombRAT to download and execute malicious payloads. The BlackBerry Research and Intelligence team previously reported the use of SombRAT in the CostaRicto espionage campaign. To evade detections from security tools (TA0005), UNC2447 used batch (T1059.003) and text files to execute and invoke PowerShell (T1059.001) scripts that decoded the SombRAT loader.
FiveHands fast facts
• Discovered in January 2021
• Deployed by threat actor UNC2447
• UNC2447 has consistently displayed advanced capabilities to evade detection
• Deployed along with SombRAT
FiveHands uses aggressive double-extortion approach
FiveHands threat actors use the infamous double-extortion tactic to apply maximum pressure on the victims to pay the ransom. The malicious actors encrypt the stolen data and aggressively threaten victims that they will disclose the hack in the media and sell the data on hacker forums if they do not pay the ransom to decrypt the data. F-Secure’s Attack Landscape Update report showed nearly 40% of ransomware strains discovered in 2020, as well as several older strains, demonstrated data exfiltration capabilities by the end of 2020. When threat actors are able to exfiltrate data, they can employ the double-extortion tactic to increase their return on investments. The report also found that by the end of 2020, more than 15 ransomware groups used double extortion, compared to 2019 where only the Maze ransomware family used the aggressive approach.
We will focus on how security administrators can use LogPoint to easily detect UNC2447’s tactics, techniques and procedures (TTPs) to deploy the FiveHands ransomware.
Detecting FiveHands using LogPoint
The initial infection vector was through a zero-day in SonicWall SMA100 devices. However, the group that identified the zero-day is not willing to disclose details on how to detect the exploitation because the group does not want to help attackers mount their own PoCs, like in the cases of F5 and Citrix. Despite the lack of details, we can still proceed to detect FiveHands at other phases of the kill chain.
For reconnaissance, UNC2447 used SoftPerfect Network Scanner (netscan.exe) to gather hostnames and identify network services (T1046). We can easily look out for execution of this tool from Sysmon’s process creation events.
norm_id=WindowsSysmon label="Process" label=Create vendor="SoftPerfect Pty Ltd" description="Application for scanning networks"
The tool generates a report of its findings called netscan.xml or more generally .xml. If Sysmon has been configured to log XML file creations, this serves as another method to detect execution of the utility.
[ norm_id=WindowsSysmon label="Process" label=Create -image IN ["C:\Windows\*", "C:\Program Files*"] | norm on image <image_name:'[^\\]+'><:'(?i)\.exe'> ] as s1 followed by[ norm_id=WindowsSysmon event_id=11 file="*.XML" | norm on file <file_name:'\S+'><:'(?i)\.xml'> ] as s2 on s1.image_name=s2.file_name
Similarly, UNC2447 used the RouterScan utility to identify network routers and proxy servers on the network. The latest release of RouterScan contains a list of common admin names and passwords that can be used for a dictionary attack (T1110.001) to gain access to a router along with the ability to identify common vulnerabilities and leverage exploits against many popular routers (T1595.002). The utility can also scan any subnet and any particular port/protocol (T1046). Detection of the RouterScan utility is trivial via Sysmon’s process creation events.
norm_id=WindowsSysmon label="Process" label=Create application="Router Scan by Stas'M"
Alternatively, we can look out for dropping of DLLs, which RouterScan requires to function via Sysmon’s file creation events.
norm_id=WindowsSysmon event_id=11 file IN ["librouter.dll", "libeay32.dll"]
UNC2447 has also used the popular Microsoft remote administration tool PsExec to remotely execute their payload on different hosts. You can detect PsExec via native Windows events as well as Sysmon’s pipe events as shown below.
norm_id=WinServer event_id=4697 service=PSEXESVC| chart count() by host, user, service, file
norm_id=WindowsSysmon event_id IN [17, 18] pipe IN ["*-stdin", "*-stderr", "*-stdout"]
Security administrators can refer to our blog for more information on how to comprehensively hunt PsExec executions in their environments.
We can also detect the execution of the Rclone utility, an open-source cloud storage management tool, via Sysmon’s process creation events.
norm_id=WindowsSysmon label="Process" label=Create description="Rsync for cloud storage"
Likewise, UNC2447 installed a free version of the S3 Browser program for uploading and downloading data to/from a cloud account (T1567.002). We can detect S3 Browser installation from Sysmon’s registry and we can detect its execution from process creation events.
norm_id=WindowsSysmon label=Registry label=Value label=Set detail="*\S3 browser\s3browser-con.exe"norm_id=WindowsSysmon label="Process" label=Create vendor="NetSDK Software, LLC" application="S3 Browser"
As stated earlier, UNC2447 uses batch and txt files (in %PROGRAMDATA%’s subdirectories) to invoke PowerShell scripts that decode the SombRAT loader. We can hunt for the dropping of those artifacts via Sysmon’s file creation events.
norm_id=WindowsSysmon event_id=11 path="C:\ProgramData*" file IN ["WwanSvc.*"]
If Microsoft Defender is configured in the environment, look out for the following threats associated with UNC2447.
norm_id=WinServer label=Threat label=Detect threat IN ["Trojan:Win32/Casdet!rfn", "Trojan:BAT/Somrat", "Ransom:Win32/CryptoLocker!MSR", "Ransom:Win32/Filecoder.PA!MTB"]
Detecting early phases in ransomware incidents is key
In today’s threat landscape, many threat actors like UNC2447, UNC1878 and REvil are continually using several publicly available tools like Advanced IP Scanner, Rclone and ADFind in their campaigns. Other threat actors may likely catch up to the trend of using widely available tools to reduce their resources spent on creating their own tools. Using common, public tools also has the added benefit of making attribution difficult for threat intelligence analysts.
Thus, enterprise defenders should have detections in place to detect the use of common public tools as they have been used by aggressive threat actors that have a very small time-to-objective window. If your organization uses the aforementioned tools for legitimate administrative tasks, then it may be better to move to a different framework like PowerShell, and treat all executions of these tools as malicious. Organizations need to detect the execution of public tools used by adversaries in the early stages in order to prevent ransom attempts later on.