Ransomware deploys virtual machines to hide itself from antivirus software

The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on computers they infect in order to run their ransomware in a “safe” environment, outside the reach of local antivirus software.

RagnarLocker
Background: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

This latest trick has been spotted and detailed today by UK cyber-security firm Sophos and shows the creativity and great lengths some ransomware gangs will go to avoid detection while attacking a victim.

WHAT’S RAGNARLOCKER?

Avoiding detection is crucial because RagnarLocker is not your typical ransomware gang. They’re a group that carefully selects targets, avoiding home consumers, and goes after corporate networks and government organizations only.

Sophos says the group has targeted victims in the past by abusing internet-exposed RDP endpoints and has compromised MSP (managed service provider) tools to breach companies and gain access to their internal networks.

On these networks, the RagnarLocker group deploys a version of their ransomware — customized per each victim — and then demands an astronomical decryption fee in the tune of tens and hundreds of thousands of US dollars.

Because each of these carefully planned intrusions represents a chance to earn large amounts of money, the RagnarLocker group has put a primer on stealth and has recently come up with a novel trick to avoid detection by antivirus software.

THE VIRTUAL MACHINE TRICK

The “trick” is actually pretty simple and clever when you think of it.

Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.

The group then configures the virtual machine to give it full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.

The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.

The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won’t be able to detect the ransomware’s malicious process.

From the antivirus software’s point of view, files on the local system and shared drives will suddenly be replaced with their encrypted versions, and all the file modifications appear to come from a legitimate process — namely the VirtualBox app.

Mark Loman, director of engineering and threat mitigation at Sophos told ZDNet today that this is the first time he’s seen a ransomware gang abuse virtual machines during an attack.

“In the last few months, we’ve seen ransomware evolve in several ways. But, the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box,” he added.

An overview of the entire RagnarLocker ransomware, including its VM trick, is available in Sophos’ recent report here:

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

Source: https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/

By: By Catalin Cimpanu for Zero Day

Microsoft’s Linux love continues as PowerShell Core comes to Snap Store

‘Microsoft loves Linux’, the company’s CEO Satya Nadella declared in 2014.

Evidence of that newfound affection has been evident throughout 2018: with Ubuntu 18.04 being made available in the Microsoft Store, Windows File Explorer gaining the ability to launch a Linux Shell and a new option to install Windows Subsystem for Linux (WSL) distros from the command line. That’s without mentioning Microsoft’s release of the Linux-based Azure Sphere operating system.

Now Microsoft has released its command-line shell and scripting language PowerShell Core for the Ubuntu Snap Store, as part of PowerShell Core’s release as a snap package.

PowerShell Core in the Snap Store
Image: Canonical / Microsoft

Snap packages are containerized applications that can be installed on many Linux distributions, which Joey Aiello, PM for PowerShell at Microsoft, says has several advantages.

“Snap packages carry all of their own dependencies, so you don’t need to worry about the specific versions of shared libraries installed on your machine,” he said, adding updates to Snaps happen automatically, and are “safe to run” as they don’t interact with other applications or system files without your permission.

To install PowerShell Core as a snap package on a Linux-based OS, first install snapd and then run the command snap install powershell —classic. Then run the command pwsh from the terminal.

Microsoft continues to make regular improvements to the Windows Subsystem for Linux (WSL), which allows Windows 10 to run various GNU/Linux distros from the Windows Store, providing access to Ubuntu, openSUSE, Fedora, Kali Linux, and Debian, and other distros to be added over time.

WSL distros run with a command line shell, rather than offering graphical desktops, and support a range of command line tools, as well as applications such as Apache web server and Oracle MySQL.

WSL allows different Linux distros to run side-by-side within Windows and Microsoft has previously stated that its aim with the WSL is to provide “the best development environment, regardless of the technologies that developers use, or the platforms they wish to target”.

However, at present, the WSL also has many disadvantages over a running a dedicated GNU/Linux system. Microsoft doesn’t support desktop environments or graphical applications running on WSL, and also says it is not suitable for running production workloads, for example an Apache server supporting a website.

This year saw Microsoft improve WSL to add support for Unix sockets allowing for communication between Windows, as well as for the curl and tar commands

The big takeaways for tech leaders:

  • Microsoft has released its command-line shell and scripting language PowerShell Core for the Ubuntu Snap Store, as part of PowerShell Core’s release as a snap package.
  • Snap packages are containerized applications that can be installed on many Linux distributions.

Ref: https://www.techrepublic.com/article/microsofts-linux-love-in-continues-as-powershell-core-comes-to-ubuntu-snap-store/

By: Nick Heath

U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC)

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

    The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

By: Jim Finkle in Toronto; Additional reporting by Gary McWilliams in Houston; Editing by Nick Zieminski and James Dalgleish

Source: https://www.reuters.com/article/us-usa-cyber-energy/u-s-warns-public-about-attacks-on-energy-industrial-firms-idUSKBN1CQ0IN