
Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February.

According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) before a patch was available. The group used this exploit as a foothold in order to deploy the previously discovered SombRAT malware, as well as FiveHands.

“UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant.

UNC2447 (“UNC” being FireEye’s designation for unclassified threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group was then observed exploiting the SonicWall flaw, a critical SQL injection vulnerability in Secure Mobile Access (SMA) 100 Series VPN appliances, which allows unauthenticated attackers to gain remote code execution. Before SonicWall patched the flaw in February, it revealed that it had “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”

Justin Moore, threat analyst with Advanced Practices at FireEye Mandiant, said researchers have not observed any FiveHands intrusions since patches were deployed; however, organizations that have not yet patched their systems remain at a high risk of compromise from any group.

“While the latest details of the FiveHands attacks are currently published in the blog, including hashes and comparisons to other ransomware variants, there were over 100 SonicWall SMA 100 series VPN compromises during this campaign,” said Moore. “UNC2447 related actors have credentials for these organizations and may still have access to deploy ransomware despite patches being applied.”

Researchers said they believe that the FiveHands ransomware is a new rewrite of the existing DeathRansom ransomware, which was first observed in November 2019. FiveHands, which is written in C++, shares several features, functionalities and coding similarities with DeathRansom. However, researchers noted that the function calls and code structure used to implement the majority of its functionality are written differently. One significant departure from DeathRansom is FiveHands’ use of a memory-only dropper, which upon execution expects a command line switch of -key followed by the key value necessary to decrypt its payload, said researchers. Additional code in the ransomware, not present in DeathRansom, uses the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted, they said.

“The payload is stored and encrypted with AES-128 using an IV of ‘85471kayecaxaubv,’” they said. “The decrypted FiveHands payload is immediately executed after decryption.”

Researchers also noted similarities between FiveHands and HelloKitty, a ransomware that has also reportedly been built from DeathRansom. While both FiveHands and HelloKitty share several high-level functionalities with DeathRansom, each has its own marked differences. For instance, like HelloKitty, FiveHands lacks a language check, which DeathRansom used to check for several languages on infected systems.

In addition to FiveHands, UNC2447 was deploying SombRAT, malware first reported in November by BlackBerry Cylance researchers, who noted that the backdoor’s primary purpose is to download and execute plugins provided via the C2 server. The version of SombRAT used in this attack features additional obfuscation to evade detection and discourage analysis, said researchers.

Researchers said that while they observed FiveHands being deployed by UNC2447, not all intrusions may have been carried out by this group. They believe that FiveHands, along with HelloKitty, may be used in attacks by different groups participating in underground affiliate programs.

“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” they said.

Researchers warn that UNC2447 continues to pose a threat to organizations, particularly as ransomware attacks continue to hit businesses worldwide. The issue has turned the heads of both tech companies and government regulators: this week, for instance, a ransomware task force announced it had developed a broad set of recommendations to help address these ransomware attacks.

“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics,” researchers said.
