This post was authored by Aufa and Fareed.
This blog post gives an overall picture of a ransomware attack operated by the BlackBit ransomware gang, as observed by our team on our observatory farm during the actual attack launched by the gang.
This blog post may be useful for security engineers, researchers, and security analysts who want to catch up with current cybersecurity issues, specifically malware threats and ransomware hunting. By the end of this blog post, readers will understand the techniques this ransomware operator used to compromise users via public-facing RDP. Security analysts can also use the Indicators of Compromise (IOCs) extracted from the malware to assess whether their own environment has been compromised.
This BlackBit ransomware investigation was handled by the Netbytesec internship team:
The threat actor initiates the breach with a brute-force attack against the exposed RDP service, successfully compromising the user "Administrator". After gaining initial access, the attacker establishes persistence on the machine using the well-known "Sticky Keys backdoor" technique.
Next, the attacker creates a new local user account named 'Microsoft' and logs in through it. Using RDP clipboard redirection (copy and paste between the attacker's machine and the RDP session), the attacker transfers a malicious file named 'svchost.exe' to the targeted machine and launches it, starting the ransomware infection.
|Figure 1: One of the Netbytesec PC Malware Lab infected with BlackBit Ransomware
|Figure 2: Graph flow of the threat actor's activity
|Figure 3: Timeline of the execution
Brute-Force RDP for Initial Access
During the initial access phase, the attacker at IP address 18.104.22.168 started brute-forcing the RDP service and eventually logged in as the local user named Administrator. Some of the account names the attacker tried during the brute force are shown in the figure below.
|Figure 4: The attacker with IP 22.214.171.124 carries out a brute-force attack
The IP address appears to be hosted by the XHOST hosting provider. According to VirusTotal, the IP address 126.96.36.199 has been flagged by 5 vendors. It is also tagged "brute force", "RDP", and "SSH" on AlienVault, which further suggests it is used for attacks. In addition, a security researcher named "SecGuy" has created a VirusTotal graph that maps this IP address against his RDP connection intelligence.
|Figure 5: VirusTotal community tab
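The pattern in this section (many failed RDP logons from one source, then a successful logon as Administrator from the same source) is easy to surface from the Windows Security log. The script below is an added example for this write-up, not code from the post or from Netbytesec: it takes 4625 (failed logon) and 4624 (successful logon) records, reports any source IP that exceeds a failure threshold inside a sliding window, and lists which accounts then logged on from that source. The events are constructed here in the field shape an EVTX parser or Get-WinEvent would give you, with RFC 5737 placeholder addresses rather than the IOCs from the post.

```python
"""Flag RDP brute force and the successful logon that follows it from Windows
Security log events 4625 (failed logon) and 4624 (successful logon).
Added example for this write-up, not the post's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# With NLA enabled, failed RDP attempts are logged as LogonType 3 (CredSSP
# network logon) and only successes show as type 10, so both types are counted.
RDP_LOGON_TYPES = (10, 3)


def find_rdp_brute_force(events, threshold=10, window=timedelta(minutes=10)):
    """Return {source_ip: report} for every source with >= threshold failures
    inside any sliding window, and list the accounts that logged on from that
    source after the spraying began (the compromised ones)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in RDP_LOGON_TYPES and e["ip"] not in ("-", "127.0.0.1", "::1"):
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e))
    findings = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda x: x[0])
        fails = [t for t, e in items if e["id"] == 4625]
        # Largest number of failures inside any window-length span (two-pointer scan).
        best, j = 0, 0
        for i, t in enumerate(fails):
            while fails[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best < threshold:
            continue
        compromised = sorted({e["user"] for t, e in items if e["id"] == 4624 and t >= fails[0]})
        findings[ip] = {
            "failures_in_window": best,
            "usernames_tried": sorted({e["user"] for _, e in items if e["id"] == 4625}),
            "compromised_accounts": compromised,
        }
    return findings


# Constructed sample (RFC 5737 placeholder addresses, not the post's IOCs):
# one source sprays twelve names within a minute and then gets in as
# Administrator; a second source is a user who mistyped a password once.
_SPRAY = ["admin", "test", "user", "guest", "backup", "sql", "support", "scanner",
          "Administrator", "Administrator", "Administrator", "Administrator"]
SAMPLE_EVENTS = [
    {"time": f"2023-06-01T02:00:{5 * i:02d}", "id": 4625, "user": name, "ip": "203.0.113.5", "logon_type": 3}
    for i, name in enumerate(_SPRAY)
] + [
    {"time": "2023-06-01T02:01:10", "id": 4624, "user": "Administrator", "ip": "203.0.113.5", "logon_type": 10},
    {"time": "2023-06-01T09:15:00", "id": 4625, "user": "alice", "ip": "192.0.2.20", "logon_type": 3},
    {"time": "2023-06-01T09:15:03", "id": 4624, "user": "alice", "ip": "192.0.2.20", "logon_type": 10},
]

if __name__ == "__main__":
    for ip, report in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(ip, report)
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}`, with the IP, user and logon type read from the event XML (IpAddress, TargetUserName, LogonType). The threshold matters more than the window: a single source cycling through a list of generic account names, as in Figure 4, is the signal, and a successful 4624 from that source after the first failure is the point at which this becomes an incident rather than noise.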
Sticky Key backdoor for persistence access
Once logged in, the attacker establishes persistence by replacing the sethc.exe executable (the Sticky Keys handler) with a copy of cmd.exe, the so-called "Sticky Keys backdoor". Because winlogon launches sethc.exe as SYSTEM when Shift is pressed five times at the logon screen, the attacker now gets a SYSTEM Command Prompt on the Windows logon screen without authenticating, and keeps that access even if the Administrator password is later changed. From there the attacker can perform further malicious actions with the highest privileges.
|Figure 6: The exploitation of sethc.exe to execute cmd with the highest privilege.
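Because the backdoor is a plain file copy, the simplest host check is to hash the accessibility binaries in System32 and compare them against cmd.exe and powershell.exe. The script below is an added example for this write-up, not code from the post: it reports any accessibility binary whose bytes match a shell, and on Windows also checks the registry variant of the same backdoor (an Image File Execution Options "Debugger" value pointing sethc.exe at another program), which the post does not describe but which a responder should rule out at the same time. The demo directory it builds is constructed so the check runs offline.

```python
"""Detect the accessibility-binary swap the post describes (sethc.exe replaced
with a copy of cmd.exe) by content hash, plus the IFEO registry variant of the
same backdoor on Windows. Added example for this write-up, not the post's code."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Binaries winlogon launches as SYSTEM from the logon screen; any of them is a target.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"]
# Shells an attacker typically copies over them.
SHELL_BINARIES = ["cmd.exe", "powershell.exe"]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32: Path) -> dict:
    """Return {accessibility_exe: shell_exe} for each accessibility binary whose
    bytes are identical to a shell in the same directory (a straight file copy,
    which is what the post shows). A hash that matches nothing is not proof of
    tampering on its own; confirm with the file's Authenticode signature."""
    shell_hashes = {}
    for name in SHELL_BINARIES:
        candidate = system32 / name
        if candidate.is_file():
            shell_hashes[sha256_of(candidate)] = name
    swapped = {}
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if target.is_file():
            digest = sha256_of(target)
            if digest in shell_hashes:
                swapped[name] = shell_hashes[digest]
    return swapped


def find_ifeo_debuggers() -> dict:
    """Windows only: an attacker who cannot overwrite sethc.exe can set
    HKLM\\...\\Image File Execution Options\\sethc.exe\\Debugger = cmd.exe instead.
    Returns {binary: debugger} for any accessibility binary with such a value;
    returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    found = {}
    for name in ACCESSIBILITY_BINARIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + name) as key:
                value, _ = winreg.QueryValueEx(key, "Debugger")
                found[name] = value
        except OSError:  # key or value absent
            continue
    return found


def build_demo_dir() -> Path:
    """Constructed stand-in for System32 so the check can run offline:
    sethc.exe is a byte-for-byte copy of cmd.exe, utilman.exe is untouched."""
    demo = Path(tempfile.mkdtemp(prefix="sys32-demo-"))
    (demo / "cmd.exe").write_bytes(b"MZ fake cmd.exe contents")
    (demo / "sethc.exe").write_bytes(b"MZ fake cmd.exe contents")
    (demo / "utilman.exe").write_bytes(b"MZ fake utilman.exe contents")
    return demo


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_dir()
    print("swapped binaries:", find_swapped_accessibility_binaries(target))
    print("IFEO debuggers:", find_ifeo_debuggers())
```

Run it as `python check_sethc.py C:\Windows\System32` on a suspect host (an administrative prompt is needed for the registry check). Restoring the original binary with `sfc /scannow` fixes the file but not the registry variant, so check both before declaring the host clean.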
Create new user
|Figure 8: Attacker logs in with the Microsoft user
Drop the ransomware executable
|Figure 9: Ransomware executable named svchost.exe created
Configure custom exclusion and execute ransomware
Ransomware technical analysis and reverse engineering
|Figure 11: VirusTotal detection
|Figure 12: The executable has been protected by .NET Reactor
|Figure 14: Malware opens any mutex if it has been created
|Figure 15: Checking mutex's function
Create a persistent mechanism via the Startup folder
The ransomware employs a persistence mechanism to ensure it keeps running on the infected machine. To achieve this, it copies itself under the name "winlogon.exe" into multiple folder locations, including the per-user Startup folder:
- "C:\Users\Microsoft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
|Figure 16: Ransomware copy itself to other location including the startup folder
|Figure 17: The executable copy into the Startup folder
|Figure 18: The executable copied to AppData roaming
|Figure 19: Winlogon.exe set to hidden
Create scheduled tasks for the persistent mechanism
|Figure 21: Schedule task with the name Blackbit created by the malware
|Figure 22: Code that does the schtasks command
Creation of a task manager locker (bat file) into the startup folder
|Figure 24: The creation of the batch file to disable the task manager
|Figure 25: Batch file used for Task Manager locker
Content of the bat file:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
|Figure 26: Task manager already disabled
Setting up of ransom note application
|Figure 27: Code that does the compilation of the ransom note application
|Figure 28: The malware set the application for Blackbit extension
|Figure 30: Code of the executable
|Figure 31: info.Blackbit HTA application
Create ransom message
|Figure 33: Restore-My-Files.txt
Check for admin privilege
|Figure 34: Check for Administrator privileges
Enumerate and close processes
|Figure 35: The application tries to terminate any disruptive processes.
|Figure 36: The ransomware enumerates all running processes
|Figure 37: List of all disruptive processes
Disable Windows update services
|Figure 38: The ransomware tries to stop services
|Figure 39: The ransomware gets all the running services process
|Figure 40: List of targeted processes
|Figure 41: Ransomware found one of the disruptive services
|Figure 42: The malware trying to stop MSDTC service
|Figure 43: Ransomware stops services
Delete shadow copy, system backup, and disable the firewall
|Figure 44: vssadmin command to delete shadows copy
|Figure 45: wbadmin to delete system backup
|Figure 47: Function that does the deletion of shadow copy and backup data
|Figure 48: Few commands to delete backup
|Figure 49: Disabling firewall
Delete user recycle bin
|Figure 50: The function that does the emptying victim's recycle bin
Disable Windows Defender
|Figure 52: Function code to disable Windows Defender
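Taken one at a time, the commands in the sections above (schtasks creating the Blackbit task, reg add setting DisableTaskMgr, vssadmin and wbadmin removing shadow copies and backups, netsh turning the firewall off, net stop against services such as MSDTC) each have benign uses; seen together on one host within minutes, and spawned by an svchost.exe or winlogon.exe that does not live in System32, they are a ransomware precursor. The detector below is an added example for this write-up, not code from the post: it classifies process-creation events (Sysmon Event ID 1 or Security 4688, reduced to time, host, image path and command line) into behaviour categories and alerts when a host accumulates several within a window. The sample events are constructed to follow the sequence the post describes; exact command lines are not shown in the post, so the patterns cover the usual forms of each command, and the Set-MpPreference rule is an assumption since the post only says Defender is disabled, not how.

```python
"""Correlate process-creation events (Sysmon EventID 1 / Security 4688 fields,
simplified) into a ransomware-precursor alert when one host shows several of
the behaviours the post describes within a short window.
Added example for this write-up, not the post's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM32 = r"c:\windows\system32"

# Command patterns for the behaviours described in the post. Exact command
# lines are not shown there, so these are the usual forms of each command.
# The Set-MpPreference rule is an assumption: the post only says Defender is
# disabled, not how.
RULES = [
    ("scheduled_task",   re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("disable_taskmgr",  re.compile(r"reg(\.exe)?\s+add\s+.*DisableTaskMgr.*\s/d\s+1\b", re.I)),
    ("inhibit_recovery", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("disable_firewall", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("service_stop",     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)),
    ("disable_defender", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
]
# The sample was dropped as svchost.exe and copies itself as winlogon.exe;
# the genuine binaries only ever run from System32.
MASQUERADE_NAMES = {"svchost.exe", "winlogon.exe"}


def classify(event: dict) -> set:
    """Return the set of behaviour categories one process-creation event matches."""
    cats = {cat for cat, rx in RULES if rx.search(event["cmdline"])}
    image = event["image"].lower()
    if image.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not image.startswith(SYSTEM32 + "\\"):
        cats.add("masquerading")
    return cats


def correlate(events, min_categories: int = 3, window: timedelta = timedelta(minutes=15)) -> dict:
    """Per host, find the first window holding at least min_categories distinct
    behaviours; return {host: {"categories": [...], "commands": [...]}}."""
    per_host = defaultdict(list)
    for e in events:
        cats = classify(e)
        if cats:
            per_host[e["host"]].append((datetime.fromisoformat(e["time"]), cats, e["cmdline"]))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for t0, _, _ in hits:
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            cats = set().union(*(h[1] for h in in_window))
            if len(cats) >= min_categories:
                alerts[host] = {"categories": sorted(cats), "commands": [h[2] for h in in_window]}
                break
    return alerts


def _ev(time, host, image, cmdline):
    return {"time": time, "host": host, "image": image, "cmdline": cmdline}


# Constructed sample: WS-01 follows the post's sequence; WS-02 is an admin
# creating a legitimate task plus the real svchost.exe starting a service group.
SAMPLE_EVENTS = [
    _ev("2023-06-01T02:05:00", "WS-01", r"c:\users\microsoft\desktop\svchost.exe", "svchost.exe"),
    _ev("2023-06-01T02:05:10", "WS-01", SYSTEM32 + r"\schtasks.exe",
        r'schtasks /create /tn Blackbit /tr "C:\Users\Microsoft\AppData\Roaming\winlogon.exe" /sc onlogon /f'),
    _ev("2023-06-01T02:05:12", "WS-01", SYSTEM32 + r"\reg.exe",
        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    _ev("2023-06-01T02:05:20", "WS-01", SYSTEM32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _ev("2023-06-01T02:05:21", "WS-01", SYSTEM32 + r"\wbadmin.exe", "wbadmin delete catalog -quiet"),
    _ev("2023-06-01T02:05:25", "WS-01", SYSTEM32 + r"\netsh.exe", "netsh advfirewall set allprofiles state off"),
    _ev("2023-06-01T02:05:30", "WS-01", SYSTEM32 + r"\net.exe", "net stop MSDTC /y"),
    _ev("2023-06-01T09:00:00", "WS-02", SYSTEM32 + r"\schtasks.exe",
        r"schtasks /create /tn NightlyBackup /tr C:\scripts\backup.bat /sc daily /st 02:00"),
    _ev("2023-06-01T10:00:00", "WS-02", SYSTEM32 + r"\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["categories"])
```

The correlation threshold is what keeps this usable: backup software legitimately runs wbadmin, and administrators create scheduled tasks, but no legitimate workflow deletes shadow copies, disables the firewall, disables Task Manager and stops services from the same host within a quarter of an hour. The masquerading check is cheap and catches the earliest stage, before any recovery data has been destroyed.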
Scan for network share
|Figure 53: The ransomware starts a network share scan from the current IP address
|Figure 54: Scan SMB shares function
|Figure 55: The code responsible for writing the ransomware's information to the registry
|Figure 56: Registry key that contains the information
The Timer value is an encoded date-time that marks the ransom deadline. Once that date has passed, the malware wipes the drives. By default, the deadline is set to 30 days after the ransomware was first executed.
|Figure 57: Snippet code of the StartEncryption function
|Figure 58: All files encrypted
|Figure 59: Encrypted files append with BlackBit extension and contact email
|Figure 60: POST request made by the ransomware contains information about the compromised host
Ransom message on the login screen
|Figure 61: The ransomware modifies the registry to change the logon screen message
|Figure 62: Ransom note in logon screen
Change volume label
|Figure 63: The label of the drive has been changed
|Figure 64: Wallpaper has been changed
- Isolate the infected system from the network to prevent spreading to other connected devices and shares.
- Preserve evidence that may be important for investigations.
- Alert and notify the IT security team or IR team.
- Evaluate the availability and integrity of backup files. If possible, restore encrypted files from backups to minimize data loss and avoid paying the ransom.
- Perform a post-incident analysis to understand how the ransomware gained access, what weaknesses were exploited, and how the response could be improved in the future.
- 2931fae146c3944c277538970a4fdeca (MD5) - svchost.exe and winlogon.exe
- application-api.xyz - C2 communication
- IP Address:
- 188.8.131.52 - Bruteforce RDP
- 184.108.40.206 - Successful login RDP
- T1110 - Brute Force
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1546.008 - Event Triggered Execution: Accessibility Features (Sticky Keys; formerly T1015)
- T1136.001 - Create Account: Local Account
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1036.005 - Masquerading: Match Legitimate Name or Location (svchost.exe, winlogon.exe)
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1562.004 - Impair Defenses: Disable or Modify System Firewall
- T1489 - Service Stop
- T1490 - Inhibit System Recovery
- T1135 - Network Share Discovery
- T1071.001 - Application Layer Protocol: Web Protocols
- T1491.001 - Defacement: Internal Defacement (wallpaper and logon screen message)
- T1486 - Data Encrypted for Impact