Kasseika Ransomware uses BYOVD trick to disable pre-encryption security

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disable security-related processes on compromised Windows hosts, joining other groups such as Akira, AvosLocker, BlackByte and RobbinHood.

This tactic allows “threat actors to terminate antivirus processes and services before deploying ransomware,” Trend Micro said in an analysis published Tuesday.

Kasseika, first discovered by the cybersecurity firm in mid-December 2023, has overlaps with the now-defunct BlackMatter, which emerged in the wake of DarkSide’s shutdown.

There are indications that the ransomware strain could be the work of a skilled threat actor who gained or purchased access to BlackMatter, as the latter’s source code was never publicly leaked after its demise in November 2021.

Attack chains involving Kasseika start with a phishing email for initial access, then deploy remote access tools (RATs) to gain privileged access and move laterally within the target network.

The threat actors have been observed using Microsoft’s Sysinternals command-line tool PsExec to run a malicious batch script, which checks for the existence of a process named ‘Martini.exe’ and, if found, terminates it to ensure that only one instance of the process is running on the machine.

The main responsibility of the executable is to download and run the “Martini.sys” driver from a remote server in order to disable 991 security tools. It is worth noting that “Martini.sys” is a legitimately signed driver named “viragt64.sys” that has been added to Microsoft’s vulnerable driver blocklist.

“If Martini.sys does not exist, the malware will terminate itself and not continue its intended routine,” the researchers said, indicating the crucial role the driver plays in evading defenses.

After this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), which takes care of the encryption process using ChaCha20 and RSA algorithms, but not before disabling all processes and services that have access to Windows Restart Manager.

Then a ransom note is placed in each encrypted folder and the desktop background is changed to display a note demanding a payment of 50 bitcoin to a wallet address within 72 hours, or risk an additional $500,000 for every 24 hours after the deadline has passed.

Additionally, victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.

The Kasseika ransomware also has other tricks up its sleeve, including erasing traces of its activity by clearing the system’s event logs using the wevtutil.exe binary.

“The wevtutil.exe command efficiently clears the application, security, and system event logs on the Windows system,” the researchers said. “This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activity.”
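As an added example (not code from Trend Micro’s analysis or from this article), the following Python script runs simple detections for the behaviours described above over a few constructed Sysmon-style events: a driver-load event whose hash matches a vulnerable-driver blocklist entry even though the file was renamed to Martini.sys, PsExec launching a batch script, and wevtutil clearing the application, security or system log. The blocklist hash and the events are placeholders constructed for the example, not the real viragt64.sys hash or real telemetry.

```python
import json
import re

# Constructed blocklist entry. Key on the hash (or signer) from Microsoft's
# vulnerable driver blocklist, not the filename, because Kasseika drops
# viragt64.sys under the name Martini.sys. Placeholder hash, not the real one.
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_SHA256_OF_VIRAGT64": "viragt64.sys",
}

# Event log channels the article reports Kasseika clearing with wevtutil.
CLEARED_CHANNELS = {"application", "security", "system"}

# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_EVENTS = """
{"EventID": 1, "Image": "C:\\\\Tools\\\\PsExec.exe", "CommandLine": "psexec -s cmd /c run.bat"}
{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\Martini.sys", "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VIRAGT64"}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\wevtutil.exe", "CommandLine": "wevtutil.exe cl security"}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\wevtutil.exe", "CommandLine": "wevtutil.exe qe system /c:5"}
"""


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def detect(event):
    """Return a finding string for one event, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 6:  # driver loaded
        sha = parse_hashes(event.get("Hashes", "")).get("SHA256")
        if sha in VULNERABLE_DRIVER_HASHES:
            return (f"known-vulnerable driver {VULNERABLE_DRIVER_HASHES[sha]} "
                    f"loaded as {event.get('ImageLoaded')}")
    if eid == 1:  # process created
        cmd = event.get("CommandLine", "")
        if re.search(r"psexec", event.get("Image", ""), re.I) and re.search(r"\.bat\b", cmd, re.I):
            return f"PsExec launching batch script: {cmd}"
        m = re.match(r"^\S*wevtutil(\.exe)?\s+(cl|clear-log)\s+(\S+)", cmd, re.I)
        if m and m.group(3).lower() in CLEARED_CHANNELS:
            return f"event log cleared: {m.group(3)}"
    return None


def scan(lines):
    """Run detect() over JSON-lines input and collect the findings in order."""
    return [f for f in (detect(json.loads(l)) for l in lines.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

In production the 1102/104 "log cleared" events from the Security and System channels themselves are a second, independent signal, since an attacker who clears logs locally usually cannot recall copies already forwarded to a collector.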

The development comes as Palo Alto Networks Unit 42 details the BianLian ransomware group’s shift from double extortion to encryptionless extortion attacks following the release of a free decryptor in early 2023.

BianLian has been an active and widespread threat group since September 2022, primarily targeting the healthcare, manufacturing, professional and legal services sectors in the US, UK, Canada, India, Australia, Brazil, Egypt, France, Germany and Spain.

Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g. ProxyShell), and web shells act as the most common attack routes used by BianLian operators to infiltrate corporate networks.

Additionally, the cybercrime crew shares a customized .NET-based tool with another ransomware group tracked as Makop, suggesting possible links between the two.

“This .NET tool is responsible for retrieving file enumerations, registry and clipboard data,” security researcher Daniel Frank said in a new overview of BianLian.

“This tool contains some words in the Russian language, such as the numbers one through four. The use of such a tool indicates that the two groups may have shared a toolset or used the services of the same developers in the past.”
