Training Scenario - Signed Ransomware

Group Name

Training Data - Signed Ransomware (Hive)

Scenario

In this training scenario, we will execute a ransomware payload, running as admin, and with a custom signature. This scenario is not too different from the ‘vanilla’ sample, but utilizes a signed executable.

Often times signed executables are treated is if they are verified to be benign. While it’s true that certified software should all be signed, this is not a bidirectional relationship, and we shouldn’t trust things just because they’re signed. Unfortunately, sometimes that mistake is made.

 

Identifying it

Aside from the fact that this cert name is a bit odd for training purposes, how does Cyber Crucible know it’s not trustworthy? Cyber Crucible plays it safe and maintains a (group specific) list of trusted certificates. This means that we can easily catch test signing certs, as well as official certs from large CAs like digicerts.

 

We can see above that even though the file “321d0…” is signed, it’s still not trusted. Since there are no other complex obfuscation techniques used to deploy the attack, we know exactly where it came from!

 

To confirm the execution method, we can look into the process creations around the time of the incident. What we see confirms that there was no complex exploit method, or even a script! As with other samples, the child process creations are interesting, though. Even though the execution method of the malware itself was obvious, many background processes are started that disable protections and other system settings.

 

 

At this point the attack has been contained by Cyber Crucible, but analysis of the related processes is important to find scope of the malicious behaviors. The execution of the unsigned exe alone looks obvious when its laid out by Cyber Crucible, but many times background processes started by something as privileged and protected as Defender would simply be ignored.

 

Relevant documentation

  • Mitre T1566 - Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.

  • Mitre T1091 - Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities.

  • Mitre T1204 - User execution, often gained via phishing, is the simplest way malware to begin execution.

  • Mitre T1587-002 - Code signing certificates are a way for an authority to certify that an applications code. Malware may generate a certificate that does not come from any certificate authority but may confuse a user into thinking it is legitimate.

  • Mitre T1587-003 - SSL certificates are used to ensure that data transmission is trustworthy. In a poorly configured environment, malware may be able to install its own SSL certificate to facilitate man in the middle attacks.