<< All Posts

#ThreatThursday - Evil Corp

August 6, 2020


Garmin users noticed their devices were not working on July 22, 2020, upon visiting the Garmin website, the below image was shown. It would not be until a week later that most Garmin services were operational again. As more information was made public, we found out the attack was attributed to a threat group known as Evil Corp and they leveraged a fairly new ransomware called WastedLocker. This blog post will dive deeper into the Garmin attack, extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (like Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong. This blog post is a summary of the DEF CON Red Team Village talk, slides available here and the video of the presentation is below.


Cyber Threat Intelligence

News of the Garmin attack started coming in on July 22, 2020. Eventually we learned all Garmin services were down for about a week:



We found, through Cyber Threat Intelligence, the group responsible for the attack is Evil Corp and they used a ransomware called WastedLocker. This group is not documented in the MITRE ATT&CK site so we had to review the below Cyber Threat Intelligence, extract the TTPs, and map it to MITRE ATT&CK:

Evil Corp, as a threat group, is more sophisticated than the standard ransomware attack in that they manually interact with the target, move laterally through a number of systems, and then drop the ransomware. In this case, they dropped WastedLocker. At a high level, this is how the attack works:

  • SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
  • Zip file with malicious JavaScript, masquerading as a browser update 
  • A second JavaScript file profiles the computer and uses PowerShell to download additional discovery related PowerShell scripts
  • Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
  • PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
  • An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files
  • Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
  • The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or execute additional downloaded PowerShell scripts
  • The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
  • Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes

Here is a screenshot of what the end user would see:

https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

While the Cyber Threat Intelligence by NCC Group and Symantec has good detail, it is not mapped to MITRE ATT&CK so we did the mapping using ATT&CK Navigator and shared the JSON in the SCYTHE Community Threats Github. Here is a direct link to the Navigator Layer show below:

Figure 1: Evil Corp with WastedLocker ATT&CK Navigator Layer

Adversary Emulation Plan

Is emulating ransomware even possible? Of course it is! The secret is to not encrypt or destroy production data. Instead create new files before emulating typical ransomware steps of encrypting, exfiltrating, and obtaining a ransom note. This method ensures no data is ever at risk of being encrypted, destroyed, or leaked.

First, we start by creating by first building a threat profile for Evil Corp and WastedLocker:

 

Tactic

Description

Initial Access

T1189 - Drive-by Compromise

Command and Control

T1071 - Application Layer Protocol

T1071.001 - Web Protocols

T1573 - Encrypted Channel

T1573.002 - Asymmetric Cryptography

Execution

T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.007 - JavaScript/JScript

T1569 - System Services

T1569.002 - Service Execution

T1204 - User Execution

T1204.002 - Malicious File

T1047 - Windows Management Instrumentation

Defense Evasion

T1564 - Hide Artifacts

T1564.004 - NTFS File Attributes

T1562 - Impair Defenses

T1562.001 - Disable or Modify Tools

Discovery

T1087 - Account Discovery

T1087.001 - Local Account

T1087.002 - Domain Account

T1033 - System Owner/User Discovery

Privilege Escalation

T1548 - Abuse Elevation Control Mechanism

T1548.002 - Bypass User Access Control

Lateral Movement

T1570 - Lateral Tool Transfer

T1021.002 - SMB/Windows Admin Shares

Impact

T1485 - Data Destruction

T1486 - Data Encrypted for Impact

T1565 - Data Manipulation

T1565.001 - Stored Data Manipulation

T1490 - Inhibit System Recovery

T1489 - Service Stop


Given Evil Corp used Cobalt Strike for manual, lateral movement, we demo how to get a Cobalt Strike Beacon using PowerShell, just as Evil Corp did. Then we use Cobalt Strike to drop the WastedLocker ransomware we created with SCYTHE. The synthetic malware is available on our Community Threats Github for Evil Corp and was created with the below steps:

Here is the video of the demo from the DEF CON Red Team Village talk:

Defend against WastedLocker

We had the pleasure of sitting down with industry thought leader and just awarded Microsoft MVP, Olaf Hartong, to discuss how to defend against ransomware attacks. Given there are many strains of ransomware in the wild, it is important to focus on the behaviors that ransomware has shown in the past and continue to monitor as these criminal gangs evolve. 

Olaf gives us an introduction to Sysmon, a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Olaf is an industry contributor and has an excellent Sysmon configuration that he demos in this video:


Conclusion

Ransomware is evolving and getting more sophisticated. Evil Corp uses a number of tools to gain initial access, manually move laterally around the target environment, and then drop the ransomware. In this post, we consumed the Cyber Threat Intelligence as it came out, extracts TTPs, mapped to MITRE ATT&CK and created a Navigator Layer, created an adversary emulation plan and shared it on our GitHub, demoed the emulation, and discussed defending against ransomware with Olag Hartong. We hope you enjoyed this blog post that is a summary of the DEF CON Red Team Village talk, slides available here.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io


STAY UP TO DATE WITH OUR CONTENT!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form

More Unicorn Content

See All Posts

let our tech speak for itself

Know where you stand with SCYTHE. Talk to us to start the evaluation process today! We’d love to talk to you about how SCYTHE can fit into your cybersecurity workflow.

EVALUATE

LEARN MORE