SCYTHE Library: Threat Emulation: Yanluowang

Intro

Welcome to the September 2022 SCYTHE #ThreatThursday! This edition features Yanluowang emulation plans based on data from multiple sources about the Yanluowang ransomware group. We would like to especially thank Cisco Talos for their fantastic writeup on the actions taken in the network by the threat actors. We know it is always challenging for victims to share data from their incidents and this is certainly no exception. Cisco has provided a model for victim organizations in transparency around its incident, ensuring that data is shared so other victims can be more prepared.

Executive Summary

The Yanluowang ransomware group has been around since at least late 2021, but many people had never heard their name prior to their involvement in the Cisco incident in August 2022. SCYTHE posting this threat in no way should be construed as victim blaming. On the contrary, there is sufficient data in the public domain to discuss at least in part because of the great work by Talos.

For this Threat Thursday, SCYTHE is taking a bit of a different approach. Traditionally, our ThreatThursday emulation plans are large and contain an entire attack chain. We’ve received feedback from customers that emulation plans of this size are difficult for some to operationalize. For this month’s ThreatThursday, we’ve broken the steps down into multiple plans, highlighting different components of the operation. If you want to run a complete emulation, you should consider combining the plans into a single campaign. We believe that most teams will be better served by consuming smaller (but by no means inconsequential) plans emulating Yanluowang procedures.

‍

The plans being released with this ThreatThursday are:

Create a new backdoor user “z” and add this user to the local administrators group (Yanluowang_add_admin_user)
Execute ntdsutil and exfiltrate the data (Yanluowang_ntdsutil)
Install LogMeIn (Yanluowang_LogMeIn)
Use ImageFileExecutionOptions (IFEO) to backdoor both narrator.exe and sethc.exe (Yanluowang_ifeo_login_bypass)
IFEO backdoor with PSEXEC (Yanluowang_ifeo_psexec)

Cyber Threat Intelligence

Profile:

Yanluowang ransomware, first discovered by Symantec, has been used in targeted attacks since at least August 2021. Some reports have suggested a link between Yanluowang and Thieflock (a RaaS developed by the Canthroid/Fivehands group) due to overlap in TTPs used. A deeper analysis of the code does not support shared authorship but instead may suggest that Yanluowang attacks could be carried out by former Thieflock affiliate groups.

Historically, use of AdFind and SoftPerfect Network Scanner have been noted as potential precursors to Yanluowang attacks. Researchers have also observed use of WMI to obtain a list of running processes on remote devices of interest, indicating some level of operational security discipline. Prior to deployment of the ransomware, PowerShell is often used to download other tools to aid in reconnaissance. Credential theft, specifically targeting those stored in browsers, is accomplished via GrabFF, GrabChrome, BrowserPassView, and KeeThief. Once Yanluowang is deployed, the malware halts all processes of interest, encrypts files on the compromised device, appends the .yanluowang extension, and drops a README.txt ransom note.

In the most recent May attack, researchers observed some additional TTPs such as:

Creation of local admin user “z”
Remote access tools usage (LogMeIn and Team Viewer)
Windows logon bypass leveraging ImageFileExecutionOptions

Aliases:

N/A

Targets:

Attacks have been heavily focused on U.S. corporations in the financial sector but companies in manufacturing, IT services, consulting, and engineering have been targeted as well.

Objectives:

Data exfiltration
Data encryption
Credential harvesting

Capabilities:

Reconnaissance

ADFind
SoftPerfect Network Scanner
Process enumeration via WMI

Lateral Movement

PSExec.exe

Persistence

Creation of local admin account(s)
Changing passwords of existing local accounts
Use of Windows logon bypass techniques (leveraged accessibility features)

Remote Access

RDP
ConnectWise
LogMeIn
TeamViewer

Credential Harvesting

Ntdsutil.exe
Extraction of HKLM\SYSTEM, SAM and SECURITY hives
GrabFF (tool to dump passwords from Firefox)
GrabChrome (tool to dump passwords from Chrome)
BrowserPassView (tool to dump passwords from Internet Explorer + other browsers)
Kee Thief (PowerShell script to copy the master key from Kee Pass)

Data Exfiltration

Screen capture tools
File exfiltration via filegrab.exe

Other payload delivery

BazarLoader
Cobalt Strike

‍

Automated Emulation

Create a New Backdoor User “z”

This emulation plan creates a new backdoor user “z” and adds this user to the local administrators group. The username and password observed were sourced from the Talos reporting.

After a three minute delay (configurable), the user is deleted. The intent of the delay is to give a threat hunter time to discover the new administrative user if desired.

Execute ntdsutil and Exfiltrate Data

The first portion of the plan checks for the existence of ntdsutil.exe to ensure it is present (and in the expected path) on the system of interest.

Next, we create the directory of C:\users\public\z for the output if it doesn’t already exist.

Then, we execute ntdsutil creating a full backup and place the output in C:\users\public\z.

Then we download 7za.exe (standalone 7zip executable) and create a password protected archive of the NTDS export. Next, upload the archive to the SCYTHE server.

The cleanup steps remove the directory C:\users\public\z and other artifacts in the directory that we created.

Install LogMeIn (Yanluowang_LogMeIn)

This emulation downloads the LogMeIn.msi and performs a silent install.

We first create a staging directory “remote”:

Next we download the .msi file. *Note: download of LogMeIn is gated by requiring a user to create an account with GoTo so we have hosted the file on github.

Next we install the program using the /quiet switch:

Finally, we perform a clean up to uninstall, delete the msi, and remove the staging directory.

Finally, perform a clean up to uninstall

Use ImageFileExecutionOptions to backdoor both narrator.exe and sethc.exe (Yanluowang_ifeo_login_bypass)

We begin by querying the registry to obtain the current state of certain keys which are referenced later during clean-up to restore the initial state.

Then we download a benign executable (benign.exe) that will be used as a placeholder for what would be cmd.exe in the case of the Cisco attack

Sethc.exe is a program under accessibility features that is responsible for the “Sticky Keys” feature in Windows and is available before login. Narrator.exe is the program responsible for the screen reading accessibility feature and is also available pre-login. By configuring a debugger under ImageFileExecutionOptions (IFEO), the debugger program is launched first when sticky keys or narrator execution is triggered. We set these registry keys, pointing them instead to our notmalware.exe, with the following commands:

We then include a step which sets a scheduled task to kill the process spawned after we execute sethc.exe. This is an artifact of the emulation and not intended to be used in detection engineering.

These steps are repeated to illustrate the same login bypass technique via use of narrator.exe instead. Clean up steps are included at the end after a 4 minute delay.

IFEO backdoor with PSEXEC (Yanluowang_ifeo_psexec)

The Talos blog reported that the adversary often relied on use of PSExec to remotely add the registry values related to the IFEO logon bypass technique. Prior to running this threat please ensure you have updated the initial steps with the correct information for your environment:

The echo steps that follow are present for diagnostic purposes, ensuring the parameters used for testing are easily available in SCYTHE reporting. The “net use” command is used to validate connectivity with the intended target.

‍

Similar to the previous threat, the registry queries that follow are used to establish baseline values which are referenced later during clean-up to restore the initial state.

‍

After downloading PSExec, we leverage it to set the same debugger values in the registry.

Clean up steps are included at the end to restore the registry to its initial state and remove the network share connection.

Detection Opportunities

There are several detection opportunities in these plans, many of which are covered by multiple rules. Where appropriate, a defense-in-depth approach should be taken by layering rules, even though one may cover the procedure in its current state.

‍