#ThreatThursday - MAZE

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware families, also has an extortion component: the original data is exfiltrated in addition to being encrypted and held for ransom. This week, we will walk through the variety of CTI analysis which has been conducted on MAZE, in addition to creating and sharing an Adversary Emulation Plan. We hope you enjoy it.

Cyber Threat Intelligence

When looking at the variety of cyber threat intelligence available for the MAZE threat, we are given a crystalline example of the way CTI can be incredibly specific regarding some details while simultaneously being sparse with others. For example, this report gives very explicit details regarding the phishing attacks conducted to compromise systems with MAZE. Another report goes into amazing detail about the process and memory games which the MAZE binaries are observed to play. And yet another report gives us details regarding the authors and their ransom management software. However, even with the excellent information provided in these reports and others, there are some details which still elude us when attempting to replicate the explicit behaviors of the MAZE threat.

For an explicit example of the gap between CTI analysis and explicit behaviors, take the following sentence:

“Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment …”

The above is certainly useful for gaining insight into a threat actor’s general behaviors and goals, but it leaves us wanting when attempting to re-create the explicit behavior the threat actor utilized.

CTI does provide some very practical and interesting artifacts which allow us to leave realistic IOCs on endpoints when emulating the MAZE threat. For example, these reports give us a litany of example PDB paths which we can use when generating custom binaries, and explicit details about the content of the ransom notes left by MAZE. These details are critical for IR and Purple Team events, and add even more realism to our Adversary Emulation Plan.
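From the defender’s side, the same PDB paths the reports list are IOCs worth hunting for in binaries found on endpoints. The following Python script is an added example for this post, not SCYTHE’s code or anything from the cited reports: it scans raw bytes for CodeView "RSDS" debug records (the standard layout: the 4-byte signature, a 16-byte GUID, a 4-byte age, then a null-terminated PDB path) and matches the extracted paths against a list of known paths. The sample blob and the PDB path in it are constructed placeholders; no real MAZE PDB path appears here.

```python
"""Extract CodeView RSDS PDB records from raw PE bytes and match them against known IOC paths.

Added example for this post (not SCYTHE's code). The sample blob and the
placeholder PDB path are constructed; real paths would come from the CTI reports.
"""
import re
import struct
import uuid

RSDS_RE = re.compile(rb"RSDS")


def extract_pdb_records(data: bytes, max_path: int = 260):
    """Return [(guid_str, age, pdb_path), ...] for every well-formed RSDS record in `data`.

    Layout after the 'RSDS' signature: GUID (16 bytes, little-endian field order),
    age (uint32 LE), then the PDB path as a null-terminated string.
    """
    records = []
    for m in RSDS_RE.finditer(data):
        start = m.end()
        if start + 20 > len(data):          # truncated record: no room for GUID + age
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        (age,) = struct.unpack_from("<I", data, start + 16)
        end = data.find(b"\x00", start + 20, start + 20 + max_path)
        if end == -1:                       # no terminator within a sane path length
            continue
        try:
            path = data[start + 20:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if path:                            # an empty path is a false 'RSDS' hit
            records.append((str(guid), age, path))
    return records


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Construct an RSDS record; used only to assemble the sample blob below."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("utf-8") + b"\x00"


# Constructed stand-in for a scanned binary: filler bytes with one RSDS record embedded.
PLACEHOLDER_PDB = r"C:\placeholder\build\maze_emulation.pdb"   # not a real MAZE path
SAMPLE_BLOB = (b"MZ" + b"\x00" * 62 + bytes(range(256))
               + build_rsds(uuid.UUID(int=0x1234), 3, PLACEHOLDER_PDB) + b"\xff" * 32)

# The hunt list; in practice populated from the PDB paths the CTI reports publish.
KNOWN_PDB_PATHS = {PLACEHOLDER_PDB.lower()}


def match_known(records, known=KNOWN_PDB_PATHS):
    """Filter extracted records down to those whose path is on the known-IOC list."""
    return [r for r in records if r[2].lower() in known]


if __name__ == "__main__":
    found = extract_pdb_records(SAMPLE_BLOB)
    print("records:", found)
    print("IOC hits:", match_known(found))
```

Matching is case-insensitive because PDB paths are Windows paths; the GUID and age are returned as well so a hit can be tied back to a specific build rather than just a path string.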


Adversary Emulation Plan

Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for MAZE:

 

| Tactic | Description |
| --- | --- |
| Summary | MAZE ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, MAZE operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies. (https://attack.mitre.org/software/S0449/) |
| Command and Control | T1071 - Application Layer Protocol; T1105 - Ingress Tool Transfer; T1219 - Remote Access Software |
| Execution | T1059 - Command and Scripting Interpreter (T1059.001 - PowerShell; T1059.003 - Windows Command Shell); T1053 - Scheduled Task/Job (T1053.005 - Scheduled Task) |
| Defense Evasion | T1078 - Valid Accounts (T1078.003 - Local Accounts); T1112 - Modify Registry |
| Credential Access | T1003 - OS Credential Dumping (T1003.001 - LSASS Memory) |
| Discovery | T1007 - System Service Discovery; T1012 - Query Registry; T1016 - System Network Configuration Discovery; T1033 - System Owner/User Discovery; T1057 - Process Discovery; T1082 - System Information Discovery; T1083 - File and Directory Discovery; T1087 - Account Discovery; T1124 - System Time Discovery; T1518 - Software Discovery (T1518.001 - Security Software Discovery) |
| Privilege Escalation | N/A |
| Persistence | T1547 - Boot or Logon Autostart Execution (T1547.001 - Registry Run Keys / Startup Folder) |
| Collection | T1005 - Data from Local System; T1074 - Data Staged (T1074.001 - Local Data Staging); T1560 - Archive Collected Data (T1560.002 - Archive via Library) |
| Exfiltration | T1041 - Exfiltration Over C2 Channel |
| Impact | T1485 - Data Destruction; T1486 - Data Encrypted for Impact |


Lost in the MAZE?

For the sake of our Adversary Emulation of MAZE, we focused more heavily on what could be executed on a specific endpoint within that user’s level of privilege, rather than on the initial access method, the various privilege escalation techniques, and propagation. The rationale was to be able to quickly and easily conduct an execution event on a single endpoint and see which (if any) of our defensive triggers might be lit up by MAZE’s variety of Discovery and Impact operations.

The hope is that some combination of the actions on objective we conduct, ranging from compressing files to encrypting them, would trigger alarms from an AV, EDR, or log monitoring perspective.

With those goals in mind, we created the following SCYTHE Threat template, available in our Community Threats repository: https://github.com/scythe-io/community-threats/tree/master/MAZE 
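To show what one of those defensive triggers can look like against the profile above, here is an added Python example, not SCYTHE’s code and not part of the community-threats template. It parses constructed endpoint telemetry (process creations and file events in a simple key=value format that is an assumption of this example), maps command lines to the Discovery technique IDs from the threat profile, counts extension-changing renames and ransom-note drops as the file-level trace of T1486, and raises a host-level alert when a discovery burst and a rename storm land on the same host inside one window. The command patterns, note filename and ".locked" extension are constructed assumptions; the reports cited in this post do not spell out the exact commands or note name, which is precisely the CTI gap discussed earlier.

```python
"""Score constructed endpoint telemetry against the MAZE threat profile above.

Added example for this post (not SCYTHE's code). Log format, command patterns,
note filename and the ".locked" extension are all constructed assumptions.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows recon commands -> Discovery technique IDs from the profile (assumed patterns).
DISCOVERY_PATTERNS = [
    (re.compile(r"\b(ipconfig|arp)\b|\bnet\s+view\b", re.I), "T1016"),
    (re.compile(r"\bwhoami\b|\bquery\s+user\b", re.I), "T1033"),
    (re.compile(r"\btasklist\b", re.I), "T1057"),
    (re.compile(r"\bsysteminfo\b", re.I), "T1082"),
    (re.compile(r"\bnet\s+(user|group|localgroup)\b", re.I), "T1087"),
    (re.compile(r"\bnet\s+time\b|\bw32tm\b", re.I), "T1124"),
]
NOTE_NAME = "ransom_note_placeholder.txt"   # placeholder: the real note name is not in the post
LINE_RE = re.compile(r"(\S+)\s+(.*)")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Parse '<iso-timestamp> key=value key="quoted value" ...' into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group(1))}
    for key, raw, quoted in KV_RE.findall(m.group(2)):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def map_discovery(cmd):
    """Technique IDs from the profile that a process command line matches."""
    return {tid for pat, tid in DISCOVERY_PATTERNS if pat.search(cmd)}

def has_burst(times, n, window):
    """True if at least n timestamps fall inside some sliding window of length `window`."""
    times, start = sorted(times), 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= n:
            return True
    return False

def analyze(lines, window=timedelta(minutes=10), min_discovery=4, min_renames=20):
    """Per-host findings; 'alert' requires a discovery burst AND a rename storm on one host."""
    by_host = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_host[rec.get("host", "?")].append(rec)
    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        first_seen, renames, note_dirs = {}, [], set()   # technique -> first timestamp seen
        for rec in recs:
            event, action = rec.get("event"), rec.get("action")
            if event == "process":
                for tid in map_discovery(rec.get("cmd", "")):
                    first_seen.setdefault(tid, rec["ts"])
            elif event == "file" and action == "rename":
                # A rename that changes the extension is the file-level trace of T1486.
                old_ext = ntpath.splitext(rec.get("src", ""))[1].lower()
                if old_ext != ntpath.splitext(rec.get("dst", ""))[1].lower():
                    renames.append(rec["ts"])
            elif event == "file" and action == "create":
                if ntpath.basename(rec.get("path", "")).lower() == NOTE_NAME:
                    note_dirs.add(ntpath.dirname(rec["path"]))
        burst = has_burst(first_seen.values(), min_discovery, window)
        storm = has_burst(renames, min_renames, window)
        findings[host] = {"discovery": sorted(first_seen), "discovery_burst": burst,
                          "renames": len(renames), "rename_storm": storm,
                          "note_dirs": len(note_dirs), "alert": burst and storm}
    return findings

# Constructed telemetry: WS01 carries the emulated chain, WS02 is a benign admin baseline.
SAMPLE_LOG = [
    '2020-10-01T09:00:05 host=WS01 user=alice event=process pid=4120 cmd="whoami /all"',
    '2020-10-01T09:00:09 host=WS01 user=alice event=process pid=4131 cmd="ipconfig /all"',
    '2020-10-01T09:00:12 host=WS01 user=alice event=process pid=4140 cmd="systeminfo"',
    '2020-10-01T09:00:15 host=WS01 user=alice event=process pid=4152 cmd="net user"',
    '2020-10-01T09:00:20 host=WS01 user=alice event=process pid=4160 cmd="tasklist /v"',
    '2020-10-01T09:00:25 host=WS01 user=alice event=process pid=4171 cmd="net time"',
    '2020-10-01T09:05:00 host=WS02 user=bob event=process pid=880 cmd="ipconfig /all"',
    '2020-10-01T09:30:00 host=WS02 user=bob event=process pid=902 cmd="whoami"',
]
for folder in ("Documents", "Desktop", "Pictures"):   # note dropped into three folders
    SAMPLE_LOG.append(f'2020-10-01T09:01:00 host=WS01 user=alice event=file action=create '
                      f'path="C:\\Users\\alice\\{folder}\\{NOTE_NAME}"')
for i in range(25):   # 25 documents renamed to a placeholder extension within ~75 seconds
    ts = datetime(2020, 10, 1, 9, 2, 0) + timedelta(seconds=3 * i)
    SAMPLE_LOG.append(f'{ts.isoformat()} host=WS01 user=alice event=file action=rename '
                      f'src="C:\\Users\\alice\\Documents\\report{i}.docx" '
                      f'dst="C:\\Users\\alice\\Documents\\report{i}.docx.locked"')

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_LOG).items():
        print(host, "ALERT" if result["alert"] else "ok", result)
```

The thresholds are deliberately conservative: two recon commands from an administrator half an hour apart (WS02) never fire, while the emulated chain on WS01 trips both the discovery burst and the rename storm, and the note-drop count is reported as supporting evidence rather than as a trigger of its own, since the note name is the detail most likely to change between samples.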

Conclusion

MAZE is a fascinating threat from both an analysis and an emulation perspective, as it once again forces the collective information security community into simultaneously knowing a great deal about a threat actor while having minimal details regarding the way it explicitly performs its behaviors. However, the variety of discovery techniques, blended with the exfiltration and ransomware behaviors, makes for what can be seen as a bit of a “kitchen sink” from a malware perspective. The contrast in information between CTI sources, and the reliance on signaturing of payloads and IP addresses/domains, gives defenders a wide range of IOCs to act on while still leaving them feeling lacking from a threat emulation perspective.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.