Threat Thursday

SCYTHE Library: #ThreatThursday - MAZE

Written by Adam Mashinchi | Oct 1, 2020 4:00:00 AM

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data also occurs in addition to the encryption/ransom component. This week, we will walk through the variety of CTI analysis which has been conducted on MAZE in addition to creating and sharing an Adversary Emulation Plan. We hope you enjoy it.

Cyber Threat Intelligence

When looking at the variety of cyber threat intelligence available for the MAZE threat, we are given a crystallene example of the ways that CTI can be incredibly specific regarding some details, while simultaneously being sparse with other details. For example this report gives very explicit details regarding the phishing attacks conducted to compromise systems with MAZE. Another report goes into amazing detail about the processes and memory games which the MAZE binaries are observed to play. And yet another report gives us details regarding the authors, and their ransom management software. However, even with the excellent information provided in these reports and others, there are some details which still elude us when attempting to replicate the explicit behaviors of the MAZE threat.

For an explicit example of the discrepancy between CTI analysis, and explicit behaviors we can take the following sentence as an example:

“Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment …”

The above is certainly useful in regards to gaining insight into a threat actor’s general behaviors and goals; but leaves us wanting when attempting to re-create the explicit behavior utilized by the threat actor.

There are some very practical and interesting artifacts which CTI provides us, and which allow us to leave some interesting IOC’s on endpoints when emulating the MAZE Threat. For example: we have through these reports a litany of example PDB paths which we can use when generating custom binaries, and we also have explicit details about the content of the ransom notes left by MAZE. These details are critical for IR and Purple team events, and provide even more realism to our Adversary Emulation Plan.


Adversary Emulation Plan

Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for MAZE:

 

Tactic

Description

Summary

MAZE ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, MAZE operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies. (https://attack.mitre.org/software/S0449/)

Command and Control

T1071 - Application Layer Protocol

T1105 - Ingress Tool Transfer

T1219 - Remote Access Software

Execution

T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.003 - Windows Command Shell

T1053 - Scheduled Task/Job

T1053.005 - Scheduled Task

Defense Evasion

T1078 - Valid Accounts

T1078.003 - Local Accounts

T1112 - Modify Registry

Credential Access

T1003 - OS Credential Dumping

T1003.001 - LSASS Memory

Discovery

T1007 - System Service Discovery

T1012 - Query Registry

T1016 - System Network Configuration Discovery

T1033 - System Owner/User Discovery

T1057 - Process Discovery

T1082 - System Information Discovery

T1083 - File and Directory Discovery

T1087 - Account Discovery

T1124 - System Time Discovery

T1518 - Software Discovery

T1518.001 - Security Software Discovery

Privilege Escalation

N/A

Persistence

T1547 - Boot or Logon Autostart Execution

T1547.001 - Registry Run Keys / Startup Folder

Collection

T1005 - Data from Local System

T1074 - Data Staged

T1074.001 - Local Data Staging

T1560 - Archive Collected Data

T1560.002 - Archive via Library

Exfiltration

T1041 - Exfiltration Over C2 Channel

Impact

T1485 - Data Destruction

T1486 - Data Encrypted for Impact


Lost in the MAZE?

For the sake of our Adversary Emulation of MAZE, we focused more heavily on what could be executed on a specific endpoint, in that specific user’s space of privilege; rather than focusing on initial access method, various privilege escalation techniques, and propagation. The rationale for this was to have the ability to quickly and easily conduct an execution event on a single endpoint, to see which (if any) of our defensive triggers might be lit up by MAZE’s variety of Discovery and Impact operations. 

The hope is that some combination of the actions on objective we are conducting, ranging from compressing of files to the use of encryption, would trigger some combination of alarms for a AV, EDR, or Log Monitoring perspective.

With those goals in mind, we created the following SCYTHE Threat template, available in our Community Threats repository: https://github.com/scythe-io/community-threats/tree/master/MAZE 

Conclusion

MAZE is a fascinating threat from both an analysis and emulation perspective as it, once again, forces the collective information security community into simultaneously knowing a great deal about a threat actor, while also having minimal details regarding the way it explicitly performs its behaviors. However the variety of discovery techniques, blended with the exfiltration and ransomware behaviors, makes for what can be seens as a bit of a “kitchen sink” from a malware perspective. The realities of the information contrast between CTI sources, and the reliance on signituring of payloads and IP/Domains, gives defenders a wide range of IOC’s to act on, while still left feeling lacking from a threat emulation perspective.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io