Threat Essentials Blog

DearCry malware follow-ups to the Microsoft Exchange attacks

We recently wrote about the Hafnium group’s intrusions into Microsoft Exchange servers by exploiting the chain of vulnerabilities known as 'ProxyLogon". We suspected many of the malicious applications deployed on Exchange servers (such as web shells) were likely to be weaponised by opportunistic attackers for data theft and extortion, particularly in the time gap between the initial intrusion and Exchange users patching their systems.  

Unfortunately, this is proving to be true this week.

What is DearCry malware

DearCry is the new strain of malware being deployed to execute ransomware attacks on Exchange servers already breached by Hafnium and other malicious actors using the same tactics, techniques and procedures (TTPs). 

 te_dearcry_new

Screenshot A: Forum member sharing information about where to find a Proof of Concept for the ProxyLogon vulnerability. 

ProxyLogon chatter on dark web forums 

Threat Essentials monitors the many dark web forums popular with threat actors looking to buy, sell or share information very closely. At present, almost every forum we cover contains discussion threads on ProxyLogon, including Proofs of Concept (PoCs), techniques and guides for making the exploit work effectively and offers of tools (such as scanners) to help facilitate exploitation.  

We have noted at least one discussion thread involving a threat actor with a history of engaging with ransomware groups, offering employment to anybody who knows how to achieve remote code execution (RCE) with ProxyLogon effectively. 

As the Exchange Server exploits are now widely available and easy to use, all forum posts regarding these are experiencing very high viewership and engagement levels.  There has been more than 500% increase in traffic from Github to well-known dark web forum ‘Raidforums’ since February, and the current volume of posts asking how to use the exploits reflects both the large number of individuals attempting to illicitly benefit from Exchange server vulnerabilities, as well as the basic skillset they possess. There appears to be a competitive frenzy, where threat actors are trying to attack as many targets as possible before others get the chance. 

 te_dearcr (1)

Screenshot B: Russian-speaking threat actor seeking to buy ProxyLogon examples that achieve remote code execution (RCE) or pay individuals who can develop them. 

 

Technical summary of DearCry malware 

We have analysed a sample of DearCry with a sha256 hash of "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6" and it appears to create a service called 'msupdate' which encrypts files with SYSTEM privileges. It uses OpenSSL to encrypt files, presumably with the public key embedded inside the executable, so that a command and control infrastructure is not required.  

When the files are encrypted, they are saved to a different file with the .CRYPT extension appended, and the originating file is overwritten. Upon completion of encryption, the malware deregisters itself as a service. 

The malware appears to target the following file extensions: 

.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML  .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG.CSV .DAT .ISO .PST .PGD  .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA 

It then leaves a ransom note in every folder it has encrypted named readme.txt' with the following text: 

Your file has been encrypted! 

 If you want to decrypt, please contact us.  

%s 

 And please send me the following hash! 

%s 

The email addresses to contact and the hash of the file is filled in as the encrypted file is created. 

The DearCry malware does not use obfuscation or command and control infrastructure, and the only element of stealth in its operation is the use of msupdat as the name of the service it spawns. This is already detected by most anti-virus vendors and by Windows Defender as Ransom:Win32/DoejoCrypt.. 

 Screenshot C - ransom message

Screenshot C: DearCry malware creates a ransom message after encrypting files. 

 

What we recommend  

Further to the security patches released last week, Microsoft has released its one-click Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security update.’  We recommend adopting a proactive approach to cyber defence by using the unique and customisable Threat Essentials intelligence platform to gain visibility into the underground conversations that could have a severe and adverse effect on your information systems. 

To find out more about how Threat Essentials can support your cyber defences, get in touch with a Threat Essentials analyst at info@threatessentials.com 

 

References: 

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021