{
  "Event": {
    "analysis": "2",
    "date": "2025-01-29",
    "extends_uuid": "",
    "info": "Phorpiex - Downloader Delivering Ransomware",
    "publish_timestamp": "1738132653",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1738132491",
    "uuid": "4ea0dcc3-eaef-423b-a766-cccabea8b6db",
    "Orgc": {
      "name": "CUDESO",
      "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:botnet=\"Phorpiex\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:financial-fraud=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:groups=\"LockBit Ransomware Actors & Affiliates\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Phorpiex\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:software=\"LockBit 3.0\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Persistence - T1070.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Double File Extension - T1036.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Evasion - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade File Type - T1036.008\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738130716",
        "to_ids": false,
        "type": "link",
        "uuid": "852d3a92-06bb-435f-a9a7-af2d0c96e0ff",
        "value": "https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738131740",
        "to_ids": false,
        "type": "email-src",
        "uuid": "4654390c-b72f-45e7-a492-ec6e1ee01424",
        "value": "jenny@gsd[.]com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738131740",
        "to_ids": false,
        "type": "email-src",
        "uuid": "45192a2c-af67-458f-84db-b98d7b72a8e3",
        "value": "ebe6941ee8a10c14dc933ae37a0f43fc@gsd[.]com"
      },
      {
        "category": "Network activity",
        "comment": "LNK file downloads spl.exe from this URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738131823",
        "to_ids": true,
        "type": "url",
        "uuid": "979e9ae7-a492-4a84-b52a-ac02c474600b",
        "value": "http://twizt.net"
      },
      {
        "category": "Network activity",
        "comment": "Used by SCR file pic0502024.jpg.scr",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738131879",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5c222cc9-3b69-468f-aee3-00d876e7f2fe",
        "value": "193.233.132.177"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132114",
        "to_ids": false,
        "type": "mutex",
        "uuid": "9488f44d-a2b2-4b82-bab2-b0d67ea31faa",
        "value": "PreLoad"
      },
      {
        "category": "Payload delivery",
        "comment": "Downloaded from hxxp://twizt[.]net",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132190",
        "to_ids": false,
        "type": "filename",
        "uuid": "64619471-6228-4a3d-8a5d-892389bff5f2",
        "value": "lslut.exe"
      },
      {
        "category": "Payload delivery",
        "comment": "ZIP file related to TWIZT downloader variant, delivered via phishing emails.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "36b35ddd-34f7-451e-bfa7-e31b0289a48d",
        "value": "a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae"
      },
      {
        "category": "Payload delivery",
        "comment": "Document.doc.lnk within the attached ZIP file document.zip.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5ed3d2c5-6caa-4728-b31e-0640948996f5",
        "value": "05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7"
      },
      {
        "category": "Payload delivery",
        "comment": "ZIP file related to LockBit downloader variant, delivered via phishing emails.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "683cdab2-8eef-4d43-a013-1002702ef246",
        "value": "01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239"
      },
      {
        "category": "Payload delivery",
        "comment": "TWIZT downloader executable",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "88b11956-4278-45f4-82e0-be92edb19fa0",
        "value": "c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4"
      },
      {
        "category": "Payload delivery",
        "comment": "GandCrab downloader executable",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "20a5c91a-caf1-436a-bf07-429b9e880720",
        "value": "5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8"
      },
      {
        "category": "Payload delivery",
        "comment": "LockBit downloader executable",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738132331",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0a97dca2-cba3-4e55-b361-1d27704c22fb",
        "value": "263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb"
      }
    ],
    "Object": [
      {
        "comment": "GandCrab downloader variant",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1738132051",
        "uuid": "370e370b-fec1-40a5-821c-80fab0fbd794",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1738132051",
            "to_ids": false,
            "type": "filename",
            "uuid": "e901c85b-efe8-4b80-a817-1cd7643ff20f",
            "value": "DeviceManager.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1738131951",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ab8cb105-5587-487f-a856-697bda5e46a2",
            "value": "5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8"
          }
        ]
      },
      {
        "comment": "Phorpiex TWIZT Downloader",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1738132049",
        "uuid": "46dbe035-e87e-49f1-a71d-4bdb831019c5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1738132049",
            "to_ids": false,
            "type": "filename",
            "uuid": "809d6beb-08f6-4183-b51b-a2ed9bcb36a0",
            "value": "windrv.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1738131961",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ebffe3ce-2cea-4a3b-9a61-a8908bd9a806",
            "value": "c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4"
          }
        ]
      },
      {
        "comment": "LockBit downloader variant",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1738132009",
        "uuid": "3d8ae8aa-6bfb-4e17-b8a1-144834a19235",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1738131969",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f785d426-f4d1-41af-ae5e-68666b4e21b9",
            "value": "263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1738131983",
            "to_ids": true,
            "type": "filename",
            "uuid": "43ee10e3-ba10-4dbc-a801-388c586c376f",
            "value": "PIC0502024.jpg.scr"
          }
        ]
      }
    ],
    "EventReport": [
      {
        "uuid": "898469a1-705e-4206-8e57-e6bb808eeaaf",
        "name": "Report from - https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader (1738130658)",
        "content": "In this Threat Analysis report, Cybereason Security Services investigate the Phorpiex botnet, which in turn delivers LockBit Black ransomware (aka LockBit 3.0).\r\n\r\n### KEY POINTS\r\n\r\n * **Automated Executions:** Unlike past LockBit ransomware incidents, the threat actors relied on Phorpiex to deliver and execute LockBit ransomware. This technique is unusual, as ransomware deployment usually involves human operators conducting the attack.\r\n * **Minimal Change:** After the developers of Phorpiex sold the source code of the botnet back in 2021, the successors have likely not changed much of the malware's code base. This is evident from consistent attempts to delete Zone.Identifier files across different Phorpiex downloader variants.\r\n * **Straight To The Point:** The LockBit downloader variant of Phorpiex downloaded LockBit right away without expanding the infection area within the victim's network. This differs from the usual ransomware operator\u2019s tactic of encrypting as many machines as possible to maximize impact on the victim\u2019s network.\r\n\r\n ### INTRODUCTION\r\n\r\n *Phorpiex to LockBit Execution FlowChart*\r\n\r\n What is Phorpiex\r\n\r\n Phorpiex, also known as Trik, is a notorious botnet that has been active since 2010, primarily involved in spam campaigns, cryptocurrency mining, and the distribution of post-exploitation malware.\r\n\r\n Phorpiex\u2019s adaptability and extensive reach have impacted numerous systems globally through its multifaceted malicious activities. Phorpiex often spreads through attachments or links in phishing emails. The common file types of malicious attachments are Microsoft Word documents, PDFs, or executables. Threat actors behind Phorpiex also abuse compromised websites to host the malware.\r\n\r\n What is LockBit\r\n\r\n The LockBit ransomware group is a Russian-speaking cybercrime group that emerged around September 2019. 
At its peak in 2023, LockBit was responsible for almost 30% of all ransomware attacks.\r\n\r\n In February 2024, an international law enforcement effort called Operation Cronos attempted to dismantle the LockBit ransomware group. Despite several arrests, the indictment and unmasking of the group\u2019s alleged leader, and disruption of its infrastructure, LockBit returned to operations in short order and remains a significant threat.\r\n\r\n The group is known for the following attributes:\r\n\r\n **Ransomware-as-a-Service (RaaS):** LockBit operates on an affiliate model, where the group acts as the distributor and collects a percentage of the ransom from the affiliates.\r\n\r\n **Fast Encryption:** LockBit advertises a rapid encryption process, which minimizes the time available for detection and response.\r\n\r\n **Wide Target:** LockBit has targeted various industries such as Logistics, Retail, Consumer Services, Technology, Transportation, Legal, Finance, Construction, Manufacturing, Wholesale, Aviation, Energy, Defense, and Professional Services across multiple regions.\r\n\r\n **Double Extortion:** LockBit often exfiltrates data before encrypting systems, threatening to release the stolen data publicly if the ransom is not paid.\r\n\r\n Phorpiex to LockBit Connection\r\n\r\n The connection between Phorpiex and LockBit primarily lies in the distribution channels and the evolution of attack strategies:\r\n\r\n **Distribution of LockBit:** There have been instances where Phorpiex has been used to distribute LockBit ransomware. The botnet\u2019s extensive reach and capabilities make it an effective distribution mechanism for ransomware.\r\n\r\n **Evolution of Threat Actors:** Cybercriminals often evolve their tactics, techniques, and procedures (TTPs). Operators behind LockBit leveraged Phorpiex in their existing infrastructure to distribute more lucrative ransomware. 
\r\n\r\n **Botnet as a Service:** The operators behind Phorpiex might offer their botnet infrastructure as a service to other cybercriminals, including those spreading LockBit.\r\n\r\n ### TECHNICAL ANALYSIS\r\n\r\n This section covers the technical analysis of Phorpiex downloaders. The analysis consists of two sections:\r\n\r\n * TTPs\r\n * Phorpiex Binary Analysis\r\n\r\n Tactics, Techniques and Procedures (TTPs)\r\n\r\n In this campaign, Cybereason observed not only the LockBit downloader version of Phorpiex but also the TWIZT downloader version. This section highlights key TTPs seen in both variants.\r\n\r\n *LockBit Infection Flow*\r\n\r\n *TWIZT Infection Flow*\r\n\r\n Phishing Email\r\n\r\n The Phorpiex infection flow begins with phishing emails with the subject Your Document. The emails, carrying ZIP files named document.zip, were sent from *jenny@gsd[.]com* and *ebe6941ee8a10c14dc933ae37a0f43fc@gsd[.]com*. The same email campaign appears to deliver either the LockBit downloader variant of Phorpiex or the TWIZT downloader variant.\r\n\r\n *Phishing Email From gsd[.]com Observed In Cybereason XDR Platform*\r\n\r\n *Emails Subject, Senders And Attachment Zip Files*\r\n\r\n The file contained in the ZIP archive differs per variant:\r\n\r\n * **SCR file:** LockBit variant\r\n * **LNK file:** TWIZT variant\r\n\r\n LNK File\r\n\r\n The TWIZT variant delivers the LNK file *document.doc.lnk* within the attached ZIP file *document.zip*. 
The LNK file is responsible for downloading *spl.exe* from *hxxp://twizt[.]net* and saving it as *windrv.exe* on the victim's machine under the *%userprofile%* folder.\r\n\r\n *Shortcut File Leads PowerShell Execution*\r\n\r\n *Windrv.exe* appears to be the TWIZT downloader variant, which this report analyzes in more detail later.\r\n\r\n SCR File\r\n\r\n *Malicious SCR file Detection By Cybereason*\r\n\r\n The LockBit downloader variant delivers the SCR file *pic0502024.jpg.scr* within the ZIP file document.zip. When the victim executes the SCR file, it creates a connection to IP address *193.233.132[.]177*. At the time of this execution, Cybereason did not observe a successful connection to *193.233.132[.]177*; however, according to ProofPoint's blog, the IP address hosted LockBit ransomware.\r\n\r\n *Connection To IP Address 193.233.132[.]177*\r\n\r\n The process *PIC0502024.jpg.scr* attempts to download the LockBit binary *lbbb.exe* from IP address *193.233.132[.]177* and renames it with a randomly generated SCR file name in the *%TEMP%* folder.\r\n\r\n *GET Request To Download lbbb.exe*\r\n\r\n Phorpiex Binary Analysis\r\n\r\n This section covers binary analysis of three different Phorpiex variants:\r\n\r\n * LockBit Downloader\r\n * GandCrab Downloader\r\n * Phorpiex TWIZT Downloader\r\n\r\n The analyzed samples have the following SHA-256 hashes:\r\n\r\n| Filename | SHA-256 | Description |\r\n| --- | --- | --- |\r\n| PIC0502024.jpg.scr | 263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb | LockBit downloader variant |\r\n| DeviceManager.exe | 5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8 | GandCrab downloader variant |\r\n| windrv.exe | c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4 | Phorpiex TWIZT Downloader |\r\n\r\n Cybereason added a GandCrab downloader variant analysis to give additional insights for the comparative 
analysis.\r\n\r\n LockBit Downloader Variant\r\n\r\n URL Cache Deletion\r\n\r\n Before initiating the download of the LockBit ransomware, the downloader deletes the URL cache entry for the C2 URL *hxxp://193.233.132[.]177/lbbb.exe* via *DeleteUrlCacheEntryW*. The downloader likely does this to prevent a stale cache entry from interfering with the download.\r\n\r\n *Deletes URL Cache Via DeleteUrlCacheEntryW*\r\n\r\n Library Obfuscation\r\n\r\n As part of its anti-analysis capabilities, the LockBit Downloader variant employs encrypted strings as a form of code obfuscation. This variant includes a decryptor function responsible for revealing these strings.\r\n\r\n *Decryptor Function Code Snippet*\r\n\r\n Many of these encrypted strings are library names and function names, which the downloader resolves dynamically at runtime. The decryptor function returns the decrypted strings, which are then passed to either *LoadLibraryA* or *GetProcAddress* to load the necessary libraries and resolve function addresses.\r\n\r\n *Decrypting Library Name wininet.dll And Loading The Library Via LoadLibraryA*\r\n\r\n LockBit Download & Execution\r\n\r\n Once the preceding steps complete, the downloader attempts to download the LockBit binary *lbbb.exe* from the C2 server. The downloading process consists of:\r\n\r\n 1. Fetching the full directory path of *%temp%*\r\n 2. Creating a new SCR file name with randomly generated numbers\r\n 3. Creating a full file path combining 1. and 2.\r\n 4. Downloading the *lbbb.exe* file from C2 *hxxp://193.233.132[.]177*\r\n 5. Writing *lbbb.exe* to the full path created in Step 3\r\n\r\n *Code Snippet Of LockBit Download*\r\n\r\n Once the download finishes, the downloader attempts to execute LockBit via *ShellExecuteA*.\r\n\r\n Indicator Removal\r\n\r\n The downloader deletes the *Zone.Identifier* file in order to hide the trace and evidence of C2 metadata. 
The Zone.Identifier file stores metadata on downloaded files, such as the URL that hosted the file.\r\n\r\n *Zone.Identifier Content Example*\r\n\r\n Since *Zone.Identifier* files often contain the host URL of the downloaded files, the downloader attempts to delete all *Zone.Identifier* files related to Phorpiex variants.\r\n\r\n *Deletes Zone.Identifier File Of The Downloaded LockBit*\r\n\r\n Phorpiex TWIZT Downloader Variant\r\n\r\n JPEG File Check\r\n\r\n After the TWIZT variant LNK file downloads the binary payload from C2, the binary creates an empty JPEG file under the *%TEMP%* folder. The process *windrv.exe* checks for the presence of this JPEG file in the *%TEMP%* folder. This procedure verifies that the machine is a new host, to avoid re-infecting it.\r\n\r\n *Confirm Existence Of The JPEG File*\r\n\r\n *Create The JPEG File In %TEMP% Folder*\r\n\r\n *Connect To twizt[.]net/installed*\r\n\r\n If the JPEG file does not exist, the downloader connects to *twizt[.]net/Installed*, which likely notifies the C2 of the new victim host.\r\n\r\n Mutex Creation\r\n\r\n As a further check of the infection status of the victim\u2019s machine, the downloader creates a mutex named *PreLoad* via *CreateMutexA* after the JPEG file check. If the *PreLoad* mutex already exists on the machine, the process exits.\r\n\r\n *Mutex PreLoad Creation*\r\n\r\n Indicator Removal\r\n\r\n The TWIZT downloader removes evidence and traces of the downloaded files by deleting the *Zone.Identifier* file, the same as the LockBit downloader.\r\n\r\n Persistence Via Registry Run Key\r\n\r\n To maintain persistence on the victim\u2019s machine, the downloader performs the following actions:\r\n\r\n 1. Fetches the full directory path of *%userprofile%*\r\n 2. Copies and renames itself as *%userprofile%\\winsvc.exe*\r\n 3. 
Registers the renamed file *winsvc.exe* as *Windows Service* in the registry Run key.\r\n\r\n *Copies Itself Into %userprofile% Via CopyFileW*\r\n\r\n *Creates Persistence By Registering Copied File Via Registry Run Keys*\r\n\r\n *Registry Manipulation To Execute Automatically*\r\n\r\n Payload Download & Execution\r\n\r\n After the preceding steps complete, the downloader attempts to retrieve the actual payload from the C2 server. The downloading process consists of:\r\n\r\n 1. Fetching the full directory path of *%temp%*\r\n 2. Creating a new file name with randomly generated numbers\r\n 3. Creating a full file path combining 1. and 2.\r\n 4. Downloading the *lslut.exe* file from C2 *hxxp://twizt[.]net*\r\n 5. Writing *lslut.exe* to the full path created in Step 3\r\n\r\n *Code Snippet Of Payload Download*\r\n\r\n Once the download finishes, the downloader attempts to delete the *Zone.Identifier* file and execute the newly downloaded file via *CreateProcessW* or *ShellExecuteW*.\r\n\r\n *Code Snippet Of Process Creation Of lslut.exe*\r\n\r\n GandCrab Downloader Variant\r\n\r\n Anti-Sandbox\r\n\r\n The GandCrab Downloader includes an anti-sandbox feature, which checks for the existence of the following modules or processes using a combination of *CreateToolhelp32Snapshot*, *Process32First*, and *Process32Next*. 
\r\n\r\n Blocklisted Files\r\n\r\n * dir\\_watch.dll\r\n * prl\\_cc.exe\r\n * prl\\_tools.exe\r\n * python.exe\r\n * pythonw.exe\r\n * sbiedll.dll\r\n * tpautoconnsvc.exe\r\n * vboxcontrol.exe\r\n * vboxservice.exe\r\n * vboxtray.exe\r\n * vmsrvc.exe\r\n * vmtoolsd.exe\r\n\r\n If any of the above modules or processes exist within the environment, the process terminates itself with *ExitProcess*.\r\n\r\n Defense Evasion\r\n\r\n The downloader updates two registry keys in order to impair the defenses of the victim\u2019s machine:\r\n\r\n * Disable Windows Defender\u2019s AntiSpyware feature\r\n\t + Add *DisableAntiSpyware* under *HKEY\\_LOCAL\\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*\r\n * Register the current process in the AuthorizedApplications list of the Windows Defender Firewall policy\r\n\t + Add the current process\u2019 file path under *HKEY\\_LOCAL\\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\*\r\n\r\n **Execution Flow Obfuscation**\r\n\r\n The GandCrab downloader variant includes a feature where the binary overwrites its own .text section at runtime as part of code obfuscation. The deobfuscation flow consists of the following steps:\r\n\r\n 1. Fetch and decrypt the shellcode, the obfuscated header and the .text section code from the *.rsrc* section\r\n 2. Execute the decrypted shellcode\r\n 3. Update the memory protection of the header and *.text* section\r\n 4. Zero out the current header and *.text* section of the downloader process\r\n 5. Write the decrypted header and *.text* section into the sections zeroed out in step 4\r\n\r\n *Memory Protection Update Via VirtualProtect*\r\n\r\n *.text Section Rewrite*\r\n\r\n Indicator Removal\r\n\r\n The downloader removes evidence and traces of the downloaded files by deleting the Zone.Identifier file, the same as the LockBit downloader. 
\r\n\r\n Persistence via Registry Run Key\r\n\r\n To maintain persistence on the victim\u2019s machine, the downloader performs the following actions:\r\n\r\n 1. Fetches the full directory path of %SystemRoot%\r\n 2. Creates the new directory %SystemRoot%\\T-50979593940500600407640\r\n 3. Copies and renames itself as %SystemRoot%\\T-50979593940500600407640\\winsvc.exe\r\n\r\n This persistence mechanism is similar to that of the Phorpiex TWIZT downloader variant; the only difference is the directory location.\r\n\r\n ### Comparative Analysis\r\n\r\n This section compares the LockBit Downloader, GandCrab Downloader and Phorpiex TWIZT Downloader variants.\r\n\r\n| **Tactics** | **LockBit Downloader** | **Phorpiex TWIZT Downloader** | **GandCrab Downloader** |\r\n| --- | --- | --- | --- |\r\n| Anti-Sandbox | | | \u2714 |\r\n| Disable Microsoft Defender AntiVirus via DisableAntiSpyware | | | \u2714 |\r\n| Execution Flow Obfuscation | | | \u2714 |\r\n| JPEG File Check | | \u2714 | |\r\n| Library Obfuscation | \u2714 | | |\r\n| Mutex Creation | | \u2714 | |\r\n| Persistence via Registry Run key | | \u2714 | \u2714 |\r\n| Register itself into authorized application list | | | \u2714 |\r\n| Removal of *Zone.Identifier* | \u2714 | \u2714 | \u2714 |\r\n| URL Cache Deletion | \u2714 | | |\r\n\r\n ### IOCs\r\n\r\n| **IOC** | **IOC type** | **Description** |\r\n| --- | --- | --- |\r\n| twizt[.]net | Domain Name | C2 related to TWIZT downloader variant |\r\n| 193.233.132[.]177 | IP Address | C2 hosting LockBit binary |\r\n| a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae | SHA-256 | ZIP file related to TWIZT downloader variant, delivered via phishing emails. |\r\n| 05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7 | SHA-256 | Document.doc.lnk within the attached ZIP file document.zip. |\r\n| 01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239 | SHA-256 | ZIP file related to LockBit downloader variant, delivered via phishing emails. |\r\n| c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4 | SHA-256 | TWIZT downloader executable |\r\n| 263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb | SHA-256 | LockBit downloader executable |\r\n| 5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8 | SHA-256 | GandCrab downloader executable |\r\n\r\n ### Cybereason Recommendations:\r\n\r\n Cybereason recommends the following actions in the Cybereason Defense Platform:\r\n\r\n - Enable Application Control to block the execution of malicious files.\r\n - Enable Anti-Ransomware in your environment\u2019s policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.\r\n - Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\n\r\n Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. 
Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\n\r\n ### MITRE ATT&CK MAPPING\r\n\r\n| Tactic | Techniques / Sub-Techniques | Summary |\r\n| --- | --- | --- |\r\n| TA0001: Initial Access | T1566.001 - Phishing: Spearphishing Attachment | Phorpiex arrives on the system when a threat actor sends emails carrying ZIP files that contain variants of Phorpiex. |\r\n| TA0002: Execution | T1204.002 - User Execution: Malicious File | When the user executes the malicious files (.lnk, .scr) within those ZIP files, they connect to C2 to download an additional payload. |\r\n| TA0003: Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The Phorpiex TWIZT and GandCrab variants manipulate the registry to execute automatically. |\r\n| TA0005: Defense Evasion | T1070.009 - Indicator Removal: Clear Persistence | Removes traces of downloaded files by deleting *zone.identifier*. |\r\n| TA0005: Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | The Phorpiex GandCrab variant was observed disabling Windows Defender\u2019s AntiSpyware feature and registering its process in the Firewall Policy for Windows Defender. |\r\n| TA0005: Defense Evasion | T1027.002 - Obfuscated Files or Information | Aims to evade static analysis and make the file appear less suspicious or different from known signatures. |\r\n| TA0005: Defense Evasion | T1497.001 - Virtualization/Sandbox Evasion: System Checks | The Phorpiex GandCrab variant checks loaded modules and running processes to detect virtualization and analysis environments. |\r\n| TA0005: Defense Evasion | T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion | Phorpiex checks the system time or uses sleep functions to detect whether it is running in a sandbox (where time might be manipulated or slower). |\r\n| TA0005: Defense Evasion | T1036.007 - Masquerading: Double File Extension | The LockBit downloader variant uses the extension .jpg.scr to masquerade the true file type. |\r\n| TA0005: Defense Evasion | T1036.008 - Masquerading: Masquerade File Type | Phorpiex was observed downloading the LockBit binary, renaming it with a randomly generated SCR file name and saving it in the temp folder to achieve persistence, stealth and evasion of detection. |\r\n| TA0011: Command and Control | T1071 - Application Layer Protocol | Threat actors communicate with C2 to download additional payloads of LockBit or GandCrab executables. |\r\n\r\n ### ABOUT THE RESEARCHER\r\n\r\n Mahadev Joshi, Senior Security Analyst, Cybereason Global SOC\r\n\r\n Mahadev Joshi is a Security Analyst with the Cybereason Global SOC team. He is passionate about cybersecurity and malware analysis, with a focus on understanding and countering advanced threats. He is eager to learn more and stay ahead of emerging threats. Mahadev has a Bachelor of Science in Information Technology.\r\n\r\n Masakazu Oku, Senior Security Analyst, Cybereason Global SOC\r\n\r\n Masakazu Oku is a Security Analyst with the Cybereason Global SOC team. He works as a SOC analyst and investigates security events on a daily basis. He is interested in threat intelligence, malware analysis and APT campaigns. He has a Master's degree in Information Science from Nara Institute of Science and Technology (NAIST).",
        "id": "83",
        "event_id": "463",
        "timestamp": "1738130701",
        "deleted": false
      }
    ]
  }
}