DragonForce
Hi THT members, today we take a look at the DragonForce group and their TTPs.
Who is behind the DragonForce ransomware?
It is uncertain who is behind the DragonForce ransomware attacks. Some in the cybersecurity community have linked the ransomware to the Malaysian hacktivist group and forum DragonForce Malaysia, but the connection is unconfirmed.
Modus Operandi
The deployment of these malicious tools is "unsurprising," as modern ransomware operators "are increasingly reusing and modifying builders from well-known ransomware families that were leaked to tailor them to their needs," said researchers at Singapore-based cybersecurity firm Group-IB. Conti, Babuk and LockBit are among the families most commonly modified this way.
DragonForce operates as a Ransomware-as-a-Service (RaaS). According to the group's own post on the dark web, its affiliate program mainly targets experienced cybercriminals who go after high-value victims. Affiliates receive 80% of the ransom, and the group lets them customize its tooling for specific attacks, including encryption parameters and personalized ransom notes.
Researchers called DragonForce a "formidable adversary" because it targets key industries and employs advanced tools and tactics. Previous attacks include probiotic milk drink manufacturer Yakult Australia, the Ohio Lottery, and the government of Palau. Group-IB counted 82 DragonForce victims, mostly in the U.S., followed by the U.K. and Australia.
As Fortra noted, like many other ransomware groups DragonForce extorts its victims in two ways: locking companies out of their systems and data through encryption, and exfiltrating data from compromised systems under threat of publishing it on the dark web (double extortion).
They began advertising their affiliate program on 26 June 2024 on the underground forum RAMP:
Dear partners,
We appreciate your consideration of our RaaS and want to communicate the importance of careful candidate selection. In order to start working with us, we ask you to complete the following steps:
1. Prepare a target with an income of $5,000,000 US dollars and above.
2. Send us information about your zoominfo target.
3. Provide files using any storage location convenient for you (for example, mega.co.nz or SSH).
4. The files must match the zoominfo you provided.
We ask you to contact us in advance to agree on all the details so that the process goes as smoothly as possible and without delays. This will allow you to access our RaaS faster.
Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
Sincerely, 01101111 01101110 01101100 01111001 00100000 00110011 00100000 01110011 01110100 01100101 01110000 01110011 00100000 01110100 01101111 00100000 01100100 01100101 01100011 01110010 01111001 01110000 00101110 00101110 01110100 00101110
The post details how affiliates earn 80% of the total ransom and lists the key features of the ransomware: client tracking, automated file delivery, secure access control, support for bypassing endpoint detection and response (EDR) / extended detection and response (XDR) products, encryption, and SYSTEM impersonation. It adds that comprehensive support services are available to affiliates.
They also advertised on other underground forums:
The DragonForce affiliate program officially began on June 26, 2024; before that, the group operated only as a closed team. Opening the program moves the operation into a new stage, expanding both its business and its number of targets.
One sample of their ransom note:
Analysis of Ransomware
~ GROUP-IB
Conti v3 modification
Features added by DragonForce:
- Embedded configuration
- Bring Your Own Vulnerable Driver (BYOVD) for process termination
- Encrypt filenames
- Persistence via Scheduled tasks
- Verbose logging
- DragonForce wallpaper and icon
Obfuscation / Anti-analysis
The methods used are similar to Conti's:
--> String obfuscation using ADVobfuscator
--> Deleting shadow copies via COM (WMI) objects – the ransomware enumerates shadow copies with a WQL query and then deletes each one by ID through WMIC:
Kod:
SELECT * FROM Win32_ShadowCopy
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='%s'" delete
--> Anti-hooking
--> Resolving APIs by hash - import names are hashed with the `MurmurHash2A` algorithm using the seed value `0xB801FCDA`, so the API names never appear in the binary's import table or strings
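To make the API-hashing point usable, here is an added example (my code, not Group-IB's tooling and not anything recovered from a DragonForce sample) that implements MurmurHash2A with the seed reported above and builds the hash-to-name table an analyst needs to label hashed imports in a disassembly. It assumes the sample hashes each export name as raw ASCII bytes, without the terminating NUL and without case folding; that detail must be checked against a real sample. The list of API names is mine, chosen from the functions this post mentions (ntdll exports both the `Nt*` and `Zw*` spellings) plus `DeviceIoControl` and the Restart Manager calls, and is not the sample's import list.

```python
"""MurmurHash2A API-hash resolver (added example, not code from the post or from
Group-IB). Seed 0xB801FCDA is the value the post reports for DragonForce's
Conti-based build; feeding names as raw ASCII with no NUL and no case folding
is an assumption to verify against a real sample.
"""
import struct
from typing import Dict, Iterable, Optional

SEED = 0xB801FCDA
MASK32 = 0xFFFFFFFF


def murmurhash2a(data: bytes, seed: int = SEED) -> int:
    """Reference MurmurHash2A (Austin Appleby): 32-bit, little-endian blocks.
    Unlike MurmurHash2, the tail bytes and the length go through the same
    mmix step as the body blocks."""
    m = 0x5BD1E995
    r = 24

    def mmix(h: int, k: int) -> int:
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        return h ^ k

    h = seed & MASK32
    length = len(data)
    full = length - (length % 4)
    for i in range(0, full, 4):                      # whole 4-byte blocks
        h = mmix(h, struct.unpack_from("<I", data, i)[0])
    tail = data[full:]                                # 0..3 trailing bytes
    t = 0
    if len(tail) >= 3:
        t ^= tail[2] << 16
    if len(tail) >= 2:
        t ^= tail[1] << 8
    if len(tail) >= 1:
        t ^= tail[0]
    h = mmix(h, t)
    h = mmix(h, length)
    h ^= h >> 13                                      # final avalanche
    h = (h * m) & MASK32
    h ^= h >> 15
    return h


def hash_api(name: str, seed: int = SEED) -> int:
    """Hash an export name the way the sample is assumed to (ASCII, no NUL)."""
    return murmurhash2a(name.encode("ascii"), seed)


# Candidate export names (analyst-chosen, not the sample's import list).
API_NAMES = [
    "NtOpenProcess", "NtTerminateProcess", "ZwOpenProcess", "ZwTerminateProcess",
    "OpenProcess", "TerminateProcess", "CreateFileW", "DeviceIoControl",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "RmStartSession", "RmGetList", "RmShutdown",
]


def build_table(names: Iterable[str] = API_NAMES, seed: int = SEED) -> Dict[int, str]:
    """Map hash -> name so hashed constants in a disassembly can be labelled."""
    table: Dict[int, str] = {}
    for name in names:
        h = hash_api(name, seed)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(h: int, table: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Return the export name for a hash constant, or None if it is not in the table."""
    table = table if table is not None else build_table()
    return table.get(h & MASK32)


if __name__ == "__main__":
    for name in API_NAMES:
        print(f"0x{hash_api(name):08X}  {name}")
```

In practice you would feed `build_table` the full export list of ntdll.dll, kernel32.dll and the other DLLs the sample loads, then look up every 32-bit immediate that is passed to the sample's resolver routine.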
Command-line Arguments
| Arguments | Description |
|---|---|
| -p | EncryptMode – path |
| -m | EncryptMode – all, local, net |
| -log | Specify log file |
| -size | Specify file encryption percentage |
| -nomutex | Do not create mutex |
Configuration
Unlike Conti, whose behaviour is driven by its command-line arguments, DragonForce embeds the configuration inside the binary, so a build can run without any command line at all. The structure of the embedded configuration, field by field:
Kod:
start_marker: 0xDEAD
build_key
offset_embedded_resource
encrypt_mode: 10/11/12/14 - all/local/network/path
time_sync
logging option and filepath
filesize_for_fullencrypt
filesize_for_headerencrypt
header_encrypt_size
other_encrypt_chunk_percent
encrypt_file_names
custom_icon option, size and filepath
schedule_job details
kill
use_sys: 0/1/2 - None, Truesight, RentDrv
driver offset and sizes
driver encryption key
driver encryption nonce
list of processes to kill (priority)
list of processes to kill
custom_extension
whitelisted paths
whitelisted extensions
whitelisted filenames
whitelisted shares
custom_ransomnote_name
custom_wallpaper option, size and filepath
end_marker: 0xBEEF
BYOVD for Process Termination
Conti uses the Windows Restart Manager to terminate processes that hold open the files it wants to encrypt.
DragonForce has added further ways to kill processes, aimed in particular at protected processes such as security agents.
"Bring Your Own Vulnerable Driver" (BYOVD) is an actively used technique: the attacker drops a legitimately signed but vulnerable driver onto the target host, loads it, and abuses the functionality it exposes (here, arbitrary process termination) to act with kernel privileges. In this case the purpose is to terminate EDR and antivirus processes from the kernel, bypassing the protections (such as PPL) that stop user-mode code from terminating them.
Both TrueSight.sys and RentDrv.sys are abused this way, and both terminate a process in the same manner: the driver calls `ZwOpenProcess()` on the caller-supplied PID and then `ZwTerminateProcess()` on the resulting handle.
Both drivers are listed in Microsoft's recommended driver block rules (the vulnerable driver blocklist), so hosts that enforce that policy will refuse to load them.
"DragonForce has advertised that one can configure two kill-process lists: one for a single termination pass and the other for continuous termination."
TrueSight.sys
The Truesight driver is the RogueKiller Antirootkit Driver v3.3, developed by Adlice Software. IOCTL code 0x22E044 terminates the process whose PID the caller passes in:
RentDrv.sys
The RentDrv driver is developed by Hangzhou Shunwang Technology. Here IOCTL code 0x220E010 terminates the process whose PID the caller passes in:
In user mode, the ransomware opens the driver's device and issues these requests with DeviceIoControl:
Hashes of Drivers
| Name | SHA256 |
|---|---|
| RentDrv.sys | 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3 |
| RentDrv.sys (64-bit) | 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5 |
| Truesight.sys | bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c |
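As an added example (mine, not from the post or from Group-IB), the detection below ties together two of the observables on this page: the three driver SHA256 hashes in the table above, matched against Sysmon Event ID 6 (DriverLoad), and the WMIC shadow-copy deletion command from the Obfuscation / Anti-analysis section, matched against Sysmon Event ID 1 (ProcessCreate) command lines. The log lines it runs on are constructed for the example in a simplified `Key=Value | Key=Value` layout rather than real EVTX; the field names (`EventID`, `ImageLoaded`, `Hashes`, `CommandLine`) follow Sysmon's. The regex also matches `vssadmin delete shadows`, a common variant the page does not attribute to DragonForce; it is included as a generalisation.

```python
"""Sysmon-style detection for two DragonForce behaviours described above
(added example; the events below are constructed, not from a real incident)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# SHA256 of the BYOVD drivers from the "Hashes of Drivers" table.
BYOVD_SHA256 = {
    "1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3": "RentDrv.sys",
    "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5": "RentDrv.sys (64-bit)",
    "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c": "Truesight.sys",
}

# WMIC form used by the Conti-based build, plus the vssadmin form (generalisation).
SHADOW_DELETE = re.compile(
    r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    re.IGNORECASE,
)

# Constructed sample log: one event per line, fields separated by " | ".
# The GUID and the all-zero hashes are placeholders, not real indicators.
SAMPLE_LOG = r"""
EventID=1 | Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00000000-0000-0000-0000-000000000000}'" delete
EventID=6 | ImageLoaded=C:\Windows\Temp\truesight.sys | Hashes=SHA1=0000000000000000000000000000000000000000,SHA256=BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
EventID=6 | ImageLoaded=C:\Windows\System32\drivers\tcpip.sys | Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000
EventID=1 | Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe report.txt
EventID=1 | Image=C:\Windows\System32\vssadmin.exe | CommandLine=vssadmin.exe delete shadows /all /quiet
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value | Key=Value' into a dict; values may themselves contain '='."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_from_hashes(hashes: str) -> Optional[str]:
    """Sysmon renders Hashes as 'SHA1=..,MD5=..,SHA256=..'; pull the SHA256, lower-cased."""
    for item in hashes.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) tuples for every matching event."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "6":  # DriverLoad: compare the loaded image's SHA256 to the BYOVD list
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in BYOVD_SHA256:
                alerts.append(("byovd_driver_load", BYOVD_SHA256[digest], ev.get("ImageLoaded", "")))
        elif eid == "1":  # ProcessCreate: look for shadow-copy deletion in the command line
            cmd = ev.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                alerts.append(("shadow_copy_deletion", ev.get("Image", ""), cmd))
    return alerts


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    return detect(parse_event(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for rule, subject, detail in scan_log(SAMPLE_LOG):
        print(f"[{rule}] {subject}: {detail}")
```

Hash matching only catches the exact driver builds listed here; for coverage of other builds, pair it with the driver blocklist mentioned above and alert on any DriverLoad from user-writable paths such as `C:\Windows\Temp`.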
The ransomware terminates the following processes to release the files they hold open and to free system resources for faster encryption:
| oracle | tbirdconfig | powerpnt |
| ocssd | mydesktopqos | steam |
| dbsnmp | ocomm | thebat |
| synctime | dbeng50 | thunderbird |
| agntsvc | sqbcoreservice | visio |
| isqlplussvc | excel | winword |
| xfssvccon | infopath | wordpad |
| mydesktopservice | msaccess | notepad |
| ocautoupds | mspub | calc |
| encsvc | onenote | wuauclt |
| firefox | outlook | onedrive |
As well as:
| memtas | sophos | GxVss | GxCVD |
| mepocs | veeam | GxBlr | GxCIMgr |
| msexchange | backup | GxFWD | NegoExtender |
LockBit 3.0 modification
Binary configuration used in the LockBit-based sample:
Kod:
{
  "config": {
    "settings": {
      "encrypt_mode": "auto",
      "encrypt_filename": false,
      "impersonation": true,
      "skip_hidden_folders": false,
      "language_check": false,
      "local_disks": true,
      "network_shares": true,
      "kill_processes": true,
      "kill_services": true,
      "running_one": true,
      "print_note": true,
      "set_wallpaper": true,
      "set_icons": true,
      "send_report": false,
      "self_destruct": true,
      "kill_defender": true,
      "wipe_freespace": false,
      "psexec_netspread": false,
      "gpo_netspread": true,
      "gpo_ps_update": true,
      "shutdown_system": false,
      "delete_eventlogs": true,
      "delete_gpo_delay": 1
    },
    "white_folders": "",
    "white_files": "",
    "white_extens": "",
    "white_hosts": "",
    "kill_processes": "",
    "kill_services": "",
    "gate_urls": "",
    "impers_accounts": "",
    "note": ""
  }
}
MITRE ATT&CK
| Tactic | Technique with ID | Description |
|---|---|---|
| Initial Access | Valid Accounts (T1078) | DragonForce affiliates gain access using compromised valid domain accounts |
| Execution | Scheduled Task/Job: Scheduled Task (T1053.005) | The Conti-based build registers scheduled tasks to run the ransomware (also used for persistence) |
| Execution | Windows Management Instrumentation (T1047) | WMI is queried for shadow copies, which are then deleted through WMIC |
| Persistence | Valid Accounts: Domain Accounts (T1078.002) | Maintaining access by using compromised domain accounts |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Registry keys are created to ensure malware execution at startup |
| Persistence | Create or Modify System Process: Windows Service (T1543.003) | SystemBC creates services for persistence |
| Defense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001) | Truesight.sys / RentDrv.sys are loaded as vulnerable drivers (BYOVD) to terminate EDR and antivirus processes from the kernel |
| Defense Evasion | Obfuscated Files or Information (T1027) | Strings are obfuscated with ADVobfuscator and APIs are resolved at runtime by MurmurHash2A hash |
| Credential Access | OS Credential Dumping: LSASS Memory (T1003.001) | Mimikatz is used to dump credentials from LSASS memory |
| Discovery | Domain Trust Discovery (T1482) | ADFind tool is used to gather information on the Active Directory |
| Discovery | Remote System Discovery (T1018) | Network scanner tools are used to discover remote systems |
| Discovery | System Network Configuration Discovery (T1016) | Network configuration details are collected by the attackers |
| Discovery | System Information Discovery (T1082) | System-specific information is gathered for targeted attacks |
| Discovery | File and Directory Discovery (T1083) | Attackers explore directories and files for valuable data |
| Lateral Movement | Remote Services: Remote Desktop Protocol (T1021.001) | RDP is used for lateral movement within the network |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | C2 communication is established using HTTP |
| Impact | Inhibit System Recovery (T1490) | Volume shadow copies are deleted via WMIC before encryption |
| Impact | Data Encrypted for Impact (T1486) | Ransomware is deployed to encrypt files across multiple systems |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| d54bae930b038950c2947f5397c13f84 | MD5 | DragonForce Ransomware |
| e164bbaf848fa5d46fa42f62402a1c55330ef562 | SHA1 | DragonForce Ransomware |
| 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b | SHA256 | DragonForce Ransomware |
| http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion/ | URL | DragonForce .onion site |
IP Addresses:
Kod:
185[.]73[.]125[.]8
94[.]232[.]46[.]202
69[.]4[.]234[.]20
2[.]147[.]68[.]96
185[.]59[.]221[.]75
IoC File Hashes:
| File path | MD5 Hash |
|---|---|
| C:\Users\[Redacted]\AppData\Local\Temp\2\ socks aug\socks.exe | 97B70E89B5313612A9E7A339EE82AB67 |
| C:\Users\[Redacted]\AppData\Local\Temp\2\a65.exe | A50637F5F7A3E462135C0AE7C7AF0D91 |
| C:\Users\[Redacted]\AppData\Local\Temp\2\netscanold.exe | BB7C575E798FF5243B5014777253635D |
| df.exe (dropped in multiple paths) | C111476F7B394776B515249ECB6B20E6 |
Reference
- https://www.group-ib.com: blog post "future_modified-lockbit-and-conti-ransomware-shows-activity"
- https://www.watchguard.com
- https://www.ic3.gov/Media/News/2022/220204.pdf