Ransomware
Analyzing the Fileless SOREBRECT Ransomware
We first encountered the fileless, code-injecting ransomware SOREBRECT during our monitoring in the beginning of second quarter this year, affecting the systems and networks of organizations in the Middle East.
Save to Folio
Updated on June 17, 2017, 06:54 PM (UTC-7): We updated the appropriate name of the process that was injected.
Fileless threats and ransomware aren’t new, but a malware that incorporates a combination of their characteristics can be dangerous. Take for instance the fileless, code-injecting ransomware we’ve uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B.
We first encountered SOREBRECT during our monitoring in the beginning of second quarter this year, affecting the systems and networks of organizations in the Middle East. Extracting and analyzing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victim’s data. Its abuse of the PsExec utility is also notable; SOREBRECT’s operators apparently use it to leverage the ransomware’s code injection capability.
SOREBRECT’s stealth can pose challenges
While file encryption is SOREBRECT’s endgame, stealth is its mainstay. The ransomware’s self-destruct routine makes SOREBRECT a fileless threat. The ransomware does this by injecting code to a legitimate system process (which executes the encryption routine) before terminating its main binary. SOREBRECT also takes pains to delete the affected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps (i.e. appcompat/shimcache and prefetch). These deletions also deter analysis and prevent SOREBRECT’s activities from being traced.
When we first saw SOREBRECT in the wild, we observed a low distribution base that was initially concentrated on Middle Eastern countries like Kuwait and Lebanon. By the start of May, however, our sensors detected SOREBRECT in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Affected industries include manufacturing, technology, and telecommunications. Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service.
Figure 1: SOREBRECT’s attack chain
SOREBRECT’s code injection makes it a fileless threat
SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. The misuse of PsExec to install SOREBRECT indicates that administrator credentials have already been compromised, or remote machines were exposed or brute-forced. SOREBRECT isn’t the first family to misuse PsExec—SAMSAM, Petya, and its derivative, PetrWrap (RANSOM_SAMSAM and RANSOM_PETYA, respectively), for instance, use PsExec to install the ransomware on compromised servers or endpoints.
SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging.
Why PsExec? While attackers can both use Remote Desktop Protocol (RDP) and PsExec to install SOREBRECT in the affected machine, its code injection capability makes the attack more effective. Compared to using RDP, utilizing PsExec is simpler and can take advantage of SOREBRECT’s fileless and code injection capabilities. PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs. In SOREBRECT’s case, it makes more sense for the attackers to use PsExec since once the main binary is executed, the svchost.exe process injected with malicious code can still carry out the payload.
To cover its tracks, SOREBRECT also utilizes wevtutil.exe to delete the system’s event logs, and vssadmin to delete shadow copies. The svchost.exe process that was injected with malicious code executes the payload—encrypting the files of the local machine and network shares. SOREBRECT uses the Tor network protocol to anonymize its connection to its command-and-control (C&C) server.
Figure 2: SOREBRECT appends encrypted files with a .pr0tect extension
Figure 3: One of SOREBRECT’s ransom notes
SOREBRECT can also encrypt network shares
SOREBRECT can also scramble the files of other computers connected to the infected machine through the local network. It does so by scanning the network for asset discovery and enumerating open shares—folders, content or peripherals (i.e. printers) that others can readily access through the network. Once a live host is identified, it initiates a connection after discovering the shares. Authentication would succeed if it’s an open share. If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted.
Figure 4: SOREBRECT’s network scanning activity to enumerate machines with open shares 
Figure 5: SOREBRECT initiating a connection on the share on a live host
Adopt best practices for securing systems and networks
Given the potential damage SOREBRECT can cause to an enterprise’s servers and endpoints, IT/system administrators and information security professionals who secure them can adopt these best practices for defending against ransomware:
- Restrict user write permissions. A significant factor that exposes network shares to ransomware is the tendency to give users full permissions. Limiting them will prevent ransomware from carrying out its file-encrypting routines across the network. Reviewing the permissions for each user in the Domain is a good starting point. This entails assessing each user account/group within the Active Directory and only providing the necessary privilege levels. Configuring the security of shared files and folders on a network is also recommended (don’t set up folders that anyone can easily access, for instance).
- Limit privilege for PsExec. PsExec is commonly used in enterprise networks, providing system administrators flexibility with how they interact with remote machines. As pointed out by its creator, however, in cybercriminals’ hands it can provide a way to interface and laterally move within remote systems using compromised credentials. This would ultimately enable them to install and propagate threats such as ransomware. Limiting and securing the use of tools and services such as PsExec and providing permission to run them only to administrator accounts that really need it help mitigate threats that misuse PsExec.
- Back up files. Cybercriminals use the potential loss of important and personal data as a fear-mongering tactic to coerce victims into paying the ransom. Organizations and end users can back up files to remove their leverage: keep at least three copies, with two stored in different devices, and another to an offsite or safe location.
- Keep the system and network updated. Ensuring that the operating system, software, and other applications are current with the latest patches deters threats from using security gaps as their doorways into the systems or networks. This has been exemplified by malware such as WannaCry, UIWIX, and Adylkuzz that exploited a vulnerability. Employing virtual patching in the absence of patches can also be considered.
- Foster a cybersecurity-aware workforce. User education and awareness helps improve everyone’s security posture. Like other malware, ransomware’s points of entry is typically through email and malicious downloads or domains. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices.
- Deploy multilayered security mechanisms. As ransomware matures in the threat landscape, we can only expect it to diversify in terms of attack methods and targets. There is no silver bullet for ransomware, which is why enterprises need a defense-in-depth approach to security where proactive security mechanisms are arrayed. Data categorization and network segmentation help mitigate damage in case of exposure. While advanced sandboxing provides a way to quarantine and analyze unknown or dubious files, application control and behavior monitoring prevent suspicious files from executing and block unwanted modifications to the system.
Trend Micro Ransomware Solutions
Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro™ Deep Discovery™ Inspector detects ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers–regardless if they’re physical, virtual, or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
Indicators of Compromise
Related Hashes: Detected as RANSOM_SOREBRECT.A (SHA256):
- 4854A0CA663588178B56754CD50626B2E8A121F66A463E1C030836E9BD5B95F8
- AC4184EEC32795E1CBF2EFC5F4E30D0CBE0B7F982BC2060C180BE432994DCEFF
- 05CEFE71615F77D9A386BF6F48AD17ACA2BAE433C95A6F2443184462832A3E90
Detected as RANSOM_SOREBRECT.A (SHA-1):
- 36fa4c4a7bd25f086394b06fe50e41410f78dbb3
- 9f327c5168b07cec34e1b89aba5f45b78f20e753
Detected as RANSOM_SOREBRECT.B (SHA256):
- 4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76