CL0P: Hunting a New Kind of Ransomware

This is a post authored by Matt Suiche (Director, Memory, IR & R&D).

The Cybersecurity and Infrastructure Security Agency (CISA) and partners recently released a joint cybersecurity advisory detailing the tactics and techniques used by the threat actor behind the CL0P ransomware. The campaign exploited an SQL injection zero-day vulnerability (now tracked as CVE-2023-34362) to install a web shell named LEMURLOOT on MOVEit Transfer web applications.

We covered how to hunt for web shells in memory in our last blog post, “Hunting ‘Volt Typhoon’ State-Sponsored Actor in Memory With Magnet AXIOM Cyber.” In this post, we will dive into how to achieve the same goal using the YARA rules published in the joint advisory.

What is CL0P?

CL0P is a notorious ransomware gang associated with the TA505 threat actor. First observed in 2019, CL0P has been prolific while operating as ransomware-as-a-service (RaaS). Their sophisticated malware infiltrates computer systems, encrypts files, and demands ransom in exchange for the decryption key.

Hunting for LEMURLOOT

LEMURLOOT is a web shell written in C# that is deployed on MOVEit Transfer web applications. It is dropped by a DLL with the SHA-256 hash c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf; the dropped web shell (human2.aspx) has been extracted and shared on GitHub by security researcher John Hammond.

The web shell includes several specific SQL queries that can be used for hunting, such as:

-	SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0
-	insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')
-	INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)
-	Delete FROM users WHERE RealName='Health Check Service'

Like the YARA rules written for hunting “Volt Typhoon”, rules designed for physical files include conditions specific to their on-disk attributes, such as “filesize”. If we simply remove those conditions when performing memory scanning, we open up a new scope of search for those rules.

The same goes for checks where, although we are looking for a web shell written in C#, the rule checks the MZ header of the DLL that drops the web shell (for example “uint16(0) == 0x5A4D”), or even checks file names. None of these attributes exist for a string sitting in the memory of the IIS worker process, so they only prevent a match.

This allows investigators and analysts to scan machines quickly and efficiently. For more information on using YARA rules in AXIOM Cyber, see: YARA Rule Processing in Magnet AXIOM Cyber

Find Out More About Memory Analysis in AXIOM Cyber

To learn more about the recently updated memory analysis capabilities of AXIOM Cyber check out Comae Memory Analysis Capabilities Integrated Into Magnet AXIOM Cyber.

To try the memory analysis capabilities of Comae in AXIOM Cyber for yourself, update to the latest version over at the Customer Portal or request a free trial today!

YARA Rules for Hunting “CL0P Ransomware”

rule MOVEit_Transfer_exploit_webshell_memory {
    meta:
        date = "2023-06-15"
        description = "Hunts for memory IOCs MOVEit Transfer exploitation."
        author = "Matt Suiche - Magnet Forensics"
        reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
        reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
        reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
        reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
        verdict = "dangerous"
        mitre = "T1505.003"
        platform = "windows"

    strings:
        $a1 = "SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0" wide
        $a2 = "insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')" wide
        $a3 = "INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)" wide
        $a4 = "Delete FROM users WHERE RealName='Health Check Service'" wide
    condition:
        all of them
}
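To make the two points above concrete (why the rule drops on-disk conditions, and why its strings carry the `wide` modifier), here is an added example that is not part of the original post and not Magnet Forensics code. It re-implements the matching logic of the rule above in plain Python, without the yara library, over a constructed byte buffer that stands in for a region of w3wp.exe memory. The region layout, the 200 KB size ceiling used by the disk-style variant, and the function names are all assumptions made for the illustration.

```python
# Added example (not from the original post): a dependency-free re-implementation
# of the MOVEit_Transfer_exploit_webshell_memory rule's matching logic. It shows
# why "wide" strings match .NET memory and why filesize/MZ gates do not.

# The four SQL statements from the rule's $a1..$a4 strings.
LEMURLOOT_SQL = [
    "SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0",
    "insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')",
    "INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)",
    "Delete FROM users WHERE RealName='Health Check Service'",
]


def wide(s: str) -> bytes:
    """YARA's 'wide' modifier: UTF-16LE, which is how the .NET runtime stores
    System.String contents, so this is the form a C# web shell's SQL takes in RAM."""
    return s.encode("utf-16-le")


def match_memory_rule(buf: bytes) -> dict:
    """Equivalent of 'all of them' over the wide strings, with no on-disk checks.
    Returns the verdict plus the offset of each string (-1 when absent)."""
    offsets = {f"$a{i + 1}": buf.find(wide(s)) for i, s in enumerate(LEMURLOOT_SQL)}
    return {"matched": all(off >= 0 for off in offsets.values()), "offsets": offsets}


def match_disk_style_rule(buf: bytes, max_size: int = 200 * 1024) -> bool:
    """The same strings gated the way a file-oriented rule often gates them:
    uint16(0) == 0x5A4D (an "MZ" header at offset 0) and a filesize ceiling.
    A heap region carries neither, so this variant misses in memory.
    (The 200 KB ceiling is an assumed value for the illustration.)"""
    has_mz_header = buf[:2] == b"MZ"
    return has_mz_header and len(buf) < max_size and match_memory_rule(buf)["matched"]


def build_sample_region() -> bytes:
    """Constructed stand-in for a w3wp.exe heap region: zero filler with the four
    statements laid out as UTF-16LE at spaced offsets. No real memory is read."""
    region = bytearray(8192)
    offset = 512
    for s in LEMURLOOT_SQL:
        encoded = wide(s)
        region[offset:offset + len(encoded)] = encoded
        offset += len(encoded) + 512
    return bytes(region)


def build_benign_region() -> bytes:
    """Constructed region holding only an ASCII copy of one statement, e.g. from a
    log line. A 'wide'-only rule must not fire on it."""
    return bytes(256) + LEMURLOOT_SQL[0].encode("ascii") + bytes(256)


if __name__ == "__main__":
    sample = build_sample_region()
    print("memory rule on sample region:", match_memory_rule(sample))
    print("disk-style rule on sample region:", match_disk_style_rule(sample))
    print("memory rule on benign region:", match_memory_rule(build_benign_region())["matched"])
```

Running the block shows the memory-oriented logic matching the constructed region at the offsets where the UTF-16LE strings were placed, while the disk-style variant returns False on exactly the same bytes because there is no MZ header at offset 0. With the yara-python package installed, the rule itself can be applied to a buffer with `yara.compile(source=...)` followed by `.match(data=buf)`; the pure-Python version here only exists to make the matching behaviour visible without that dependency.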
