As the Sophos Managed Threat Response team looked into a July attack in which the attackers deployed Maze ransomware, they made an interesting discovery: the attackers had adopted a technique previously used by the criminals behind Ragnar Locker, ransomware that runs its payload from inside a virtual machine (VM).
The threat actors in the Maze incident used a VirtualBox virtual hard drive (a .vdi disk image) to deliver the ransomware. The payload was found inside a Windows Installer (.msi) package into which the attackers had bundled an 11-year-old version of the VirtualBox hypervisor. VirtualBox ran the virtual machine “headless”, meaning it displayed no user interface on the host.
The virtual machine that carried Maze ran Windows 7, rather than the Windows XP image used to deliver Ragnar Locker. Telemetry from the attack showed that the attackers had been present on the target network for at least three days before the encryption attempts began; further analysis pushed that back to at least six days.
The investigation also turned up installer scripts showing how the attackers spent those days preparing: building lists of IP addresses inside the network, using one of the target’s domain controller servers, and exfiltrating data to the cloud storage provider Mega.nz. The attackers initially demanded a $15 million ransom, which the target did not pay.
What Happened During the Attack
Further analysis showed that the attackers used batch files to orchestrate the attack and made several attempts to encrypt machines on the target network. In the first attempt, the ransomware payloads were copied to the root of the %programdata% folder, and scheduled tasks were created to launch them under names that mimic routine maintenance, such as “Windows Update Security” and “Windows Update Security Patches”.
This first attempt did not work as intended. The attackers tried again with a ransomware payload named license.exe, run from the same location. Before launching it, however, they ran a script that disabled Windows Defender’s Real-Time Monitoring.
Once again they created a scheduled task to run the executable, this time under a different task name and timed to fire at midnight local time on the infected computers.
Both attempts were detected: the payload was caught and quarantined before it could do any damage, and the endpoint protection stopped the malware from encrypting data by blocking the Windows API calls the ransomware relied on.
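A hunt for the tradecraft in those first two attempts, written here as an added example (it is not code from the Sophos report or from the attackers): it lists scheduled tasks whose names mimic Windows Update, whose action runs straight from the root of %ProgramData%, or whose target is unsigned or not yet present, then checks whether Defender real-time monitoring is off and pulls the corresponding Defender events. The task-name patterns are taken from the names above; the search for a missing target, the signature check and the Defender event ID are assumptions.

```powershell
# Added example hunt, not the Sophos report's or the attackers' code.
# Run elevated on a suspect host (PowerShell 5.1+, ScheduledTasks and Defender modules).

$namePatterns = @('*Windows Update Security*', '*Security Patch*')   # task names used in the first attempt
$programData  = [Environment]::GetFolderPath('CommonApplicationData').TrimEnd('\')  # e.g. C:\ProgramData

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler and other non-exec actions
            $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $parent  = (Split-Path -Path $exe -Parent).TrimEnd('\')
            $reasons = New-Object System.Collections.Generic.List[string]

            # 1. Task name dressed up as a Windows Update job
            foreach ($p in $namePatterns) {
                if ($task.TaskName -like $p) { $reasons.Add('name mimics Windows Update'); break }
            }
            # 2. Payload launched from the root of %ProgramData%, as in both attempts
            if ($parent -and ($parent -ieq $programData)) { $reasons.Add('runs from root of %ProgramData%') }
            # 3. Target missing (task staged before the payload arrived) or not validly signed (assumed check)
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons.Add("signature status $($sig.Status)") }
            } elseif ($parent) {
                $reasons.Add("target missing: $exe")
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Execute = $exe
                    Args    = $action.Arguments
                    Author  = $task.Author
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap

# Real-time monitoring was switched off by script before the second attempt:
# check the live setting, then look for Defender's own "real-time protection disabled" events.
$mp = Get-MpPreference
if ($mp.DisableRealtimeMonitoring) {
    Write-Warning 'Defender real-time monitoring is currently DISABLED on this host'
}
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001                 # assumption: 5001 = real-time protection disabled
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A task whose target does not exist yet is worth keeping in the output: in this intrusion the tasks were created by batch script around the time the payload was copied in, so a task pointing at a not-yet-present file in %ProgramData% is exactly the staging window a responder wants to catch.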
This was when the attackers switched to their third and most radical approach.
Weaponizing a Virtual Machine
For the third attempt the attackers used a .msi installer file containing both the 32-bit and 64-bit installers for VirtualBox 3.0.4. That version dates back to 2009 and still carries the name of Sun Microsystems, which published VirtualBox at the time.
The .msi also contains a virtual disk called micro.vdi, which holds a bootable Windows 7 SP1 partition, and a file called micro.xml, which holds the configuration for the virtual machine and its hard drive.
The root of this virtual disk held three files associated with Maze: vrun.exe, preload.bat, and a file simply named payload, which contained the actual ransomware.
The virtual machine appears to have been built ahead of time by someone with knowledge of the target network: its configuration file maps the two drive letters the organization uses for shared network drives. The machine was almost certainly intended to encrypt files on those shares as well as on the local device.
The malware also creates a file called startup_vrun.bat, a persistence mechanism that relaunches the virtual machine if the computer is restarted before the ransomware has run. The script copies the files from the root of the virtual machine disk to other disks and then forces the computer to shut down; vrun.exe runs as soon as the computer is powered on again.
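A hunt for the artifacts of the VM-based delivery described above, added here as an example (not Sophos’ code or the attackers’): it looks for headless VirtualBox processes, a VirtualBox product registered under the Sun Microsystems name, the named files dropped with the virtual disk, a persistence script in a Startup folder, and the shared folders that map the target’s drive letters into the guest. The file names (micro.vdi, micro.xml, vrun.exe, preload.bat, startup_vrun.bat) come from the article; the search roots and depth, the Startup-folder location for the persistence script, and the assumption that micro.xml follows the VirtualBox .vbox XML layout are mine.

```powershell
# Added example hunt, not Sophos' or the attackers' code. Run elevated (PowerShell 5.0+).

# 1. VirtualBox running headless shows no window, so go by process name, path and parent
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^VBox(Headless|SVC|Manage)\.exe$' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

# 2. A 2009-era VirtualBox registered under the Sun Microsystems name (native and WOW6432Node hives)
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*VirtualBox*' -or $_.Publisher -like '*Sun Microsystems*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation |
    Format-Table -AutoSize

# 3. The dropped files, plus any virtual disk image sitting outside a normal VM directory (assumed roots)
$dropNames = 'micro.vdi', 'micro.xml', 'vrun.exe', 'preload.bat', 'startup_vrun.bat', '*.vdi'
$roots     = @($env:ProgramData, "$env:SystemDrive\Users", "$env:windir\Temp") | Where-Object { Test-Path $_ }
$hits = Get-ChildItem -Path $roots -Recurse -Depth 4 -Include $dropNames -File -Force -ErrorAction SilentlyContinue
$hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 4. Persistence: a script in a Startup folder that would relaunch the VM after the forced reboot
#    (the article names the file but not where it is planted; Startup folders are an assumption)
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.lnk', '.vbs' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 5. Which host paths the guest was given: shared folders are how a VM reaches the target's
#    drive letters. Assumes micro.xml uses the .vbox schema (<SharedFolder name= hostPath= writable=>).
function Get-VBoxSharedFolder {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    foreach ($sf in $cfg.SelectNodes("//*[local-name()='SharedFolder']")) {   # namespace-agnostic
        [pscustomobject]@{
            Config   = $ConfigPath
            Name     = $sf.GetAttribute('name')
            HostPath = $sf.GetAttribute('hostPath')
            Writable = $sf.GetAttribute('writable')
        }
    }
}
$hits | Where-Object { $_.Extension -in '.xml', '.vbox' } |
    ForEach-Object { Get-VBoxSharedFolder -ConfigPath $_.FullName } |
    Format-Table -AutoSize
```

The shared-folder listing is the part worth reading most carefully: a hostPath pointing at a mapped network drive tells you which shares the guest could reach, and therefore which file servers need to be checked for encryption even though no ransomware process ever ran on them directly.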
The Connection to Ragnar Locker
This third and final attempt used a methodology not seen in previous Maze attacks. The researchers recognized it immediately, however, because they had also responded to the Ragnar Locker attack in which the technique was first used: Ragnar Locker likewise ran its payload from inside a virtual machine.
The group behind Maze took a different approach from the Ragnar Locker team. They used a Windows 7 virtual machine rather than a Windows XP one, which increased the size of the disk image but allowed functionality not seen with Ragnar Locker. They packaged the VirtualBox installer and the weaponized virtual disk inside a single .msi file and used a batch script to run the attack from within the virtual machine. The way the virtual machine was configured could also allow it to deliver other ransomware.