Amid an uptick in attacks on healthcare organizations, the malware families Kegtap, Singlemalt and Winekey are being used to deliver the Ryuk ransomware to already strained systems.
The boozy names might sound like something conjured up in a frat-house common room, but the malware families Kegtap, Singlemalt and Winekey are being used to gain initial network access in potentially lethal ransomware attacks on healthcare organizations in the midst of a global pandemic, researchers said in newly released findings.
The shot? The rampant spread of COVID-19 has put a tremendous strain on the U.S. healthcare system. The chaser? Cybercriminals are getting better than ever at exploiting that life-and-death crisis to turn a profit.
Who could use a drink?
Mandiant published a report this week laying out the signature tactics of the Kegtap/BEERBOT, Singlemalt/STILLBOT and Winekey/CORKBOT intrusions, which researchers said have targeted hospitals, retirement communities and medical centers, “demonstrating a clear disregard for human life.”
Mandiant researchers observed the same ransomware being used against a variety of sectors beyond healthcare, and found a few commonalities across the intrusions.
Phishing emails designed to mimic everyday business correspondence, such as contracts, personnel paperwork or customer complaints, carry a link that points not to the malware payload itself but to a Google Doc, PDF or similar document, which in turn contains the in-line link to the malware.
“Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies,” the report said. “Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.”
Kegtap, Singlemalt and Winekey (a.k.a. Bazar variants) act as first-stage loaders: they establish a foothold on a device and then fetch the malware for the next stage of the attack.
In this case, the criminals use them to download a backdoor, most often Beacon, the implant generated by the Cobalt Strike penetration-testing framework, or the PowerShell-based PowerTrick backdoor. Beacon was the backdoor observed most often in these intrusions, the report said, and Cobalt Strike was also used to keep the attackers’ access alive across reboots.
Cobalt Strike, PowerShell Empire, PowerSploit and Metasploit are dual-use tools, used for legitimate tasks as well as nefarious ones, according to Cisco researcher Ben Nahorney. These pen-testing tools are intended to help security professionals find weaknesses in their own network defenses, but in the wrong hands they can supercharge attacks.
Beacon has also been used to deploy “PowerLurk’s Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, Wireshark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit and RegShot,” the report said. Because these are permanent WMI event subscriptions, the kill fires every time one of those tools starts, and the trap survives a reboot.
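One way to hunt for that kind of trap on a host, as an added example that is neither the report’s nor PowerLurk’s code: enumerate every permanent WMI event subscription, join each binding to its filter and consumer, and flag consumers that run on process start, kill processes, or name one of the tools in the list above. It assumes an elevated PowerShell session on the host being examined; the tool process names are assumptions derived from the report’s list.

```powershell
# Added example (not from the Mandiant report or PowerLurk): enumerate permanent WMI
# event subscriptions and flag ones that look like process-killing traps.
# Run in an elevated PowerShell session on the host under investigation.

$ns = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Assumed process names (lower case, no extension) for the tools the report lists.
$watchedTools = 'taskmgr','wireshark','tcpview','procdump','procexp','procexp64','procmon',
                'netstat','psloggedon','logonsessions','processhacker','autoruns','autorunsc',
                'regedit','regshot'
$toolPattern = ($watchedTools -join '|')

function Get-RefName($ref) {
    # Binding references are a CimInstance (Get-CimInstance) or a string such as
    # __EventFilter.Name="x" (Get-WmiObject); return the Name either way.
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

function Get-ConsumerPayload($consumer) {
    # Only these two consumer types execute attacker-supplied commands or script.
    switch ($consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { return $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { return $consumer.ScriptText }
        default                     { return $null }
    }
}

$findings = foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    $payload = Get-ConsumerPayload $c

    $reasons = @()
    # A filter that fires on process creation is the usual trigger for a kill trap.
    if ($f.Query -match 'Win32_ProcessStartTrace|__InstanceCreationEvent.*Win32_Process') {
        $reasons += 'fires on process start'
    }
    if ($payload -match 'taskkill|Stop-Process|Terminate\(|Win32_Process') {
        $reasons += 'consumer kills processes'
    }
    if ($payload -match $toolPattern -or $f.Query -match $toolPattern) {
        $reasons += 'references a security tool'
    }
    $verdict = if ($reasons) { $reasons -join '; ' } else { 'review' }

    [pscustomobject]@{
        Filter   = $f.Name
        Consumer = $c.Name
        Type     = $c.CimClass.CimClassName
        Query    = $f.Query
        Payload  = $payload
        Verdict  = $verdict
    }
}

# Flagged subscriptions first, everything else left for manual review.
$findings | Sort-Object { $_.Verdict -eq 'review' } | Format-List
```

Expect at least one benign hit marked `review`: Windows ships an `SCM Event Log Filter` bound to an `NTEventLogEventConsumer`. Anything with a CommandLineEventConsumer or ActiveScriptEventConsumer that watches process creation deserves a close look, and the removal step is deleting the binding before the filter and consumer, otherwise the orphaned pair can be re-bound.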
The attackers then escalate privileges, most often with valid credentials, which the report said were obtained through “exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller.” The SYSTEM hive holds the boot key needed to decrypt the password hashes stored in ntds.dit, so that pair of files lets an attacker recover every domain account’s hash offline.
Beacon, along with publicly available tools like BloodHound, SharpHound or AdFind, is then used for reconnaissance, the researchers added, which lets the actors move laterally and expand their footprint across the compromised network.
The Ransomware Payload
The end goal, according to the report, is to deploy a Ryuk payload.
“There is evidence to suggest that Ryuk ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis,” the report continued.
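The credential-export step above and the PsExec distribution step here both leave event-log artifacts. As an added example that is not the report’s tooling, the following hunt looks for process creations (Security event 4688) whose command line matches the usual ways of exporting ntds.dit with the SYSTEM and SECURITY hives, and for service installations (System event 7045) of the temporary service PsExec drops on a target. It assumes Windows PowerShell 5.1 or later run as an administrator, and that Audit Process Creation with command-line logging is enabled so that 4688 events carry the command line; the 30-day window and the regex list are assumptions to tune for your environment.

```powershell
# Added example (not from the Mandiant report): hunt for ntds.dit export and PsExec
# service installs in the local event logs. Requires an elevated session and, for
# the 4688 hunt, process command-line auditing enabled via Group Policy.

$since = (Get-Date).AddDays(-30)   # assumed look-back window

function Get-EventDataField($Event, $Name) {
    # Pull a named EventData field out of the event's XML rendering.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Command lines commonly used to obtain ntds.dit plus the SYSTEM/SECURITY hives
# (assumed patterns; ntdsutil's IFM export is the most common).
$credTheftPatterns = @(
    'ntdsutil.*ifm',                          # ntdsutil "ac i ntds" "ifm" "create full C:\x" q q
    'vssadmin\s+create\s+shadow',             # shadow copy to read the locked ntds.dit
    'wmic.*shadowcopy\s+call\s+create',
    'reg(\.exe)?\s+save\s+hklm\\(system|security)',
    'copy\s+.*\\ntds\.dit',
    'esentutl.*ntds\.dit'
)

function Find-CredentialExport {
    $events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $cmd = Get-EventDataField $e 'CommandLine'
        if (-not $cmd) { continue }            # auditing without command lines logs nothing useful
        foreach ($p in $credTheftPatterns) {
            if ($cmd -match $p) {
                [pscustomobject]@{
                    Time        = $e.TimeCreated
                    User        = Get-EventDataField $e 'SubjectUserName'
                    Process     = Get-EventDataField $e 'NewProcessName'
                    Pattern     = $p
                    CommandLine = $cmd
                }
                break
            }
        }
    }
}

function Find-PsExecService {
    # PsExec copies PSEXESVC.exe into ADMIN$ on the target and installs it as a service;
    # the Service Control Manager records the install as event 7045.
    $events = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $svc = Get-EventDataField $e 'ServiceName'
        $img = Get-EventDataField $e 'ImagePath'
        if ($svc -match 'PSEXESVC' -or $img -match 'PSEXESVC') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Service   = $svc
                ImagePath = $img
                Account   = Get-EventDataField $e 'AccountName'
            }
        }
    }
}

Find-CredentialExport | Format-Table -AutoSize
Find-PsExecService   | Format-Table -AutoSize
```

Two caveats: `psexec -r` lets the operator rename the service, so also review any 7045 event whose image path is a freshly written executable under the Windows directory, and shadow-copy creation is also what backup software does, so expect to whitelist the scheduled jobs on a domain controller before treating a `vssadmin` hit as hostile.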
The partnership between the developers behind Kegtap, Singlemalt and Winekey and the group behind Ryuk is what makes this operation particularly noteworthy. Ryuk is run by an Eastern European actor that Mandiant tracks as UNC1878, and it continues to be a prolific threat against healthcare organizations, attacks that Charles Carmakal, senior vice president and CTO of Mandiant, says pose unprecedented danger to the U.S.