September 11, 2024
Severity
High
Analysis Summary
The NoName ransomware gang, also known as CosmicBeetle, has been active for over three years, targeting small and medium-sized businesses globally. The group uses custom malware tools from the Spacecolon family, gaining network access through brute-force attacks and exploiting vulnerabilities like EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).
According to the report, NoName has switched in its recent campaigns from the Scarab encryptor to ScRansom, a newer Delphi-based file-encrypting ransomware. ScRansom's encryption combines AES-CTR-128 with RSA-1024, but its multi-step key exchange is error-prone, so file decryption can fail even after the ransom has been paid.
ScRansom supports partial encryption with several speed modes, giving the operators flexibility, and includes an "ERASE" mode that overwrites files and makes them unrecoverable. It targets files on all drives and kills critical Windows processes before it starts encrypting. Despite these evolving capabilities, the gang's operations still show a degree of immaturity, most visibly in its decryption problems: victims often receive multiple decryption keys, yet many cannot recover all of their data. This contrasts with more seasoned ransomware groups, which prioritize reliable decryption to build a reputation and increase ransom payments.
NoName exploits various vulnerabilities, including those in SMB environments, such as CVE-2017-0144, CVE-2020-1472, and more recent ones like CVE-2023-27532 (Veeam Backup & Replication). The gang also leverages CVE-2017-0290 to disable Windows Defender via a batch file. Alongside its primary ransomware activities, NoName has also been experimenting with tools like the leaked LockBit 3.0 ransomware builder and has created a similar data leak site, mimicking LockBit’s branding to confuse victims and investigators.
In late 2023, NoName/CosmicBeetle likely joined the RansomHub affiliate program, a significant shift in its operations. This was marked by the use of RansomHub’s EDR killer, a tool for disabling security agents and enabling privilege escalation. While the group’s affiliation with RansomHub is not fully confirmed, researchers believe with medium confidence that CosmicBeetle is now working with RansomHub, using their resources to further advance their attacks. Despite technical limitations and frequent errors, NoName's constant evolution suggests it remains a persistent threat on the ransomware scene.
Impact
- Information Theft
- File Encryption
- Financial Loss
Indicators of Compromise
Domain Name
- lockbitblog.info
IP
- 66.29.141.245
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain offline backups - In a ransomware attack, the adversary will often delete or encrypt any backups they can reach. Keep offline (preferably off-site), encrypted backups of your data and test restoring from them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
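As an added defender-side example (not part of the advisory or any vendor tool), the following Python script implements the indicator search that the first two remediation steps call for: it hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single pass and matches the digests against the advisory's hashes, and it scans log lines for the listed domain and IP as whole tokens so that a look-alike address is not reported. The log lines are constructed, and only one hash of each type from the advisory is embedded.

```python
import hashlib
import os
import re
import tempfile
# IOCs copied from the advisory above (domain, IP, one hash of each type); a real
# sweep would load the full feed rather than hard-code values.
IOC_NETWORK = {"lockbitblog.info", "66.29.141.245"}
IOC_HASHES = {
    "a8570f9c64b9dd0d7e89eeb3327a8c61",  # MD5
    "4497406d6ee7e2ef561c949ac88bb973bdbd214b",  # SHA-1
    "34e2b621f15ad4747c7e3dde2be3617841ffacba203b93fd2ff3256b914240f7",  # SHA-256
}

def digests_of_bytes(chunks):
    """MD5, SHA-1 and SHA-256 of an iterable of byte chunks, computed in one pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def sweep_files(root, iocs=IOC_HASHES):
    """Walk a tree; return (path, algo, digest) for each file whose digest is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # 1 MiB chunks, so large files need not fit in RAM
                digests = digests_of_bytes(iter(lambda: fh.read(1 << 20), b""))
            hits += [(path, a, d) for a, d in digests.items() if d in iocs]
    return hits

def sweep_logs(lines, iocs=IOC_NETWORK):
    """Lines holding an IOC as a whole token: 166.29.141.245 must not match the IOC IP."""
    pattern = re.compile(r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(map(re.escape, iocs)))
    return [ln for ln in lines if pattern.search(ln)]

SAMPLE_LOGS = [  # constructed: a DNS hit, a proxy hit, a near-miss IP, a benign query
    "2024-09-11T10:02:13Z dns query=lockbitblog.info client=10.0.0.5",
    "2024-09-11T10:02:14Z proxy CONNECT 66.29.141.245:443 user=jdoe",
    "2024-09-11T10:02:15Z proxy CONNECT 166.29.141.245:443 user=jdoe",
    "2024-09-11T10:02:16Z dns query=example.com client=10.0.0.5",
]

def demo():
    """Self-check: sweep a constructed file using its own SHA-256 as the only IOC."""
    path = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(path, "wb") as fh:
        fh.write(b"abc")
    return sweep_files(os.path.dirname(path), {digests_of_bytes([b"abc"])["sha256"]})
```

Point sweep_files at a real directory and sweep_logs at DNS or proxy log lines to run it against your own environment.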