A bare-bones ransomware offloads most of its functionality to a cache of PowerShell scripts...
(a thread) 1/13
Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red.
The malware was delivered as the final executable payload in a hand-controlled attack in which every other early-stage component was a PowerShell script. 2/13
While the name and tooling were unique to this attacker, the ransom note left behind resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections.
There were no other obvious similarities between the Epsilon Red ransomware and REvil. 3/13
It appears that an enterprise Microsoft Exchange server was the initial point of entry into the enterprise network.
It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. 4/13
From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server. 5/13
The name Epsilon Red is a reference to pop culture.
The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude. 6/13
The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX. 7/13
Strangely enough, the ransom note closely resembles the note used by REvil.
But where the REvil note is typically riddled with errors, the note delivered by Epsilon Red has gone through a few edits to make its text more readable to an audience of native English speakers. 8/13
Detections:
Sophos endpoint products, such as Intercept X, will behaviorally detect several of the actions taken by the PowerShell scripts or the ransomware payload. The act of attempting to encrypt files is blocked by the CryptoGuard feature. 9/13
As the ingress point for this attack appears to have been an Exchange server vulnerable to the ProxyLogon exploit chain, customers are urged to patch internet-facing Exchange servers as quickly as possible. 10/13
Sophos endpoint products can protect Exchange servers as well as Domain Controllers or workstations.
Indicators of compromise for this threat can be found on the SophosLabs Github. 11/13
Thank you to @AnandAjjan, Richard Cohen, Fraser Howard, Elida Leite, @markloman, Andrew Ludgate, @AltShiftPrtScn, Nirav Parekh, & @GaborSzappanos for producing a comprehensive analysis of the threat & improving our ability to detect & block malware like Epsilon Red in the future.
NEW: AMSI bypasses remain tricks of the malware trade
Malware developers continue to try to sabotage or evade Microsoft’s Anti-Malware Software Interface in “fileless” and living-off-land attacks...
(a thread) 1/13
As Windows 10 and the latest generation of Windows Server platforms have risen to prominence, malware developers and malicious actors have increasingly aimed to evade detection by taking out those platforms’ anti-malware traffic cop: Microsoft’s Antimalware Scan Interface. 2/13
AMSI, introduced in 2015, provides a way for software to talk to security products, requesting scans of files, memory, or streams for malicious payloads in a vendor-agnostic way. 3/13
NEW RESEARCH: A defender's view inside a #DarkSide ransomware attack ***
What to expect when you’re targeted by a headline-seeking threat actor... (a thread)
1/8
The recent ransomware intrusion of a major US gasoline pipeline operator was the work of an affiliate of #DarkSide, a ransomware ring that has been responsible for at least 60 known cases of ransomware double-extortion so far this year.
2/8
DarkSide has struck several high-profile victims recently, including companies listed on the NASDAQ stock exchange.
3/8
NEW: May’s Patch Tuesday brings a lighter-than-usual number of Windows updates
... But fewer patches does not make the bugs less dangerous
(a thread) 1/9
The recent history of Patch Tuesday releases has seen Microsoft updating upwards of 100 software bugs every month, but that trend is broken today when the company fixes just 55 vulnerabilities across their products. 2/9
Synchronized to release in parallel with Microsoft’s updates, Adobe is also fixing 11 bugs in their Acrobat Reader software, one of which (CVE-2021-28550/APSB21-29) is reportedly being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows,” 3/9
NEW RESEARCH: Black Kingdom ransomware begins appearing on Exchange servers
***
A novel, if not particularly well made, ransomware is spreading to Exchange servers that haven't been patched against the ProxyLogon exploit.
(a thread)
1/15
Following the #DearCry ransomware attacks reported on last week, another ransomware gang has also started to target vulnerable Exchange servers with another ransomware, called #BlackKingDom.
2/15
Sophos telemetry began detecting the ransomware on Thursday March 18 as it targeted Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month.
Using renamed copies of PowerShell and Windows’ VBScript host and scripts based on a PowerShell pen-testing tool, LockBit actors searched for systems with valuable data to hit at small organizations...
1/12
A series of recent attacks detected by Sophos provided us the opportunity to dive deeper into LockBit’s tools, techniques & practices.
Based on some artifacts, we believe that some components of the attack were based on PowerShell Empire.
2/12
The organizations hit in the 8 attacks we analyzed were smaller orgs with only partial malware protection deployed. None of them had public Internet facing systems on their networks, though 1 had an older firewall with ports open for remote administration by HTTP and HTTPS.
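The renamed script hosts mentioned at the top of this thread leave a simple detection opportunity: a renamed copy of powershell.exe or wscript.exe still carries its original internal name in the PE version resource, which Sysmon records as OriginalFileName in Event ID 1. The following is an added example, not code from the thread or from Sophos; it assumes Sysmon-style "Key: Value" process-creation records (the OriginalFileName field exists from Sysmon v10 onward), and the sample records are constructed.

```python
# Added example: flag process-creation records whose on-disk image name does not
# match the binary's embedded OriginalFileName. Constructed sample data; not
# code from the thread or from Sophos.
import ntpath

# Internal (version-resource) names of the script hosts the thread says were
# run under other file names. Compared case-insensitively.
WATCHED_ORIGINAL_NAMES = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed Sysmon Event ID 1 records in the rendered "Key: Value" layout,
# one record per blank-line-separated block.
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe -NoProfile

Image: C:\Windows\Temp\svchost.exe
OriginalFileName: PowerShell.EXE
CommandLine: svchost.exe -File C:\Windows\Temp\run.ps1

Image: C:\Users\Public\update.exe
OriginalFileName: wscript.exe
CommandLine: update.exe C:\Users\Public\stage.vbs

Image: C:\Windows\System32\notepad.exe
OriginalFileName: NOTEPAD.EXE
CommandLine: notepad.exe

Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c whoami
"""


def parse_sysmon_events(text):
    """Split blank-line-separated records into dicts of field name -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            # Split on the first ": " only; drive letters ("C:\") have no space
            # after the colon and so are left intact inside the value.
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def find_renamed_script_hosts(events):
    """Return one finding per event whose OriginalFileName is a watched script
    host but whose on-disk file name differs from it."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName")
        image = ev.get("Image")
        if not original or not image:
            # Pre-v10 Sysmon or a truncated record: nothing to compare against.
            continue
        if original.lower() not in WATCHED_ORIGINAL_NAMES:
            continue
        on_disk = ntpath.basename(image)
        if on_disk.lower() != original.lower():
            findings.append({
                "image": image,
                "original_name": original,
                "command_line": ev.get("CommandLine", ""),
            })
    return findings


def main():
    for f in find_renamed_script_hosts(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"renamed {f['original_name']} running as {f['image']}: {f['command_line']}")


if __name__ == "__main__":
    main()
```

Run against the constructed records, the rule fires on the two renamed copies (svchost.exe carrying PowerShell.EXE and update.exe carrying wscript.exe) and stays quiet on the genuine powershell.exe, on notepad.exe and on the record lacking the field. The check only catches a plain file rename; a binary whose version resource has been stripped or rewritten will not mismatch, so a watched host whose OriginalFileName is absent altogether is worth a second, separate rule.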