NoEscape Ransomware, AvosLocker Ransomware, Retch Ransomware, S-H-O Ransomware and More: Hacker’s Playbook Threat Coverage Round-up: October 31st, 2023

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including NoEscape ransomware, AvosLocker ransomware, and Retch ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

NoEscape Ransomware: What you need to know

The NoEscape ransomware is a newly discovered ransomware variant (first identified in May 2023) that leverages the ransomware-as-service (RaaS) model to target victims. It is believed that the attackers that created the NoEscape ransomware built it and its supporting infrastructure from scratch – making it different from other ransomware variants and families that often have some basic similar source code. The ransomware creators offer their affiliates a platform that can help them build and manage different payloads for Windows and Linux environments and use a profit-sharing model to keep a share of the ransom.

It is believed that a NoEscape ransomware payload can support different types of encryption models, including full, fast, or strong. They also use RSA and ChaCHA20 to encrypt certain kinds of files. A shared encryption feature allows for a single encryption key to be shared across all infected files in a network as opposed to each host having a unique key. This option is available to allow for efficient encryption and rapid decryption should the victim pay. NoEscape ransom notes are typically saved as text-file labeled “HOW_TO_RECOVER_FILES.TXT” in each folder that contains encrypted files. All encrypted files will have a ten-character identifying extension appended to them. Examples of observed extensions include “.CCBDFHCHFD” and “.CBCJDHIHBB”.

SafeBreach Coverage of NoEscape Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against NoEscape ransomware. 

• #9271 – Write NoEscape (2bc0d8) ransomware to disk
• #9272 – Pre-execution phase of NoEscape (2bc0d8) ransomware (Windows)
• #9273 – Transfer of NoEscape (2bc0d8) ransomware over HTTP/S
• #9274 – Transfer of NoEscape (2bc0d8) ransomware over HTTP/S
• #9275 – Email NoEscape (2bc0d8) ransomware as a compressed attachment
• #9276 – Email NoEscape (2bc0d8) ransomware as a compressed attachment
• #9277 – Write NoEscape (4a3e58) ransomware to disk
• #9278 – Transfer of NoEscape (4a3e58) ransomware over HTTP/S
• #9279 – Transfer of NoEscape (4a3e58) ransomware over HTTP/S
• #9280 – Email NoEscape (4a3e58) ransomware as a compressed attachment
• #9281 – Email NoEscape (4a3e58) ransomware as a compressed attachment

AvosLocker Ransomware: What you need to know

On October 11^th, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an updated advisory/ US-CERT Alert AA23-284A highlighting newly discovered and updated IOCs and TTPs associated with the AvosLocker ransomware variant. AvosLocker operates on a ransomware-as-a-service (RaaS) model and its affiliates have previously targeted critical infrastructure entities in the U.S.  These threat actors target and compromise Windows, Linux, and VMware ESXi environments by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

Some of the open-source tools used by the affiliates include:

• Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133].
• Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest.
• Open-source networking tunneling tools [T1572] Ligolo and Chisel.
• Cobalt Strike and Sliver for command and control (C2).
• Lazagne and Mimikatz for harvesting credentials [T1555].
• FileZilla and Rclone for data exfiltration.
• Notepad++, RDP Scanner, and 7zip.

FBI and CISA recommend testing existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

SafeBreach Coverage of AvosLocker Ransomware

The SafeBreach platform has been updated with the following new attacks to ensure our customers can validate their security controls against the AvosLocker ransomware variant. 

• #9260 – Write AvosLocker Beacon (49ca0f) backdoor to disk
• #9261 – Transfer of AvosLocker Beacon (49ca0f) backdoor over HTTP/S
• #9262 – Transfer of AvosLocker Beacon (49ca0f) backdoor over HTTP/S
• #9263 – Email AvosLocker Beacon (49ca0f) backdoor as a compressed attachment
• #9264 – Email AvosLocker Beacon (49ca0f) backdoor as a compressed attachment
• #9265 – Write NetMonitor (a29c6f) backdoor to disk
• #9266 – Pre-execution phase of NetMonitor (a29c6f) backdoor (Windows)
• #9267 – Transfer of NetMonitor (a29c6f) backdoor over HTTP/S
• #9268 – Transfer of NetMonitor (a29c6f) backdoor over HTTP/S
• #9269 – Email NetMonitor (a29c6f) backdoor as a compressed attachment
• #9270 – Email NetMonitor (a29c6f) backdoor as a compressed attachment

Additionally, the following existing attacks have also been mapped to the AvosLocker ransomware variant:

• #1528 – Remote command execution by WMIC (remote download and execute) (lateral movement)
• #794 – Extract Login Information using MimiKatz
• #1220 – Inject Mimikatz using PowerShell to Extract Credentials
• #5833 – Extract Login Information using MimiKatz DCSync
• #3819 – Windows Credentials Collection using LaZagne
• #8652 – Write Chisel hacktool to disk
• #8653 – Pre-execution phase of Chisel hacktool (Windows)
• #8654 – Transfer of Chisel hacktool over HTTP/S
• #8655 – Transfer of Chisel hacktool over HTTP/S
• #8656 – Email Chisel hacktool as a compressed attachment
• #8657 – Email Chisel hacktool as a compressed attachment
• #8866 – Write chisel (767b) hacktool to disk
• #8867 – Pre-execution phase of chisel (767b) hacktool (Windows)
• #8868 – Transfer of chisel (767b) hacktool over HTTP/S
• #8869 – Transfer of chisel (767b) hacktool over HTTP/S
• #8870 – Email chisel (767b) hacktool as a compressed attachment
• #8871- Email chisel (767b) hacktool as a compressed attachment

Retch and S.H.O Ransomware: What you need to know

Researchers from FortiGuard Labs recently analyzed and identified two new ransomware variants – Retch and S.H.O that affect Windows users. These two ransomware variants have been classified as critical and researchers encourage organizations to ensure protection against these new variants. 

• Retch Ransomware – This variant was first discovered in August 2023 and leaves two ransom notes on victim computers. The ransomware encrypts a wide variety of files except those from the following directories: Windows, Program Files, and Program Files (x86) and leaves a “.Retch” extension to the encrypted files.  A ransom note (Message.txt) is left behind in every folder that is encrypted by the attackers and asks the victims to pay about 300 Euros in Bitcoin to purchase the decryption keys. 
• S.H.O Ransomware – The S.H.O variant also encrypts a wide variety of files and adds five random letters and numbers as a file extension. S.H.O encrypts each file using an RSA public key and the Microsoft “Rijndael Managed” C# library. Once it completes encryption, it replaces the Desktop wallpaper with a new image that asks victims to find and read the ransom note labeled “readme.txt”. Typical S.H.O ransom is listed at $200 (payable in Bitcoin)

SafeBreach Coverage of Retch and S.H.O Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against these ransomware variants: 

• #9187 – Write Retch (7fcaac) ransomware to disk
• #9188 – Pre-execution phase of Retch (7fcaac) ransomware (Windows)
• #9189 – Transfer of Retch (7fcaac) ransomware over HTTP/S
• #9190 – Transfer of Retch (7fcaac) ransomware over HTTP/S
• #9191 – Email Retch (7fcaac) ransomware as a compressed attachment
• #9192 – Email Retch (7fcaac) ransomware as a compressed attachment
• #9193 – Write S-H-O (2ebdc3) ransomware to disk
• #9194 – Pre-execution phase of S-H-O (2ebdc3) ransomware (Windows)
• #9195 – Transfer of S-H-O (2ebdc3) ransomware over HTTP/S
• #9196 – Transfer of S-H-O (2ebdc3) ransomware over HTTP/S
• #9197 – Email S-H-O (2ebdc3) ransomware as a compressed attachment
• #9198 – Email S-H-O (2ebdc3) ransomware as a compressed attachment

AtlasAgent Trojan: What you need to know

Researchers from NSFocus recently discovered an new advanced persistent threat (APT) group called AtlasCross that is leveraging Red Cross Blood Donation requests as phishing lures to target and infect victims with a previously unknown trojan called AtlasAgent. It is believed that these phishing attacks contain a macro-enabled Word document (.docm) attachment that urges the victim to click “Enable Content” to view the hidden content. This action triggers a malicious macro that infect the Windows device with the AtlasAgent malware.

AtlasAgent is a custom C++ trojan and its core functions include extracting host and process details, preventing the launch of multiple programs, executing additional shellcode on the compromised machine, and downloading files from the attacker’s C2 servers. the malware sends information to the attacker’s servers, including local computer name, network adapter information, local IP address, network card info, OS system architecture and version, and a running process list. Researchers believe that this advanced attacker is very adept at leveraging various existing hacker technologies and integrating them into their own stack, creating a very formidable opponent that can be very hard to detect for organizations. 

SafeBreach Coverage of AtlasAgent Trojan

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant: 

• #9205 – Write AtlasAgent (d967c8) trojan to disk
• #9206 – Transfer of AtlasAgent (d967c8) trojan over HTTP/S
• #9207 – Transfer of AtlasAgent (d967c8) trojan over HTTP/S
• #9208 – Email AtlasAgent (d967c8) trojan as a compressed attachment
• #9209 – Email AtlasAgent (d967c8) trojan as a compressed attachment

SOGU Malware: What you need to know

Threat researchers from Mandiant have discovered several attacks leveraging infected USB drives to target public and private sector entities. The SOGU malware is attributed to a China-linked threat actor, TEMP.Hex. Researchers believe that the threat actor primarily used these attacks to collect sensitive information in support of Chinese national security and economic interests. Victims were located in Europe, Asia, and the United States and primarily belonged to the construction and engineering, business services, government, health, transportation, and retail verticals. 

SOGU threat actors use an infected USB drive to deliver the primary infection vector. The malicious drive is believed to contain tools that are designed to drop a malicious payload via DLL hijacking. Once they establish presence on victim networks, they typically side-load another malicious DLL file called KORPLUG. The malware infects the victim by dropping a batch file onto the RECYCLE.BIN file path that then runs host reconnaissance commands and outputs the results to a separate file. To maintain its persistence on the system, the malware creates a directory that masquerades as a legitimate program and sets the directory’s attribute to hidden. At the last stage of the attack, the malware will exfiltrate any data that has been staged. The malware can also be copied onto new removable drives plugged into an infected system. This allows the malicious payloads to spread to other systems and potentially collect data from air-gapped systems.

SafeBreach Coverage of SOGU Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant: 

• #9210 – Write SOGU (ae5f96) loader to disk
• #9211 – Pre-execution phase of SOGU (ae5f96) loader (Windows)
• #9212 – Transfer of SOGU (ae5f96) loader over HTTP/S
• #9213 – Transfer of SOGU (ae5f96) loader over HTTP/S
• #9214 – Email SOGU (ae5f96) loader as a compressed attachment
• #9215 – Email SOGU (ae5f96) loader as a compressed attachment

Scattered Spider Threat Group: What you need to know

Recent research has revealed that the threat group Scattered Spider is responsible for the recent ransomware attacks against the casino groups MGM International and Caesars Entertainment. This group (thought to have founded in May 2022) is also known as UNC3944 and primarily comprises of hackers aged 19-22 based in the U.S. and the U.K.

Researchers have tracked the threat group leveraging ALPHV/BlackCat ransomware in the middle of this 2023 to target VMware ESXi servers. They are believed to be able use their growing arsenal of advanced tactics, techniques, and procedures (TTPs) to target extremely complex and hybrid enterprise networks. The threat actors are adept at leveraging stolen PII data such as family names, residential addresses, etc. and using the threat of physical violence to force targeted victims to reveal credentials for corporate network access. 

Microsoft researchers provided more detailed information about the threat group highlighting that the group’s use of highly advanced TTPs (including adversary-in-the-middle techniques) meant that organizations would have to leverage unconventional techniques and procedures to protect themselves. 

SafeBreach Coverage of Attacks related to Scattered Spider

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the threat group: 

• #9199 – Write SOCKS5 Reverse Proxy (08d3a9) hacktool to disk
• #9200 – Pre-execution phase of SOCKS5 Reverse Proxy (08d3a9) hacktool (Windows)
• #9201 – Transfer of SOCKS5 Reverse Proxy (08d3a9) hacktool over HTTP/S
• #9202 – Transfer of SOCKS5 Reverse Proxy (08d3a9) hacktool over HTTP/S
• #9203 – Email SOCKS5 Reverse Proxy (08d3a9) hacktool as a compressed attachment
• #9204 – Email SOCKS5 Reverse Proxy (08d3a9) hacktool as a compressed attachment
• #9282 – Write POORTRY (e45104) trojan to disk
• #9283 – Transfer of POORTRY (e45104) trojan over HTTP/S
• #9284 – Transfer of POORTRY (e45104) trojan over HTTP/S
• #9285 – Email POORTRY (e45104) trojan as a compressed attachment
• #9286 – Email POORTRY (e45104) trojan as a compressed attachment
• #9287 – Write KApcHelper (cb9f9c) trojan to disk
• #9288 – Transfer of KApcHelper (cb9f9c) trojan over HTTP/S
• #9289 – Transfer of KApcHelper (cb9f9c) trojan over HTTP/S
• #9290 – Email KApcHelper (cb9f9c) trojan as a compressed attachment
• #9291 – Email KApcHelper (cb9f9c) trojan as a compressed attachment

Interested In Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.