
Weak Passwords Led to (SafePay) Ransomware…Yet Again

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving SafePay ransomware.

The findings presented in this post are summarised below:

  • Initial access via a misconfigured firewall
  • A domain administrator account with a weak password
  • Usage of ScreenConnect likely for persistence
  • QDoor backdoor
  • Deployment of Safepay ransomware

Incident Overview

The Threat Actor gained access to a local account through a simple misconfiguration on the Fortigate firewall, which allowed local accounts to authenticate to the VPN and bypass the MFA requirement. After this, the Threat Actor interacted with servers and file shares, subsequently encrypting them.

The Threat Actors behind the ransomware sample investigated as part of this incident identify themselves as the “Safepay team”. The encryptor includes a built-in check to prevent it from operating in Russian-speaking countries, hinting at the actors’ possible location or affiliations.

A screenshot of the .onion address from the ransom note is shown below.

Timeline

T + 0 days – Initial access due to a misconfigured firewall

T + ~7 hours – First malicious batch file utilised and network share discovery

T + 1 day – Credential Access and File Accesses

T + 2 days – Ransomware Deployed 

MITRE TTPs

Initial Access

T1190 - Exploit Public-Facing Application 

A misconfiguration of a policy in the Fortigate firewall allowed local and LDAP groups to authenticate against the VPN, thereby bypassing the multi-factor authentication requirement. This led to the Threat Actor gaining initial access to the victim’s environment. Coupled with weak passwords across all accounts, this resulted in the attack being successful.

T1078.002 - Valid Accounts: Domain Accounts

The Threat Actor was able to gain access to a local account through a simple misconfiguration of the firewall. Once inside, the Threat Actor was able to escalate to a domain administrator account not covered by MFA at the time of the attack. 

Logs indicated that a Threat Actor controlled device named vultr-guest successfully authenticated as the administrator and conducted various activities from the VPN range. vultr-guest is a hostname known to be associated with devices that utilise the Vultr Virtual Private Server (VPS) infrastructure [1].

Execution

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

The compromised domain administrator account executed the batch file C:\ProgramData\<single digit>.bat.

Persistence

T1543.003 - Create or Modify System Process: Windows Service

The Threat Actor created a ScreenConnect service. 

Service Name:  ScreenConnect Client

Service File Name: C:\Program Files(x86)\\ScreenConnect Client

Service Type: user mode service

Service Start Type: auto start

Service Account: localsystem

The exact purpose of ScreenConnect is unknown in this incident but was likely utilised by the Threat Actor to maintain access to the environment. 

T1133 – External Remote Services

A malicious file named soc.dll was deployed and identified as a backdoor tool publicly known as QDoor[2].

T1027.002 – Obfuscated Files or Information: Software Packing

The soc.dll file used by the Threat Actor was packed with UPX/modified UPX, an open-source packer, to conceal the content of the file. 

soc.dll Analysis

The DLL presents 3 exports:

  • DllRegisterServer
  • DllUnregisterServer
  • x

The malicious code entry point is found in DllRegisterServer, which indicates it is designed to be executed with regsvr32, a Windows command-line tool used for registering or unregistering Dynamic Link Library files.

The first stage decodes and extracts another embedded DLL. This DLL is mapped into memory and execution is transferred directly to that memory region. No injection is performed at this stage.

The new DLL has signatures that point to the use of an open-source tool called RunPE [3]. Within this file, the RunPE tool has been combined with another executable.

The RunPE portion of the executable creates a new process C:\Windows\system32\WerFault.exe in a suspended state. It injects this process with the content of the embedded executable using standard process hollowing techniques that can be viewed in the RunPE project. 

The injected executable has one final layer of packing. This time, it uses UPX [4].

With the final layer removed, internal strings identified the sample as a backdoor tool known as QDoor, with possible attribution to the Blacksuit ransomware group [5]. The tool’s functionality and hardcoded C2 address match those in the linked blog.

Notable points:

  • Hardcoded C2: 88.119.167[.]239 communicating over port 443
  • Unencrypted C2 traffic with a header: C4 C3 C2 C1
  • Registration with the C2 sends basic host information
  • Possible C2 commands include:
    1. Heartbeat request, instructing the bot to check in with the C2
    2. Tunnel request, providing an IP for the bot to establish a tunnel with

Credential Access

T1003 – OS Credential Dumping

The file C:\Windows\Temp\RRZqKUbG.tmp was flagged as Behaviour:Win32/RemoteRegDump.A by Microsoft Defender, suggesting an attempt by the Threat Actor to harvest further credentials.

Discovery

T1082 – System Information Discovery

The batch files utilised by the Threat Actor, for example 1.bat, interacted with servers and file shares, subsequently encrypting them using the ransomware binary 1.exe.

Lateral Movement

T1021.001 – Remote Services: Remote Desktop Protocol

A number of successful RDP connections were made by the Threat Actor during the course of the attack. 

T1021.002 – Remote Services: SMB/Windows Admin Shares

The malicious batch files observed across the estate accessed drives and shares and pushed the ransomware binary 1.exe to numerous servers. An example of the command can be seen below:

start C:\1.exe -pass=<string of characters> -path=\\<location> -enc=1

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

The 88.119.167[.]239 IP address was identified as a hardcoded command and control beacon within soc.dll, communicating over port 443 (HTTPS). 

T1219 – Remote Access Software

The remote access application ScreenConnect was installed as a service; however, the exact usage of the application was not identified during the investigation.

Impact

T1531 – Account Access Removal

The Threat Actor changed all admin passwords, making it difficult for the victim to access the infrastructure once encryption had occurred.

T1486 – Data Encrypted for Impact

Ransom notes, named readme_safepay.txt, were left behind on numerous hosts and indicated this attack was the work of SafePay. The .safepay file extension was appended to files on the compromised servers. The encryption deployed by the Threat Actor included the encryption of hypervisors rendering the virtual machines within useless. 

Ransomware Encryptor

Ransomware Arguments

The ransomware was executed via the command line and requires specific arguments, such as -pass, which provides the password to decrypt an embedded public key.

Parameter – Meaning

  • -uac – By default, the malware performs a Windows UAC bypass using a COM interface; with this flag, the malware confirms if the UAC was.
  • -uac= – Function unknown.
  • -network – Starts the recursive network parser looking for shared folders.
  • -selfdelete – Deletes itself after encryption.
  • -netdrive – Drive letters are enumerated starting from A:, searching for network drives. Once found, these are passed to the encryption routine.
  • -path= – Local or remote path to encrypt, e.g. -path=\\HOSTNAME.LOCAL\C$\
  • -enc= – Encryption percentage.
  • -log – Enables the logging system, which prints the details of every step.
  • -pass= – Password to decrypt the public key used in ECDH key derivation.

Anti-Recovery Tactics

The encryptor issues several commands during execution designed to disable recovery mechanisms and any functionality that could interfere with its operation:

Command – Description

  • vssadmin delete shadows /all /quiet – Deletes all Volume Shadow Copies (VSS), which are automatic backups made by Windows.
  • wmic shadowcopy delete – Also deletes all shadow copies, via the Windows Management Instrumentation Command-line (WMIC).
  • bcdedit /set {default} bootstatuspolicy – Modifies the boot configuration to ignore failures on startup, disabling certain checks that might alert the user.
  • bcdedit /set {default} recoveryenabled no – Modifies the boot configuration to disable Windows Automatic Repair on boot.
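The commands in the table above are exactly what process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 command lines) should alert on. The following is an added example written for this post, not tooling from NCC Group or from the incident: it matches the four anti-recovery commands against a handful of constructed process-creation events (the host/user/cmd field names and the event contents are made up for the demonstration), tolerating the spacing and case variation seen in real command lines, and then flags hosts where more than one distinct rule fires, since a cluster of these commands on one host shortly before encryption is a far stronger signal than any one of them alone.

```python
import re
from collections import defaultdict

# Rule name and a case-insensitive pattern for each anti-recovery command.
# The patterns match the command and its key arguments, not the exact string,
# so "vssadmin.exe  DELETE shadows /All /Quiet" still fires.
ANTI_RECOVERY_RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_bootstatuspolicy",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]

# Constructed sample events in the shape a SIEM might hand us (hypothetical
# field names; none of this is log data from the incident).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc-backup", "cmd": "wmic shadowcopy delete"},
    {"host": "FS01", "user": "CORP\\svc-backup",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "FS01", "user": "CORP\\svc-backup", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS22", "user": "CORP\\alice", "cmd": "vssadmin list shadows"},
    {"host": "WS22", "user": "CORP\\alice", "cmd": "C:\\Windows\\System32\\notepad.exe notes.txt"},
]


def match_anti_recovery(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in ANTI_RECOVERY_RULES if rx.search(cmdline)]


def scan_events(events):
    """Turn raw process-creation events into per-rule alerts."""
    alerts = []
    for ev in events:
        for name in match_anti_recovery(ev["cmd"]):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": name, "cmd": ev["cmd"]})
    return alerts


def hosts_with_cluster(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct anti-recovery rules fired."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].add(alert["rule"])
    return sorted(host for host, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['host']:6} {alert['rule']:26} {alert['cmd']}")
    print("hosts with clustered anti-recovery activity:", hosts_with_cluster(found))
```

Note that "vssadmin list shadows" on WS22 correctly does not fire: backup and admin tooling lists shadow copies legitimately, and the deletion, not the enumeration, is the behaviour worth paging on.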

Encryption

The encryptor uses ChaCha20 to encrypt files. ChaCha20 is a symmetric encryption algorithm that uses the same key for encryption and decryption. In this case, each file is encrypted using a unique key. 

The process requires that the threat actor can derive the encryption key used. This is achieved using an x25519 key exchange mechanism.

A random private key is generated for each file using the Windows API CryptGenRandom. From this random key, a public key is derived using an x25519 derivation function.

The second call to this function derives the shared secret from the generated private key and a public key from the Threat Actor that has been encrypted and hardcoded within the binary. The shared secret is used as part of a key derivation function (KDF), resulting in the final encryption key for the ChaCha20 encryption.

After the file is encrypted, additional metadata is appended to the end of the file in plaintext, as described in the Structure of an encrypted file section. This metadata lets the Threat Actor derive the shared secret with their private key and decrypt the file.

In summary, the analysis shows that decryption of files by the Threat Actor should be possible, but no weaknesses in the implementation that would allow decryption without access to the Threat Actor’s private key were identified.

Structure of an encrypted file

All encrypted files are renamed by appending the extension .safepay to the filename. Files are not entirely encrypted. Instead, they are encrypted in blocks of 0xa00000 or 10485760 bytes, and the level of encryption per block depends on the -enc argument passed to the encryptor. In the case of this incident, -enc=1 was passed, indicating the block should be encrypted to 10%, resulting in blocks of 0x100000 bytes being encrypted every 0xa00000 bytes.

At the end of the file, an unencrypted block of metadata is appended, which is 0x41 or 65 bytes long. This consists of:

  • 32-byte public key associated with the random private key generated for that file used to derive the encryption key during decryption.
  • 32-byte validation hash generated as part of the KDF function likely used for integrity validation during decryption.
  • 1-byte value that was passed in the -enc argument
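To make the layout above concrete, here is an added example (not code from the original post and not code from the analysed sample) that parses the 65-byte plaintext trailer and works out which byte ranges of the original content are encrypted for a given -enc value, which is useful when triaging how much of a large file was actually touched. It assumes, beyond what the analysis states, that the encrypted span sits at the start of each 0xa00000-byte chunk and that each unit of -enc corresponds to a further 10% (the post only documents -enc=1 as 10%); the sample bytes are constructed. It is a triage helper only: it does not attempt decryption, which, as the analysis says, requires the Threat Actor’s private key.

```python
import struct

CHUNK_SIZE = 0xA00000   # 10485760-byte block size reported in the analysis
TRAILER_LEN = 0x41      # 65-byte plaintext trailer appended to every encrypted file
EXTENSION = ".safepay"


def parse_trailer(data: bytes) -> dict:
    """Split the trailer into ephemeral x25519 public key, validation hash and -enc byte."""
    if len(data) < TRAILER_LEN:
        raise ValueError("file too short to carry a SafePay trailer")
    pubkey, vhash, enc = struct.unpack("<32s32sB", data[-TRAILER_LEN:])
    return {"ephemeral_public_key": pubkey.hex(),
            "validation_hash": vhash.hex(),
            "enc": enc}


def encrypted_span_per_chunk(enc: int) -> int:
    """Bytes encrypted at the start of each chunk.

    ASSUMPTION: the analysis only documents -enc=1 as 10% (0x100000 of every
    0xA00000 bytes); treating each unit of -enc as a further 10% is an
    extrapolation for this example, not a confirmed property of the encryptor.
    """
    if not 1 <= enc <= 10:
        raise ValueError("enc outside the 1-10 range this example supports")
    return CHUNK_SIZE * enc // 10


def encrypted_ranges(payload_len: int, enc: int) -> list:
    """(offset, length) pairs of encrypted bytes within the original content."""
    span = encrypted_span_per_chunk(enc)
    ranges = []
    for offset in range(0, payload_len, CHUNK_SIZE):
        # ASSUMPTION: the encrypted span is at the start of the chunk.
        ranges.append((offset, min(span, payload_len - offset)))
    return ranges


def triage(filename: str, data: bytes) -> dict:
    """Summarise a suspected SafePay file without attempting decryption."""
    trailer = parse_trailer(data)
    payload_len = len(data) - TRAILER_LEN
    ranges = encrypted_ranges(payload_len, trailer["enc"])
    encrypted = sum(length for _, length in ranges)
    return {
        "filename": filename,
        "has_safepay_extension": filename.endswith(EXTENSION),
        "enc": trailer["enc"],
        "payload_len": payload_len,
        "ranges": ranges,
        "encrypted_fraction": (encrypted / payload_len) if payload_len else 0.0,
        "ephemeral_public_key": trailer["ephemeral_public_key"],
    }


# Constructed sample: 5000 bytes of content followed by a made-up trailer
# (sequential bytes standing in for the key and hash, enc=1). Not incident data.
SAMPLE_TRAILER = bytes(range(32)) + bytes(range(32, 64)) + b"\x01"
SAMPLE_FILE = bytes(5000) + SAMPLE_TRAILER


if __name__ == "__main__":
    print(triage("report.docx" + EXTENSION, SAMPLE_FILE))
    # A 30 MiB file at -enc=1 only has the first 1 MiB of each 10 MiB chunk touched.
    print(encrypted_ranges(3 * CHUNK_SIZE, 1))
```

One practical consequence the ranges make visible: under -enc=1 any file smaller than 0x100000 bytes falls entirely inside the first encrypted span, so small documents are fully encrypted, while for large files (VM disks, database files) roughly 90% of the content is left intact, which matters when assessing what may be recoverable from partially encrypted data.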

Targeted file extensions

The ransomware only encrypts the files with these extensions:

.exe .dll .pdb .386 .cmd .ani .adv .ps1 .cab .msi .msp .com .nls .ocx .mpa .cpl .mod .hta .prf .rtp .rpd .bin .hlp .shs .drv .wpx .bat .rom .msc .spl .msu .ics .key .lnk .hlp .sys .drv .cur .idx .ldf .ini .reg .apk .ttf .otf .fon .fnt .dmp .tmp .pif .wav .wma .dmg .app .ipa .xex .wad .msu .icns .theme .diagcfg .diagcab .diagpkg .msstyles .gadget .woff .part .sfcache .winmd .icl .deskthemepack .nomedia

Language check

A system language check determines if the infected device is in a region it intends to avoid targeting. Threat actors often use this tactic to bypass machines in certain countries, likely to evade legal repercussions or reduce unwanted attention from local authorities. If the system language matches any specified languages, the malware will immediately terminate. A complete list of languages checked can be seen below:

  • Russian
  • Ukrainian
  • Belarusian
  • Azerbaijani (Cyrillic)
  • Armenian
  • Georgian
  • Kazakh

Attribution

Current analysis could not identify any high-confidence indicators that enabled the attribution of this sample to a known threat actor group. This sample was compared to known Blacksuit ransomware encryptors, which showed a very low amount of shared code, indicating either that this is not a Blacksuit ransomware binary or that this version has been completely rewritten.

IOCs

IOC – Description

  • 88.119.167[.]239 – soc.dll C2
  • C4 C3 C2 C1 – C2 traffic header
  • 921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae – SHA256 hash of soc.dll
  • 6c1d36df94ebe367823e73ba33cfb4f40756a5e8ee1e30e8f0ae55d47e220a6a – SHA256 hash of the RunPE-bundled DLL
  • e79608cf1d6b51324c14bef8883054c1238ed5f080222cc464810e6e14adc346 – SHA256 hash of the injected PE
  • ColinSolomon@protonmail.com – Threat Actor email address in ransom note
  • DepaolaKristabelle@protonmail.com – Threat Actor email address in ransom note
  • hxxp://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd[.]onion – SafePay blog
  • 07353237350c35d6dc2c8f143b649cd07c71f62b – SHA1 hash of 1.exe (ransomware binary)

References

[1] https://www.vultr.com/

[2] https://www.linkedin.com/pulse/qdoor-new-backdoor-tool-blacksuits-arsenal-connectwise-uwvhc

[3] https://github.com/d35ha/RunPE/blob/master/RunPE.cpp

[4] https://upx.github.io/

[5] https://www.linkedin.com/pulse/qdoor-new-backdoor-tool-blacksuits-arsenal-connectwise-uwvhc/