We chatted with ReversingLabs Malware Researcher Joseph Edwards about his research on AstraLocker 2.0.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey, welcome back to another episode of ConversingLabs, ReversingLabs' podcast. Every couple of weeks, we're coming to you with the best minds in information security, threat intelligence, threat hunting, application security. And this week, we are thrilled to have one of our own researchers here at ReversingLabs, Joseph Edwards, with us. Hey, Joseph. Welcome.

JOSEPH EDWARDS
Thanks for having me on, Paul.

PAUL ROBERTS
This is your first time on ConversingLabs?

JOSEPH EDWARDS
Yes, definitely excited to be here.

PAUL ROBERTS
So we have you with us today, Joseph, because you just published a research report, which we published on our blog, taking a look at some research that you did into a ransomware threat, kind of, called AstraLocker 2.0, and a really interesting campaign that you discovered, a little bit atypical, and we want to have you in to talk about what you found. But before we do that, could you just tell the audience just kind of what your role is here at ReversingLabs and what type of work you do?

JOSEPH EDWARDS
Sure. Sounds good. So at ReversingLabs, I'm a senior malware researcher. Most of what I do is searching across the TiCloud file corpus and looking at kind of everything we have. And as many of our viewers know, it's a lot of files per day. So it definitely does take a good amount of threat hunting and sort of knowledge of different malware techniques. My goal is to kind of figure out what our specialty is at ReversingLabs, and we do a lot of static analysis, so we are capable of finding things that some antiviruses might have overlooked. So that's kind of where my approach was on hunting for these threats and hunting for threats in general. Anything that is going to trip up normal antivirus using typical evasion techniques or obfuscation techniques are something that we're interested in.

PAUL ROBERTS
So how did you come to focus on AstraLocker 2.0?

JOSEPH EDWARDS
That was the result of just some hunting on Twitter. Somebody had reached out on Twitter saying that there was a sample of a malicious document and they were unsure, they were unable to get it to run in a sandbox. So we have a piece of malware that's doing some sandbox evasion. So that's something that might trip up antivirus or it might trip up automated sandboxes. So I thought it would be a good idea to take a deeper look.

PAUL ROBERTS
Interesting. And that's pretty common in modern malware, right, that they'll try and detect if they are being run in a sandbox or a virtualize environment, which a lot of security companies use to analyze. What does this thing do when you run it, right?

JOSEPH EDWARDS
Definitely. And there's a range of how sophisticated those techniques can be. Sometimes they're just looking for processes that are running that look suspicious, and sometimes they're going as deep as looking at hardware serial numbers to see if it's related to certain sandboxes or certain antiviruses. So in this case, it wasn't that the threat actor was super sophisticated, but the packer had a lot of anti-evasion, anti-sandbox methods in it.

PAUL ROBERTS
So let's talk about AstraLocker. This is a fairly recent entry in the ransomware world and it seems to have its origins in the Babuk ransomware family. Is that right? So this is something, AstraLocker, that was first identified, I think last year, in 2021. What do we know about AstraLocker?

JOSEPH EDWARDS
The attribution is a bit unclear. The Babuk group, of course, is a ransomware-as-a-service group, so it can be difficult to tell what affiliate launched what ransomware attack. And of course, they do sell builders for each affiliate to build their own piece of ransomware for a campaign. I think the interesting thing to note is that they did have a source code leak last year that was kind of going around.

PAUL ROBERTS
Babuk ransomware did?

JOSEPH EDWARDS
Yes, Babuk ransomware had a source code leak, and it does seem related to the proliferation of AstraLocker and AstraLocker 2.0. So definitely related to the Babuk group, but not necessarily attributable to them or their affiliates.

PAUL ROBERTS
And one of the things that you observed about this campaign when you were analyzing it is that unlike most ransomware infections, this one basically cut right to the chase. Basically like it was using Microsoft Word documents as lures. That's not that unusual, but when you open the Word document, it immediately went to install the ransomware, which I think is I don't know, you'd have to explain. But I think that's pretty unusual, isn't it, to have the ransomware be the first piece of malware that's delivered?

JOSEPH EDWARDS
Yeah, it definitely is very unusual. And first thought, first glances. This has got to be some kind of mistake. It's got to be somebody just playing with a payload. But when you start to look a little deeper at it and do some hunting. Not just on this sample. But across other samples using the same packer. You're kind of seeing that not only is it strange from a technical perspective. Typically ransomware is not deployed until an attacker has control of multiple systems. Ideally a domain controller. And they can proliferate ransomware out to all of the different hosts at the same time. So that's typically the strategy. But one thing that is very interesting about this sample is that clearly once this source code gets out and it gets into the hands of attackers who are trying to monetize as quickly as possible, you may not have traditional ransomware strategy. And so we can't necessarily get too comfortable in how we think about ransomware. And clearly a technique like this can still have impact.

PAUL ROBERTS
Yeah. I mean. We're used to talking about the M.O. of ransomware groups and affiliates is to expand your reach, to own as many valuable IT assets within the environment. Often these days. To have already exfiltrated a fair amount of data that you're going to also use to extort the victim and then at the very last stage in the attack. To actually spring the trap. Launch a ransomware. And obviously cripple the victims environment with a ransomware. But clearly not the objective here. What do we know about who was targeted? What types of organizations were targeted with this, and whether this was a money making endeavor for the attackers or just kind of a proof of concept attack?

JOSEPH EDWARDS
I mean, that's a good question. We can get a little bit of indication into what their motive here was. I would say that this looks a bit like attempting to develop a payload, or test antiviruses, or test some aspect of development, or just an attacker getting a hold of the source code and trying different methods of packing it. Because as I noted in the article, one thing that's odd about this sample is once you detonate it and decrypt the ransomware note, you find that the email is actually missing. So there's not a way for the threat actor to be contacted by the victim. There's no way for them to send the victim a decryption key. So that lack of quality assurance in the sample actually makes this piece of ransomware into something basically destructive. There is not a straightforward way to recover your files if you're encrypted with this sample. And so clearly, if they were practicing quality assurance, quote, unquote, and attempting to get their money realistically, they would have included all of that information in there. Yeah. So, yeah, definitely another strange thing about the sample.

PAUL ROBERTS
Yeah. They kind of have the AstraLocker @ as the email address, but no domain. Right. So that's not a real email address. And obviously, as you said, those email addresses, you need a support address basically to help the customer affect the complete the payment, get the decryption key, and kind of complete the transaction. So there's actually a fair amount of interaction between the victim and the attacker in most normal ransomware situations. Right. And that all happens through that support email.

JOSEPH EDWARDS
Yeah, and for good reason, because any ransomware that is attempting to sort of automate that decryption process malware researchers like myself have typically found vulnerabilities in that. So it's very common for attackers to set up a communication channel and not attempt to have a centralized infrastructure for sending in payments and sending decryption keys, because typically they need to... Because typically it's public key encryption, so they need to provide the decryption key.

PAUL ROBERTS
So when we look at this, you said that there was obviously the theft and leak of the Babuk source code back in 2021, and that may have given rise to AstraLocker as a kind of fork of the Babuk ransomware. When we look at the sort of functionality of these, are they pretty similar? And when we look at these attacks that you analyze, are there similarities between those and the Babuk attacks that we saw back in 2021? I think Babuk first appeared in early 2021, so some of those affiliate attacks that we saw during 2021? 

JOSEPH EDWARDS
Sure, yes. They're pretty much 98% similar. Same encryption algorithm, same exclusion list of processes, same services and processes killed in order for the ransomware to run. The differences are pretty much cosmetic. The ransomware has kind of a personalized AstraLocker 2.0 in the ransom note. Well, of note, of course, are the Bitcoin and Monero wallet addresses and those are also important campaign markers. Wherever they want you to send the ransom is definitely going to be something that you want to track. And so I noticed that the Monero wallet address was related to the Chaos ransomware gang, which is not really affiliated with Babuk per se. They have their own .net ransomware called Chaos and there's different versions of that. So there is a bit of overlap between these two actors based on that wallet address. And I also noticed that the Bitcoin wallet address, if you were to pay your ransom in Bitcoin is related to a couple other AstraLocker 2.0 campaigns, this one specifically just to differentiate between other AstraLocker 2.0 campaigns, it seems that they were testing out using this specific packer called Safe Engine Shield and it's very old, not really supported. I would say if you wanted to block anything packed with this packer, you would probably be doing yourself a service rather than a disservice.

PAUL ROBERTS
Not going to be a lot of false positives.

JOSEPH EDWARDS
Right.

PAUL ROBERTS
And what can we really infer from that? So you've got the Bitcoin wallet seems pretty consistent with the earlier AstraLocker campaigns. The Monero wallet, this other ransomware group, it's like trying to piece together, I imagine, like the police dramas where they've got the board and the pictures with the string, attaching them or something. It's a really confusing picture. It makes me wonder, is this just somebody's half-assed effort to kind of just push something out there and kind of cobble together a campaign from little disparate pieces that they grabbed from different places? Or like you said, is it sort of it was a work in progress that maybe got out early or they released it without really having fully completed what they needed to complete. You're trying to kind of figure out what the intention was here. I don't know if you have any thoughts about what that is.

JOSEPH EDWARDS
Sure. And I think intel analysts would be able to probably give the full picture of the scene. And this is, I think, an interesting piece of the puzzle because you have one group, the Babuk group, who are developing pretty tight, I would say ransomware not easy to find chinks in the armor of Babuk originally. And with the source code leak, you have a bunch of different threat actors either attempting to use the builders from the source code leak or to basically implement similar ransomware in kind of less sophisticated language like .net. And if we have this connection between the group who took these leaked builders and attempted to build it and pack it and deploy it. This AstraLocker 2.0 sample. You kind of might imagine that this Chaos ransomware group. Which we have the connection from the Monero wallet. You could say that potentially this group is attempting to reimplement Babuk. Reimplement their ransomware in Chaos. Taking inspiration from an older and more sophisticated group. And maybe this is a less sophisticated group given that they're writing in an intermediate language, they're not writing their malware in something extremely low level. So it's kind of an indication of how techniques and malware sort of are exchanged between groups and it just makes it very difficult to have solid attribution so we can't really rest on the assumptions for attribution that we may have had.

PAUL ROBERTS
So, Joseph, one of the things you pointed out in your research was that the way that this attack was implemented in the Word document that was used as the fishing lure required a lot of user interaction, like multiple quick clicks to get this thing to launch. My understanding is most malicious actors are looking to avoid that type of thing. Why do you think that was a feature of this attack and do you think that had any impact on, ultimately how many victims there were of this particular AstraLocker 2.0 campaign?

JOSEPH EDWARDS
We don't necessarily have information that this lure was too elaborate or too complex to work. Anything can work. Any amount of clicks can theoretically happen. Like you said, the fewer clicks to get the malware to launch the better. But of course some phishing documents they'll have you click on a link to take you to a website to have you download a zip to open up that zip and click on a link file inside. So really any amount of clicks is still feasible. But yeah, I definitely agreed that in this case the lure wasn't amazingly well formed. It didn't seem like it was an APT-level type lure, it wasn't incredibly convincing. But yeah, I think that definitely goes as to not necessarily the sophistication of the actor but the amount of time that they've put into it. It really does seem like they are demoing a technique, demoing an idea, packing known malware with an obfuscator or packer. It seems like their strategy here.

PAUL ROBERTS
I think one of the big takeaways from your report is just that in situations like this where we have malware like Babuk where the source code is leaked. That enables a lot of lower level actors or criminals to kind of draft off of that development work that's been done by a cyber criminal group and go out and kind of strike out on their own to do attacks and operations. Again, leveraging that malware that may not be very sophisticated but that could impact your organization. Even if like this, they're sort of smash and grab, just push them out, push the ransomware out right away and see what happens. But that could kind of still impact you as an organization as far fetched as it sounds. Right?

JOSEPH EDWARDS
Yeah, definitely. And it is kind of a twofold story on attribution, of course, because of course, when there's a source leak like this, you can't place it necessarily with Babuk or their affiliates. But based on the information and the configuration in the malware, you can place the date, place the time frame in which it happened, and when you have more information about how the attack was constructed or maybe where the payload was stored, you can start to make a bigger story. But of course, when you have a file like this maldoc, you can see that a lot of impact is still possible. With one phishing email campaign against the company, you could still end up with a lot of computers encrypted and in this case, not recoverable.

PAUL ROBERTS
So, final question, what would your advice be to organizations out there, SOCs or security teams worried about these types of follow on attacks, either using based on the Babuk leaked source code or others like it? What can they do? I mean, obviously train your users not to open random Word attachments if they get an email. So I guess that's lesson number one. Are there other lessons?

JOSEPH EDWARDS
Sure. And I mean, there's a lot of vectors that can deliver malware and phishing is definitely the most common. But one thing that we've kind of learned from this research is that there's going to be a long tail to any ransomware operation where the source code has been leaked. These things will continue to live on. And in this sample, in particular, packing it with some very old or obscure obfuscator, it's always kind of meant to bypass antivirus signatures. It's meant to ideally sneak under the radar and not loudly blare it. So malware authors are going to consistently try techniques to bypass static detection. And so it's like you said, it's definitely important to avoid being phished, but it's also important to have a very up to date antivirus solution, whatever that may be, ensure that there's very good detections and not just sort of static signatures.

PAUL ROBERTS
With all that we saw in this sort of the initial stages of this, I guess it was like an Olay object and so on. Is it pretty likely that an endpoint detection product would have flagged that as worrying behavior or malicious behavior?

JOSEPH EDWARDS
A good endpoint solution would yes, I believe. But of course, when you have an object that is compressed, like we know, this OLE object in this case was not in itself compressed, but the file format of a Word document. Or it could have been an RTF rich text format document. They can both embed OLE objects. And so it's very easy for us at ReversingLabs to extract an OLE object and then extract the executable from that. But for an antivirus, just directly looking at the bites of a Word document, not necessarily. 

PAUL ROBERTS
Joseph Edwards, thank you so much for coming on and talking to us about your work and the analysis you did of this AstraLocker malware. And great work. And we look forward to having you on again.