Report: New Ransomware Variant Targeting Microsoft Exchange Servers

June 07, 2021 - Threat actors with likely ties to REvil ransomware are targeting and successfully exploiting vulnerabilities in Microsoft Exchange Servers with a new malware variant in cyberattacks against enterprise networks, according to a recent Sophos report.

Observed in attacks launched last week, the malware variant called Epsilon Red is written in Go programming language and deployed during the final executable payload of a human-operated cyberattack.

The ransomware variant is relatively simple but it’s attack features a host of steps and obfuscation techniques that could challenge IT teams with detection and remediation, including the use of PowerShell scripts in every early stage component.

“[Epsilon Red is] compiled using a tool called MinGW and packed with a modified version of the runtime packer UPX,” researchers explained. “The executable contains some code taken from an open source project called godirwalk, which gives it the ability to scan the hard drive on which it’s running for directory paths and compile them into a list.”

“The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously,” they added.

READ MORE: Microsoft: Active NOBELIUM Malware Actors’ Spear-Phishing Campaign

The ransomware is relatively small and makes no network connections. It’s only used to encrypt files on the targeted system, including everything inside the targeted folder like the DLL or other executables, the report explained. Instead, the malware relies heavily on PowerShell scripts.

Sophos researchers analyzed the attack, launched against a hospitality company in the US. In at least one other successful attack, the victim paid an approximate $210,000 ransom.

“While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections,” researchers explained.

“There were no other obvious similarities between the Epsilon Red ransomware and REvil,” they added. “The name Epsilon Red... is a reference to pop culture [and] was a relatively obscure adversary of some of the X-Men in the Marvel extended universe.”

According to the analysis, the attackers gained a foothold onto the network through Microsoft Exchange. The researchers could not fully determine how the attack was enabled, but it appears likely that an unpatched Exchange server was at fault.

READ MORE: Joint Fed Guidance on Russian APT Cyberattacks, Exploits, Malware

Federal agencies and Microsoft have repeatedly warned of critical flaws found in Exchange servers under active attack. While many vulnerable entities applied Microsoft’s software update, unpatched servers were being routinely exploited by these hacking groups.

In the latest attacks, the threat actors used Windows Management Instrumentation (WMI) to install malicious software onto the victim’s network, in network locations able to be reached through Exchange.

Upon initial access to a victim’s network, the attackers download and install a copy of the remote utilities and the TOR Browser. Researchers believe this may be an attempt from the attackers to establish an alternative foothold, if a security team blocks its initial access point.

Notably, the remote utilities software is a free, commercially available tool. An individual simply needs to submit an email address through the company website to obtain a free license key for up to 10 machines at the same time.

After launching an attack, the actors then launched a series of PowerShell scripts that prepped the victims’ machines to accept the final ransomware payload, which was then delivered and deployed.

READ MORE: Secure Communication Used in 50% Malware Attacks to Evade Detection

The Epsilon Red deployment enabled the script to retrieve and accept the remaining malicious PowerShells, as well as the ransomware and executables, in addition to setting up Scheduled Tasks to run additional scripts.

About an hour after scheduling tasks to deploy the shells, the malware then executes commands able to modify the firewall rules meant to block inbound connections to all TCP ports, except remote desktop protocol (RDP) 3389/tcp and the communications port 5650/tcp.

To accomplish this, the malware first blocks inbound traffic to ports 80 and 443, then another full, random range of ports -- excluding RDP utilities ports.

The report showed in one attack, the malicious script executed commands that deleted Volume Shadow Copies from the victims’ computers.

“This is an important precursor to the attack, as these files could be used to recover some or all of the files encrypted by the attackers,” the report authors explained.

“A PowerShell script named c.ps1 appears to be a clone of an open source tool called Copy-VSS, part of a suite of penetration tester tools named Nishang,” they added. “The Copy-VSS script permits an attacker to copy the SAM file, which an attacker could use to retrieve and crack passwords saved on the computer.”

For Sophos, a primary concern is that the malware uses PowerShell script that uses basic obfuscation techniques, adding code in brackets and braces at random to break up the script code, then strips out the brackets.

The method doesn’t harm the ability to review the attack means, but could be used to evade detection from a range of antimalware tools that scan for files on the hard drive during deployment.

The malware also installs a file created from an open source tool called EventCleaner, designed to erase or manipulate the contents of event logs in Windows. The attackers use the tool to wipe away all evidence of their nefarious activities.

The Sophos report includes a range of indicators of compromise, as well as a breakdown of the large amount of PowerShells used in the attak, which can help with identifying successful exploits.