Some Kind of Monster: RaaS Hides Itself Using Traits From Other Malware
Ransomware is unique in the malware world, as it deliberately makes its presence known to the victim. But while the online extortionists behind these attacks need to announce their intentions in order to achieve their nefarious ends, that does not mean they wish to draw undue attention to themselves.
In fact, many of these actors would prefer to quietly cash in their bitcoin ransoms while remaining as anonymous as possible, and they are not above dropping a clue or two that might lead investigators — and authorities — astray. And so we see with this week’s feature focus, the ransomware-as-a-service (RaaS) known as Monster, and in our previous post on Monti, the ransomware authors involved seem to be including indicators of compromise (IoCs) in the malware’s makeup that point the finger at other threat groups, perhaps in order to slow attribution by research organizations and law enforcement.
At the time of writing, the example we are reporting on in this blog seems to have been abandoned by its makers. But this hiatus could be temporary, and the TTPs (tactics, techniques, and procedures) involved could be adopted and carried forward by copycats. So spreading awareness of this threat and how it operates can still bear fruit, giving security practitioners a chance to learn and prepare, before this attack method reappears and is used successfully.
Operating System
Risk & Impact
Technical Analysis
Monster is a new Delphi-based RaaS first seen in the wild in March 2022, including a case worked by our own BlackBerry Incident Response (IR) team. Posts advertising Monster’s capabilities, and an associated ransomware partnership program, were seen the following June, appearing on a Russian forum called Russian Anonymous Marketplace (RAMP).
In all samples examined by the BlackBerry Research & Intelligence team, Monster is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim’s machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
The ransomware works without any dependencies. It will create the following process upon execution:
C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\<[a-z]{8}>.exe
The new process then creates a mutex, “*** MONSTER ***,” to ensure that only one instance of the malware is running at a time.
Unlike other RaaS such as Buran, Monster does not create any Windows registry keys or seemingly establish any persistence. It does, however, use the aforementioned process to create three other files under the same directory, which in this case is C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\. The files are named as follows:
secure.sys
public.sys
private.sys
Monster Ransomware Avoids Certain Countries
As with many ransomware families that originate and/or are marketed in Eastern Europe, Monster avoids encrypting data on devices from specific countries. It retrieves a machine’s country code with the GetLocaleW function, to exclude the following 12 Commonwealth of Independent States (CIS) countries:
Armenia
Azerbaijan
Belarus
Georgia
Kazakhstan
Kyrgyzstan
Moldova
Russian Federation
Tajikistan
Turkmenistan
Ukraine
Uzbekistan
In addition to checking the victim’s machine country code, Monster also allows attackers to track their target’s IP addresses and location via the IP Logger web service. The malware will attempt to communicate with the IP Logger domain, with the User-Agent set to “Monster” and the referrer being the first 8 bytes from the “public.sys” file, “BB9C75A7” in this case, as shown in Figure 1 below.
As this service allows logging and analytics of people visiting the unique link, sending these strings to the receiving server is likely registering the campaign and victim with the author’s back-end infrastructure. This step does not check for internet connectivity, as the ransomware will still perform the encryption without any need for a connection.
Figure – 1 IPLogger connect for Victim registration
Monster Ransomware Targeted Services and Processes
After communicating with the IP Logger, Monster deletes items in the Recycle Bin. It does this because some programs use the Recycle Bin folder to store older versions or backups of files, which could be used by victims to retrieve their data — and so avoid paying the ransom. Monster deletes these files rather than encrypting the Recycle Bin, because it is a system folder, so encrypting could compromise system integrity.
Next, Monster invokes the command below:
C:\Windows\system32\cmd.exe /C CSCRIPT.EXE //E:JScript "C:\Users\<username>\AppData\Local\Temp\PRNALLRP.SYS"
The script contents are as follows:
for(p=new Enumerator(GetObject("winmgmts:\\\\.\\root\\default").ExecQuery("SELECT * FROM SystemRestore","WQL"));!p.atEnd();p.moveNext()){WScript.Echo(p.item().SequenceNumber)}
The script is used to create a connection, through the Windows Management Instrumentation (WMI) namespace, on a specified computer using a default object path. WMI provides high-level interaction with Windows objects via scripting languages, such as VBScript or C, and allows threat actors to abuse these services to enumerate resources, evade detection, or avoid virtual environments. Monster utilizes WMI to enumerate objects in the System Restore class in order to identify restore points for deletion.
Monster will then enumerate a list of services and processes, files and directories, and network shares. Threat operators stop a variety of different services and processes to ensure their activities run smoothly. They look for security and backup products, plus applications that maintain financial databases, to ensure that they aren't detected and can encrypt all valuable files on the system.
The list of services Monster targets is as follows:
AcrSch2Svc AcronisAgent |
CASAD2DWebSvc |
RTVscan |
memtas |
BackupExecAgentAccelerator |
DefWatch |
SavRoam |
mepocs |
BackupExecAgentBrowser |
GxBlr |
VSNAPVSS |
sophos |
BackupExecDiveciMediaService |
GxCIMgr |
VeeamDeploymentService |
sql |
BackupExecJobEngine |
GxCVD |
VeeamNFSSvc |
stc_raw_agent |
BackupExecManagementService |
GxFWD |
VeeamTransportSvc |
svc$ |
BackupExecRPCService |
GxVss |
YooBackup |
veeam |
BackupExecVSSProvider |
Intuit.QuickBooks.FCS |
YooIT |
vss |
CAARCUpdateSvc |
PDVFSService |
backup |
wscsvc |
|
QBCFMonitorService |
ccEvtMgr |
wuauserv |
|
QBFCService |
ccSetMgr |
zhudongfangyu |
|
QBIDPService |
|
|
Some of the unique processes threat actors target and stop are shown below:
- excel.exe
- firefox.exe
- notepad.exe
- onenote.exe
- outlook.exe
- powerpnt.exe
- steam.exe
- thebat.exe
- thunderbird.exe
- winword.exe
- wordpad.exe
To ensure that the ransomware performs as intended and does not break the target device, Monster will exclude the following file extensions and file names:
.bat|.cmd|.com|.cpl|.dll|.hta|.lnk|.log|.msc|.msp|.pif|.scr|.sys
autorun.inf|boot.ini|bootfont.bin|bootmgfw.efi|bootmgr|bootmgr.efi|bootsect.bak|deskto
p.ini|iconcache.db|ntdetect.com|ntldr|ntuser.dat|ntuser.dat.log|ntuser.ini|thumbs.db|dec
rypter.exe
|
Finally, it will also exclude the following folders to maintain the integrity of the underlying operating system:
- $Recycle.Bin
- Microsoft Visual Studio
- Microsoft.NET
- ProgramData
- System Volume Information
- Windows.old
- Windows
- Inetpub\logs
- \intel\
- \nvidia\
Monster will then drop a ransomware note into every directory it encrypts, as well as on the machine’s desktop, in either HTML or TXT format (as configured by the threat actor). The note is titled, “WE CAN RECOVER YOUR DATA.”
Each file will be encrypted with a randomly generated ID and extension (the default extension it uses is “.monster”). The contents of the ransom note and file extensions are subject to change, as the attacker can customize both aspects. Figure 2 shows an example of the text that can be used for the ransom note.
Figure 2 – Customizable ransom note
The ransomware encrypts files in blocks. It does so by using a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using an RSA implementation). An encrypted file gets appended with the following:
<complete contents of private.sys><complete contents of secure.sys><first 8 bytes from public.sys>MONSTER
This appended data is an implementation of server and client asymmetric encryption, plus symmetric encryption, to keep victims from decrypting files on their own.
In this scheme, a server public key is hardcoded, and the client keys are generated on the fly. The client private key will be encrypted using the servers’ public key, after which encryption will start using AES. After encryption concludes, the AES keys will be encrypted using the clients’ public key. Any decryption will need these AES keys, which now require the client private key, which will require the server private key. The server private key is kept by the adversary.
Monster also provides a user interface for the threat actor, which is visible by a “magic key” combination (Alt+Ctrl+Shift+M), or via a command line argument. The interface allows the operator to perform a variety of functions including the following:
- Mounting hidden partitions
- Freeing all busy files
- Stopping services and processes
- Emptying the Recycle Bin and restore points
- Self-deleting
- Enumerating resources
- Selective encryption
- Pause/stop/reset
Figures 3 and 4 show the user interface for Monster, including the function options that are available.
Figure 3 – Monster's basic user interface
Figure 4 – List of extra capabilities
After encryption has been completed, Monster will remove itself using the command below:
"C:\Windows\system32\cmd.exe" /c for /l %i in (1,1,1000) do (ping -n 2 localhost & del "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\hacpoytq.exe " & if not exist "C:\ProgramData\Installed Updates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\hacpoytq.exe " exit)
Monster as a RaaS
Monster was advertised with a RaaS licensing model on the RAMP forum (as shown in Figure 5), which has since been taken down. In this model, malware authors sell licenses and reap a percentage of the ransom as a fee.
Figure 5 – Monster advertisement on RAMP forum (source: https://twitter.com/S0ufi4n3/status/1542949894717161476)
RaaS models have become increasingly popular in recent years, as they enable a sort of “plug-and-play” attitude towards attacks, in that attackers can access it as a plug-in component, eliminating the need to create their own ransomware. The attacker is generally granted license access to a malware builder capability, and can use the author’s infrastructure in return for sharing a cut of any payments. (In the case of Monster, the author’s cut is 20%.)
Between the use of Initial Access Brokers (IABs), who’ve already infiltrated victim organizations, and RaaS offerings, the attacker’s job has become exceedingly easy. A malicious actor can simply choose a target, rather than spend time on intrusion, or building custom ransomware. On the downside, once defenders identify a particular threat and modify signatures and detection models to spot it, multiple subscribers’ ransom campaigns can be hindered or even curtailed in a single stroke.
Commonalities Cause Confusion
Numerous IoCs and TTPs are common between this builder and other ransomware instances. For example, one sample we found added the string “BURAN” to infected files, harking back to Vega/Zeppelin days. Like Vega, this ransomware is also configured to avoid “friendly fire” targeting of CIS countries by using calls to IPlogger.ru, with the referrer as the victim’s ID.
A number of these payloads generated by Monster recall preexisting campaigns, including HORSEMAGYAR and PIPIKAKI. These string IoCs, and even some of the ransomware’s behaviors, are easily changed and reused. As such, it is important for defenders to develop detections for higher-level TTPs such as behaviors, which are harder for adversaries to change.
Conclusion
Despite major takedowns of notable threat actors in the past year, such as Conti, ransomware remains the dominant threat in the cyber landscape today. The number of targeted ransomware attacks continues to trend upwards, fueled in part by the resurgence of malware, such as the return of the Emotet botnet, and new additions to the threat landscape.
While the Monster RaaS sales campaign has been taken down and activity seems to have ended at this time, it too could return in its current form, or as a new variant. Should that occur, its configurability and RaaS distribution model could combine once again to make it a potent threat.
Who is Affected?
Monster RaaS can be used to target a wide range of businesses and industries.
Monster checks the IP address of the infected host to exclude CIS countries (12 countries); the RaaS version is advertised on RAMP.
Mitigation Tips
MITRE ATT&CK
- T1083 – File and Directory Discovery
- T1057 – Process Discovery
- T1135 – Network Share Discovery
- T1486 – Data Encrypted for Impact
- T1047 – Windows Management Instrumentation
- T1490 – Inhibit System Recovery
- T1016 – System Network Configuration Discovery
- T1070.004 – Indicator Removal on Host: File Deletion
- T1036 – Masquerading
- T1055 – Process Injection
D3FEND
- Monitor accounts for unusual and unauthorized access that falls outside of the baseline (MITRE D3FEND techniques D3-AZET, D3-LAM).
- Audit and restrict low-level users’ access to resources and files (D3-UAP and D3-LFP).
Many RaaS threats leverage credentials obtained from access brokers. Some steps you can take to prevent credential-based attacks include the following:
- Frequently change passwords to network systems and accounts, and always avoid reusing passwords for different accounts.
- Frequently audit user accounts with high-level administrative privileges and configure access controls with least privilege in mind.
YARA Rule for Monster Ransomware
The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:
rule MonsterRaaS
{
meta:
description = "Detects Monster RaaS payloads"
author = "BlackBerry Threat Research Team"
date = "2022-09-01"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to
The BlackBerry Research & Intelligence Team"
strings:
$0 =
{D9420088EB4200B8D9420070EC4200B0D9420088EC4200A8D9420030EC4200A0D942003
8EC420098D9420038ED420090D9420034EC420088D942006CED420080D94200B4EC420078
D94200A0EC420070D9420074ED420068D9420058ED420060D9420044EC420058D942003C
ED420050D9420044ED420048D94200F4EB420040D94200D0EB420038D942009CEC420030
D94200E8EC420028D9420094EB420020D9420034ED420018}
$1 =
{2485633D4100BB3E4100C03D4100CC3D4100DE3D4100F03D4100023E4100143E4100143E
4100BB3E4100BB3E4100243E4100353E41003F3E4100BB3E41004D3E4100563E4100653E41
00743E4100833E4100913E4100A03E4100AE3E4100E9FB000000}
$2 =
{08C1E1188B742408C1EE080BCE33D9331C828B0C24331C8DE8DA4200895C8220FF04248B
4C8204334C8220894C82248B5C820833D9895C82288B7C820C33FB897C822C0FB64C822C8
B0C8D64DF4200894C24048BCFC1E9080FB6C98B0C8D64DF42008BDF}
$3 =
{FF24956DFB4000C1FB4000CDFB4000F5FB400010FC40002AFC40004BFC40006CFC400089F
C4000A6FC400076FD40008FFD4000BEFC400065FD400076FD40008FFD40008FFD4000D9FC
4000F4FC40000FFD40002AFD400048FD40}
condition:
uint16(0) == 0x5a4d and any of them
}
|
IoCs for Monster Ransomware
SHA256
99cb1513a0b129c85d10b008919e821584a2c17e17473c44e187a4e74b0af3ad
e1a3b9d2ef5542aeed963b0a0f231bfd358d169b46988c7810d9e13184cd2e0d
ef514a1192de894b489a74ff911f229f5767277b9a196849219f63b589ab9473
60597b4f50daaf773766c93babc213d51a3dd11ce29d86cdb3bf6b64d4882f49
79309a0bbff7a02e32a7fc520945d6ff4629632cdcce7fa472e006431aa1f07a
c633783df5d509e2355484357704a8ebb377b685915e2b2e8958d11c004a1a05
3ab9e296cdb7ad72d615a24385d796cf5a83a49aadca2903900bc6aee091601b
c814717e090af753c16d7c3c0cafc6e37190f5895df13aa3645f92ed0742e4d6
ef69981acf81355c16a4f2288b596b549234a85573308f2592f48ee897e52cc6
60c36040034a95c43dbd8de783c34207b59f02b03e2067b5e590c0aec23dfc9a
7c3a5a22a4d7f52dc97e05b36f05432acd0e5f6a8660fdc38ec6457314c60d81
0d1bb6cb4af4341355e0d50d37effbe84802fe3f99cb8b48c94d0fa4a7eab986
7b000720ffd32370560dcf92310f4f10d397bcc773e1eb08d28583c6e0817244
Bc67b94181dd4d613f3648c25c584aad5226cc1ec1999bd03d550c7f242eb7cb
0737DDBD894F37316EEE04C6739AC32F0C888535783A1AF8C873023BCEBBB8E8
URLS and IPs
iplogger[.]org
148[.]251[.]234[.]83
qtox[.]github[.]io
IMPHASH
55987a431e619a936b03bdae679cd0a5
RANSOM NOTE
We can recover your data.mht - SHA256:f447ca210f01966185a107226d91c9121952e567f02c2c60f700aec74503ed1c
WE CAN RECOVER YOUR DATA.txt
FILE EXTENSIONS
[<id>].dear_decript2022
[<id>].honest_decript2022
[<id>].monster
[<id>].@Thomasdecryption
[<id>].donkeyhot
[<id>].@PIPIKAKI
[<id>].@Ransomware_Decrypt
[<id>].fast_decript2022
[<id>].@HORSEMAGYAR - https://howtofix.guide/horsemagyar-virus/
[<id>].w3qupe
[<id>].sonickwall
[<id>].world2022decoding
EMAILS
xioxian@onionmail[.]org
dear_decript2022@jabbim[.]com
sonickwall@tutanota[.]com
FILE NAMES
C:\ProgramData\InstalledUpdates.{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}\<[a-z]{8}>.exe
|
BlackBerry Assistance
If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
About Alex Hegyi
Alex Hegyi is a Technical Lead for Threat Research at BlackBerry.
About The BlackBerry Research and Intelligence Team
The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.
Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.