FiveHands ransomware has been spotted in the wild along with a remote access Trojan. Its actors used publicly available pen testing and exploitation tools to steal data.
Yesterday, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about a new ransomware variant, paired with a remote access trojan (RAT), that has been spotted in the wild. Its operators use publicly available pen testing and exploitation tools; their goal is data theft followed by encryption.
Dubbed FiveHands, the novel ransomware relies on the public-key encryption tool NTRUEncrypt.com, Windows Management Instrumentation (WMI), and other legitimate tools. To exfiltrate the victim’s data and encrypt files, the hackers used FiveHands in combination with the SombRAT Trojan.
To prevent administrators from recovering the data, the malware uses WMI for enumeration, deletes the Volume Shadow Copies, and encrypts the files found in the recovery folder. It then drops a ransom note in every folder and directory on the connected systems.
At least one organization has been successfully exploited by FiveHands.
In a report released yesterday, CISA details the threat actor’s tactics, techniques, and procedures (TTPs) as well as indicators of compromise.
The cybercriminals exploited a zero-day flaw in a virtual private network (VPN) product as the initial entry point. The attackers then used SoftPerfect Network Scanner (netscan.exe) for discovery, finding hostnames and network services. The SoftPerfect website says that the “SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices.”
“It also scans for remote services, registry, files and performance counters; offers flexible filtering and display options and exports NetScan results to a variety of formats from XML to JSON,” the researchers said. “The utility can also be used with Nmap for vulnerability scanning. The utility will generate a report of its findings called netscan.xml.”
Then the hackers used the legitimate remote administration tool PsExec to launch ServeManager.exe.
The hackers also relied on SombRAT, a RAT that uses batch and text files to execute and launch PowerShell scripts that can bypass the victim’s antivirus software.
“The [RAT’s] loader used hardcoded public RSA keys for command and control (C2) sessions,” CISA explained. “The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors.”
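The tooling chain described above (netscan.exe for discovery, PsExec launching ServeManager.exe, then shadow-copy deletion) lends itself to a simple process-creation detection. The following is an added example written for this article, not code from the CISA report; the log records are constructed, and the vssadmin/wmic command shapes are an assumption about how "deletes the Volume Shadow Copies" shows up in logs, since the report quoted here gives no exact command.

```python
import re

# Constructed sample of process-creation records, flattened to
# "parent_image -> image command_line". Not real logs from the CISA report.
SAMPLE_EVENTS = [
    "explorer.exe -> C:\\Tools\\netscan.exe /auto:C:\\Tools\\netscan.xml",
    "services.exe -> C:\\Windows\\PSEXESVC.exe",
    "PSEXESVC.exe -> C:\\Windows\\Temp\\ServeManager.exe",
    "ServeManager.exe -> C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "ServeManager.exe -> C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete",
    "explorer.exe -> C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt",
]

# Each rule: (name, pattern searched over the whole record).
# The shadow-copy rule assumes the deletion is done with vssadmin or
# wmic shadowcopy; the article names the behaviour, not the command.
RULES = [
    ("netscan_discovery",
     re.compile(r"\\netscan\.exe\b|\bnetscan\.xml\b", re.I)),
    ("psexec_launches_servemanager",
     re.compile(r"^PSEXESVC\.exe -> .*\\ServeManager\.exe", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin\.exe\s+delete\s+shadows|wmic\.exe\s+shadowcopy\s+delete", re.I)),
]


def match_events(events):
    """Return (rule_name, record) pairs for every record that triggers a rule."""
    hits = []
    for record in events:
        for name, pattern in RULES:
            if pattern.search(record):
                hits.append((name, record))
    return hits


def triage(events):
    """Count hits per rule and flag 'full_chain' when all three stages
    (discovery, PsExec-launched ServeManager, shadow-copy deletion) appear."""
    counts = {name: 0 for name, _ in RULES}
    for name, _ in match_events(events):
        counts[name] += 1
    return {"counts": counts, "full_chain": all(c > 0 for c in counts.values())}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A single hit on the shadow-copy rule is worth an alert on its own; the full chain is the higher-confidence signal that matches the sequence in the advisory.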
CISA shared the indicators of compromise for network administrators in a press release.