Security researchers have recently discovered a new fileless ransomware, dubbed “Sorebrect,” which injects malicious code into a legitimate system process (svchost.exe) on a targeted system and then self-destruct itself in order to evade detection.
Unlike traditional ransomware, Sorebrect has been designed to target enterprise’s servers and endpoint. The injected code then initiates the file encryption process on the local machine and connected network shares.
“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs,” Trend Micro says.
Sorebrect Also Encrypts Network Shares
Sorebrect also scans the local network for other connected computers with open shares and locks files available on them as well.
“If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted,” researchers say.
The nasty ransomware then deletes all event logs (using wevtutil.exe) and shadow copies (using vssadmin) on the infected machine that could provide forensic evidence such as files executed on the system and their timestamps, which makes this threat hard-to-detect.
SOREBRECT’s stealth can pose challenges
While file encryption is SOREBRECT’s endgame, stealth is its mainstay. The ransomware’s self-destruct routine makes SOREBRECT a fileless threat. The ransomware does this by injecting code to a legitimate system process (which executes the encryption routine) before terminating its main binary. SOREBRECT also takes pains to delete the affected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps (i.e. appcompat/shimcache and prefetch). These deletions also deter analysis and prevent SOREBRECT’s activities from being traced.
When we first saw SOREBRECT in the wild, we observed a low distribution base that was initially concentrated on Middle Eastern countries like Kuwait and Lebanon. By the start of May, however, our sensors detected SOREBRECT in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Affected industries include manufacturing, technology, and telecommunications. Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service.
Figure 1: SOREBRECT’s attack chain
SOREBRECT’s code injection makes it a fileless threat
SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. The misuse of PsExec to install SOREBRECT indicates that administrator credentials have already been compromised, or remote machines were exposed or brute-forced. SOREBRECT isn’t the first family to misuse PsExec—SAMSAM, Petya, and its derivative, PetrWrap (RANSOM_SAMSAM and RANSOM_PETYA, respectively), for instance, use PsExec to install the ransomware on compromised servers or endpoints.
Read more about SOREBRECT here