Kaseya IOC

Fortify Security Team
Jul 3, 2021

Indicators of Compromise

agent.crt encoded dropper
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe dropper
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Payloads
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:

aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
f6908ef76b666157a13534db47652a845d8f7d985fdf944f7e43a3afd3f3d8c2
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471

MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

import "pe"
import "math"

rule cw_REvil_Kaseya_BUKTBAI_stolenCert
{
	meta:
		desc = "Stolen digital certificate: BUKTAI"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
		hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO"
			or
			signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52"
			or
			signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6"
		)
}

rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
		hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
		hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD."
			or
			signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0"
			or
			signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366"
		)
}

rule cw_REvil_Kaseya_SAYLENT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent"
			or
			signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e"
			or
			signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436"
		)
}

rule cw_REvil_Kaseya_Dropper
{
	meta:
		desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
		hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
	strings:
		$drop_ransom = "mpsvc.dll" ascii wide fullword
		$drop_defender = "MsMpEng.exe" ascii wide fullword
		$drop_path = "C:\\Windows\\" wide fullword
	condition:
		uint16(0) == 0x5a4d
		and
		(
			2 of ($drop*) 
			and
			pe.number_of_resources == 2
			and
			for all rsrc in pe.resources:
				(
				math.entropy(rsrc.offset, rsrc.length) >= 6.7
				)
		)
}

Recent Posts

Maui Ransomware – Technical Details

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at Healthcare and Public Health (HPH) Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for...

MedusaLocker Ransomware Technical Details

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every...

Karakurt Data Extortion Group

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide...

CVE-2022-30190 aka Follina

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

Ragnarlocker Ransomware IOCs

RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data....

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...