Kaseya IOC

Fortify Security Team
Jul 3, 2021

Indicators of Compromise

agent.crt encoded dropper
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe dropper
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Payloads
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:

aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
f6908ef76b666157a13534db47652a845d8f7d985fdf944f7e43a3afd3f3d8c2
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471

MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

import "pe"
import "math"

rule cw_REvil_Kaseya_BUKTBAI_stolenCert
{
	meta:
		desc = "Stolen digital certificate: BUKTAI"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
		hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO"
			or
			signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52"
			or
			signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6"
		)
}

rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
		hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
		hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD."
			or
			signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0"
			or
			signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366"
		)
}

rule cw_REvil_Kaseya_SAYLENT_stolenCert
{
	meta:
		desc = "Stolen digital certificate: PB03 TRANSPORT"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
	condition:
		uint16(0) == 0x5a4d
		and
		for any signer in pe.signatures:
		(
			signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent"
			or
			signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e"
			or
			signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436"
		)
}

rule cw_REvil_Kaseya_Dropper
{
	meta:
		desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload"
		author = "JAG-S @ SentinelLabs"
		last_modified = "07.02.2021"
		version = "1.0"
		hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
		hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
		hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
		hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
	strings:
		$drop_ransom = "mpsvc.dll" ascii wide fullword
		$drop_defender = "MsMpEng.exe" ascii wide fullword
		$drop_path = "C:\\Windows\\" wide fullword
	condition:
		uint16(0) == 0x5a4d
		and
		(
			2 of ($drop*) 
			and
			pe.number_of_resources == 2
			and
			for all rsrc in pe.resources:
				(
				math.entropy(rsrc.offset, rsrc.length) >= 6.7
				)
		)
}

Recent Posts

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

CVE-2021-1675 and CVE-2021-34527 – PrintNightmare

Fortify 24x7 is tracking various public weaponized exploits for a remote code execution vulnerability affecting the Windows Print Spooler service (spoolsv.exe): CVE-2021-1675 and an out of band patch for CVE-2021-34527, also known as PrintNightmare. The vulnerability...

CVE-2021-36934 – HiveNightmare

Summary The default configuration in Microsoft Windows 10 v1809 and newer includes an elevation of privilege vulnerability, because of overly permissive Access Control Lists (ACLs) in the Security Accounts Manager (SAM) database, as well as multiple other system...

Increase in PYSA Ransomware Targeting Education Institutions

FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on...

Microsoft IOC Detection Tool for Exchange Server vulnerabilities

Microsoft has released the EOMT.ps1 tool that can automate portions of both the detection and patching process and help your organization check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities. In...

Trickbot Hash List

f2874391df65d47da6e5b72c904fd8d91c85232382dad677bb074767e51ffd85 879e8fc3f83f3444f12ca1f98389a1f5ee8c90deb713e33b35456ade8261ee91 7b7c58829aa5ead726e159c20def670e430b67d4cb995df00bc619edcde246c8 d07a963a14b759050f21fe96335876ff2bddd7c4a301c6625a6dba55c634310b...

Sodinokibi Ransomware Hash List

Threat actors using the Sodinokibi ransomware made “at least” $123 million in 2020, stealing roughly 21.6 terabytes of data. Sodinokibi was the most-used ransomware observed by the researchers, accounting for 22% of all incidents in 2020....