Ransomware

Click, Clock... Analysis of Cloak ransomware TTPs

Le Blavec Erwan
Analyst - OWN-CERT
19/4/2024
Avec cet article, OWN fournit des éléments techniques et contextuels sur l’acteur du rançongiciel Cloak et dresse ainsi un état de la menace le concernant.OWN Security

KEY TAKEWAYS

At the end of our investigations, there are several key points to remember:

• Cloak is the successor of ARCrypter.

• Cloak made a name for itself with a major campaign in August 2023, when the ransomware first appeared.

• Cloak uses Neshta as a dropper/worm.

• Victim claims are made on a "random" basis (nothing between September and November, then 10 claims in December).

• Cloak uses the RGPD guilt leverage in the ransom note.

ABOUT CLOAK

The Cloak group, also known as "GoodDay", is a group of cybercriminals active since August 2023, mainly targeting running Microsoft Windows. Their aim is to infect the victim's system in order to plant ransomware and obtain payment from victims.

Although the group was one of the most active at the time of its discovery (24 claims for the month of August 2023), it publishes its victims' data on its blog randomly. The group's activity peaked in December (10 victims in the month). Between December 2023 and early February 2024, only three claims were made by the group.

Cloak uses a double extortion technique on several victims. In other words, the group exfiltrates the data from the victim's compromised machines before encrypting them and then posts them on an .onion website (screenshot below).

Screenshot from the Cloak blog.
Source: OWN-CERT

The names of organizations that have recently fallen victim to the ransomware are only partially revealed. The names of organizations that were affected longer ago and did not pay the ransom are released in full.

Cloak uses a special double ransom system:

• First case: the victim has recently been hit by the ransomware.
When an attempt is made to interact with the data using the "view more" button, a username and password are requested: the data cannot be viewed.

• Second case: the victim was hit by the ransomware a long time ago and did not pay the ransom.
The data can be viewed by anyone.

• Third case: the data has been sold.
The data shows "Sold" on the site and the "view more" button has disappeared (screenshot below). It is possible that the data has been sold to third parties via cybercriminal forums, or that the victim has paid the ransom.

Screenshot from the Cloak blog.
Source: OWN-CERT

One of the likely reasons why Cloak is not publishing the names of the websites of organizations that have recently been attacked, or their data, is to use the RGPD as additional leverage to encourage the victim to pay the ransom. The ransom note reads: "You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/".

By not revealing the content of the stolen data or the name of the organization, the latter may be more inclined to pay the ransom in order to protect its financial and reputational interests.

Screenshot of the ransom note.
Source: OWN-CERT


Warnings about the possible consequences for the victim if they do not pay the ransom are also included in the note[1].

One of the interesting tactics used by Cloak is the creation of a unique chat panel per victim. The victim goes to the URL indicated in the ransom note and can enter a login and password specific to the sample that infected their system.

COMMENT
This tactic is increasingly used by attacker groups when negotiating with victims. It enables the group to limit its exposure, essentially in terms of the payment portfolios potentially passed on to the victim.

A chat is then opened between the victim and the group Cloak [2]. The victim is greeted with a "Good Day!", which explains one of the group’s names.

Screenshot of the chat panel login.
Source: SentinelOne

Finally, the group states that if there is a problem with the chat system, it can be contacted by email via the address "MikLYmAklY555[@]cock[.]li". This address has already been used in other campaigns, such as Astralocker and Babuk, as a point of contact.

It is likely that this address is a centralized contact service used by some ransomware operators.

TACTICS, TECHNIQUES AND PROCEDURES

INITIAL ACCESS

Two initial access techniques have been observed for the Cloak ransomware.

• The first technique was identified in CyberInt's telemetry: the use of Initial Access Brokers.

Some of the Cloak group's victims have seen their access data put up for sale [3], particularly following campaigns by information thieves RedLine, Lumma and Aurora.

It is likely that once a successful connection has been made to a compromised account, the group will try to gain access to an administration account using a brute force attack.

• The second technique involves exploiting a vulnerability on a vulnerable endpoint device and then carrying out a brute-force attack targeting the administrator's RDP account.

Once Cloak has gained access to the administrator's account, the AnyDesk software is installed, enabling remote administration.

It is highly likely that the executable containing the malicious payload will be downloaded via this software.

Diagram summarizing the initial access phase.
Source : OWN-CERT

MALWARE ANALYSIS

The malware analysed tries to masquerade as the "WindowsUpdate.exe" executable so as not to arouse the suspicions of the victim's system administrators or security analysts.

Once executed, the malware drops two executables on the system:

• The ransomware payload.

• Neshta" malware developed in Delphi. This serves as an injector for the ransomware payload.

The payload is created in the path "C:\Users\Admin\AppData\Local\Temp\sample.exe" and the file infector in the path "C:\Windows\svchost.com".

NESHTA‍ ANALYSIS

The Neshta worm was discovered in the early 2000s.

OWN-CERT is highly confident that this malware is of Belarusian origin. It has the ability to propagate on one or more systems, thanks to its ability to replicate on removable media, and to inject itself into legitimate executables[4].

In this case, Neshta is copied in :

« %Temp%\3582-490\<filename> »

And it injects malicious code into all executables present in the ProgramFiles, Temp or Windows folders. Each time an executable is launched, the malicious code is immediately executed. Here, the malicious code injected is the ransomware code.

Neshta is then uploaded to the "C:Windows\svchost.com" path and a registry key is modified:

MODIFIED REGISTRY KEY

HKLM\SOFTWARE\Classes\exefile\shell\open\command - Valeur: %SystemRoot%\svchost.com "%1" %*

This modification allows Neshta to launch itself each time an executable is launched on the system.

Une fois les exécutables du système infectés et la clé de registre modifiée, Nestha écrit et exécute un fichier dans le chemin « C:\\Users\\Admin\\AppData\\Local\\Temp\\[0-9]{6}.exe ». Ce fichier est la charge utile du rançongiciel.

As indicated in the introduction to this section, Nestha's ability to infect allows it to replicate itself. In this case, for example, where the victim machine is connected to a shared drive, Neshta has the ability to corrupt the executables on that volume. Simply launching a binary infected by Neshta can cause the volume to be completely encrypted.

Once the ransomware has finished encrypting the files, the process has stopped and the batch file has self-deleted, Neshta in turn deletes the executable from the payload.

PAYLOAD EXECUTION

Once executed by the injector, the payload creates a registry key:
C:\Windows\system32\cmd.exe/c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate/t REG_EXPAND_SZ /d C:\Users\Admin\AppData\LocalTemp\sample.exe /f (Command launched by Cloak to modify the registry key. Source : OWN-CERT)

Once the command has been executed, a notification appears on the screen indicating that the system update is malfunctioning. This notification cannot be closed by clicking on the cross, and if the victim clicks on "close program" the sample.exe executable will launch again.

Malfunction notification.
Source: OWN-CERT

This registry key enables the payload to be launched when a user logs on and therefore to be persistent on the system if the machine is rebooted while the payload is running.

BATCH FILE ANALYSIS

Once payload persistence has been achieved, a batch file is placed on the system under the path "C:\ProgramData\Microsoft\Settings\sample.bat".

The contents of this file are as follows:
@ECHO OFF SET X=0 :BEGIN TASKLIST |>NUL FINDSTR /B /L /I /C:payload.exe || SET X=1 TASKLIST |>NUL FINDSTR /B /L /I /C:payload.exe || START /b "" cmd /c "C:\Users\Admin\AppData\LocalTemp\payload.exe" IF %X% EQU 0 (TIMEOUT /T 1 /NOBREAK>NUL) ELSE (START /b "" cmd /c DEL "%~f0"&EXIT /b) GOTO :BEGINUsers\Admin\AppData\Local\Temp\payload.exe /f (Command launched by Cloak to modify the registry key. Source : OWN-CERT)

This batch script ensures that the payload is running. If it is not, the payload is restarted, and the batch script deletes itself to avoid creating duplicates on the system.

PAYLOAD ANALYSIS

The payload then performs malicious actions on the system.

It copies itself to the path "C:\Users\2dW1h.exe" and executes itself in the background via WMIC.


Copy to C:\Users and run the process in the background.
Source: OWN-CERT

The various system volumes are enumerated using the "WNetOpenEnum" function.

Launch WNetEnum to retrieve available volumes.
Source: OWN-CERT

This command enables the ransomware to find out which volumes are available for encryption.

The list of processes on the system is retrieved using the GetCurrentProcess function. Processes present in a list defined  in the malware's character strings are stopped:

Function to find and stop processes.  
Source: OWN-CERT
List of stopped business processes.
Source: OWN-CERT

Stopping these processes removes the lock that those applications put on open files to allow them to be encrypted. This also allows the malware to gain resources to enable faster encryption.

The process stop function is also used to stop processes relating to system security or backups in order to avoid detection of the ransomware and make remediation more complex. In the sample analyzed, the security-related processes were all related to tool services published by Checkpoint.

List of security and backup stopped processes.
Source: OWN-CERT

Cloak also includes a "whitelist" process to avoid encrypting certain folders or critical files on the system. This list is described in the table below:

White list of files and folders to not encrypt.
Source: OWN-CERT

In order to complicate remediation in cases where the victim has not made backups, Cloakdeletes system restore points via "vssadmin".

Removal of the shadow copies.
Source: OWN-CERT

Cloak uses "FindFirstFile" and "FindNextFile" to browse the files to encrypt.

Iteration on system files.
Source: OWN-CERT

Other registry keys are added to the system to make remediation more complex:

Adding of the legal registry keys.
Source: OWN-CERT

These registry keys can be used to remove the "Logout" option from the server start menu, prevent the task manager from being used to stop the ransomware, log out or change user.

Finally, the files are probably encrypted using the Rijnadel (AES) algorithm. This hypothesis is supported by the identification, during the investigation, of a Rijnadel s-box present in the decompiled code of the ransomware.


S-box Rijnadel found in the sample.
Source: OWN-CERT

The software also has the ability to empty the Windows recycle bin to erase all traces of its passage, making it difficult to recover artefacts.

Fonction de vidage de la corbeille.
Source : OWN-CERT

SIMILARITIES WITH ARCRYPTER

When we analysed this sample, we were able to identify a few similarities with ARCrypter.

The first is the presence of strings that are also present in ARCrypter samples.


Strings similar to ARCrypter.
Source: OWN-CERT

These strings are used when encrypting files in order to import cryptographic libraries in C++.

A second similarity is the extension with which the files are encrypted. In the ARCrypter and Cloak malware, files are encrypted with the extension "crYptA", then "crYptB", ... until "crYptF".

A third similarity is that both malwares use the same command to ensure that remote volumes remain connected in the event of server shutdown.

Command used to prevent the remote volume disconnection.  
Source: OWN-CERT

Like ARCrypter, Cloak adds the registry keys "legalnoticecaption" and "legalnoticetext" so that the messages "ALL YOUR FILES HAS BEEN ENCRYPTED" and "For unlock your files follow the instructions from the readme_for_unlock.txt" are displayed when viewing files in Windows Explorer. This technique is also used by groups such as LokiLocker and Pysa.

Registry keys added.
Source : OWN-CERT

Finally, the ARCrypter and Cloak notes contain the same warnings[4] and direct the user to a single chat panel with the actor.

DATA EXFILTRATION

Once the encryption operations have been completed, Cloak uses WinRAR software to create a .rar archive containing the data to be exfiltrated.

COMMENT‍

It should be noted that Cloak exfiltrates already been encrypted, which is quite rare in the ransomware ecosystem. As a general rule, data is exfiltrated before it is encrypted by the ransomware.


CLOAK ATTRIBUTION

It is difficult to estimate the geographical origin of the group with any certainty, given that the compilation language of the sample is English and that the value of the locales compared in the binary could not be recovered.

However, we can look at the information contained in the Neshta malware. This code injector has two variants, "NeshtaA" and "NeshtaC", according to the Wikipedia page on Neshta (available in Ukrainian, Belarusian, Russian and Romanian) dating from 2013. Variant A contains a string that appears to be a message from the author.

STRINGS FROM THE NESHTA.A VARIANT (BIELORUSSE)

Delphi-the best. F**k off all the rest. Neshta 1.0 Made in Belarus. Прывiтанне усiм ~цiкавым~ беларус_кiм дзяучатам. Аляксандр Рыгоравiч, вам таксама :) Восень- кепская пара... Алiварыя - лепшае пiва! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

STRING FROM THE A VARIANT (TRANSLATION)

Delphi is the best language, to hell with the rest. Neshta 1.0 produced in Belarus. Greetings to all the interesting Belarusian girls and to Alexander Grigorievich. Autumn is a bad season. Alivaria is the best beer. Congratulations to Tommy Salo. [Nov-2005] all the best to you [Dziadulja Apanas].

There are several points to highlight in this message:

- An allusion to Alivaria, a Belarusian beer.

- Greetings to Aleksandr Grigorievich, most likely referring to Aleksandr Lukashenko

In the sample analysed by OWN-CERT, the message is drastically reduced:

STRINGS FOUND IN THE OWN-CERT ANALYZED SAMPLE (2023)  

Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.

:)

! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

We note that the original string mixes English and Belarusian and censors the "Fuck off". The second version replaced the paragraph written in Belarusian with a smiley face.

There are two possible hypotheses:

- The Cloak group removed the Belarusian channels to avoid geographic allocation.

- The Neshta software continues to be updated and is potentially sold on cybercriminal markets.

This second hypothesis seems more likely, as Neshta is also used by other ransomware groups such as Zeppelin [5].

The use of a Belarusian injector by the Cloak ransomware, the shutdown of both Western (Veam, Checkpoint, etc.) and even Chinese (zhudongfangyu) security services, and the broken English used when modifying the "legalnoticecaption" and "legalnoticetext" registry keys, all point to a medium level of confidence in the attribution to a Russian-speaking country or to Russian-speaking members.

VICTIMOLOGY

The data in the various graphs in the victimology section relate to publications of victims' names on the Cloak blog.

Organizations that have recently been victims of Cloak and whose data and names have not been published have been considered in the statistics.

Répartition sectorielle des victimes de Cloak.
Source : OWN-CERT

As shown in the graph above, although the sectors are diverse, we can see that companies producing services [6] are the most affected, ahead of the industrial and energy sectors. It should be noted that the group also targets the public sector (attacking the customs of a Caribbean country) or non-profit organizations.

Geographical distribution of Cloak victims. Source: OWN-CERT

The geographical distribution is relatively varied, although more than half of the group's victims are located in Western and developed countries (70%). The rest of the countries are more heterogeneous, with countries affected in Africa, Asia and the Caribbean.

Map showing the geographical distribution of Cloak victims.
Source : OWN-CERT

The group claimed a total of 37 victims between the end of August and the beginning of February, giving an average of around 7 victims per month.

CONCLUSION

The Cloak group has been active since August 2023. Following investigations into incidents involving this group and developed in this article it is likely that the group is a new brand of the ARCrypter variant as mentioned in the SentinelOne article "Good Day's Victim Portals and Their Ties to Cloak".

Its new campaign in August 2023, which affected more than thirty victims, indicates that the group is becoming more professional. The infection chain has been revised to include a file infector, the group's TTPs continue to evolve, and the group seems to want to implement greater operational security (updating the binary, introducing a captcha on their blog and creating a dedicated exchange channel for each victim).

After the massive campaign in August, the group published other victims on its blog throughout December, then two victims in January and finally one victim in February.

The similarities between Cloak and ARCrypter are very significant, whether at a technical level or in terms of using the same contact email address, the same ransom note, or the separation of the exchange channel for victims.

What's more, the Cloak group seems to have emerged just as ARCrypter is ceasing operations.

COMMENTS ON THE GROUP'S DEVELOPMENT

The Cloak group therefore seems to be one of the players to watch in the short term. The professionalization of its TTPs and the number of victims may suggest that the group want to increase its volume of attacks.

What's more, the group's blog posts are pretty inconsistent - it's hard to tell whether claims are posted all at once or whether the group has certain periods of high activity.

SOURCES

- blogs.blackberry.com, "Threat Spotlight: Neshta File Infector Endures." https://blogs.blackberry.com/en/2019/10/threat-spotlight-neshta-file-infector-endures (accessed Oct. 11, 2023).

- "Neshta," Wikipedia. Apr. 21, 2020. Accessed: Oct. 11, 2023. [Online]. Available: https://ro.wikipedia.org/w/index.php?title=Neshta&oldid=13379892

- A. Bleih, "Cloak Ransomware: Who's Behind the Cloak?," Cyberint, Aug. 29, 2023. https://cyberint.com/blog/other/cloak-ransomware-whos-behind-the-cloak/ (accessed Oct. 11, 2023).

- "ARCrypt Ransomware Leverages New Tactics To Target Victims," Jul. 07, 2023. https://thecyberexpress.com/arcrypt-ransomware-new-tactics-target-victims/ (accessed Oct. 11, 2023).

- "Previously unidentified ARCrypter ransomware expands worldwide," BleepingComputer. https://www.bleepingcomputer.com/news/security/previously-unidentified-arcrypter-ransomware-expands-worldwide/ (accessed Oct. 11, 2023).

- cybleinc, "ARCrypt Ransomware Evolves with Multiple TOR Communication Channels," Cyble, Jul. 06, 2023. https://cyble.com/blog/arcrypt-ransomware-evolves-with-multiple-tor-communication-channels/ (accessed Oct. 11, 2023).

- By, "Novel ARCrypter Ransomware Expanding Operations Worlwide," Binary Defense. https://www.binarydefense.com/resources/threat-watch/novel-arcrypter-ransomware-expanding-operations-worlwide/ (accessed Oct. 11, 2023).

- blogs.blackberry.com, "ARCrypter Ransomware Expands Its Operations From Latin America to the World." https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world (accessed Oct. 11, 2023).

- J. Walter, "Threat Actor Interplay | Good Day's Victim Portals and Their Ties to Cloak," SentinelOne, Aug. 30, 2023. https://www.sentinelone.com/blog/threat-actor-interplay-good-days-victim-portals-and-their-ties-to-cloak/ (accessed Oct. 11, 2023).

INDICATORS OF COMPROMISE

BLOG ONION

cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion

SHA256 HASHES

DOMAINS 

ATT&CK MATRIX

Footnotes

[1] Identity theft, risk of lawsuits...

[2] Presumably to negotiate the ransom and provide the means of payment.

[3] The data are: user name, password and application concerned.

[4] Legal action, RGPD fines, ...

[5] According to CISA's Yara rules on Zeppelin detection

[6] Lawfirms, technology firms, …

Partager l'article :

Your OWN cyber expert.