Hackers use these new malware loaders to install ransomware on affected networks

A report from specialists at security firm FireEye details the detection of multiple ransomware distribution campaigns in which operators abuse the new KEGTAP, SINGLEMALT and WINEKEY loaders. In some of the reported cases, the infection chain was completed within 24 hours after the attack began.

The ransomware variants detected so far share few similarities; however, experts concluded that they are all part of the same campaign after finding that these variants communicate with the same command and control server. The variants primarily target hospitals and health centers, a particularly worrying trend in the context of the pandemic.

To distribute the malware, the threat actors sent emails to employees of the targeted companies. These messages contained a link to a Google Docs document, plus a link to the payload of the ransomware in question.


Clicking the links downloaded malware binaries whose file names were disguised as legitimate documents. After launching the loader and backdoor on the target system, the threat actors downloaded POWERTRICK and Cobalt Strike beacons, in addition to using other backdoor variants such as ANCHOR, associated with the TrickBot ransomware.
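The lure described above relies on executables named to look like documents. The following triage helper is an added example for defenders, not code from FireEye or from the report; the sample file names and header bytes are constructed, and it flags a download when a document-style name or double extension does not match the file's magic bytes.

```python
# Constructed samples: (file name, first bytes of the download), as a
# proxy or EDR file-write event might record them.
SAMPLES = [
    ("Invoice_Oct2020.pdf", b"%PDF-1.7\n"),             # genuine PDF
    ("Termination_Notice.doc.exe", b"MZ\x90\x00\x03"),  # double extension
    ("Payroll_Report.docx", b"MZ\x90\x00\x03\x00"),     # PE with a document name
    ("Contract.xlsx", b"PK\x03\x04\x14\x00"),           # genuine OOXML (zip)
]

DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}

# Magic byte prefixes for the container types that matter here.
MAGIC = {
    b"MZ": "pe",            # Windows executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # OOXML documents are zip containers
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office (CFB) container
}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return "unknown"


def assess(filename: str, head: bytes) -> list:
    """Return the reasons a download looks like an executable posing as a document."""
    exts = filename.lower().split(".")[1:]
    kind = sniff(head)
    reasons = []
    # Name such as Notice.doc.exe: document extension hidden before an executable one.
    if len(exts) >= 2 and exts[-1] in EXEC_EXTENSIONS and exts[-2] in DOC_EXTENSIONS:
        reasons.append("double_extension")
    # Name claims a document, but the content starts with a PE header.
    if exts and exts[-1] in DOC_EXTENSIONS and kind == "pe":
        reasons.append("pe_with_document_extension")
    return reasons


def triage(samples) -> dict:
    """Map each sample file name to its list of suspicion reasons."""
    return {name: assess(name, head) for name, head in samples}
```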

In other attacks, the malware binaries were hosted on compromised infrastructure, but the attackers soon switched to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile and JetBrains.

In at least one case, the cybercriminals maintained access to the victim's environment using stolen credentials for a VPN infrastructure that lacked multi-factor authentication, which allowed them to carry out a variety of malicious actions, such as running PowerShell commands via Cobalt Strike beacons.

Finally, experts also reported KEGTAP-related attacks that ended in Ryuk, Conti and Maze ransomware infections, all linked to the ANCHOR backdoor.