Elpaco, a variant of the Mimic ransomware, has been identified in an incident in which the attackers connected to the victim's server over RDP after a successful brute-force attack and then executed the ransomware.
The variant abuses the Everything library for file discovery and ships with a graphical user interface (GUI) that lets the operator customize the malware's behaviour.
It also bundles tools for executing system commands and disabling security controls.
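The initial-access step described above, a brute-force attack followed by an RDP logon, is visible in Windows Security event logs as a burst of failed logons (EventID 4625) from one source address followed by a successful logon (EventID 4624) with logon type 10 (RemoteInteractive, i.e. RDP). The following Python is an added detection example, not code from the original article or from Kaspersky; the event records, the failure threshold of 20 and the ten-minute window are constructed assumptions for illustration.

```python
"""Detect an RDP brute-force attempt followed by a successful interactive logon.

The event records below are constructed for this example (not real telemetry)
and mimic the fields of Windows Security EventID 4625 (failed logon) and
4624 (successful logon).  Logon type 10 is RemoteInteractive, i.e. RDP.
The threshold and time window are assumptions, not values from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = 4625
SUCCESS = 4624
RDP_LOGON_TYPE = 10


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_bruteforce_then_success(events, threshold=20, window=timedelta(minutes=10)):
    """Return (source_ip, account, success_time, failure_count) for every RDP
    success that was preceded by at least `threshold` failed logons from the
    same source address within `window`."""
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    hits = []
    for e in events:
        ts = parse_ts(e["time"])
        ip = e["ip"]
        if e["event_id"] == FAILED:
            failures[ip].append(ts)
        elif e["event_id"] == SUCCESS and e["logon_type"] == RDP_LOGON_TYPE:
            recent = [t for t in failures[ip] if ts - window <= t <= ts]
            if len(recent) >= threshold:
                hits.append((ip, e["account"], e["time"], len(recent)))
    return hits


# Constructed sample: 25 failed logons from one address over ~5 minutes,
# then a type-10 success from that address; a second, unrelated RDP
# success from another address has no preceding failures.
SAMPLE = [
    {"time": f"2024-11-20 02:{i // 60:02d}:{i % 60:02d}", "event_id": FAILED,
     "ip": "203.0.113.7", "account": "administrator", "logon_type": 10}
    for i in range(0, 300, 12)  # 25 failures, 12 seconds apart
] + [
    {"time": "2024-11-20 02:06:00", "event_id": SUCCESS,
     "ip": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"time": "2024-11-20 02:07:00", "event_id": SUCCESS,
     "ip": "198.51.100.4", "account": "backup", "logon_type": 10},  # benign
]

if __name__ == "__main__":
    for ip, acct, when, n in find_bruteforce_then_success(SAMPLE):
        print(f"ALERT: {n} failed logons from {ip}, then RDP success as {acct} at {when}")
```

In production the same logic would run over a SIEM query on the raw 4625/4624 events; the key fields to key on are the source network address, the logon type, and the time between the failure burst and the success.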
The Attackers’ Tactics, Techniques, And Procedures (TTPs)
Analysis showed the sample abuses Everything, a legitimate filename search engine for Windows that indexes the file system to provide fast searches and real-time updates.
As with the Mimic ransomware that Trend Micro had documented earlier, the sample bundles its malicious payloads in a password-protected archive named Everything64.dll, alongside the legitimate Everything components Everything32.dll and Everything.exe.
The remaining file in the package is a legitimate 7-Zip utility, used to extract the contents of the malicious archive.
On execution, the malware unpacks the archive and drops the required files into a new directory under %AppData%\Local whose name is a randomly generated UUID.
According to Kaspersky, Mimic uses the Everything APIs to locate specific files, encrypts the user's data, demands a ransom payment, and uses features such as multi-threaded encryption to speed up the attack.
Additionally, Mimic evades detection by obfuscating its code, making it more difficult for security tools to identify and terminate the attack.
The archive contents are the components the malware needs to encrypt files and perform other actions on the operating system.
DC.exe, for instance, is the Defender Control tool, which enables and disables Windows Defender; the sample launches it as soon as it is unpacked.
The most interesting artifact is the malware's main console, svhostss.exe. Note that the name closely resembles that of the legitimate Windows process svchost.exe.
Threat actors frequently use this naming pattern so that the process is overlooked by less experienced analysts during memory or process-list analysis.
The same directory also holds a GUI, gui40.exe. It drives the console and makes it easier to adjust the ransomware's settings, such as the ransom note or the permitted directories and files, and to act on the target machine.
“In the GUI, the operator can select entire drives for encryption, perform a process injection to hide malicious processes, customize the ransom note, change the encryption extension, set the order of encryption based on the original file format, and exclude specific directories, files or formats from encryption”, the researchers said.
It is also possible to execute system commands and kill specific processes that the operator specifies, making this threat extremely customizable.
Both Elpaco and the other Mimic variants enumerate the victim's files using the SetSearchW function exported by the legitimate Everything DLL (Everything_SetSearchW in the Everything SDK's naming).
The final stage of execution uses the del command to remove all executables, configuration files, DLLs, batch files and database-related items from the ransomware's working directory.
Notably, the sample wipes the svhostss.exe file securely, so it cannot be recovered.
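The host artifacts described in the analysis above (the working directory under %AppData%\Local named with a random UUID, the svchost.exe lookalike svhostss.exe, Defender Control as DC.exe, gui40.exe and the bundled Everything components, and the final del cleanup of the working directory) can be turned into simple process-creation hunting rules. The following Python is an added example, not code from the original article or from Kaspersky; the Sysmon-style event records (Image, CommandLine), the example UUID and user name, and the lookalike-name heuristic are constructed assumptions.

```python
"""Hunt for Elpaco/Mimic host artifacts in process-creation telemetry.

Added example.  The events below are constructed Sysmon-style records
(Image, CommandLine), not telemetry from the incident; the UUID, user name
and rule names are illustrative assumptions.
"""
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Working directory: %AppData%\Local\<random UUID>\
UUID_WORKDIR = re.compile(r"\\AppData\\Local\\" + UUID + r"\\", re.IGNORECASE)
# Heuristic (assumption) for svchost.exe lookalikes such as svhostss.exe:
# "sv", optional letters, "host", optional letters, ".exe".
SVCHOST_LOOKALIKE = re.compile(r"^sv[a-z]*host[a-z]*\.exe$", re.IGNORECASE)
# The only legitimate on-disk locations of svchost.exe.
SVCHOST_PATHS = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")
# File names from the Elpaco/Mimic package.  Everything.exe is legitimate
# software on its own, so the list is only matched inside the UUID directory.
PACKAGE_FILES = {"svhostss.exe", "dc.exe", "gui40.exe", "everything.exe",
                 "everything32.dll", "everything64.dll"}
# Final-stage cleanup: a `del` whose targets live in the UUID directory.
CLEANUP = re.compile(r"\bdel\b.*\\AppData\\Local\\" + UUID + r"\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names a single process-creation event triggers."""
    image, cmd = ev["Image"], ev.get("CommandLine", "")
    name = basename(image)
    hits = []
    if name == "svchost.exe" and image.lower() not in SVCHOST_PATHS:
        hits.append("svchost_unexpected_path")
    elif name != "svchost.exe" and SVCHOST_LOOKALIKE.match(name):
        hits.append("svchost_lookalike_name")
    if name in PACKAGE_FILES and UUID_WORKDIR.search(image):
        hits.append("mimic_package_file_in_uuid_dir")
    if name == "dc.exe":  # Defender Control; confirm with a file hash in practice
        hits.append("defender_control_executed")
    if name == "cmd.exe" and CLEANUP.search(cmd):
        hits.append("uuid_dir_cleanup_via_del")
    return hits


def scan(events):
    """Flatten findings over a list of events as (rule, image_path) pairs."""
    return [(rule, ev["Image"]) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry: one benign svchost, the unpacked package
# running from the UUID directory, the final del, and a benign Everything install.
WORKDIR = r"C:\Users\victim\AppData\Local\3f1c2a9e-7b4d-4c1e-9a0f-1d2e3f4a5b6c"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": WORKDIR + r"\svhostss.exe", "CommandLine": "svhostss.exe"},
    {"Image": WORKDIR + r"\DC.exe", "CommandLine": "DC.exe"},
    {"Image": WORKDIR + r"\gui40.exe", "CommandLine": "gui40.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c del /f /q "' + WORKDIR + r'\*.exe" "' + WORKDIR + r'\*.dll"'},
    {"Image": r"C:\Program Files\Everything\Everything.exe", "CommandLine": "Everything.exe"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32s} {image}")
```

The same name list and directory pattern can be applied to file-creation events, which is where the DLL entries and the 7-Zip drop would show up; the process rules above are deliberately narrow so that a standalone Everything install or a legitimate svchost.exe produce no findings.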
Elpaco samples and other Mimic variants are mainly targeted at the United States, Russia, the Netherlands, Germany, and France.
According to the researchers, the encryption scheme makes it impossible to decrypt files on an infected machine without the private key, which makes this threat difficult to deal with. Elpaco also removes its own components after encryption to hinder detection and analysis.
Large-scale attacks using Elpaco and other Mimic samples have been reported recently, affecting numerous countries worldwide.