From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection

By James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, and Shai Tilias

Overview

In a recent IR engagement, our team happened upon a rather interesting packer (aka crypter or obfuscator) that was ultimately utilized to construct and execute shellcode responsible for downloading a Cobalt Strike Beacon. The sample at the end of this chain is not necessarily sophisticated or particularly novel, but it does leverage an interesting obfuscation technique that we have dubbed “IPfuscation”.

In this post, we describe this novel technique as it is used across several variants of malware. Along with the IPfuscation technique, we have identified a number of markers which have allowed us to pivot into additional discoveries around the actor or group behind this campaign.

Technical Details

The samples in question are 64-bit Windows Portable Executables, each containing an obfuscated payload used to deliver an additional implant. The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode.

The general flow is:

1. Iterate through “IPs” (ASCII strings)
2. Translate “IPs” to binary to reveal shellcode
3. Execute shellcode either by:
   • Proxying execution via callback param passed to EnumUILanguagesA
   • Direct SYSCALLs

Using byte sequences, sequences of WinAPI calls, and some hardcoded metadata affiliated with the malware author, we were able to identify a handful of other variants of this loader (hashes provided below with the IOCs), one of which we have dubbed “UUIDfuscation” and was also recently reported on by Jason Reaves. A Golang Cobalt Strike loader was also discovered during the investigation, which had a hardcoded source code path similar to what we have already seen with the ‘IPfuscated’ samples, suggesting that the same author may be responsible for both.

Tools, COTS, LOLBINs and More

The TTPs uncovered during the incident align with previous reporting of the Hive Ransomware Affiliate Program, with the attackers having a preference for publicly available Penetration Testing frameworks and tooling (see TTPs table). Like many other ransomware groups, pre-deployment Powershell and BAT scripts are used to prepare the environment for distribution of the ransomware, while ADFind, SharpView, and BloodHound are used for Active Directory enumeration. Password spraying was performed with SharpHashSpray and SharpDomainSpray, while Rubeus was used to request TGTs. Cobalt Strike remains their implant of choice, and several different Cobalt Strike loaders were identified including: IPfuscated loader, Golang loader, and a vanilla Beacon DLL. Finally, GPOs and Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.

IPfuscated Cobalt Strike Loader

Our team discovered and analyzed a 64-bit PE (4fcc141c13a4a67e74b9f1372cfb8b722426513a) with a hardcoded PDB path matching the project structure of a Visual Studio project.

C:UsersAdministratorsourcereposConsoleApplication1x64ReleaseConsoleApplication1.pdb

This particular sample leverages the IPfuscation technique. Within the binary is what appears to be an array of IP addresses.

Each of these “IP addresses” is passed to RtlIpv4StringToAddressA and then written to heap memory.

What is interesting is that these “IP addresses” are not used for network communication, but instead represent an encoded payload. The binary representation of these IP-formatted strings produced by RtlIpv4StringToAddressA is actually a blob of shellcode.

For example, the first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. Together, they create the below sequence of bytes.

Disassembling these “binary representations” shows the start of shellcode generated by common pentesting frameworks.

Once the shellcode has finished being deobfuscated in this manner, the malware proxies invocation of the shellcode by passing its address to the EnumUILanguagesA WinAPI function. This is achieved by supplying the shellcode address as the UILanguageEnumProc, which is a callback routine to be executed.

The shellcode is the common Cobalt Strike stager to download and execute Beacon. Here is a look at the PEB traversal to find one of the modules lists, followed by the ROT13 hash being calculated for target WinAPIs to execute.

Hell’s Gate Variant

A handful of additional samples were found with a similar sequence of functions and static properties, including the same error message. The Hell’s Gate variant (d83df37d263fc9201aa4d98ace9ab57efbb90922) is different from the previous sample in that it uses Hell’s Gate (direct SYSCALLs) rather than EnumUILanguagesA to execute the deobfuscated shellcode. This sample’s PDB path is:

E:UsersPCsourcereposHellsGate+ipv4x64ReleaseHellsGate+ipv4.pdb

In this variant, the IP-formatted strings are procedurally placed in local variables, rather than being looped through as seen previously.

Once all the IP strings have been defined within the scope of this function, memory is allocated with NtAllocateVirtualMemory via a direct SYSCALL, and the deobfuscation loop commences.

Following the loop, a few SYSCALLs are made to pass control flow to the deobfuscated shellcode.

IPfuscation Variants

Among the discovered variants were three additional obfuscation methods using techniques very similar to IPfuscation. Rather than using IPv4 addresses, the following were also found being used to hide the payload:

• IPfuscation – IPv6 addresses
• UUIDfuscation – UUIDs & base64 encoded UUIDs
• MACfuscation – MAC addresses

Here we can see the original IPfuscated sample versus the UUID variant being translated via UuidFromStringA.

The UUID variant stores the obfuscated payload in the same manner as IPfuscated samples.

The MAC address variant translates the shellcode via RtlEthernetStringToAdressA and then uses a callback function, a parameter to EnumWindows, to pass control flow to the shellcode. Again, the MAC addresses forming the payload are stored the same as with previous variants.

The IPv6 variants operate almost identically to the original IPfuscated sample. The only difference is that IPv6-style address are used, and RtlIpv6StringToAddressA is called to translate the string to binary data.

Golang Cobalt Strike Loader

Among other samples discovered during the incident was a Golang-compiled EXE (3a743e2f63097aa15cec5132ad076b87a9133274) with a reference to a source code Golang file that follows the same syntax as one of the identified IPfuscated samples.

[0x0045d2c0]> iz~go~Users
4542 0x000d62e9 0x004d78e9 27   28   .rdata  ascii   
C:/Users/76383/tmp/JzkFF.go

GetProcAddress is called repeatedly, with 8 byte stack strings being used to form the WinAPI names to be located in memory.

The shellcode is stored as a cleartext hexadecimal string in the .rdata section.

This string is read into a buffer and translated into binary, somewhat similar to the IPfuscated flow.

Before translation into binary:

After translation into binary:

Control flow is then passed to the shellcode, which is yet another Cobalt Strike stager attempting to download Beacon.

Conclusion

Our incident response team is constantly intercepting early-use tactics, techniques and artifacts, with IPfuscation just the latest such technique deployed by malware authors. Such techniques prove that oftentimes a creative and ingenious approach can be just as effective as a highly sophisticated and advanced one, particularly when enterprise defense is based on security tools that rely on static signatures rather than on behavioral detection.

If you would like to learn how SentinelOne can help protect your organization regardless of the attack vector, contact us or request a free demo.

Indicators of Compromise

YARA Rules

import "pe"

rule IPfuscatedCobaltStrike
{
	meta:
		description = "IPfuscated Cobalt Strike shellcode" 
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
		reference = "https://s1.ai/ipfuscation"

	strings:
		/*
			This rule will detect IPfuscated Cobalt Strike shellcode
			in PEs.

			For example:
				IPfuscated       | binary representation | instruction
				++++++++++++++++++++++++++++++++++++++++++++++++++++++
				"252.72.131.228" | 0xE48348FC            | CLD ...
				"240.232.200.0"  | 0xC8E8F0              | CALL ... 
		*/
		$ipfuscated_payload_1 = "252.72.131.228"
		$ipfuscated_payload_2 = "240.232.200.0"
		$ipfuscated_payload_3 = "0.0.65.81"
		$ipfuscated_payload_4 = "65.80.82.81"
		$ipfuscated_payload_5 = "86.72.49.210"
		$ipfuscated_payload_6 = "101.72.139.82"
		$ipfuscated_payload_7 = "96.72.139.82"
		$ipfuscated_payload_8 = "24.72.139.82"
		$ipfuscated_payload_9 = "32.72.139.114"
		$ipfuscated_payload_10 = "80.72.15.183"
		$ipfuscated_payload_11 = "74.74.77.49"
		$ipfuscated_payload_12 = "201.72.49.192"
		$ipfuscated_payload_13 = "172.60.97.124"
		$ipfuscated_payload_14 = "2.44.32.65"
		$ipfuscated_payload_15 = "193.201.13.65"
		$ipfuscated_payload_16 = "1.193.226.237"
		$ipfuscated_payload_17 = "82.65.81.72"
		$ipfuscated_payload_18 = "139.82.32.139"
		$ipfuscated_payload_19 = "66.60.72.1"
		$ipfuscated_payload_20 = "208.102.129.120"

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		5 of ($ipfuscated_payload_*)
}

rule IPfuscationEnumUILanguages
{
	meta:
		description = "IPfuscation with execution via EnumUILanguagesA"
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
		reference = "https://s1.ai/ipfuscation"

	strings:
		// hardcoded error string in IPfuscated samples
		$err_msg = "ERROR!"

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		$err_msg and
		// IPfuscation deobfuscation
		pe.imports("ntdll.dll", "RtlIpv4StringToAddressA") and
		// shellcode execution
		pe.imports ("kernel32.dll", "EnumUILanguagesA")
}

rule IPfuscationHellsGate
{
	meta:
		description = "IPfuscation with execution via Hell's Gate"
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "d83df37d263fc9201aa4d98ace9ab57efbb90922"
		reference = "https://s1.ai/ipfuscation"

	strings:
		$err_msg = "ERROR!"

		/*
			Hell's Gate / direct SYSCALLs for calling system routines

			4C 8B D1               mov     r10, rcx
			8B 05 36 2F 00 00      mov     eax, cs:dword_140005000
			0F 05                  syscall             
			C3                     retn
		*/
		$syscall = { 4C 8B D1 8B 05 ?? ?? 00 00 0F 05 C3 }

		/*
			SYSCALL codes are stored in global variable

			C7 05 46 2F 00 00 00 00 00 00      mov     cs:dword_140005000, 0
			89 0D 40 2F 00 00                  mov     cs:dword_140005000, ecx
			C3                                 retn
		*/
		$set_syscall_code = {C7 05 ?? ?? 00 00 00 00 00 00 89 0D ?? ?? 00 00 C3}

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		all of them and
		// IPfuscation deobfuscation
		pe.imports("ntdll.dll", "RtlIpv4StringToAddressA")
}

rule IPfuscatedVariants
{
    meta:
    	author = "@Tera0017/@SentinelOne"
    	description = "*fuscation variants"
    	date = "2022-3-28"
	hash = "2ded066d20c6d64bdaf4919d42a9ac27a8e6f174"
	reference = "https://s1.ai/ipfuscation"

    strings:
    	// x64 Heap Create/Alloc shellcode
     	$code1 = {33 D2 48 8B [2-3] FF 15 [4] 3D 0D 00 00 C0}
     	// x64 RtlIpv4StringToAddressA to shellcode
     	$code2 = {B9 00 00 04 00 FF [9] 41 B8 00 00 10 00}
    
    condition:
     	any of them
}

MITRE ATT&CK – Hive Ransomware Gang