Researchers have recently noted the emergence of a new ransomware operator calling itself ‘Mindware’. The gang is thought to be responsible for a number of attacks beginning around March to April 2022, with suggestions that the malware was used to attack a not-for-profit mental health provider. Aside from targeting organizations in the Healthcare sector,  Mindware has posted data on its leaks site belonging to organizations in sectors such as Finance, Engineering and Manufacturing. Mindware has a number of overlaps with an earlier ransomware strain known as SFile (aka SFile2, Escal). In this post, we review how Mindware differs from other ransomware families, note its similarities to SFile, and provide technical indicators to aid threat hunters and detection teams.

Overview

According to one source, the Mindware gang first became active in March 2022. By April, the group was practicing double extortion and operating its own leaks site. Mindware received further attention in April when it was noted by a different researcher to have attacked a mental health provider.

Mindware samples use a distinctive Reflective DLL injection technique. This, along with other indicators described below, show strong overlaps with SFile ransomware samples. Although we do not yet have specifics as to how Mindware attacks are initiated, SFile is known to use RDP bruteforce as an entry vector into an organization.

Each Mindware payload is configured for a specific target. Upon infection and successful execution, the payload drops a hardcoded ransomware note containing a combination of instructions and threats.

In common with a move made by other ransomware groups recently, Mindware attempts to discourage victims from contacting ‘recovery companies’, negotiators or authorities, threatening to immediately leak data should they do so. Victims are provided with a .onion URL as a means to make contact with the attackers and to decrypt two “random files” as proof that the operators possess a decryption key. Victims that refuse to pay are listed on the Mindware ransomware public leaks site.

Mindware Technical Analysis

As noted above, Mindware uses Reflective DLL Injection, a technique in which the shellcode dynamically retrieves handles to key API functions like LoadLibraryA() and GetProcAddress() by locating function addresses through the Export Address Table loaded by the host process.

This allows the shellcode to be position-independent by building its own import table and parsing through when executed in memory. This means a PE file could be loaded in the form of shellcode or a DLL entirely from memory.

The technique, which has also been noted in other ransomware families such as BlackMatter, avoids searching for module names directly and instead checks for hashes precalculated with a ROT13 algorithm.

Mindware and SFile samples require kernel32.dll and ntdll.dll. The APIs are searched for using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Address Table) and enumerating all function names.

As  noted, the same technique is characteristic of SFile ransomware samples, first seen in 2020 and active through 2021. Interestingly, SFile attacks seem to have been on hiatus over the last 9 months or so, and the emergence of Mindware samples with strong overlaps is indicative, as other researchers have noted, of a possible rebrand.

Both SFile and Mindware ransomware payloads accept the following parameters:

    --enable-shares -> encrypt network shares
    --kill-susp -> Triggers process termination

The ransomware checks for and then encrypts internal, removable and remote drive types.

Over 200 file types are targeted for encryption, denoted by a hardcoded list of file extensions. However, the following files are specifically excluded from encryption:

• autorun.inf
• desktop.ini
• ntuser.ini
• boot.ini
• iconcache.db
• thumbs.db
• bootfont.bin
• ntuser.dat
• bootmgr
• bootsect.bak
• ntuser.dat.log
• message_to_<>.txt
• ! cynet ransom protection(don’t delete)

Similarly, files in the following locations are also excluded from encryption:

In order to protect itself and prevent other running processes from interfering with the encryption process, Mindware kills all other processes, with the exception of the following:

SFile and Mindware samples are PEs typically around 250-300KB in size.

SFile and Mindware Ransomware Targeting

Analysis of the SFile payloads shows that SFile ransomware was mostly used against U.S organizations in Manufacturing, Mechanical, and Automobile sectors.

Mindware samples also show a strong preference for businesses in similar industries.

How To Protect Against Mindware and SFile Ransomware

The SentinelOne Singularity platform detects and prevents execution of Mindware and SFile ransomware strains.

For organizations not currently protected by SentinelOne, please see the list of Indicators of Compromise at the end of this post and the technical indicators described above.

Conclusion

Indications suggest Mindware is likely a rebrand of SFile, or at least that the same source code or builder for SFile is available to Mindware operators. While neither strain has achieved the notoriety of some of the more well-known ransomware strains that have been circulating recently, it may be that flying under the radar and hitting selective targets without attracting too much public attention is exactly what the gang are aiming for.

We hope that the information in this post serves to enable security teams to ensure that they have adequate resources to detect and prevent this threat. The SentinelOne Singularity platform detects and protects against SFile, Mindware and all other known ransomware threats. For more information about ransomware protection, see here. To learn more about how SentinelOne can help protect your organization from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Mindware Onion Address

https[:]//dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd[.]onion/

Mindware Samples, SHA1
ae974e5c37936ac8f25cfea0225850be61666874
e9b52a4934b4a7194bcbbe27ddc5b723113f11fe
9bc1972a75bb88501d92901efc9970824e6ee3f5
f91d3c1c2b85727bd4d1b249cd93a30897c44caa
46ca0c5ad4911d125a245adb059dc0103f93019d

Mindware Samples, SHA256
c306254b44d825e008babbafbe7b07e20de638045f1089f2405bf24e7ce9c0dc
00309d22ab53011bd74f4b20e144aa00bf8bb243799a2b48f9f515971c3c5a92
32c818f61944d9f44605c17ca8ba3ff4bd3b2799ed31222975b3c812f9d1126c
81828762ebe7ea99b672c8ac07dc3c311487a5a246db494c7643915f6c673562
d1a0a2dc26603b2e764ee9ab90f3f55a2f11a43e402dd72f4a32a19b0ac414b5

MITRE ATT&CK
TA0005 – Defense Evasion
T1485 – Data Destruction
T1486 – Data Encrypted for Impact
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
T1112 – Modify Registry
TA0010 – Exfiltration
T1018 – Remote System Discovery
T1082 – System Information Discovery

The Good

The European Union Agency for Law Enforcement Cooperation (Europol) has successfully shut down one of the fastest-spreading mobile malware strains in today’s cyber landscape.

According to a statement from Europol, the European Cybercrime Centre (EC3) coordinated with 11 law enforcement agencies around the world to respond to a global campaign involving FluBot, an Android-based malware that was first sighted in December 2020.

Takedown of SMS-based FluBot spyware

International law enforcement operation involving 11 countries
Fastest-spreading mobile malware to date
The Android malware has now been rendered inactive

More https://t.co/YcMC5XRS6o pic.twitter.com/ksPuSHk6aW

— Europol (@Europol) June 1, 2022

The FluBot malware spreads through SMS, masquerading as package tracking or voicemail notifications. When an Android user clicks the link in these text messages, they’re prompted to install FluBot, which is disguised as another application.

Once installed, the FluBot app will ask for accessibility permissions, which are used to disable a phone’s security and exfiltrate credentials for the user’s banking accounts and cryptocurrency wallets. The malware then spreads even further by accessing an infected device’s contact list and sending malicious messages to each entry.

After its initial sighting in 2020, FluBot quickly spread through a large number of devices in Spain and Finland. As the malware spread through Europe and Australia, Europol brought in law enforcement agencies from multiple impacted nations (Australia, Belgium, Finland, Hungary, Ireland, the Netherlands, Spain, Sweden, Switzerland, and the United States) to create a joint strategy and offer digital forensic support.

Earlier in May, the Dutch police completed the final takedown and took control of FluBot’s infrastructure, making the malware strain inactive.

Although Europol is still looking for the threat actors behind the campaign, operations like these show that an international infrastructure to proactively respond to malware is still coming together. Concerned users can follow Europol’s guidance on identifying and resetting phones infected with FluBot here.

The Bad

This week, cyber criminals wiped hundreds of unsecured Elasticsearch databases and sent ransom notes to admins demanding 0.012 Bitcoin in exchange for their data.

According to a report, the threat actors responsible have already wiped over 450 indexes, and analysts have identified over 1,200 Elasticsearch databases containing the ransom note.

The attackers use an automated script to handle most of the work, including parsing vulnerable databases, deleting the indexes and dropping a ransom note.

In the ransom note, the attackers demand approximately $620 worth of Bitcoin within seven days. If the initial deadline isn’t met, victims have an additional week to submit a payment before the attackers permanently delete their data.

Although the individual ransoms are only around $620, all 450 ransom payments totals up to almost $280,000. However, at the time of publication, the Bitcoin wallets in the ransom note appear to be empty.

Analysts believe that even if victims paid the ransom, it’s unlikely they would be able to recover their databases. Although an attacker could have exfiltrated the data, researchers pointed out that storing this data would be “prohibitively expensive.”

To mitigate the risk of falling victim to one of these attacks, security experts emphasize that like other cloud resources, Elasticsearch databases should not be Internet-facing unless it’s necessary for day-to-day operations. Enforcing multi-factor authentication (MFA) and adopting strong cloud security measures are also essential.

While these attacks aren’t unique, such widespread campaigns also provide an alarming reminder that organizations should review their cloud security policies to ensure they’re properly protected.

The Ugly

Security researchers have identified and are working to quickly respond to a critical zero-day vulnerability in Microsoft Windows’ Support Diagnostic Tool (ms-msdt), tracked as CVE-2022-30190 and dubbed “Follina”.

Follina allows threat actors to execute arbitrary code on a vulnerable machine by calling the tool’s ms-msdt protocol, and impacts all Windows versions currently supported by Microsoft.

While the most commonly observed approaches abuse Microsoft .doc and .rtf files to call the ms-msdt protocol and execute malicious code, other execution methods such as using WGET are continuing to emerge as the zero-day gains traction.

In recent weeks, researchers identified the first public sample of a malicious Word document designed to abuse this vulnerability, and observed both a Belarus-based threat actor exploiting the flaw through Word’s ability to load HTML to execute PowerShell code, and a Chinese APT using a C2 domain (tibet-gov.web[.]app) to execute their code.

Follina has the potential to impact unprepared organizations in a not dissimilar way to the recent log4j vulnerability. As in that case, security teams are strongly advised to be proactive and to determine the risk and take appropriate mitigation steps without delay.

Executive Summary

• On May 27th 2022, @nao_sec identified a malicious Microsoft Word document using a “ms-msdt” protocol scheme for arbitrary code execution.
• As the industry continues to identify novel ways to abuse this ability over the weekend, Microsoft assigned it as CVE-2022-30190.
• Similar to what we observed with Log4j, the methods of execution and outcomes of this vulnerability continue to expand as it gains more researcher and attacker attention.
• Specific attackers have been observed exploiting the vulnerability. Chinese APTs have potentially made use of it around May 20th, 2022, but first samples identified as easily as mid-April 2022.
• Defenders should consider it a critical vulnerability and seek mitigation steps immediately. Additional effort should then be made to hunt for execution prior to public knowledge as attackers could have already abused it.

Background

Concerns are rising after Microsoft confirmed that its Microsoft Windows Support Diagnostic Tool (ms-msdt) contains a zero-click remote code execution vulnerability. The zero day appears to have been exploited in the wild since at least early April 2022, based on current reports.

The vulnerability, dubbed “Follina”, makes use of how the ms-msdt handles URLs. In its simplest form, calling ms-msdt can allow attackers to execute code on a machine. The vulnerability impacts all Windows versions currently supported by Microsoft.

The call to ms-msdt with code execution is most commonly being reported on through the abuse of Microsoft ,.doc and .rtf files. However, as we continue to gain new insight into the vulnerability, newer methods are coming to light. For example as Will Dormann observed, a WGET to an attacker domain can return HTML content with the call to ms-msdt to run code on the machine running the WGET.

Observed Threat Activity

Since we are in the very early stages of this vulnerability being publicly known, we expect to update this section as we continue our analysis and research. However, at the time of writing our colleagues from Malwarebytes identified the first public sample (f531a7c270d43656e34d578c8e71bc39) of a matching Word document on April 12th 2022. This sample is themed around the Russian invasion of Ukraine.

On May 27th 2022, @nao_sec tweeted about a file uploaded to VirusTotal from Belarus (52945af1def85b171870b31fa4782e52) that uses Word’s external link to load HTML and then uses the “ms-msdt” scheme to execute PowerShell code. In this sample, the file beacons out to xmlformats[.]com, which at the time of discovery resolved to 141[.]105.65.149. Note that the actor behind this particular sample began their infrastructure build around May 19th.

Subsequently, on May 30th 2022, a Chinese APT was observed by Proofpoint abusing the vulnerability through the C2 domain tibet-gov.web[.]app.

Mitigation Guidance

You can disable “Troubleshooting wizards” in one of two ways. Either through GPO:

HKLMSOFTWAREPoliciesMicrosoftWindowsScriptedDiagnostics - EnableDiagnostics - 0

or in the user interface:

Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set "Troubleshooting: Allow users to access and run Troubleshooting Wizards" to "disabled".

Microsoft has also recommended disabling the MSDT URL Protocol by executing the following command:

reg delete HKEY_CLASSES_ROOTms-msdt /f

SentinelOne vs CVE-2022-30190 (Follina)

The SentinelOne agent detects the execution of known “Fallina” samples exploiting CVE-2022-30190.

SentinelOne customers can use the following STAR rule for real-time behavioral detection or as a hunting rule in Deep Visibility:

EndpointOS = "windows" AND
EventType = "Process Creation" AND
TgtProcName Contains Anycase "msdt.exe" AND
TgtProcCmdLine Contains Anycase "PCWDiagnostic" AND
(TgtProcCmdLine Contains Anycase "IT_BrowseForFile" OR 
TgtProcCmdLine Contains Anycase "IT_RebrowseForFile")

Additional Resources

• Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
• SANS Internet Storm Center Analysis and Summary
• Summary and Analysis by researcher Kevin Beaumont
• Additional Research by Will Dormann