Exchange servers targeted by ‘Epsilon Red’ malware

Recent research shows that threat actors deployed a new ransomware using a set of encrypted PowerShell scripts that exploit vulnerabilities in unpatched Exchange servers to attack corporate networks.

Researchers at security firm Sophos discovered the new ransomware, dubbed Epsilon Red, while investigating an attack on a US-based hospitality company, Sophos principal researcher Andrew Brandt wrote in a report published online.

The name was coined by the attackers themselves, who may be the same people who have used the REvil ransomware in earlier attacks; it refers to an obscure enemy character in Marvel’s X-Men comics. The character is a “super soldier purportedly from Russia” equipped with four mechanical tentacles, which appears to represent the way the ransomware extends its reach inside businesses.

He wrote: “While the malware itself is an unpacked 64-bit Windows executable written in the Go programming language, its delivery system is a bit more complex, relying on a series of PowerShell scripts that prepare the victim’s machine for the ransomware payload and eventually launch it.”

Brandt wrote that the researchers found some links to the REvil group in the ransom note left on the infected computer: it is very similar to the note left by the REvil ransomware, with some minor grammatical corrections that make it easier for native English speakers to read. However, the ransomware tool and its name appear to be custom-made by the attackers and bear no other similarities to the earlier REvil attack vector.

According to the report, the victim of the attack Sophos observed ended up paying a ransom of 4.29 bitcoins on May 15, the equivalent of around $210,000 at the time.

Offensive PowerShell

The initial entry point was an unpatched corporate Microsoft Exchange server. From there, the attackers could use Windows Management Instrumentation (WMI), a scripting tool that automates operations in the Windows ecosystem, to install other software on machines within the network that could be reached from the Exchange server.

It is not entirely clear whether the attackers exploited the infamous Exchange ProxyLogon vulnerability, a high-severity flaw that Microsoft disclosed earlier this year. However, according to Brandt’s observations, the unpatched servers on the network were indeed exposed to it.

During this attack, the attackers used a series of PowerShell scripts, numbered 1.ps1 to 12.ps1, as well as scripts named after individual letters of the alphabet, to prepare the targeted machine for the final payload. The scripts also delivered and launched the Epsilon Red payload, he wrote.

The PowerShell scripts use a rudimentary form of obfuscation, which did not prevent Sophos researchers from analyzing them, but Brandt noted: “This may be enough to evade detection by an anti-malware tool that scans the files on the hard drive without a hitch, which is exactly what an attacker needs.”
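The two details above, the terse script names (1.ps1 to 12.ps1, single letters) and the rudimentary obfuscation, are what a defender can hunt for on a mail server or a file share. The following Python heuristic scanner is an added example, not Sophos code and not taken from the report: it scores the contents of a PowerShell script against common obfuscation indicators and adds a point for a terse filename. The indicator patterns, their weights, the filename rule and the alert threshold are assumptions chosen for illustration, and both sample scripts are constructed.

```python
"""Heuristic scanner for obfuscated PowerShell scripts.

Added example, not Sophos code. Indicator patterns, weights, the filename
rule and the alert threshold are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Each indicator: (compiled regex, weight). Weights are assumptions.
INDICATORS = {
    # -enc / -EncodedCommand followed by a base64 blob
    "encoded_command": (re.compile(r"-e(nc(odedcommand)?)?\b\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    # Invoke-Expression / iex: runtime evaluation of assembled strings
    "invoke_expression": (re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 2),
    # a long base64 run anywhere in the file
    "long_base64": (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), 2),
    # [char]N casts used to build strings one character at a time
    "char_casts": (re.compile(r"\[char\]\s*\d+", re.I), 1),
    # 'a' + 'b' + 'c' + 'd' ... chains of tiny string literals
    "string_concat_chain": (re.compile(r"(['\"][^'\"]{1,4}['\"]\s*\+\s*){4,}"), 2),
    # backticks inserted inside identifiers (I`E`X)
    "backtick_insertion": (re.compile(r"[A-Za-z]`[A-Za-z]"), 1),
    # common download / decode primitives
    "download_or_decode": (re.compile(r"DownloadString|FromBase64String", re.I), 2),
}

# The article describes scripts named 1.ps1 .. 12.ps1 and single letters.
TERSE_NAME = re.compile(r"^(\d{1,2}|[A-Za-z])\.ps1$")


@dataclass
class ScanResult:
    name: str
    score: int = 0
    hits: list = field(default_factory=list)


def scan_script(name: str, text: str) -> ScanResult:
    """Score one script. Each indicator counts at most three times so that a
    single repeated pattern cannot dominate the total."""
    result = ScanResult(name=name)
    for label, (pattern, weight) in INDICATORS.items():
        n = len(pattern.findall(text))
        if n:
            result.hits.append(label)
            result.score += weight * min(n, 3)
    if TERSE_NAME.match(name):
        result.hits.append("terse_filename")
        result.score += 1
    return result


def is_suspicious(result: ScanResult, threshold: int = 4) -> bool:
    """Alert threshold is an assumption; tune it against your own script corpus."""
    return result.score >= threshold


# Constructed samples (neither is real malware).
BENIGN = """# Nightly backup rotation
Get-ChildItem -Path 'D:\\backups' -Filter '*.bak' |
  Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-14) } |
  Remove-Item -Verbose
"""

OBFUSCATED = """$s = 'Wr' + 'it' + 'e-' + 'Ho' + 'st'
$p = [char]72 + [char]105
I`E`X ($s + ' ' + $p)
powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA==
"""

if __name__ == "__main__":
    for name, body in (("Rotate-Backups.ps1", BENIGN), ("7.ps1", OBFUSCATED)):
        r = scan_script(name, body)
        print(f"{name}: score={r.score} suspicious={is_suspicious(r)} hits={r.hits}")
```

Run over a directory of .ps1 files, the scanner is a triage aid rather than a verdict: legitimate administration scripts occasionally use encoded commands or string assembly, so the score is best used to rank files for a human to look at, alongside where the file was found and which account wrote it.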

Delivery of the payload

Brandt explained: “The ransomware itself is a file called RED.exe, which is compiled using a tool called MinGW and packed using a modified version of the UPX packing tool. The payload contains some code from the open source GitHub project ‘godirwalk’, which lets it scan the hard drive it runs on for directory paths and compile them into a list.”

“The ransomware then spawns a new subprocess that encrypts each subfolder individually, which in a short period of time causes many ransomware copy processes to run concurrently,” he wrote.

Brandt observes that the executable itself is small and very simple: it just encrypts files on the target system and has no network connectivity or other critical functions, all of which are implemented in the PowerShell scripts.
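The behaviour described in the two paragraphs above, one small executable launching a fresh copy of itself for every subfolder until many copies run at once, is visible in ordinary process-creation telemetry even when the binary itself is not recognised. The Python detector below is an added example, not Sophos code and not from the article: it slides a time window over constructed process-creation events (field names loosely modelled on Sysmon-style process-create records) and flags any parent that spawns at least a threshold number of children with the same image inside the window. The window, threshold, allowlist and all sample events are assumptions; the RED.exe image name in the sample is taken from the report.

```python
"""Flag a parent process that launches many copies of one image in a short
window, the "one encrypting child per subfolder" pattern described above.

Added example, not Sophos code. The event shape is loosely modelled on
process-creation telemetry (Sysmon event 1 style fields); window, threshold
and allowlist are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since some epoch
    pid: int
    ppid: int
    image: str     # executable name
    cmdline: str


def find_spawn_bursts(events, window=10.0, threshold=8, allow=()):
    """Return alerts for (ppid, image) pairs where at least `threshold` children
    with the same image were created within `window` seconds. `allow` lists
    images that legitimately fan out (browsers, build tools) and are skipped."""
    allow = {a.lower() for a in allow}
    recent = defaultdict(deque)      # (ppid, image) -> child timestamps in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        image = ev.image.lower()
        if image in allow:
            continue
        key = (ev.ppid, image)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"ppid": ev.ppid, "image": ev.image,
                                        "count": 0, "first": q[0], "last": ev.ts})
            a["count"] = max(a["count"], len(q))
            a["last"] = ev.ts
    return list(alerts.values())


def constructed_events():
    """Constructed telemetry, not a real capture."""
    evs = []
    # Benign: a user opens a few editors over several minutes.
    for i in range(3):
        evs.append(ProcEvent(100.0 + 60 * i, 500 + i, 400, "notepad.exe", "notepad.exe"))
    # Benign but bursty: a browser starting renderer processes.
    for i in range(10):
        evs.append(ProcEvent(200.0 + 0.2 * i, 600 + i, 590, "chrome.exe",
                             "chrome.exe --type=renderer"))
    # Suspicious: one binary launching a copy of itself per subfolder.
    for i in range(12):
        evs.append(ProcEvent(300.0 + 0.25 * i, 700 + i, 690, "RED.exe",
                             f'RED.exe "C:\\data\\folder{i}"'))
    return evs


if __name__ == "__main__":
    for alert in find_spawn_bursts(constructed_events(), allow={"chrome.exe"}):
        print(f"{alert['image']} (parent {alert['ppid']}) spawned "
              f"{alert['count']} children in {alert['last'] - alert['first']:.2f}s")
```

Without the allowlist the browser burst fires too, which is the main noise source for this rule: browsers, build systems and some backup agents all fan out legitimately, so in practice the image allowlist is built from a baseline of the environment and the alert is correlated with other signs of encryption in progress (a spike in file renames or new extensions under user directories) before anyone is paged.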

Since the entry point of the attack is unpatched Microsoft Exchange servers, which are vulnerable to the ProxyLogon vulnerability, Sophos recommends that administrators update and patch all servers as soon as possible to prevent attacks from occurring.
