CISA Alerts to New Ransomware, Trojan Using Public Pen Testing Tools

FiveHands ransomware has been spotted in the wild paired with a remote access trojan. Its actors used publicly available pen testing and exploitation tools to steal data.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert for a newer ransomware variant and remote access trojan (RAT) spotted in the wild using publicly available pen testing and exploitation tools to steal and obfuscate data.

FiveHands is a novel ransomware that relies on a public key encryption tactic called NTRUEncrypt.com. It also uses Windows Management Instrumentation to begin enumeration, then deletes the Volume Shadow copies and encrypts files in the recovery folder.

The methods are designed to thwart administrators from recovering the data. After encrypting the files, the program writes a ransom note to each folder and directory on the connected systems.

The variant has already successfully exploited one organization. CISA analyzed the threat and released a report to shed light on the threat actor’s tactics, techniques, and procedures, along with indicators of compromise.

The hackers used FiveHands and SombRAT in combination with the publicly available tools for network discovery and credential access, then to steal data, obfuscate files, and demand a ransom from the victim.

The initial access point was the exploit of a zero-day flaw in a virtual private network (VPN). Once inside, the attacker used the standalone version of the SoftPerfect Network Scanner for Discovery, netscan.exe, to find hostnames and network services.

“The SoftPerfect website states that the "SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices, via WMI, Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), and PowerShell,” officials explained. 

“It also scans for remote services, registry, files and performance counters; offers flexible filtering and display options and exports NetScan results to a variety of formats from XML to JSON," they added. “The utility can also be used with Nmap for vulnerability scanning. The utility will generate a report of its findings called netscan.xml.”

The threat actor used PsExec to launch ServeManager.exe, which is the legitimate remote administration program and part of Microsoft’s Sysinternals tool suite. The CISA report provides administrators with the ransomware’s artifacts to support identification.

CISA also provided insights on the RAT, SombRAT, which uses batch and test files to execute and launch PowerShell scripts that can decode a SombRAT loader and allowed the PowerShell to bypass the entity’s anti-malware program.

The analysis of the successful cyberattack showed the RAT’s loader was a “64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries (DLL) plugins on the affected system.” 

“The loader used hardcoded public RSA keys for command and control (C2) sessions,” officials explained. “The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors.”

“The malware does contain hardcoded commands that it uses to evaluate against operator-provided data,” they added. “These commands are encoded within the binary, and they are not encoded before being compared against operator-provided data—indicating the malware expects the remote operator to encode the commands before passing them to the RAT. 

CISA shared the indicators of compromise to support detection and identification and encouraged administrators to review the previously provided Ransomware Response Checklist, which also contains steps for ransomware detection, analysis, containment, and eradication.

Entities were also encouraged to strengthen the overall cybersecurity posture, including maintaining up-to-date antivirus and patching processes, disabling file and printer services, decommissioning unused VPN servers, and monitoring traffic for unexpected or unapproved protocols.

Healthcare organizations can alro review free ransomware insights from NIST, Microsoft, and the Office for Civil Rights to better defend against ransomware, overall.

Next Steps

Dig Deeper on Cybersecurity strategies