Sunday, November 24, 2024
Homecyber securityBeware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester

Beware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester

Published on

A new threat is the emergence of a ransomware encryptor dubbed ‘HelloFire.’

This new player in the cybercrime arena is employing deceptive tactics to disguise its malicious intent as legitimate penetration testing activities.

Here’s what you need to know about this emerging threat.

- Advertisement - SIEM as a Service

Masquerading as a Pentest

The ‘HelloFire’ ransomware is a recent addition to the cyber threat environment, notable for its lack of a traditional leak site or the usual ransomware branding.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The ransom note, which lacks uniqueness in its wording, clearly indicates that the threat actor poses as a pentester—a tactic previously seen with other cybercriminals.

However, the use of specific email domains in the ransom note, such as ‘keemail. me’ and ‘onionmail.org’, undermine the credibility of the attack as a legitimate pentest.

These domains have been associated with various threat actors since as far back as 2013.

ShadowStackRE recently shared a blog post regarding the emergence of a new threat landscape called hellfire Ransomware.

Potential Russian Threat Actor

The ransomware note and the PDB (Program Database) path contain references to the word ‘hello’ in both English and Russian (‘Zdravstvuy’), suggesting a potential Russian connection.

The encrypted files have the extension ‘.afire’, and the ransom note is in a ‘Restore.txt’ file.

‘HelloFire’ has a comprehensive list of services, directories, and files that it targets, indicating a well-researched approach to maximize the impact on infected systems.

Technical Analysis

Build Information

The encryptor is built as a Windows PE 32bit executable using Visual C++ and has a file size of 49.5KB.

It was first detected on VirusTotal on March 16, 2024, with the SHA256 hash:3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b. 

The sample was first seen in VirusTotal on 2024-03-16
The sample was first seen in VirusTotal on 2024-03-16

Program Flow

The ransomware begins by acquiring a cryptographic context and uses the Windows API to handle the random number generator.

A new thread will be created to handle the encryption routine and file discovery.
A new thread will be created to handle the encryption routine and file discovery.

 It then inhibits system recovery by deleting Windows shadow copies, stopping a list of services and programs, and clearing the recycle bin.

A new thread is created to manage the encryption routine and file discovery, which includes enumerating volume drives and file shares connected to the target machine.

File shares that are connected to the target machine.
File shares that are connected to the target machine.

Inhibiting System Recovery

The malware dynamically obtains a handle to ‘kernel32.dll’ to disable WoW64 FS redirection and ensure that commands are executed correctly.

It uses ‘vssadmin.exe’ to delete Windows shadow copies, a common ransomware tactic quickly identified by many EDR or behavioral analysis systems.

Configuration

The configuration is stored in non-encrypted blocks within the .data section of the executable.

Executable List
Executable List

It includes a list of executables and services typically found on corporate machines, such as email clients, databases, and security software like Sophos.

The file and directory listings are also included, essential for the encryptor to avoid destabilizing the system before completing the encryption routine.

File and Directory Discovery

The encryptor uses Windows APIs to identify and map local volumes and network shares.

It then recursively processes the subdirectory tree to locate files for encryption.

Encryption Process

The encryption thread sets the target file to ‘FILE_ATTRIBUTE_NORMAL’ and appends the ‘.afire’ extension.

It uses the restart manager APIs to ensure other processes do not lock files.

The Curve25519 algorithm is used for encryption, and it is commonly found in Babuk malware, indicating a clear overlap between the two encryptors.

The ‘HelloFire’ ransomware represents a sophisticated and stealthy threat that leverages the guise of legitimate security testing to carry out its attacks.

Organizations and individuals should be vigilant and ensure that their cybersecurity measures are up to date to protect against such deceptive threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...