An emerging threat actor called Tortilla has been exploiting known vulnerabilities in Microsoft Exchange servers in order to infect victims with the Babuk ransomware.
The campaign illustrates how new attackers are modifying and deploying Babuk after the malware's source code and binary builder were leaked in September. The actor behind the attack, named Tortilla after the payload file names used in the campaign, has only been operating since early July, making it a relatively inexperienced group.
“The actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools,” according to Chetan Raghuprasad and Vanja Svajcer, Cisco Talos researchers, in research released on Wednesday.
The campaign, first uncovered by researchers on Oct. 12, was primarily affecting users in the US, with an additional smaller number of infections in the UK, Germany, Ukraine, Finland, Brazil, Honduras and Thailand.
Researchers assessed with "moderate confidence" that attackers were targeting vulnerable Exchange servers and attempting to exploit the ProxyShell flaw in order to deploy Babuk. ProxyShell is a collection of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that can be chained together to bypass authentication and execute code as a privileged user. The attackers would either use a DLL or .NET executable, which would then run as a child process of w3wp.exe and invoke the command shell to run an obfuscated PowerShell command. Researchers said that they also observed China Chopper installed on infected systems, which they believe ran the initial download command. China Chopper, which dates back to 2010, is a webshell that allows attackers to retain access to infected systems.
The PowerShell command then downloaded a payload loader module, which then in turn downloaded an intermediate unpacking stage from a PasteBin clone site called pastebin.pl. This is a “somewhat unusual infection chain technique” that differentiates the variant, said researchers.
“The intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed,” they said.
This payload was then used to encrypt files on the victim’s server and the mounted drives, said researchers.
Tortilla is conducting internet-wide scans for vulnerable hosts running several popular applications, including Microsoft Exchange, said researchers. They have also observed Tortilla experimenting with other payloads, including a PowerShell-based netcat clone called Powercat, with the goal of obtaining remote access to the infected systems.
“The actor is experimenting with different approaches to attacking organizations,” said Vanja Svajcer, threat research leader with Cisco Talos.
Researchers said that Babuk “is nefarious by its nature” - the ransomware encrypts the victim's machine, interrupts the system backup process and deletes the volume shadow copies. While a Babuk decryptor was released recently, researchers said that it can’t be used to decrypt files encrypted by this specific variant, as the decryptor is only effective with a number of leaked keys. To protect against this threat, researchers said organizations should regularly apply patches to their servers and applications.
“Organizations and defenders should remain vigilant against such threats and should implement a layered defense security with the behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain,” they said.