Security news that informs and inspires

Threat Group Exploits SonicWall Flaw to Deploy FiveHands Ransomware


Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February.

According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) prior to a patch being available. The group leveraged this exploit as a foothold in order to deploy the previously-discovered SombRAT malware, as well as FiveHands.

“UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant.

UNC2447 (“UNC” being FireEye’s designation for unclassified threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group was then observed exploiting the SonicWall flaw, a critical SQL injection vulnerability in Secure Mobile Access (SMA) 100 Series VPN appliances, which allows unauthenticated attackers to achieve remote code execution. Before SonicWall patched the flaw in February, it revealed that it had "identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."

Justin Moore, threat analyst with Advanced Practices at FireEye Mandiant, said researchers have not observed any FiveHands intrusions since patches have been deployed - however, organizations that have not yet patched their systems remain at a high risk of compromise from any group.

“While the most recent details of the FiveHands attacks are currently published in the blog, including hashes and comparisons to other ransomware variants, there have been at over 100 SonicWall SMA 100 series VPN compromises during this campaign,” said Moore. “UNC2447 related actors have credentials for these organizations and may still have access to deploy ransomware despite patches being applied.”

Researchers said they believe that the FiveHands ransomware is a new rewrite of the existing DeathRansom ransomware, which was first observed in November 2019. FiveHands, which is written in C++, shares several features, functions and coding similarities with DeathRansom. However, researchers noted that the function calls and code structure used to implement the majority of its functions are written differently. One significant departure from DeathRansom is FiveHands' use of a memory-only dropper, which upon execution expects a command line switch of -key followed by the key value necessary to perform decryption of its payload, said researchers. Additional code in the ransomware - not found in DeathRansom - uses the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted, they said.

“The payload is stored and encrypted with AES-128 using an IV of ‘85471kayecaxaubv,’” they said. “The decrypted FiveHands payload is immediately executed after decryption.”

Researchers also noted similarities between FiveHands and HelloKitty, a ransomware that has also been reportedly built from DeathRansom. While both FiveHands and HelloKitty share several high-level functionalities with DeathRansom, both have their own marked differences. For instance, similar to HelloKitty, FiveHands lacks a language check, which was used by DeathRansom to check for several languages on infected systems.

In addition to FiveHands, UNC2447 was deploying SombRAT, malware first reported in November by Blackberry Cylance researchers, who noted that the backdoor's primary purpose is to download and execute plugins provided via the C2 server. The version of SombRAT utilized in this attack features additional obfuscation to evade detection and discourage analysis, said researchers.

Researchers said that while they observed FiveHands being deployed by UNC2447, not all intrusions may have been conducted by this group. They believe that FiveHands - along with HelloKitty - may be used in attacks by different groups participating in underground affiliate programs.

“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” they said.

Researchers warn that UNC2447 continues to pose a threat to organizations - particularly as ransomware attacks continue to hit companies worldwide. The issue has turned the heads of both tech companies and government regulators: This week, for instance, a ransomware task force announced it had developed a broad set of recommendations to help address these ransomware attacks.

“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics,” researchers said.