(844) 627-8267
(844) 627-8267

Ransomware Spotlight: 8Base – Security News | #ransomware | #cybercrime

T1566 – Phishing:
Based on reports, 8Base ransomware gains initial access primarily through phishing emails. Once the victim engages with the phishing elements, an exploit kit will be executed.

T1547.001 – Registry Run Keys / Startup Folder: 
It creates the following registry entries for its autorun technique:

• HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Run
• {malware name} = %AppDataLocal%\{malware name}.exe
• HKEY_CURRENT_USER\ Software\Microsoft\Windows\ CurrentVersion\Run
• {malware name} = %AppDataLocal%\{malware name}.exe

It also drops a copy of itself on the %User Startup% folder.

T1134.001 – Token Impersonation/Theft
If the system OS version is > 6, it duplicates the token of explorer.exe

T1134.002 – Create Process with Token
8Base ransomware then creates a process using the API CreateProcessWithTokenW and the duped token of explorer.exe.

T1548.002 – Bypass User Account Control
It adds registry entries to bypass User Access Control (UAC)

• ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
• ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f
• • ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

T1546.008 – Accessibility Features
It modifies the following IFEO registry keys to attach cmd.exe to accessibility programs that are accessible from the lock screen:

• HelpPane.exe – ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe” /f /v Debugger /t REG_SZ /d “C:\Windows\system32\cmd.exe”
• utilman.exe – ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe” /f /v Debugger /t REG_SZ /d “C:\Windows\system32\cmd.exe”
• Magnify.exe – ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe” /f /v Debugger /t REG_SZ /d “C:\Windows\system32\cmd.exe”
• sethc.exe – ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe” /f /v Debugger /t REG_SZ /d “C:\Windows\system32\cmd.exe”

T1027.001 – Binary Padding
8Base ransomware uses garbage codes to make analysis difficult and confusing.

T1497.001 – System Checks
It uses SetErrorMode function to bypass Cuckoo Sandbox by terminating the process if the return value is 0x400.

T1562.004 – Disable or Modify System Firewall
It executes the following to disable firewall:

• netsh advfirewall set currentprofile state off
• • netsh firewall set opmode mode=disable

T1140 – Deobfuscate / Decode Files or Information
It uses SmokeLoader to decrypt and deliver the 8Base ransomware payload.

T1070.001 – Clear Windows Event Logs
Using wevtutil.exe, it clears Windows event logs.

T1083 – File and Directory Discovery
It enumerates and looks for files to encrypt in all local drives.
It contains a specific list of extensions and folders that it can use to verify which files to avoid encrypting (this can be found in the “Infection chain and techniques” section). 

T1082 – System Information Discovery
It obtains the OS major version to check if it is This ransomware also retrieves the volume serial number which will be used in generating the file extension that it will append on encrypted files.

T1135 – Network Share Discovery
It uses WNetEnumResource() to crawl network resources.

T1057 – Process Discovery
This ransomware enumerates processes for the purpose of terminating them to avoid conflict in its encryption routine. See the list of processes it terminates in the additional information provided at the end of the article.

T1486 – Data Encrypted for Impact
It uses AES-256 to encrypt target files and then encrypts the encryption key used using RSA-1024 with a hardcoded public key appended to the end of each encrypted file. It has an embedded configuration, decrypted during runtime, which contains the file extensions, file names, and folders to avoid. It avoids encrypting certain files. See the list of extensions it avoids encrypting in the additional information provided in the “Infection Chain and techniques” section.

It avoids encrypting files with the certain strings in their file name. See the full list in the additional information provided at the end of the article.
It avoids encrypting files found in the following folders:

• c:\windows
• c:\programdata\microsoft\windows\caches

It appends the following file extension to encrypted files:

• id[{Volume Serial Number}-{Generated ID}][email protected]].8base

It drops the following ransom notes:

• %Desktop%\info.txt
• %Desktop%\info.hta

T1490 – Inhibit System Recovery
It uses Vssadmin, WMIC, BCDEdit, and wbadmin to remove volume shadow copies.

T1218.005 – System Binary Proxy Execution: Mshta
It executes the following command to display the ransom note after encryption:

• %System%\mshta.exe %Desktop%\info.hta

Source link


National Cyber Security