The Cybersecurity and Infrastructure Security Agency (CISA) has published a new report on FiveHands ransomware, SombRAT and a publicly available network scanner used in a cyberattack against an organization.
CISA issued a summary of the cyberattack in the analysis report:
“Threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan (RAT), to steal information, obfuscate files, and demand a ransom from the victim organization. Additionally, the threat actors used publicly available tools for network discovery and credential access.”
SoftPerfect network scanner
The attack involved a publicly available network scanner, SoftPerfect Network Scanner, which the threat actors used to discover hostnames and network services on the victim network.
“SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices, via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), and PowerShell. It also scans for remote services, registry, files and performance counters; offers flexible filtering and display options and exports NetScan results to a variety of formats from XML to JSON,” as described on the SoftPerfect website.
SoftPerfect scanner artifacts include netscan.exe (stand-alone scanner), netscan.xml (scan results) and netscan.lic (license file).
According to CISA, FiveHands is a “novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt.”
FiveHands performs the following steps as part of the attack:
- Uses WMI to first enumerate, then delete, Volume Shadow Copies.
- Encrypts files in the recovery folder.
- After the files are encrypted, it writes a ransom note to each folder and directory on the system.
Moreover, the threat actors used PsExec to execute “ServeManager.exe,” which is in fact the FiveHands ransomware binary.
The threat actors also deployed SombRAT, a custom remote access Trojan (RAT) designed to download and execute malicious payloads.
“The threat actors used batch and text files to execute and invoke PowerShell scripts that decoded a SombRAT loader and enabled PowerShell to bypass the organization’s anti-malware program,” CISA warned in the advisory.
The SombRAT artifacts include: WwanSvc.bat, WwanSvc.txt, WwanSvc.a, WwanSvc.b and WwanSvc.c.
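The artifact names and behaviours listed above (netscan.*, ServeManager.exe launched through PsExec, WMI-based shadow copy deletion, and batch/text files invoking PowerShell for the WwanSvc.* loader) translate directly into endpoint triage rules. The following is an added example written for this article, not code from CISA's report or from any of the tools it names: it runs a small rule set over constructed Sysmon-style process-creation events. The event field names, the sample events, and the exact command lines are assumptions made for the example; the vssadmin pattern is included as a generalization beyond the WMI method the report describes.

```python
"""Triage rules for the FiveHands / SombRAT tradecraft described in the article.

Added example, not code from the CISA report. ProcEvent fields and the
SAMPLE_EVENTS below are constructed to resemble Sysmon Event ID 1 data.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# File names taken from the CISA report as quoted in the article.
ARTIFACT_NAMES = {"netscan.exe", "netscan.xml", "netscan.lic", "servemanager.exe"}
ARTIFACT_PREFIXES = ("wwansvc.",)  # WwanSvc.bat / .txt / .a / .b / .c

# FiveHands deletes Volume Shadow Copies through WMI; the vssadmin form is a
# generalization (assumption) covering other ransomware families.
SHADOW_DELETE = re.compile(
    r"(shadowcopy\s+delete|win32_shadowcopy|vssadmin(\.exe)?\s+delete\s+shadows)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component, so comparisons ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def matched_artifacts(event: ProcEvent) -> set:
    """Known artifact names seen in the image, its parent, or any command-line token."""
    names = {basename(event.image), basename(event.parent_image)}
    names |= {basename(tok.strip('"')) for tok in event.command_line.split()}
    return {n for n in names if n in ARTIFACT_NAMES or n.startswith(ARTIFACT_PREFIXES)}


def triage(event: ProcEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means no rule fired."""
    reasons = []
    artifacts = matched_artifacts(event)
    if artifacts:
        reasons.append("known artifact name: " + ", ".join(sorted(artifacts)))
    if SHADOW_DELETE.search(event.command_line):
        reasons.append("volume shadow copy deletion")
    if basename(event.parent_image) == "psexesvc.exe":
        reasons.append("remote execution via PsExec service")
    if (basename(event.image) == "powershell.exe"
            and basename(event.parent_image) == "cmd.exe"
            and re.search(r"\.(bat|txt)\b", event.command_line, re.IGNORECASE)):
        reasons.append("PowerShell invoked from a batch/text file")
    return reasons


def triage_all(events) -> list:
    """(host, image basename, reasons) for every event that tripped at least one rule."""
    return [(e.host, basename(e.image), triage(e)) for e in events if triage(e)]


# Constructed sample events (assumptions) modelled on the chain the report describes.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Users\Public\netscan.exe",
              '"C:\\Users\\Public\\netscan.exe"'),
    ProcEvent("srv01", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\Temp\ServeManager.exe",
              "ServeManager.exe"),
    ProcEvent("srv01", r"C:\Windows\Temp\ServeManager.exe",
              r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent("srv02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\ProgramData\\WwanSvc.txt"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),  # benign control event
]


if __name__ == "__main__":
    for host, image, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{host}: {image}: {'; '.join(reasons)}")
```

The rules are deliberately behaviour-first: the shadow-copy and PsExec checks would still fire if the operators renamed netscan.exe or ServeManager.exe, while the name match on WwanSvc.* catches the loader stage before PowerShell runs. Feed real Sysmon or EDR process events into ProcEvent and review every host with more than one reason.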