Malware Analysis - Buran Ransomware-as-a-Service

Attack Vector

Infection vectors vary based on the specific version of Buran; primary methods have involved a RIG exploit kit1 or malspam:

• Version I was spread via CVE-2018-8174, a Microsoft Internet Explorer VBScript Engine Remote Code Execution (RCE) vulnerability, which could corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited this could gain the same user rights as the current user.2 

• Version II was reported by open sources to being spread by various malspam campaigns: 

  • One malspam campaign targeted various German entities via an eFax-themed email message that contained an infected Microsoft Word document that downloaded the Buran payload. 

  • Another campaign spread Buran to victim hosts via Microsoft Excel Web Queries (i.e., IQY mail attachments).

  • Kroll assesses that malspam campaigns distributing Buran and Maze ransomware may be connected, due to a shared email address observed in Start of Authority (SOA) records for multiple campaigns.

Kroll-Observed Attack Vector

Kroll incident response teams have observed the ransomware spreading via RDP access coupled with privilege escalation. In one case, an organization’s RDP was misconfigured to be open to the internet:

• Attackers connected to the network via RDP over port 3389 from the IP address 98.110.78[.]226

• Once inside the network, attackers connected 53 times from 14 unique IP addresses to three separate accounts

• One of the compromised RDP accounts established an FTP session with ftp://ftp.bit[.]nl/upload. The FTP connection occurred before any privilege escalation or network reconnaissance. 

• The FTP activity was followed by privilege escalation along with network reconnaissance. Kroll assessed it was likely that credential harvesting tools (e.g., Mimikatz) were utilized via the RDP accounts to capture credentials to gain access to the administrator level. 

• Once the actor gained access to the administrator level, Buran was deployed (buran_2019-06-28_04-40[.]exe).  

In another Kroll investigation, the actor(s) actively cleared event logs and deleted Windows volume snapshots, making it difficult to ascertain the initial infection vector:

• As for the attack itself, a batch file (def.bat) was executed that contained PowerShell script to download from IP address 45.142.213.167, which geolocated to Russia at the time of the investigation.

  • PowerShell is a native component of the Windows operating system used by administrators. For this reason, a malicious PowerShell script is potentially less likely to be detected than other attacker methods.

• Seconds later, the Buran binary was uploaded to the client’s Kaseya server via the portal (/SystemTab/uploader.aspx). 

• The actor(s) then used the Kaseya server to push out tools and the ransomware to target systems. 

Dark Web Updates

Kroll has observed that since being advertised in May 2019, Buran has been updated on six separate occasions. 

• During a notable update in June 2019, Buran was enhanced to support a PowerShell script that contains the Buran bootloader. (See Figure 2 for dark web update listing.)

• The actor behind the “buransupport” moniker advertised an additional update to Buran on January 16, 2020. No details were provided on new features of this build. 

• “Buransupport” is also advertising a second ransomware variant, Zeppelin, which has been observed to have data exfiltration capabilities. Zeppelin was first advertised in November 2019 on Russian forums. It is similar to Buran as they are both variants of the VegaLocker family and Delphi code based.

• Zeppelin ransomware is extremely configurable and is able to be deployed as EXE Startup and IOCsStartup and IOCs

Startup and IOCs

• Dark web ads for Buran claim the ransomware can scan local drives and network paths, delete recovery points and encrypt without changing file extensions. 

• Leverages several anti-forensic measures, such as clearing Windows event logs and disabling the Windows event log service prior to encrypting the victim host
  Numerous indicators of compromise exist for Buran. (See Figure 3 for a list of IOCs current as of this writing.)

• Buran authors have built in an abort feature if a scan of the victim host detects it is registered in one of the former Soviet Russia Commonwealth of Independent States (CIS) or Ukraine

• Buran encrypts all files unless the file name, extension or directory has not been included. Buran does not encrypt the following extensions: 

• .bat

• .buran

• .cmd

• .com

• .cpl

• .dll

• .exe

• .lnk

• .log

• .msc

• .msp

• .pif

• .scr

• .sys

Preemptive Recommendations

• Maintain consistent backups. Recovery is always easier if organizations have a valid and intact backup system. Offline backups make it even harder for attackers to compromise data. 

• Conduct routine security risk assessments. These include vulnerability and penetration testing to decrease the likelihood of infection. 

• Implement an endpoint monitoring, detection and response solution.
  Use a firewall to prevent public access to the service message block (SMB/port 445) and the Remote Desktop Protocol (RDP/port 3389).

• Apply two-factor authentication (2FA) to user log-in credentials and implement least privilege for file, directory and network share permissions.