Maze Ransomware Analysis
On October 29th, a campaign was found spreading the Maze malware to Italian users. Traditionally, the malware has used numerous methods to gain access, mainly through using exploits kits, remote desktop connections with weak passwords, or through email manipulation, or via various agencies or businesses. Those emails came with a Word file that used macros to run the system malware.
The malware is hardcoded with several tricks to avoid its reversal and complicate static analysis.
Maze ransomware is a malware which targets organizations in many industries worldwide. The Maze is believed to run over an affiliated network where Maze developers share their proceeds with different groups that implement Maze in organizational networks. Maze operators are reputed to take advantage of resources in one network to switch to other networks laterally.
Anatomy of Attack
Let’s review the operation of Maze ransomware:
The techniques used by Maze operators are, in most instances, authentic credentials that log into the network through an internet-facing server. It may be an open RDP server or a Citrix / VPN server. How the preliminary credential is being exploited is uncertain; But, common methods of attack contain guessing passwords or spear-phishing via a targeted email with a.docx attachment that includes a malicious macro.
When an initial computer is infected in the network, the malware begins scanning the network for vulnerabilities. The malware scans specific facets like available SMB shares, network setup, and multiple features of Active Directory, including licenses, accounts, and domain trusts. Known open-source software like smbtools.exe, Adfind, BloodHound, and built-in Windows commands may be used to perform the scanning.
Airgap Defense: Airgap’s Zero Trust Isolation technology blocks any lateral scanning attempt and presents the responses as if none of the members are present on the network.
After gathering information on the network for a few days, the malware begins spreading laterally inside the network. Finding passwords on the compromised computer is the best choice. This may be Kerberos tickets or hashes of passwords; Maze even scans infected computers for files holding passwords in plaintext. If these are not detected, the malware attempts to move laterally in the same network leveraging LLMNR / NBT-NS Poisoning to capture network packets for subsequent NTLM cracking and/or NTLM relay threats.
Finally, if neither of these methods works, the malware may try to find vulnerable passwords by brute-force user/service accounts. When a legitimate credential is being detected, the malware utilizes known Windows interfaces like SMB, WinRM, and RDP to move laterally on remote machines and execute the code.
Airgap Defense: Airgap’s Zero Trust Isolation technology blocks all unauthorized lateral movement within the network.
The escalation of privilege is kind of a dance. The attacker laterally moves to new machines. Once they are on new machines, they can use the same techniques of lateral movement and find new credentials to compromise and keep moving to additional machines. Usually, this dance will be over once domain admin credentials are discovered. The attacker can easily compromise any computer in the network at this stage.
The operator is keen to retain his presence as long as needed in the network. That means adding different backdoors and means to take back control of the network. That is achieved if malware is found and disabled, then a second time the operator will breach the network. The approach discovered here is primarily to collect as many login credentials as possible and eventually to establish new privileged network accounts.
The key concern is that, during the compromise, much of the fraudulent activities are conducted with legitimate user credentials. The malware is extracting credentials in a variety of ways. Tools such as Mimikatz are used to collect local credentials and then carry out the Pass-the-Hash attacks. Maze tries to locate passwords that are held on hard drives and often also targets insecure accounts containing poor credentials using brute force and authentication scanning techniques.
Maze Ransomware operators utilize traditional techniques and open source software such as BloodHound and Mimikatz to exploit and move laterally through networks. They’ve been doing this with tremendous results for a time. Enterprise networks are often exploited through a compromised password and authentication-based attacks. Easy measures such as checking bad passwords, restricting account rights, identifying stealthy administrators, and implementing proactive security will reduce much of the chance of being the next ransomware target.
About Airgap Networks
Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent-pending Zero Trust Isolation platform assures threat propagation protection. Airgap’s solution can be deployed in minutes, not months. Visit airgap.io to learn more or to schedule a demo.