Kang-Wei Chang
Security Research Engineer
Blog

ATI Adds Maze Ransomware Attack Campaign

June 25, 2020 by Kang-Wei Chang

Last month, the Application and Threat Intelligence (ATI) Team released a new type of cyberattack for use with the Keysight BreakingPoint application and security test solution. BreakingPoint Attack Campaigns are smart StrikeLists that represent parts of a real-world attack kill chain. Attack Campaigns are a new feature we added this year and introduced in these two blogs: 

To keep our customers current, every two weeks we provide new application protocols and threats in our StrikePack updates. The ATI-2020-11 StrikePack also includes a new Attack Campaign: Maze Ransomware April 2020 Campaign.

According to FireEye, Maze Ransomware has been used in attacks from November 2019, and is still in the wild as of May 2020. To ensure our customers are prepared to recognize and stop these attacks, we have increased our coverage by adding their kill chain to our threat intelligence library. 

This new Attack Campaign simulates the malicious network communication that occurs after a user receives and interacts with a malicious Word document. By opening the document, the user will download and install a malicious executable file with a “tmp” file extension. From this point onward, the malware is retrieved and call-backs to the command and control (C&C) are executed. It is simulating the campaign documented here, and it includes 3 strikes as shown in the following image.

1

Maze Ransomware campaign 

The malware campaign begins with a malicious Word document file with fake RSA private key information. The first strike, M20-naq01, simulates a phishing Word document file download by performing an HTTP GET request, resulting in the download of the ‘Word’ pre-load module.

The second strike, M20-ks601, simulates the network-visible actions that occur if a user has opened the Word document. The strike performs an HTTP GET request, resulting in the download of the ‘Maze’ module over the transport protocol HTTP. 

The third strike, B20-jyu01, simulates the successful installation of the ‘Maze’ module, self-extraction and execution of the Maze malware, based on a report by BitDefender. The client sends an HTTP POST request with custom-encoded algorithm data that includes client host information such as machine name and username, to the command-control server. 

2

Custom-encoded data from infected client to C2 Server 

Malware can hide in many kinds of files, including the Microsoft Word document file format as an embedded Macro. It can spread via email or many other ways. All it takes is a single click to allow a malware infection, file encryption, or data exfiltration to compromise the targeted system. 

The ATI research team will continue to strive to deliver valuable, timely content of this nature in every release.  

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS 

Ixia's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Through the ATI subscription, BreakingPoint customers now have access to Attack Campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.