Babuk ransomware first started operating in 2021 with an aim to target organizations and steal and encrypt their data for double-extortion. Since then, much water has flown under the bridge. Last year, a threat actor leaked the source of Babuk, which helped multiple threat groups build their own malware. In November, Morphisec observed a new Babuk ransomware variant that was used to target a large-scale enterprise.
Diving into details
Attackers have amalgamated Babuk ransomware’s leaked source code with evasive open-source software and side-loading techniques to create a previously-unseen strain.
They used this new Babuk variant to target a multibillion-dollar manufacturing enterprise with over 10,000 servers and workstations.
The attackers had two weeks for reconnaissance before launching the attack. They infected the firm’s domain controller and disseminated ransomware to all devices within.
Why this matters
The primary malware component masquerades as a legitimate DLL used by NTSD.exe and abuses the DLL side-loading vulnerability.
Dropping the malicious DLL results in the execution of the legitimate Microsoft signed process, which ensures that machine learning thresholds for suspicious classification are reduced.
The new and the old
Both the old and new Babuk ransomware variants possess similarities in the overall execution flow and code structure.
They share the same encryption algorithm, configuration, and usage.
However, the new strain’s shadow copy deletion routine is different from the previous one. While the former uses COM objects to iterate over the Shadow Copies, the latter deletes them by creating new cmd.exe processes.
The bottom line
Attackers know that monitoring and scanning solutions have weaknesses, and they attempt to maintain stealth within the memory of an application. This new Babuk variant implements side-loading, executes within legitimate applications, and implements reflective loading functionality to hide the rest of its execution steps.