All you need to know about Hauhitec Ransomware | How to Fix Tips by Cyber Experts

2021-11-11

1. Background

Recently, the Sangfor Security Emergency Response Center and Endpoint Security Team caught a new ransomware sample that Sangfor FarSight Labs has named "Hauhitec". According to gathered threat intelligence, many companies in China have been attacked by Hauhitec, especially in developed coastal regions. The attack characteristics and behavior of the group are very similar to those of the Anonymous group, and it is believed that this group has opened a new branch.

The attacker used the "EternalBlue" vulnerability (MS17-010) and WMI to propagate across the intranet. After a successful attack, the attacker used PowerShell to run malicious programs for encryption and extortion. FarSight Labs named the ransomware Hauhitec, based on the encrypted file suffix.

The Anonymous group first appeared in March 2019. In the early days, it mainly infiltrated systems using the EternalBlue vulnerability and used the endpoints' resources for mining. In August 2020, the group updated its rootkit, and after invading a system, a botnet was set up to conduct long-term mining.

The EternalBlue vulnerability was disclosed in 2017 and has previously been used as an exploit by the Anonymous organization. EternalBlue was used to spread the WannaCry ransomware worldwide, breaching the intranets of many universities, large corporations, and government agencies. To this day, the EternalBlue vulnerability remains unpatched in many systems around the world and is still exploited by various viruses to infiltrate and spread.

2. Attack process

After entering the internal network using a brute-force technique, the attacker uses the Ladon tool to scan the internal network hosts for MS17-010.

After the scan is complete, the intranet is attacked to obtain permissions on other hosts. In recent years, exploiting the EternalBlue vulnerability to spread laterally (horizontally) across networks has been a rare extortion method.

In addition to exploiting the EternalBlue vulnerability, the attackers also used a variety of methods to carry out intranet attacks. Judging by the "k8gege" signature, the attacker used the k8gege toolkit against the victim.

The attacker uses WMIExec to send PowerShell commands to other hosts on the intranet for execution.

Decoding the base64 shows that the command persists on the host and downloads a file every 20 minutes.

Dumping the downloaded file shows that its data is encoded as decimal ASCII codes.

After decoding, key parts are still base64-encoded and need to be decoded again.

The decoded command downloads nc.jpg from the C2 server.

3. Sample analysis

Since the content of nc.jpg is also base64-encoded, the file must be decoded in the correct sequence. The decoded data has an MZ header, and the PE characteristics confirm that it is a DLL.
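
As an added illustration of the decoding chain described above (outer base64, then decimal ASCII codes, then base64 again, ending at an MZ header), the following Python helper was written for this article and is not Sangfor's analysis tooling; the layered sample it decodes is constructed inline and stands in for nc.jpg (the `wrap_for_demo`, `peel_layers` and `is_pe_candidate` names are the author's own).

```python
import base64
import binascii
import re
# Constructed stand-in payload (NOT a real PE); only the MZ header matters here.
_INNER = b"MZ" + b"\x90" * 14 + b"stand-in payload, not real code"

def wrap_for_demo(payload: bytes) -> bytes:
    """Build the layered sample (constructed): base64 -> decimal ASCII -> base64."""
    inner_b64 = base64.b64encode(payload)                          # inner base64 of the DLL
    decimal_ascii = " ".join(str(b) for b in inner_b64).encode()   # decimal ASCII codes
    return base64.b64encode(decimal_ascii)                         # outer base64 command body

SAMPLE = wrap_for_demo(_INNER)
_DECIMAL_RE = re.compile(rb"^\s*\d{1,3}(?:[\s,]+\d{1,3})*\s*$")

def is_pe_candidate(data: bytes) -> bool:
    return data[:2] == b"MZ"    # cheap MZ-header check, the first test applied to nc.jpg

def _try_base64(data: bytes):
    """Strict base64 decode; None when the data is not valid base64."""
    try:
        out = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out or None

def _try_decimal_ascii(data: bytes):
    """Turn '77 90 144 ...' style text back into bytes; None if it is not that form."""
    if not _DECIMAL_RE.match(data):
        return None
    values = [int(v) for v in re.split(rb"[\s,]+", data.strip())]
    return bytes(values) if all(v <= 255 for v in values) else None

def peel_layers(blob: bytes, max_layers: int = 8):
    """Strip base64 / decimal-ASCII layers until an MZ header appears or nothing applies.
    Returns (final_bytes, names of the layers removed, outermost first)."""
    layers, data = [], blob
    for _ in range(max_layers):
        if is_pe_candidate(data):
            break
        decoded = _try_decimal_ascii(data)       # decimal ASCII is checked first: it never
        if decoded is not None:                  # passes strict base64 (spaces/commas)
            layers.append("decimal-ascii")
        else:
            decoded = _try_base64(data)
            if decoded is None:
                break                            # no known encoding applies: stop
            layers.append("base64")
        data = decoded
    return data, layers
```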

The DLL looks for, and creates, the svchost.exe process.

The shellcode is copied into heap memory.

The first copy shows that the program mainly assembles the contents of a PE file.

Finally, process injection is performed, injecting the shellcode into the newly created svchost.exe process.

The thread is restarted to execute the shellcode.

The debugger is used to load the svchost.exe process and dump the injected shellcode.

The shellcode contains many empty functions, but its main logic is in sub_401030.

The sample carries the ransomware's public key information.

The ransom note text is initialized, along with the encrypted file suffix information.

The username is obtained and concatenated with jsxccc.txt.

The hostname, IP address, MAC address, operating system, operating system version, and motherboard of the victim are collected, and this information is used to determine whether the host is a server.

The collected information is combined and submitted via HTTP POST.

The information is uploaded as a .txt file whose name is concatenated with the hostname.

If the upload is successful, the attacking group uses the data to determine whether the host is a server and adjusts the extortion accordingly.

All logical drives on the host are identified, and the number of drive letters on the hard disk is determined.

A ransom note file named RESTORE_FILES_INFO.txt is generated under each drive letter.

The generated ransom note includes a key that was generated early in the sample's run. This key serves as an identifier for each run, and the attacker provides a corresponding decryption tool based on this identifier.

4. Encryption process

Before encryption, the relevant services and processes related to the extortion are closed, and xm.exe is added to the task list.

Directories and file suffixes on the exclusion list are skipped during encryption, and information about the MS17-010 vulnerability is checked.

All files on the C drive are searched, and files that do not match the excluded directories and suffixes are encrypted.

File traversal begins, and files are encrypted in a loop.

The program loads the file into memory and determines the current file state before encryption.

Initialization is performed before the file is encrypted.

The targeted files are encrypted.

The ransomware was found to encrypt only a portion of each file's content, with the encryption key written to the end of the encrypted file.

The file size is compared: if the file is large, the suffix is added directly, without encrypting it.

If the file is small, it is encrypted and the suffix information is appended.

The file is moved and the ransomware information is added to the file suffix.

After encryption is complete, a ransom note is created in the directory of the encrypted file.

This runs until all files are encrypted. After the encryption is complete, the corresponding volume shadow copies, logs, and scheduled tasks are cleaned up.

5. Protection Recommendations

  1. Set up access permissions for important files, turn off unnecessary file sharing features, and perform regular non-local (offline) backups.
  2. Use a highly secure host password, avoid multiple devices using the same password, and do not map ports like 3389 directly to the external network to prevent brute-force cracking.
  3. Avoid opening emails, links, and URL attachments of unknown origin. Do not attempt to download non-genuine software from unofficial channels. If you find that the file type does not match the original icon, you should first use endpoint detection software to detect malicious code within the file.
  4. Regularly scan the system for vulnerabilities and install patches in a timely manner.

6. Sangfor Endpoint Secure

  1. Detect system vulnerabilities and repair them in real time with patches, and enable Endpoint Secure light or virtual patching for vulnerabilities.
  2. Enable Fileless Attack Protection to intercept suspicious PowerShell scripts in real time.
  3. Enable RDP Brute Force Attack Prevention to prevent attackers from brute-force cracking into the system.

7. Sangfor Security Solutions

  1. For users of Sangfor Cyber Command, NGAF, and Endpoint Secure, it is recommended that the system engines and signature databases are upgraded regularly.
  2. Connect to Neural-X and use Cloud Sandbox to detect and defend against new threats.
  3. Sangfor provides free bot and virus removal tools to users. You can download the following virus detection and protection tools here: https://page.sangfor.com/anti-bot-tool.
  4. Sangfor Engine Zero malware detection engine is integrated into most Sangfor security products to provide precision defense against unknown viruses and malware.
  5. Sangfor has a suite of Security Assessment Services to help users quickly identify gaps in the security architecture and develop remediation plans. Sangfor Security Assessment Services provides security device policy inspection, threat hunting and detection, and vulnerability inspections to ensure that risks are immediately identified, and remediation strategies developed to prevent successful attacks in the future.