Introduction –

Maze, also known as ChaCha, is a ransomware family first discovered in May 2019. The Maze ransomware attack is sophisticated and is considered a multi-staged cyber attack.

The main goal of this ransomware attack is to encrypt all files on the targeted systems belonging to the victim's organization and then demand a ransom to recover them.

Exploitation Techniques –

Unlike most ransomware attacks, which typically rely on social engineering and spam email campaigns to gain entry to a targeted system, Maze ransomware is delivered through exploit kits via drive-by downloads.

An exploit kit, or exploit pack, is a toolkit that cyber criminals use to attack vulnerabilities in systems so they can distribute malware or carry out further malicious activity.

Fallout is one of the exploit kits used to deliver Maze ransomware; it uses various exploits found on GitHub. Exploit kits use PowerShell commands, rather than the web browser, to run their payload.

Maze ransomware has also been distributed in spam emails sent by the Maze attack group impersonating government websites. The attackers emailed malicious Microsoft Word attachments with embedded macros; if executed, the macro runs a PowerShell script that downloads Cobalt Strike, a penetration testing tool that has been repurposed by the attackers.

Attack in Action –

The key generation and file encryption process of the Maze ransomware attack is depicted below –

Image Source: Bitdefender – A Technical Look into Maze Ransomware

Once the malware finishes encrypting the files, it changes the desktop wallpaper to the image shown below –

Image Source: McAfee.com Blogs – Maze Ransomware

Recently, one of the largest technology and consulting companies confirmed that it was hit by a Maze ransomware attack. The security incident involved a breach of the organization's internal systems, which caused service disruptions for some of its clients.

The attackers gained administrator credentials on the internal corporate network and then deployed the ransomware using tools such as PowerShell Empire. Before deploying the ransomware, the Maze operators had exfiltrated unencrypted copies of files, so the encryption step was preceded by data theft.

Recommendations –

  1. Network administrators are advised to block the IOCs listed in the "Indicators of Compromise" sections of this blog.
  2. Network administrators should consider disabling PowerShell execution, or reducing its capabilities using AppLocker or Windows Software Restriction Policy (SRP), as applicable.
  3. Organizations should educate employees not to download files from suspicious sources or click on suspicious links.
  4. Organizations should keep and maintain a reliable, tested backup of data that can be restored in an emergency.
  5. Security administrators should ensure that sensitive files and data are encrypted on all servers and systems.
  6. Employees and users should exercise caution when visiting unknown links or webpages.
  7. Keep AV signatures, as well as operating system and third-party application patches, up to date.


Indicators of Compromise (IOCs) [19th April 2020] –

IP Addresses –

URLs –

Hash Values (SHA256) –

Associated Filenames –
DECRYPT-FILES[.]html
%ProgramData%\foo[.]dat

Associated Email Addresses –
filedecryptor[@]nuke[.]africa
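The indicators above are published defanged (hxxp, [.], [@]) so they cannot be clicked by accident, which means they have to be refanged before they can be matched against telemetry. The following is an added Python example, not code from the original post, that refangs a handful of the indicators listed on this page and sweeps constructed proxy, file-system and mail log lines for them, as recommendation 1 above asks; the log lines and the `example.internal` hosts are made up for illustration.

```python
import re

# Defanged indicators copied from the IOC section of this post.
MAZE_IOCS = [
    "92[.]63[.]17[.]245",
    "hxxp://conbase[.]top/sys[.]bat",
    "uspsdelivery-service[.]com",
    "filedecryptor[@]nuke[.]africa",
    "DECRYPT-FILES[.]html",
]

# Constructed sample log lines (not real telemetry) mixing benign and suspicious events.
SAMPLE_LOGS = [
    "2020-04-20T10:02:11Z proxy allow src=10.0.5.17 dst=92.63.17.245:443 method=CONNECT",
    "2020-04-20T10:02:15Z proxy allow src=10.0.5.17 url=http://conbase.top/sys.bat",
    "2020-04-20T10:03:40Z proxy allow src=10.0.5.18 url=https://updates.example.internal/patch.msi",
    "2020-04-20T10:05:02Z fs create path=C:\\Users\\alice\\Desktop\\DECRYPT-FILES.html",
    "2020-04-20T10:06:30Z mail from=hr@example.internal to=bob@example.internal subject=Payroll",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.], [@], hxxp) back into the live form seen in logs."""
    live = ioc.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


def compile_iocs(iocs):
    """Refang each indicator and wrap it in a word-bounded, case-insensitive pattern,
    so 92.63.17.2 does not fire on 92.63.17.245 and Windows filenames match in any case."""
    compiled = []
    for raw in iocs:
        live = refang(raw)
        compiled.append((live, re.compile(r"\b" + re.escape(live) + r"\b", re.IGNORECASE)))
    return compiled


def sweep(lines, iocs=MAZE_IOCS):
    """Return (line_index, indicator) for every indicator that appears in the log lines."""
    patterns = compile_iocs(iocs)
    hits = []
    for idx, line in enumerate(lines):
        for live, pattern in patterns:
            if pattern.search(line):
                hits.append((idx, live))
    return hits


if __name__ == "__main__":
    for idx, live in sweep(SAMPLE_LOGS):
        print(f"line {idx + 1}: matched {live}")
```

Host-only IOCs such as the domain will not match a full URL line unless the log prints the host as a separate field, so feed the sweep the host or destination column where the proxy provides one.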


Indicators of Compromise (IOCs) [25th November 2019] –

Hash Values (SHA256) –

Associated Email Addresses –

antowortensienicht@bzst-infomieren[.]icu
info@agenziaentrate[.]icu
antwortensienicht@bzstinform[.]icu

Domains –



Note – This blog post is being updated as the story develops and was last updated on April 22, 2020.

Blog Author –

Poornima J.

Managed SOC Consultant