Attack surface management, Fraud and cybercrime management, Ransomware
Red Team Tool’s Self-Signed Certificate Leads to a “Smoking Gun”
Brian Pereira (digital_belief)
July 23, 2022
An internet scan of pen testing tools on Russian servers exposed a network of hosts potentially used to launch ransomware attacks by a criminal group known to target the healthcare sector.
Attack surface risk company Censys said it came across a Russian server with a collection of red team tools used to compromise hosts and maintain control. Further analysis connected the initial server to another Russian server, which as recently as mid-June contained a malware kit pointing to an online domain used by the MedusaLocker group.
The US federal government issued a warning just earlier this month about MedusaLocker ransomware, noting that it takes advantage of insecure remote desktop software and uses phishing campaigns. Cybereason in 2020 found the malware prevalent in the healthcare industry. Medical centers are particularly susceptible to paying ransoms given practitioners’ reluctance to disrupt patient care (see: Hackers claim to have stolen drug data as reports warn healthcare sector).
Censys says it identified the server with the MedusaLocker malware kit through an iterative process that began with a review of 7.4 million Russian hosts visible in its internet scans. Two hosts stood out because they contained the Metasploit pen testing tool and Deimos C2, an open source command and control tool. Further analysis revealed that one of the hosts also had the Acunetix web vulnerability scanner and had used PoshC2, a red team tool used for post-exploitation.
The presence of PoshC2 notably led Censys to the server with signs of connections to MedusaLocker. By default, PoshC2 creates a self-signed certificate for its HTTP server, whose values are stored in the poshc2/server/Config.py file. These values are not stored in the config.yml configuration file and are therefore more difficult to modify.
The certificate used on the server is listed as an indicator of compromise by the developer of PoshC2, and Censys was able to locate it on only eight other servers after a worldwide search. The company later discovered a ninth host. Other servers in this group also contained malware kits, but only the one server contained what Censys calls proof of a connection to MedusaLocker.
Namely, the presence of a malware kit with [email protected][.]cyou appended to each file. MedusaLocker uses decorous[.]cyou domains to send emails to victims.
It’s possible, the company admits, that the server in question is the victim of hackers, but the persistence of a malicious kit that has been modified over time is more in line with the behavior of attackers, it adds.
Censys also spotted servers with the malicious PoshC2 certificate in California, Ohio, and Taiwan, as well as other servers in Russia. An active Malware Bazaar user with the handle @r3dbU7z lists one of the other Russian hosts that are part of the MedusaLocker group.
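The certificate pivot described above, in which a tool's default self-signed certificate ties otherwise unrelated hosts together, can be sketched as follows. This is an added example, not code from Censys or PoshC2; the scan records, addresses (documentation ranges), subject names and certificate bytes are all constructed, and the IoC set is a placeholder for fingerprints a tool's developer publishes.

```python
import hashlib
from collections import defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, the value scan data is indexed on."""
    return hashlib.sha256(der).hexdigest()

def hunt(records, ioc_fingerprints):
    """Group hosts by certificate; return (fingerprint, reason, hosts) findings."""
    hosts_by_fp = defaultdict(set)
    self_signed = set()
    for rec in records:
        fp = fingerprint(rec["der"])
        hosts_by_fp[fp].add(rec["host"])
        # Heuristic only: equal subject and issuer suggests self-signed.
        # A full check verifies the signature with the certificate's own key.
        if rec["subject"] == rec["issuer"]:
            self_signed.add(fp)
    findings = []
    for fp, hosts in sorted(hosts_by_fp.items()):
        if fp in ioc_fingerprints:
            findings.append((fp, "known-ioc", sorted(hosts)))
        elif fp in self_signed and len(hosts) > 1:
            # One self-signed certificate on several hosts: shared default or copied key.
            findings.append((fp, "shared-self-signed", sorted(hosts)))
    return findings

def rec(host, der, subject, issuer=None):
    """Build one constructed scan record; issuer defaults to subject (self-signed)."""
    return {"host": host, "der": der, "subject": subject, "issuer": issuer or subject}

# Constructed stand-ins for DER bytes; real input comes from TLS scan data.
DEFAULT_CERT = b"constructed stand-in: a C2 tool's default certificate"
REUSED_CERT = b"constructed stand-in: another reused self-signed certificate"
SCAN = [
    rec("192.0.2.10", DEFAULT_CERT, "CN=placeholder-default"),
    rec("198.51.100.7", DEFAULT_CERT, "CN=placeholder-default"),
    rec("203.0.113.5", REUSED_CERT, "CN=lab"),
    rec("203.0.113.9", REUSED_CERT, "CN=lab"),
    rec("192.0.2.44", b"constructed unique self-signed", "CN=nas"),
    rec("192.0.2.80", b"constructed CA-issued", "CN=www.example.org", "CN=Example CA"),
]
IOCS = {fingerprint(DEFAULT_CERT)}  # placeholder for a published IoC fingerprint

if __name__ == "__main__":
    for fp, reason, hosts in hunt(SCAN, IOCS):
        print(f"{reason:20} {fp[:16]}  {', '.join(hosts)}")
```

Hosts flagged as shared-self-signed are leads for review rather than confirmed infrastructure, since appliances and lab images also ship shared default certificates.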