Introduction
In October 2023, the source code for a ransomware family dubbed ‘HelloKitty’ was leaked on the XSS forum[1]. This variant is suspected to be a later iteration of the FiveHands ransomware[2] based on shared infrastructure and code similarity. Similarly, the TellYouThePass variant also has notable similarities with this family of ransomware[3] and exhibits similar ransomware behavior on execution. Because of these similarities, FortiEDR detections are identical for each of these families and variants so this article has been adapted to provide details of coverage for all of them. Note that these families and variants are operated in many cases by different threat groups and are grouped in this article based on the behavioral characteristics of the ransomware payloads.
Both HelloKitty and TellYouThePass are built using the Go programming language, and both have variants able to target Windows and Linux endpoints for encryption. Both variants employ the ‘NTRUEncrypt’ public key encryption scheme and perform extensive encryption preparation to maximize the effectiveness of their encryption processes.
Analysis
To demonstrate FortiEDR’s ability to detect and mitigate the execution and behavior of HelloKitty/TellYouThePass ransomware, a recent sample was detonated in a test environment. During this testing FortiEDR was configured in ‘Log Only’ mode which allows the malware to execute without impeding its activity. All behavior detected in this configuration would be blocked once FortiEDR is put into ‘Prevention’ mode. Analysis of similar samples demonstrated identical behavior from FortiEDR’s perspective so the analysis in this article will focus on the behavior of a single sample.
The sample analyzed in this article is an msi file (SHA1: 5ea03fa8326ed87a0c81740092c131f23bc5f651) associated with a recent HelloKitty campaign targeting vulnerable Apache ActiveMQ software from late 2023[4]. As part of this campaign the associated threat actor used their access through the CVE-2023-46604[5] vulnerability to execute a remotely hosted malicious msi package through msiexec (T1218.007 – System Binary Proxy Execution: Msiexec). This proxy execution was emulated by locally hosting the msi package, which supports a more realistic emulation of the attack chain used as part of the recent campaign. When observed in an attack related to exploitation of Apache ActiveMQ, organizations will see the msiexec.exe process starting from a cmd.exe process spawned by the java.exe process hosting the Apache ActiveMQ instance, rather than from a powershell.exe process as shown in this analysis. A visualization of the reported campaign is shown below in Figure 1.
Figure 1. Attack flow diagram for HelloKitty ransomware campaign targeting vulnerable Apache ActiveMQ software in late 2023.
FortiEDR is integrated with FortiGuard threat intelligence feeds, allowing it to detect known threats based on file hash and other static indicators. In addition to these known indicators, FortiEDR includes machine learning and sandboxing to detect unknown variants of known malware families as well as behavioral detections that are able to identify anomalous behavior in known good applications. In the case of the analyzed sample, the malicious msi package was identified based on a known hash. The ‘Malicious File Detected’ security event generated by FortiEDR can be seen below in Figure 2.
Figure 2. FortiEDR security event showing the HelloKitty ransomware msi package being identified as malicious based on a known signature.
Once executed, the HelloKitty ransomware begins to kill many processes that may lock databases, consume large volumes of resources, or otherwise reduce the efficiency of the encryption process. FortiEDR detects these attempts to target key services as a ‘Service Access’ or ‘File Service Access’ security event. An example of one of these security events is shown below in Figure 3.
Figure 3. FortiEDR security event showing a service access attempt from the HelloKitty ransomware as it attempted to kill running SQL services in preparation for encryption.
In the sample analyzed as part of this article, 40 different applications were targeted for termination using the ‘taskkill.exe’ binary. Each one of these terminations is performed by a separate child ‘cmd.exe’ -> ‘taskkill.exe’ process which can be observed in the FortiEDR Threat Hunting telemetry shown in Figure 4 below. A complete list of the processes targeted by the analyzed sample is also shown in Table 1.
Figure 4. FortiEDR Threat Hunting telemetry showing process creation events for a number of the taskkill commands issued by the HelloKitty ransomware sample.
Executable | Description
agntsvc.exeisqlplussvc.exe | Agent service associated with Oracle SQL*Plus, a command-line tool for Oracle databases. Filename is anomalous but legitimate.
encsvc.exe | Likely associated with the Citrix Encryption Service.
isqlplussvc.exe | Associated with Oracle SQL*Plus, a command-line tool for Oracle databases.
dbeng50.exe | Related to Sybase SQL Anywhere, a relational database management system.
dbsnmp.exe | Associated with Oracle's Database SNMP Agent for SNMP monitoring of Oracle databases.
excel.exe | Microsoft Excel, a spreadsheet program for data analysis and visualization.
firefoxconfig.exe | Not widely recognized, likely linked to the use of the Mozilla Firefox browser but purpose is unclear.
infopath.exe | Microsoft InfoPath, a discontinued application for electronic forms.
msaccess.exe | Microsoft Access, a database management system.
msftesql.exe | Associated with Microsoft SQL Server Full-Text Engine for full-text search capabilities.
mspub.exe | Microsoft Publisher, a desktop publishing application.
mydesktopqos.exe | Likely part of the Oracle MyDesktop QOS Service that is designed to monitor and manage the performance of Oracle MyDesktop software.
mydesktopservice.exe | Main executable associated with Oracle MyDesktop software.
mysqld-nt.exe | Related to MySQL, an open-source relational database management system.
mysqld-opt.exe | Variant of the MySQL database server with optimization features.
mysqld.exe | Associated with MySQL, an open-source relational database management system.
ocautoupds.exe | Likely the main executable associated with the Oracle Connector Automatic Updates Service, used to manage updates for Oracle software.
ocomm.exe | Likely Oracle Communicator, an application used to support Oracle Fusion.
ocssd.exe | Associated with the Oracle Cluster Synchronization Service Daemon.
onenote.exe | Microsoft OneNote, a digital note-taking application.
oracle.exe | Likely associated with Oracle Database software; specific role depends on context.
outlook.exe | Microsoft Outlook, an email client and personal information manager.
powerpnt.exe | Microsoft PowerPoint, a presentation program.
sqbcoreservice.exe | Related to the SQL Backup Core Service for SQL Server backup solutions.
sqlagent.exe | SQL Server Agent, automates tasks in Microsoft SQL Server.
sqlbrowser.exe | SQL Server Browser, provides information about SQL Server instances on the network.
sqlservr.exe | Main executable for Microsoft SQL Server, manages and serves SQL databases.
sqlwriter.exe | Associated with the SQL Writer Service for managing backup and restore operations.
steam.exe | Steam, a digital distribution platform for video games.
synctime.exe | Executable used by Oracle to perform time synchronization tasks.
tbirdconfig.exe | Associated with configuring settings for the Thunderbird email client.
thebat.exe | Main executable of the Windows email client ‘The Bat!’.
thebat64.exe | 64-bit version of ‘The Bat!’, a Windows email client.
thunderbird.exe | Mozilla Thunderbird, an open-source email client and newsreader.
tnslsnr.exe | Associated with Oracle Net Listener, used for establishing connections to Oracle databases.
visio.exe | Microsoft Visio, a diagramming and vector graphics application.
winword.exe | Microsoft Word, a word processing application.
wordpad.exe | WordPad, a basic word processing program included with Windows.
xfssvccon.exe | Oracle WebDav software that allows users to quickly publish content or files via WebDav-aware utilities.
Table 1. List of processes killed by HelloKitty ransomware as part of encryption preparation.
In addition to terminating these processes that may interfere with the encryption, the HelloKitty sample also attempted to delete volume shadow copies to impede recovery from backups (T1490 – Inhibit System Recovery). The FortiEDR security event related to this behavior can be seen in the screenshot in Figure 5.
Figure 5. FortiEDR security event showing a service access attempt from the HelloKitty ransomware as it attempted to delete volume shadow copies in preparation for encryption.
As part of its encryption preparation, the HelloKitty executable will also attempt to establish a network connection to HelloKitty C2 infrastructure. The purpose of this network connection is likely to share information on the victim and to notify the HelloKitty operators behind the intrusion that a potential victim has been affected. FortiEDR detects this behavior, as can be seen from the screenshot in Figure 6.
Figure 6. FortiEDR security event showing attempted network connection from the msiexec process used to execute the HelloKitty ransomware.
Analysis of the IP address associated with this network connection using FortiGuard Central Threat System (CTS) identifies this IP as a known indicator for HelloKitty ransomware. This can be seen in Figure 7 below.
Figure 7. FortiGuard CTS information identifies this C2 IP address as being associated with previous HelloKitty ransomware operations.
Following preparation of the victim endpoint for encryption, the HelloKitty ransomware begins the encryption process. Encryption uses a file copy method: each file is copied, the copy is encrypted, and the original file is then deleted. The encrypted copy is written with the new file extension ‘.locked’ appended to the existing filename. This encryption process results in a large volume of file write and file create operations. FortiEDR detects these anomalous file operations and flags them with the ‘File Encryptor’ rule. This detection is behavior based and would prevent files from being encrypted even if the ransomware were able to begin executing. The security event generated by this behavior can be seen in Figure 8.
Figure 8. FortiEDR security event showing large volume of file write operations detected by FortiEDR caused by HelloKitty encryption activity.
Following successful encryption, the HelloKitty ransomware writes ransom notes to every directory where a file was encrypted and to the victim's desktop. The ransom note is an HTML file with the filename ‘READ_ME4.html’. Compared to other ransomware ransom notes, the HelloKitty note is very simple. The security event related to these ransom notes being created can be seen in the screenshot in Figure 9, and a screenshot of the ransom note itself can be observed in Figure 10.
Figure 9. FortiEDR security event showing the large volume of file creation operations detected by FortiEDR caused by HelloKitty encryption activity.
Figure 10. HelloKitty ransom note written as part of the above dynamic analysis.
Conclusion
As demonstrated in the above analysis, FortiEDR is able to detect and mitigate the risk associated with the execution of, and subsequent encryption by, HelloKitty/TellYouThePass ransomware. FortiEDR’s detections are both signature and behavior based, providing detection and protection capabilities for new variants that exhibit similar suspicious behaviors. In addition to these protections, FortiEDR Threat Hunting telemetry can also be used to build additional detections for associated behavior which may be shared with other ransomware families. Some useful threat hunting queries are provided below to support proactive threat hunting efforts.
Threat Hunting
The following query will identify cmd.exe Process Creation events where the cmd.exe process spawns from msiexec.exe processes with the debug command-line argument. This will identify all cmd.exe sub-processes spawned as part of the encryption preparation activity for HelloKitty ransomware highlighted above, but will also generically apply to anomalous msiexec child processes. This query may generate false positives as this behavior can often be exhibited by benign installers (legitimate use of msiexec.exe), so as with all queries, this rule should be tuned before deploying in production.
Type:"Process Creation" AND Source.Process.Parent.Path:"*\\Windows\\System32\\msiexec.exe" AND Source.Process.CommandLine:"debug" AND Target.Process.Name:cmd.exe
The following query will identify Process Creation events for taskkill.exe processes spawning from an msiexec based process chain. This will detect encryption preparation activity highlighted above. As with all queries, this rule should be tuned before deploying in production.
Type:"Process Creation" AND Source.Process.Parent.Path:"*\\Windows\\System32\\msiexec.exe" AND Target.Process.CommandLine:"taskkill"
The following query will identify Socket Connect events related to network connections to known C2 associated with Apache ActiveMQ exploitation and HelloKitty campaigns. These are high confidence indicators. As with all queries, this rule should be tuned before deploying in production.
Type:"Socket Connect" AND Source.Process.Parent.Path:"*\\Windows\\System32\\msiexec.exe" AND RemoteIP:("137.175.17.221" OR "45.32.120.181" OR "38.6.160.44" OR "23.225.116.3" OR "172.245.16.125" OR "193.187.172.73" OR "4.216.93.211" OR "137.175.17.172" OR "27.102.128.152" OR "159.203.182.45")
The following query will identify File Create events related to the creation of files matching the filename of the HelloKitty ransom note. Note that if this behavior is observed, the corresponding endpoint is likely encrypted already, and a victim should begin IR triage as soon as practical. This query is included for completeness; earlier detections should be used.
Type:"File Create" AND Source.Process.Parent.Path:"*\\Windows\\System32\\msiexec.exe" AND Target.File.Name:"READ_ME4.html"
The following query will identify File Create events related to the creation of files with the ‘.locked’ file extension. This extension is added when HelloKitty ransomware encrypts a file. This file extension is also a legitimate extension used by some software to lock files when they are in use so there may be false positives. Tuning of this rule before deploying in production is recommended. Note that if this behavior is observed, the corresponding endpoint is likely encrypted already and a victim should begin IR triage as soon as practical. This query is included for completeness; earlier detections should be used.
Type:"File Create" AND Target.File.Name:"*.locked"
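The hunting queries above, together with the encryption-preparation (taskkill burst) and ‘.locked’ behaviour they target, re-implemented as an added Python example that is not Fortinet's or FortiEDR's own code. It runs over constructed telemetry events that reuse the FortiEDR field names from the queries; the event shapes, the device names and the taskkill burst threshold are assumptions.

```python
"""Added example, not Fortinet's code: the article's hunting queries as Python predicates."""
import fnmatch

MSIEXEC = "*\\windows\\system32\\msiexec.exe"   # lower-cased for case-insensitive matching
# C2 / hosting IPs from this article's IOC table, with the duplicates removed.
KNOWN_C2 = {"137.175.17.221", "45.32.120.181", "38.6.160.44", "23.225.116.3",
            "172.245.16.125", "193.187.172.73", "4.216.93.211",
            "137.175.17.172", "27.102.128.152", "159.203.182.45"}
MSI = "C:\\Windows\\System32\\msiexec.exe"        # parent path used by the sample events

def from_msiexec(ev):
    """True when the event's source process was spawned by msiexec.exe."""
    return fnmatch.fnmatchcase(ev.get("Source.Process.Parent.Path", "").lower(), MSIEXEC)

def match_rules(ev):
    """Names of the hunting rules an event satisfies; an event may hit several."""
    hits, kind = [], ev.get("Type")
    if kind == "Process Creation" and from_msiexec(ev):
        if ("debug" in ev.get("Source.Process.CommandLine", "").lower()
                and ev.get("Target.Process.Name", "").lower() == "cmd.exe"):
            hits.append("msiexec_debug_spawns_cmd")   # benign installers too: tune first
        if "taskkill" in ev.get("Target.Process.CommandLine", "").lower():
            hits.append("msiexec_chain_taskkill")
    elif kind == "Socket Connect" and from_msiexec(ev) and ev.get("RemoteIP") in KNOWN_C2:
        hits.append("known_hellokitty_c2")             # high confidence indicator
    elif kind == "File Create":
        name = ev.get("Target.File.Name", "")
        if from_msiexec(ev) and name == "READ_ME4.html":
            hits.append("hellokitty_ransom_note")      # late: host is likely encrypted
        if fnmatch.fnmatchcase(name.lower(), "*.locked"):
            hits.append("locked_extension")            # late and noisy: tune first
    return hits

def hunt(events, burst=3):
    """Per-event hits plus devices whose msiexec-chain taskkill count reaches `burst`
    (the analyzed sample issues 40 such taskkills, far more than a normal installer)."""
    hits = [match_rules(ev) for ev in events]
    per_device = {}
    for ev, h in zip(events, hits):
        if "msiexec_chain_taskkill" in h:
            per_device[ev["Device"]] = per_device.get(ev["Device"], 0) + 1
    return hits, {d for d, n in per_device.items() if n >= burst}

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"Type": "Process Creation", "Device": "WS01", "Source.Process.Parent.Path": MSI,
     "Source.Process.CommandLine": "<constructed> debug", "Target.Process.Name": "cmd.exe"},
    *({"Type": "Process Creation", "Device": "WS01", "Source.Process.Parent.Path": MSI,
       "Target.Process.CommandLine": "taskkill /f /im " + p}
      for p in ("sqlservr.exe", "sqlagent.exe", "oracle.exe")),
    {"Type": "Socket Connect", "Device": "WS01", "Source.Process.Parent.Path": MSI,
     "RemoteIP": "137.175.17.221"},
    {"Type": "File Create", "Device": "WS01", "Source.Process.Parent.Path": MSI,
     "Target.File.Name": "READ_ME4.html"},
    {"Type": "File Create", "Device": "WS02", "Source.Process.Parent.Path": "C:\\app\\build.exe",
     "Target.File.Name": "report.xlsx.locked"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns one hit list per event and the set of devices with a taskkill burst; the `.locked` rule fires on WS02 without any msiexec ancestry, which is exactly the false-positive case the text warns about.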
IOCs
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
HelloKitty loader (embedded ransomware) | 3d33fe9ab068dc7a97a9cd3181a4d198f9a696c6 | SHA1 Hash | Installation | .NET executable contained within malicious msi package used to decode embedded HelloKitty ransomware dll. | 2023-12-11
HelloKitty loader (embedded ransomware) | 6d031c12833df6d9dd2cd0c8eee61b728f2876ca | SHA1 Hash | Installation | .NET executable contained within malicious msi package used to decode embedded HelloKitty ransomware dll. | 2023-12-11
HelloKitty installer package | 62ac3497a1a58604c57e6fa52b5224f8d44751e9 | SHA1 Hash | Installation | Malicious msi package containing HelloKitty ransomware. | 2023-11-28
HelloKitty loader (embedded ransomware) | 68cd750e0204b1b947f0bb7eda5818c3bced395c | SHA1 Hash | Installation | .NET executable contained within malicious msi package used to decode embedded HelloKitty ransomware dll. | 2023-11-18
HelloKitty loader (embedded ransomware) | c789942d013d8b45b6988ecc6491f5f1a1746311 | SHA1 Hash | Installation | .NET executable contained within malicious msi package used to decode embedded HelloKitty ransomware dll. | 2023-11-14
HelloKitty installer package | 5ea03fa8326ed87a0c81740092c131f23bc5f651 | SHA1 Hash | Installation | Malicious msi package containing HelloKitty ransomware. (Sample analyzed in this article) | 2023-11-10
HelloKitty installer package | 5fc62671aef4b355d2050bf2904c7615cb0795ea | SHA1 Hash | Installation | Malicious msi package containing HelloKitty ransomware. | 2023-11-10
HelloKitty installer package | f28c9eed11aed240979e9df53b16d7e47e71fd2a | SHA1 Hash | Installation | Malicious msi package containing HelloKitty ransomware. | 2023-11-10
HelloKitty installer package | e33704acf3e7b6066f990b87488b7aa572f275b1 | SHA1 Hash | Installation | Malicious msi package containing HelloKitty ransomware. | 2023-11-10
IP linked to Apache ActiveMQ exploitation | 137.175.17.221 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-20
IP linked to Apache ActiveMQ exploitation | 137.175.17.172 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-20
IP linked to Apache ActiveMQ exploitation | 45.32.120.181 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-07
IP linked to Apache ActiveMQ exploitation | 38.6.160.44 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-07
IP linked to Apache ActiveMQ exploitation | 23.225.116.3 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-07
IP hosting malicious msi packages | 172.245.16.125 | IP Address | Installation | IP hosting malicious msi packages. | 2023-11-07
IP linked to Apache ActiveMQ exploitation | 193.187.172.73 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-06
IP hosting malicious msi packages | 4.216.93.211 | IP Address | Installation | IP hosting malicious msi packages. | 2023-11-03
IP linked to Apache ActiveMQ exploitation | 159.203.182.45 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-11-03
IP linked to Apache ActiveMQ exploitation | 27.102.128.152 | IP Address | Exploitation | IP linked to Apache ActiveMQ exploitation. | 2023-09-28
[1] https://twitter.com/3xp0rtblog/status/1710387356979560800
[2] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-FiveHands/t...
[3] https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ranso...
[4] https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-4...
Copyright 2024 Fortinet, Inc. All Rights Reserved.