FortiEDR
sgrabelkovsky
Article Id 303983

Introduction 

‘Kasseika’ ransomware, recently discovered by TrendMicro researchers[1], is one of the latest malware strains to employ tools that use the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software before encrypting data. Kasseika joins other ransomware groups such as Akira[2], BlackByte[3], and AvosLocker[4] that have used this technique.

BYOVD is a technique where attackers exploit a legitimate, signed but vulnerable driver to perform malicious activity. Typically, threat actors exploit kernel-mode drivers to achieve kernel-level privilege escalation, granting them the highest level of access to system resources, which allows them to interfere with the operation of endpoint protection software such as EDR and AV products.

The attack consists of three main stages. The first stage involves gaining access to the network and dropping all the files needed for the attack. This stage is accomplished using phishing (T1566 – Phishing[5]) and credential theft. The second stage is distributing the malware throughout the victim’s network and terminating AV products. This stage is achieved by abusing a legitimate driver that is a component of TG Soft's VirIT Agent System (BYOVD), together with the PsExec[6] utility. The final stage is Kasseika ransomware deployment, which depends on the success of the previous stages and is carried out through PsExec and a batch script. Files targeted by the ransomware are encrypted using the ChaCha20 algorithm along with the RSA algorithm from the open-source C++ library CryptoPP, and the extension .CBhwKBgQD is appended to the encrypted files.

TrendMicro’s researchers revealed in their article that the indicators and source code of the new ransomware were found to be similar to BlackMatter ransomware. Given that BlackMatter's source code has not been publicly leaked since its shutdown in late 2021, it is likely that Kasseika was developed by former members of that threat group, or by experienced threat actors who acquired its code.

In this article our analysis will start from the second stage discussed above. In this analysis we will demonstrate how FortiEDR protects against the defense evasion techniques employed by processes prior to the Kasseika ransomware deployment as well as how FortiEDR detects Kasseika ransomware execution and its encryption process. At the end of the article, you will find threat hunting queries to support proactive detection efforts along with MITRE ATT&CK mapping and IOCs.  

FortiEDR was configured in “Simulation” mode for the purpose of this article, allowing the malware to execute. All the detected activity would be blocked if set to “Prevention mode”. 
 

Attack Diagram


Figure 1. Attack flow diagram for Kasseika ransomware. 

 

Analysis 

Following initial access, threat actors associated with reported Kasseika ransomware intrusions used valid credentials to establish themselves within the network, performing lateral movement using PsExec. PsExec is a legitimate remote administration tool, widely used by administrators but also abused by threat actors to remotely execute commands and malicious files on compromised machines. Once they have performed data exfiltration to meet their extortion needs, they drop five files into a network shared folder: the vulnerable viragt64.sys driver (renamed ‘Martini.sys’), a malicious executable (‘Martini.exe’), the Kasseika ransomware (‘smartscreen_protected.exe’), the batch file that launches the attack chain on each individual system (‘test.bat’) and another batch file that clears the attack’s traces (‘clear.bat’).
The distribution process from the shared folder to the machines is achieved by again abusing PsExec and previously compromised credentials to download and execute the ‘test.bat’ (SHA1: 78f86e7248492797101cb8e922f1f5e7f542d99f) batch file from the network shared folder. This batch file coordinates the remaining stages of the attack. A screenshot of the ‘test.bat’ file has been included below in Figure 2. 

 


Figure 2. Kasseika ransomware deployment script, ‘test.bat’. 

 

The batch file ‘test.bat’ starts by setting several environment variables that are later used to download and execute the various malicious payloads from the network shared folder. The layout of this script indicates it has been designed so that these variables are the only components that need to be changed between intrusions, meaning that the behavior of the batch script is functionally identical between intrusions. After the variables are set, the script looks for running processes with an executable path matching the one saved in the ‘Martini’ variable – in this instance ‘force.exe’. If a matching process is found it is terminated so that it does not interfere with the payload; if none is found, the script prints “process not found” and proceeds with execution. Following this, the script recursively deletes the directory tree saved in the ‘localpath’ variable – in this instance a directory called ‘AntiVirus’ in the relative path. It then copies all the content from the network shared folder into that directory using the legitimate Microsoft ROBOCOPY (Robust File Copy) tool.

 


Figure 3. FortiEDR threat hunting telemetry which captures Robocopy activity. Note the file location was modified from the script shown in Figure 2 to facilitate testing. 

 

Following the copy action, the batch script changes into the location of Martini.exe and executes it with the “start” command, which opens a new command prompt before execution. FortiEDR detects Martini.exe as Trojan_Win64_PINCAV.A, a type of Trojan with the ability to steal sensitive data, as shown in Figure 4 below.

 


Figure 4. FortiEDR security event detects file read attempt of Martini.exe. 

 

Upon execution, Martini.exe creates a Windows service, a very common technique threat actors use to execute malicious files and also to gain persistence and elevated privileges. Service creation writes an entry to the Windows System event log (Event ID 7045) and a value in the registry. This value creation activity generates a security event as shown in Figure 5 below.


Figure 5. FortiEDR security event generated because of OS modification attempt. 

 

The service creation entry in the Windows System event log can also be collected through FortiEDR Threat Hunting telemetry as an ‘Event Log Entry Created’ event, as shown in Figure 6 below. Having access to this log data through the FortiEDR Threat Hunting interface allows an analyst to quickly triage anomalous service creation activity.

 


Figure 6. Threat hunting log showing service creation. 

 

As part of its execution, Martini.exe loads the vulnerable driver Martini.sys and exploits it to terminate a predefined list of security tools. Martini.sys is a legitimate and digitally signed TG Soft driver originally called ‘viragt64.sys’.  FortiEDR detects and blocks the loading of this known vulnerable driver with the ‘Suspicious Driver Load - Attempt to load a suspicious driver’ rule in the Execution Prevention security policy. An example of this security event can be observed in Figure 7 below. This behavior can also be observed in Threat Hunting telemetry as a ‘Driver Loaded’ event as shown in Figure 8.  

 


Figure 7. FortiEDR security event generated following attempt to load the vulnerable driver. 

 


Figure 8. FortiEDR Threat Hunting Driver Loaded event associated with vulnerable driver load event. 

 

The next payload launched by the batch script is the Kasseika ransomware ‘smartscreen_protected.exe’. The Kasseika executable is immediately detected by FortiEDR as malicious through hash-based detection, tagging it as ‘Ransom_Win32_KASSEIKA.YPDLDT’, a label assigned to a specific variant of Kasseika ransomware.

 


Figure 9. FortiEDR security event detecting Kasseika ransomware as Ransom_Win32_KASSEIKA.YPDLDT 

 

As seen in Figure 10, several rules were triggered, one of which is ‘File Encryptor – Suspicious file modification’ under the ‘Ransomware Prevention’ security policy. This rule was triggered because the malicious ‘smartscreen_protected.exe’ made multiple attempts to write to a TXT file.
Based on the behavior of the encryption, which consisted mostly of file read and write actions, we conclude that the encryption method is overwrite: the file is read and the encrypted content is then written back into the same file. Because the original data is overwritten, it cannot be recovered without the decryption key.
During encryption, Kasseika appends the “.CBhwKBgQD” extension.

 


Figure 10. FortiEDR security event generated as a result of file write activity related to the encryption process. 

 

During encryption, the ransomware drops a ransom note in every directory in which it has encrypted files – a screenshot of the ransom note can be seen in Figure 11 below. At the time of writing this article, only one version of Kasseika ransomware has been identified in the wild, using the extension “.CBhwKBgQD”. However, future variants may use different extensions.

 


Figure 11. Ransom note dropped in every directory Kasseika encrypted files. 

 

The next stage of the test.bat script involves removing attack traces. This is implemented through a second batch script, ‘clear.bat’, which uses the wevtutil[7] tool to erase the Application, Security and System Windows event logs. This cleanup operation complicates the investigation for threat analysts and prevents security programs from detecting malicious activity. However, even when all logs are cleared, Windows generates a new System event log entry (Event ID 104) recording the clearing operation.

 


Figure 12. FortiEDR Threat Hunting ‘Event Log Entry Created’ event showing Windows event log associated with attempt to perform event logs cleanup. 

 


Figure 13. FortiEDR Threat Hunting Process Creation event showing wevtutil.exe process being used to clear System event logs. 

 

The test.bat script then checks again whether the Martini.exe process is running and terminates it if found. After that it deletes the ‘localpath’ directory that was created prior to ransomware execution and, finally, test.bat deletes itself.

 

Conclusion 

FortiEDR has the ability to detect and block behavior associated with a Kasseika intrusion, including detection of supporting files. Detections are a mixture of signature-based detection, enabled through integrations with FortiGuard threat intelligence databases, and analysis of endpoint behavior such as registry modification. At the time this article was written there was only one known variant of Kasseika. Whilst atomic indicators like the encrypted file extension “.CBhwKBgQD” and executable filenames could differ in new variants, the FortiEDR detections outlined in this article are predominantly behavior-based, which should allow FortiEDR to remain effective against future Kasseika ransomware variants. In addition to the detection capability provided by FortiEDR security policies, FortiEDR Threat Hunting telemetry can provide additional insight into endpoint behavior and gives additional detection opportunities. To leverage this capability, threat hunting queries that allow detection of the behavior outlined in this article have been provided below. These can be tuned and loaded into FortiEDR as scheduled queries to provide another layer of detection and to add context to existing detections. Also provided below are mappings of relevant MITRE techniques and associated observables.

 

Threat Hunting 

The following Threat Hunting query returns existing file objects of the VirIT Agent System driver on the systems. A match can indicate that a threat actor has gained a foothold on the system, or simply the presence of a vulnerable driver that could be exploited in the future.

 

Type: "File Detected" AND Target.File.ProductName: "*VirIT Agent System*" AND (Target.File.Name:"Martini.sys" OR Target.File.Name:"viragt64.sys" OR Target.File.Name:"viragt.sys")

 

 

The following Threat Hunting query returns Driver Loaded events for Martini.sys\viragt64.sys. It is low volume with few false positives. A match may indicate that threat actors have already infiltrated the system.

 

Type:"Driver Loaded" AND Target.Executable.File.Name:"Martini.sys"

 

 

The following Threat Hunting query returns Process Creation events indicative of attempts to clear the Windows Application, Security or System event logs using the wevtutil binary. This query may generate false positives when administrators perform maintenance tasks or troubleshooting procedures and should be tuned before deploying into production. This query is not unique to Kasseika and can be used for other malware.

 

Type: "Process Creation" AND Target.Process.File.Name:"wevtutil.exe" AND (Target.Process.CommandLine:"cl Application" OR Target.Process.CommandLine:"cl Security" OR Target.Process.CommandLine:"cl System")

 

 

The following Threat Hunting query returns Value Created events with a source process of services.exe and a registry data value of ‘Martini.sys’. This is indicative of the creation of the ‘Martini’ service used to load the Martini.sys driver.
If future Kasseika campaigns employ different driver names, the last condition (Registry.Data:Martini.sys) can be removed or updated to the relevant driver name.

 

Type:"Value Created" AND Source.Process.Name:services.exe AND Registry.Path: ("hklm\\system\\controlset001\\services\\*") AND Registry.Data:Martini.sys

 

 

The following Threat Hunting query returns File Create events related to the creation of ransom notes by Kasseika ransomware. Note that if this behavior is observed, the corresponding endpoint has most likely already been encrypted, and the victim should begin IR triage as soon as practical. This query is included for completeness; the earlier detections should be relied upon.

 

Type:"File Create" AND Target.File.Name: "CBhwKBgQD.README.txt"
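The five queries above, expressed as Python predicates and run over constructed telemetry records whose field names mirror the queries, as an added example (not FortiEDR's query engine or code from this article); the records are sample data, not captured telemetry, and the benign wevtutil record shows the false-positive case the third query note warns about.

```python
import fnmatch

# Constructed sample telemetry records (field names follow the queries above).
EVENTS = [
    {"Type": "File Detected", "Target.File.Name": "Martini.sys",
     "Target.File.ProductName": "VirIT Agent System"},
    {"Type": "Driver Loaded", "Target.Executable.File.Name": "Martini.sys"},
    {"Type": "Process Creation", "Target.Process.File.Name": "wevtutil.exe",
     "Target.Process.CommandLine": "wevtutil.exe cl Security"},
    # Benign wevtutil usage (querying, not clearing): must not match.
    {"Type": "Process Creation", "Target.Process.File.Name": "wevtutil.exe",
     "Target.Process.CommandLine": "wevtutil.exe qe System /c:5"},
    {"Type": "Value Created", "Source.Process.Name": "services.exe",
     "Registry.Path": r"hklm\system\controlset001\services\Martini\ImagePath",
     "Registry.Data": "Martini.sys"},
    {"Type": "File Create", "Target.File.Name": "CBhwKBgQD.README.txt"},
]

def _f(e, name):
    # Field lookup, lowercased, so every comparison below is case-insensitive.
    return str(e.get(name, "")).lower()

def vulnerable_driver_present(e):
    # '*' wildcards in the query map onto fnmatch patterns (lowercase, see _f).
    return (_f(e, "Type") == "file detected"
            and fnmatch.fnmatchcase(_f(e, "Target.File.ProductName"), "*virit agent system*")
            and _f(e, "Target.File.Name") in {"martini.sys", "viragt64.sys", "viragt.sys"})

def vulnerable_driver_loaded(e):
    return (_f(e, "Type") == "driver loaded"
            and _f(e, "Target.Executable.File.Name") == "martini.sys")

def event_log_cleared(e):
    # wevtutil "cl" (clear-log) against any of the three logs named in the article.
    cmd = _f(e, "Target.Process.CommandLine")
    return (_f(e, "Type") == "process creation"
            and _f(e, "Target.Process.File.Name") == "wevtutil.exe"
            and any(f"cl {log}" in cmd for log in ("application", "security", "system")))

def martini_service_created(e):
    return (_f(e, "Type") == "value created"
            and _f(e, "Source.Process.Name") == "services.exe"
            and fnmatch.fnmatchcase(_f(e, "Registry.Path"), r"hklm\system\controlset001\services\*")
            and _f(e, "Registry.Data") == "martini.sys")

def ransom_note_created(e):
    return (_f(e, "Type") == "file create"
            and _f(e, "Target.File.Name") == "cbhwkbgqd.readme.txt")

HUNTS = (vulnerable_driver_present, vulnerable_driver_loaded, event_log_cleared,
         martini_service_created, ransom_note_created)

def run_hunts(events):
    """Return {hunt name: [indices of matching events]} for one pass over the telemetry."""
    return {h.__name__: [i for i, e in enumerate(events) if h(e)] for h in HUNTS}
```

Running `run_hunts(EVENTS)` flags one record per hunt and leaves the benign `wevtutil qe` record unflagged, which is the tuning point to keep in mind before scheduling the wevtutil query in production.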

 

 

MITRE ATT&CK 

 

TA0002 - Execution 

Technique ID  Technique Description  Observed Activity 
T1059.003  Command and Scripting Interpreter: Windows Command Shell  Batch script is used to orchestrate the execution of pre-ransomware malware, ransomware and subsequent cleanup activities (a separate batch script). The main batch script is called ‘test.bat’ and the batch script used for cleanup is ‘clear.bat’.  

 

TA0003  - Persistence

Technique ID  Technique Description  Observed Activity 
T1543.003  Create or Modify System Process: Windows Service  Martini.exe creates Windows service under the name “Martini” to ensure driver Martini.sys keeps running and to ensure it is loaded with the appropriate permissions. 

 

TA0004 – Privilege Escalation

Technique ID  Technique Description  Observed Activity 
T1068  Exploitation for Privilege Escalation  The Martini.sys\viragt64.sys driver vulnerability is exploited to gain System access in order to disable security tools.

 

TA0008 – Lateral Movement

Technique ID  Technique Description  Observed Activity 
T1570  Lateral Tool Transfer  The threat actors abuse the PsExec tool to spread malicious files across the network. Additionally, robocopy.exe is used within the main deployment batch script (test.bat) to pull malicious files from a network share within the victim environment.
T1021.002  Remote Services: SMB/Windows Admin Shares  PsExec.exe uses network shares to drop malicious files on remote machines and thereby move laterally within the compromised network.

 

TA0005 – Defense Evasion

Technique ID  Technique Description  Observed Activity 
T1070.001  Indicator Removal: Clear Windows Event Logs  Following encryption, a second batch file, ‘clear.bat’, is used to clear the Windows event logs (Application, Security and System) using the wevtutil.exe binary.
T1562.001  Impair Defenses: Disable or Modify Tools  Threat actors used the BYOVD technique by exploiting the vulnerable Martini.sys\viragt64.sys driver to disable security tools.
T1070.004  Indicator Removal: File Deletion  The main deployment batch script (test.bat) deletes the local directory it created and its content and also the script itself. 
T1036.005  Masquerading: Match Legitimate Name or Location  Threat actors named their malicious file as ‘WindowsDefender.exe’ in attempt to appear as legitimate. 

 

TA0040 - Impact 

Technique ID  Technique Description  Observed Activity 
T1486  Data Encrypted for Impact  Kasseika ransomware encrypts the files on the victim endpoint using the overwrite method, so they cannot be recovered without the decryption key.

 

IOCs

Indicator Description  Indicator  Indicator Type  Associated Tactic  Notes  First Observed 
Malicious Executable  c67835ca9504049a350fdb023ec7975cccce1674  SHA1 Hash  Installation  Kasseika Ransomware  2023-12-27 
c33acab1ddbee95302f0d54feb1c49c40dec807cec251fb6d30d056f571155e0  SHA256 Hash 
Malicious batch script  78f86e7248492797101cb8e922f1f5e7f542d99f  SHA1 Hash  Installation  Batch file that executes the ransomware  2024-01-08 
8a0cd4fb3542458849e20c547a684578dd7fdd4317021dacf5517f607f8ceea7  SHA256 Hash 
Malicious Executable  e7bf904f19581c7eebbbe06f997c3b3f7c1b7739  SHA1 Hash  Installation  Martini.exe  2024-01-08 
22f8fa1b42e487f6f6d6c6a62bba65267e2d292f80989031f8529558c86a9119  SHA256 Hash 
Vulnerable driver  8058d29e23ca070a8fc6479a155c51fb7ff9512a  SHA1 Hash  Installation  Martini.sys  2020-06-05 
a32806139db1f02442679cc20c0ca4d30f91c6a42c6205d347cbc374779900d2  SHA256 Hash 

 

 

[1] https://www.trendmicro.com/en_no/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psex...

[2] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Akira-Ranso...

[3] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-BlackByte/t...

[4] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-AvosLocker/...

[5] https://attack.mitre.org/techniques/T1566/

[6] https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

[7] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
