The Babuk ransomware campaign began operating last year with the primary objective of targeting organisations, stealing troves of data and encrypting it for double-extortion attacks. However, numerous events disrupted the Babuk operation, including one in which a threat actor leaked its source code.
The exposure of the Babuk source code has helped several malicious threat groups build their own malware. Last month, researchers spotted a new Babuk ransomware variant used to target a large-scale company.
The ransomware authors combined Babuk’s leaked source code with evasive open-source software and side-loading tactics to develop a previously unidentified strain. The attackers used the new Babuk variant to target a manufacturing enterprise worth billions of dollars with more than 10,000 workstations and servers.
In addition, the threat actors spent a couple of weeks exploring the environment before launching the attack against their target. They compromised the enterprise’s domain controller and spread the ransomware to every device inside the network.
The current Babuk ransomware variant abuses DLL side-loading.
Analysts explained that the latest Babuk variant poses as a legitimate DLL used by NTSD[.]exe and abuses DLL side-loading. Dropping the malicious DLL next to the binary causes it to be loaded by the legitimate, Microsoft-signed process, which makes it less likely that security controls on the device will quickly identify the hostile component that breached the system.
The old and new variants of Babuk ransomware overlap considerably, especially in their overall execution process and code structure. In addition, both variants have identical encryption algorithms, usage, and configuration.
The only thing that separates the new variant from the previous one is a different shadow copy deletion mechanism. The previous version uses COM objects to iterate over the Shadow Copies, while the new one deletes them by spawning new cmd[.]exe processes.
Threat actors are aware that scanning and monitoring solutions have blind spots; hence, they try to stay hidden within the memory of a compromised application. This new Babuk variant uses side-loading to execute inside a legitimate application and employs reflective loading to conceal the rest of its execution chain.
