Fileless threats and ransomware aren’t new, but a malware that incorporates a combination of their characteristics can be dangerous. Take for instance the fileless, code-injecting ransomware we’ve uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B . We first encountered SOREBRECT during our monitoring in the beginning of second quarter this year, affecting the systems and networks of organizations in the Middle East. Extracting and analyzing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victim’s data. Its abuse of the PsExec utility is also notable; SOREBRECT’s operators apparently use it to leverage the ransomware’s code injection capability.While file encryption is SOREBRECT’s endgame, stealth is its mainstay. The ransomware’s self-destruct routine makes SOREBRECT a fileless threat. The ransomware does this by injecting code to a legitimate system process (which executes the encryption routine) before terminating its main binary. SOREBRECT also takes pains to delete the affected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps (i.e. appcompat/shimcache and prefetch). These deletions also deter analysis and prevent SOREBRECT’s activities from being traced. When we first saw SOREBRECT in the wild, we observed a low distribution base that was initially concentrated on Middle Eastern countries like Kuwait and Lebanon. By the start of May, however, our sensors detected SOREBRECT in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Affected industries include manufacturing, technology, and telecommunications. Given ransomware’s potential impact and profitability , it wouldn’t be a surprise if SOREBRECT turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service.

Figure 1: SOREBRECT’s attack chain

SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. The misuse of PsExec to install SOREBRECT indicates that administrator credentials have already been compromised, or remote machines were exposed or brute-forced. SOREBRECT isn’t the first family to misuse PsExec— SAMSAM Petya , and its derivative, PetrWrap (RANSOM_SAMSAM and RANSOM_PETYA, respectively), for instance, use PsExec to install the ransomware on compromised servers or endpoints. SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging. Why PsExec? While attackers can both use Remote Desktop Protocol (RDP) and PsExec to install SOREBRECT in the affected machine, its code injection capability makes the attack more effective. Compared to using RDP, utilizing PsExec is simpler and can take advantage of SOREBRECT’s fileless and code injection capabilities. PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs. In SOREBRECT’s case, it makes more sense for the attackers to use PsExec since once the main binary is executed, the svchost.exe process injected with malicious code can still carry out the payload. To cover its tracks, SOREBRECT also utilizes wevtutil.exe to delete the system’s event logs, and vssadmin to delete shadow copies. The svchost.exe process that was injected with malicious code executes the payload—encrypting the files of the local machine and network shares. SOREBRECT uses the Tor network protocol to anonymize its connection to its command-and-control (C&C) server.

Figure 2: SOREBRECT appends encrypted files with a .pr0tect extension Figure 3: One of SOREBRECT’s ransom notes

SOREBRECT can also scramble the files of other computers connected to the infected machine through the local network. It does so by scanning the network for asset discovery and enumerating open shares—folders, content or peripherals (i.e. printers) that others can readily access through the network. Once a live host is identified, it initiates a connection after discovering the shares. Authentication would succeed if it’s an open share. If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted.

Figure 4: SOREBRECT’s network scanning activity to enumerate machines with open shares Figure 5: SOREBRECT initiating a connection on the share on a live host

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS Protection for Small-Medium Businesses Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Ransomware behavior monitoring IP/Web Reputation Protection for Home Users Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. IP/Web Reputation Ransomware Protection

4854A0CA663588178B56754CD50626B2E8A121F66A463E1C030836E9BD5B95F8

AC4184EEC32795E1CBF2EFC5F4E30D0CBE0B7F982BC2060C180BE432994DCEFF

05CEFE71615F77D9A386BF6F48AD17ACA2BAE433C95A6F2443184462832A3E90

36fa4c4a7bd25f086394b06fe50e41410f78dbb3

9f327c5168b07cec34e1b89aba5f45b78f20e753

4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76

Given the potential damage SOREBRECT can cause to an enterprise’s servers and endpoints, IT/system administrators and information security professionals who secure them can adopt these best practices for defending against ransomware Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro™ Deep Discovery™ Inspector detects ransomware on networks, while Trend Micro™ Deep Security ™ stops ransomware from reaching enterprise servers–regardless if they’re physical, virtual, or in the cloud. For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.Detected as RANSOM_SOREBRECT.A (SHA256):Detected as RANSOM_SOREBRECT.A (SHA-1):Detected as RANSOM_SOREBRECT.B (SHA256):We updated the appropriate name of the process that was injected.