Industry News
A decorative header for Matt Suiche's CL0P Ransomware Post

CL0P: Hunting a New Kind of Ransomware

This is a post authored by Matt Suiche (Director, Memory, IR & R&D).

The Cybersecurity and Infrastructure Security Agency (CISA) & partners recently released a joint cybersecurity advisory uncovering techniques and tactics used by the threat actor behind the CL0P ransomware. This campaign was launched  using an SQL injection zero-day vulnerability (now labeled as CVE-2023-34362) to install a web shell named LEMURLOOT on MOVEit Transfer web applications.

We’ve covered how to hunt for web shells in memory in our last blogpost “Hunting “Volt Typhoon” State-Sponsored Actor in Memory With Magnet AXIOM Cyber.” In this post, we will dive into how we can achieve the same goal using the YARA rules published in the joint advisory.

What is CL0P?

CL0P is a notorious ransomware gang associated with the TA505 threat actor. First observed in 2019, CL0P has been prolific while operating as ransomware-as-a-service (RaaS). Their sophisticated malware infiltrates computer systems, encrypts files, and demands ransom in exchange for the decryption key.

Hunting for LEMURLOOT

LEMURLOOT is a web shell written in C# which is deployed on MOVEit Transfer web applications, it is dropped by the DLL with the hash c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf which drops the web shell (human2.aspx) which has been extracted and shared by security researcher John Hammond on GitHub.

The web shell includes several specific SQL queries which can be used for hunting such as:

-	SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0
-	insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')
-	INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)
-	Delete FROM users WHERE RealName='Health Check Service'

Like the YARA rules written for hunting “Volt Typhoon”—which were designed for physical files—include conditions specific to their “on-disk” attributes such as “filesize”. If we simply remove those conditions when performing memory scanning, we enable a new scope of search for those rules.

This also goes for checks where although we are looking for a web shell written in C#, we check the MZ header of the dll containing the initial web shell to be dropped such as “uint16(0) == 0x5A4D“ – or even file names.

This allows investigators and analysts to scan machines quickly and efficiently in a simple manner. For more information on using YARA rules in AXIOM Cyber check out: YARA Rule Processing in Magnet AXIOM Cyber

Find Out More About Memory Analysis in AXIOM Cyber

To learn more about the recently updated memory analysis capabilities of AXIOM Cyber check out Comae Memory Analysis Capabilities Integrated Into Magnet AXIOM Cyber.

To try the memory analysis capabilities of Comae in AXIOM Cyber for yourself, update to the latest version over at the Customer Portal or request a free trial today!

YARA Rules for Hunting “CL0P Ransomware”

rule MOVEit_Transfer_exploit_webshell_memory {
    meta:
        date = "2023-06-15"
        description = "Hunts for memory IOCs MOVEit Transfer exploitation."
        author = "Matt Suiche - Magnet Forensics"
        reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
        reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
        reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
        reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
        verdict = "dangerous"
        mitre = "T1505.003"
          platform = "windows"
        
    strings:
        $a1 = "SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0" wide
        $a2 = "insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')" wide
        $a3 = "INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)" wide
        $a4 = "Delete FROM users WHERE RealName='Health Check Service'" wide
    condition:
        all of them 
}

Related Resources

Blog

Blog

Magnet User Summit 2024: One for the ages 

It’s our favorite time of the year!

April 18, 2024 • About a 3 minute view
Blog

Blog

Introducing Magnet One: Redefining the pursuit of justice

At Magnet Forensics, we're thrilled to announce Magnet One, the digital forensics platform that aims to redefine the pursuit of justice.

April 16, 2024 • About a 4 minute view
Blog

Blog

Introducing Magnet Nexus: Large-scale investigations, made easy

In today’s workplace, employees and critical business assets are often spread throughout the globe. Employees may be working from home, the office, or a combination of both. To enable a

April 11, 2024 • About a 5 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top