A sustained ransomware campaign aimed at extorting Japanese companies now appears to have been part of an elaborate cyber-espionage operation that included destroying data to conceal evidence, according to cybersecurity firm Cybereason.
Based on malware analysis and other technical indicators discovered on victims’ networks, Cybereason concluded the two-part virus, dubbed “MBR-ONI,” was specially designed to target specific Japanese organizations in order to steal data during a certain timeframe.
While the infections first appeared to be limited to conventional, cybercrime-related ransomware, further inspection by Cybereason revealed hidden commands were taking place behind the scenes, including a script that wiped Windows event logs.
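Clearing the Windows event logs leaves its own trace: the Security log records Event ID 1102 and the System log Event ID 104 when they are wiped. The following added example (not from the article or from Cybereason) shows a minimal triage routine over constructed event records that flags these clear events and reports which channels have lost all history before the clear.

```python
from dataclasses import dataclass

# Event IDs written by the Microsoft-Windows-Eventlog provider when a log is cleared:
# 1102 lands in the Security log, 104 in the System log.
LOG_CLEARED_IDS = {1102, 104}


@dataclass
class Event:
    time: str        # ISO-8601 timestamp, sortable as a string
    channel: str     # "Security", "System", ...
    event_id: int
    user: str        # account recorded as having performed the action


def find_log_clears(events):
    """Return one alert line per log-clear event, in chronological order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in LOG_CLEARED_IDS:
            alerts.append(f"{ev.time} {ev.channel} log cleared by {ev.user} "
                          f"(EventID {ev.event_id})")
    return alerts


def channels_missing_history(events):
    """Channels whose earliest surviving record is the clear itself.

    Everything that happened before the clear is gone from that channel, so
    reconstruction has to fall back on other sources (forwarded logs, EDR, backups).
    """
    earliest = {}
    for ev in sorted(events, key=lambda e: e.time):
        earliest.setdefault(ev.channel, ev)
    return sorted(ch for ch, ev in earliest.items() if ev.event_id in LOG_CLEARED_IDS)


# Constructed sample records for illustration only; not real telemetry.
SAMPLE_EVENTS = [
    Event("2017-10-28T01:14:03", "Security", 4624, "CORP\\svc_backup"),  # logon
    Event("2017-10-28T01:15:10", "Security", 1102, "CORP\\svc_backup"),  # Security log cleared
    Event("2017-10-28T01:15:11", "System", 104, "CORP\\svc_backup"),     # System log cleared
    Event("2017-10-28T01:16:00", "System", 7045, "SYSTEM"),              # service installed
]

if __name__ == "__main__":
    for line in find_log_clears(SAMPLE_EVENTS):
        print(line)
    print("channels with no pre-clear history:", channels_missing_history(SAMPLE_EVENTS))
```

In a real deployment the same logic would run over forwarded events in a SIEM, since logs that stay only on the compromised host are exactly what the wiper removes.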
“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation,” a blog post published Tuesday by the company reads. “These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. Forensic artifacts found on the compromised machines show that the attackers made a significant attempt to cover their operation.”
Cybereason declined to provide CyberScoop with further evidence, including the malware hashes related to this malicious activity, stating: “we will not release IOCs in order to protect the privacy of the customers impacted.”
Security researchers with U.S. cybersecurity firm Cylance who previously studied related ransomware told CyberScoop they were aware of the general campaign mentioned by Cybereason, but were not able to independently confirm the MBR-ONI findings without other information.
“These are new variants of GlobalImposter [ransomware] and they are not widespread in Japan,” a Cylance spokesperson said. “It appears more as if the organizations are suffering from targeted attacks, based on previous experience and the Cybereason blog. We haven’t yet found samples with the MBR infection and unfortunately they don’t have any new information with which to comment on this.”
The incident underscores a broader trend witnessed by the security industry in recent months. Elite hacking groups appear to be increasingly disguising their operations by first disrupting an organization’s normal business processes. In these cases, after a target is infected and while it is still mitigating the damage caused by file encryption, the hackers reportedly deploy other tools, likely intended for data exfiltration and general reconnaissance.
“[We] discovered the same attack pattern in several customer environments and we started digging into that and were able to cross-reference data that would validate our findings across different environments,” said Assaf Dahan, a senior director of advanced security services with Cybereason. “Based on what I observed and know, I can tell that the [affected] companies come from different industries, they consist of medium-large companies, all based in Japan and of Japanese origin.”
MBR-ONI is at least the third case in recent months where researchers say that ransomware was effectively used as a smokescreen by hackers to conceal their primary mission. The first two are known as NotPetya and BadRabbit, respectively.
The name MBR-ONI references two separate functions. ONI is a relatively well-known ransomware variant seen by the Japanese cybersecurity community. The term MBR refers to a bootkit component within the malware. The bootkit in samples recovered by Cybereason is called DiskCryptor. BadRabbit and NotPetya also implemented this DiskCryptor disk encryption utility.
“Classifying ONI and MBR-ONI merely as ransomware leaves some open questions regarding the observed attacks,” Dahan said. “There’s enough evidence to suggest that ONI and MBR-ONI worked more like a wiper attempting to cover up an ongoing hacking operation by destroying data instead of a ransomware attack that encrypted files.”
The Israeli firm believes both ONI and MBR-ONI masqueraded as ransomware in targeted attacks as a means towards muddying the waters.
“Cybereason researchers … were able to link ONI to targeted attacks in Japan and provide more context around the ransomware,” Dahan said. “We concluded that both ONI and MBR-ONI stem from the same threat actor since they were used in conjunction in the same targeted attacks and their ransom note contains the same email address.”
Researchers told CyberScoop that MBR-ONI was spread through the use of carefully tailored, targeted phishing emails sent to specific Japanese corporations.
The booby-trapped emails contained password-protected zip files carrying weaponized Microsoft Office documents. Once the victims extracted the zip file and opened the document, they were lured into enabling a macro. That launched a VBScript that downloaded and executed the Ammyy Admin remote access trojan, said Dahan.
“Once the attackers gained a foothold in the victim’s environment, their next step was to compromise critical assets including file servers, application servers and the DC. The attackers managed to move laterally within the internal network through shared network drives and other techniques,” explained Dahan. “We suspect that the threat actor used the NSA-leaked exploit EternalBlue, in conjunction with other tools, to spread throughout the network.”
EternalBlue is an exploit that targets vulnerabilities in Microsoft’s implementation of the SMB (Server Message Block) protocol. The tool, which has been linked to the NSA, was publicly released by a mysterious group known as The Shadow Brokers in April.
It’s not yet clear who was responsible for the covert operation against Japanese companies, but limited forensic evidence suggests the hackers may speak Russian, according to Cybereason.
“The Russian language traces found in the binary files could suggest that there is a Russian threat actor behind the attack,” Dahan said. “In addition to the Russian language traces, there are other tools and techniques that are reminiscent of Russian threat actors. However, at this point there isn’t enough conclusive data.”
Cybereason was founded in Boston by former members of the Israeli intelligence group Unit 8200.