The MountLocker ransomware operation, which began in July 2020 as a Ransomware-as-a-Service (RaaS), is now utilizing Windows Active Directory APIs to work its way through networks.

MalwareHunterTeam is credited with sharing a sample of a MountLocker executable that contains a new worm feature, which allows it to move throughout networks and encrypt other devices on them. The sample originated from XingLocker, a group that uses a customized version of MountLocker executables.

The worm can be enabled by running the sample with a /NETWORK command-line argument, although the sample will fail without a Windows domain. Further analysis of the sample by security researchers revealed that it uses the Windows Active Directory Service Interfaces API to spread throughout networks. The MountLocker ransomware uses the NetGetDCName() function to retrieve the name of the domain controller. After the name is retrieved, it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line.

After connecting to Active Directory services, it searches the database for objects of ‘objectclass=computer’. MountLocker will then attempt to copy the ransomware executable to the remote device’s ‘\C$\ProgramData’ folder. The ransomware will then remotely create a Windows service to load the executable and encrypt the device.

By utilizing this API, the ransomware can find all devices that are part of the compromised Windows domain, move laterally to them, and encrypt them using stolen domain credentials.
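The copy-then-service sequence described above can be hunted for by pairing a write of an .exe into C$\ProgramData (Security event 5145) with a service install pointing at the same file on the same host (System event 7045). The following is an added detection sketch, not code from the article or from any vendor product. The flat event shape, the 10-minute window, and all sample hosts, addresses and file names are constructed assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename

WINDOW = timedelta(minutes=10)  # assumed correlation window
FILE_WRITE_DATA = 0x2           # WriteData/AddFile bit of the 5145 AccessMask

def ev(eid, time, host, **fields):
    return dict(id=eid, time=datetime.fromisoformat(time), host=host, **fields)

# Constructed sample events in an assumed flat, normalized shape.
EVENTS = [
    ev(5145, "2021-01-01T10:00:05", "WS01", IpAddress="10.0.0.50", ShareName=r"\\*\C$",
       RelativeTargetName=r"ProgramData\sample.exe", AccessMask="0x2"),
    ev(7045, "2021-01-01T10:00:09", "WS01", ServiceName="svc-a",
       ImagePath=r"C:\ProgramData\sample.exe"),
    ev(5145, "2021-01-01T10:00:20", "WS02", IpAddress="10.0.0.50", ShareName=r"\\*\C$",
       RelativeTargetName=r"ProgramData\sample.exe", AccessMask="0x2"),
    ev(7045, "2021-01-01T10:00:26", "WS02", ServiceName="svc-b",
       ImagePath=r'"C:\ProgramData\sample.exe" /arg'),
    ev(5145, "2021-01-01T10:01:00", "WS03", IpAddress="10.0.0.7", ShareName=r"\\*\C$",
       RelativeTargetName=r"ProgramData\tool.exe", AccessMask="0x1"),  # read only, no write
    ev(7045, "2021-01-01T10:01:30", "WS03", ServiceName="updater",
       ImagePath=r"C:\ProgramData\tool.exe"),
]

def exe_name(path, prefix):
    """Lowercased file name if path is an .exe under prefix, else None."""
    path = path.strip().strip('"').lower()
    end = path.find(".exe")
    if end < 0 or not path.startswith(prefix):
        return None
    return basename(path[:end + 4])  # drops any service arguments after the .exe

def correlate(events):
    """Pair each C$ write of an .exe into ProgramData with a later service install of it."""
    staged, alerts = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 5145 and e["ShareName"].upper().endswith("C$") \
                and int(e["AccessMask"], 16) & FILE_WRITE_DATA:
            name = exe_name(e["RelativeTargetName"], "programdata\\")
            if name:
                staged[(e["host"], name)] = e
        elif e["id"] == 7045:
            name = exe_name(e["ImagePath"], "c:\\programdata\\")
            drop = staged.get((e["host"], name))
            if drop and e["time"] - drop["time"] <= WINDOW:
                alerts.append({"host": e["host"], "file": name,
                               "source": drop["IpAddress"], "service": e["ServiceName"]})
    return alerts
```

Several alerts sharing one source address and file name across different hosts is the pattern the worm feature would produce. Event 5145 is only logged when detailed file share auditing is enabled.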

This isn’t the first time this API has been seen in malware, as TrickBot uses it, but it could be the first instance of a “corporate ransomware for professionals” to use these APIs to carry out built-in reconnaissance and spread throughout networks.

SpearTip’s engineers are dedicated to protecting networks from innovative threat actors. As these threat actors are always trying to improve their attack methods and processes, our team is improving defenses. It’s a tall task to keep up with the ever-changing threat landscape, but the continuous learning among our team allows us to stay ahead of these persistent threats.

A Security Operations Center as a Service (SOCaaS) is one of the best ways to begin protecting your organization. When issues arise, you’ll be able to communicate directly with the engineers in our US-based SOC. This, in combination with our proprietary ShadowSpear Platform, will allow your organization to clearly understand your risk profile. There is no better tandem in the cyber industry for incident response, so call our SOC today to begin protecting your company’s profits.

Our team will continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.