Chris Swagler | May 11th, 2022

Threat operators exploit vulnerabilities in companies’ networks to gain access; however, a researcher turned the tables by discovering exploitable flaws in some of the most widely distributed ransomware and malware. Malware from ransomware operations including Conti, the reborn REvil, the newcomer Black Basta, the very active LockBit, and AvosLocker all have security issues that can be exploited to prevent the final and most damaging stage: file encryption.

A security researcher analyzed malware strains from these ransomware groups and discovered that the samples were vulnerable to Dynamic Link Library (DLL) hijacking, a method normally used by attackers to inject malicious code into a legitimate application. For each malware sample analyzed, the researcher provides a report describing the type of vulnerability discovered, the hash of the sample, a proof-of-concept (PoC) exploit, and a demo video. DLL hijacking is a Windows-only attack that takes advantage of the way applications look for and load DLL files into memory: a program with insufficient checks can load a DLL from a location other than its own directory, which can elevate privileges or execute unwanted code. To leverage the vulnerabilities in the malware from the aforementioned groups, the researcher developed exploit code that had to be compiled into a DLL with a specific name, one that the malicious code recognizes as its own and loads before it begins encrypting data.

To protect against these ransomware families, the DLL can be placed where cybercriminals are likely to launch their ransomware, including a network location holding vital data. Once the exploit DLL is loaded, the ransomware should terminate before it begins the data encryption process. According to the researcher, even though malware can disable security solutions on the compromised machine, DLLs are simply files stored on the host’s disk that remain inactive until loaded. It is unclear which versions of these ransomware families hyp3rlinx found to be vulnerable to DLL hijacking.

If the samples are new, the exploit will likely only function for a short time, because ransomware groups are notorious for quickly fixing bugs, especially once they become public. Even if the results prove useful for a little longer, companies targeted by ransomware groups still risk having crucial files stolen and leaked, as exfiltration is part of the threat actors’ tactic of pressuring victims into paying a ransom. hyp3rlinx’s exploits, however, may be valuable in preventing operational disruption, which can cause significant damage.

The researcher demonstrated how a vulnerability that’s affecting numerous ransomware families can be exploited to control and terminate the malware before it encrypts files on compromised systems. The researcher developed a project called Malvuln, which catalogs vulnerabilities uncovered in various malware. Launched in early 2021, the Malvuln project had two dozen entries in January and reached 260 entries in June. Currently, the Malvuln project has cataloged nearly 600 malware vulnerabilities.

In May, 10 new entries were added, detailing vulnerabilities discovered in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. The researcher found that DLL hijacking vulnerabilities affect these and other ransomware families. In the ransomware case, an operator can build a DLL file with the same name as a DLL the ransomware looks for and loads. If placed next to the ransomware executable, the new DLL is loaded instead of the expected one, and its code can intercept and terminate the ransomware, stopping encryption.

According to the researcher, the DLL can be hidden; his PoC videos use the Windows “attrib +s +h” command to do so. Even though endpoint security systems and antivirus can be killed before the malware executes, this method cannot be, because there is nothing to kill: the DLL simply sits on disk waiting to be loaded. From a defensive standpoint, the DLL can also be added to a specific network share containing important data as part of a layered approach. While some of the ransomware versions tested were new, the method seems to work against all ransomware. The Malvuln database stores authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other types of vulnerabilities detected in malware.
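The deployment step described above (placing the same-named DLL next to where the ransomware would run, then hiding it with the system and hidden attributes) can be scripted. The following PowerShell is an added example written for this post; it is not code from SpearTip, from the Malvuln project, or from the researcher’s PoC. The DLL file name and the target directories are placeholders: the post does not name the DLLs the individual ransomware families load, so the compiled vaccine DLL is assumed to already exist at the path passed in.

```powershell
<#
  Added example, not part of the original post or the Malvuln project.
  Copies a defender-built "vaccine" DLL into directories where ransomware is
  likely to be launched (local folders or network shares holding important
  data) and marks it system+hidden, mirroring the "attrib +s +h" step from
  the PoC videos. Assumed placeholders: $VaccineDll (compiled elsewhere) and
  the $TargetDirs list.
#>
param(
    [Parameter(Mandatory)] [string]   $VaccineDll,   # e.g. C:\vaccine\PLACEHOLDER_NAME.dll
    [Parameter(Mandatory)] [string[]] $TargetDirs    # e.g. \\fileserver\finance, D:\Shares\HR
)

function Install-VaccineDll {
    param([string] $Source, [string] $Directory)
    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
        throw "Vaccine DLL not found: $Source"
    }
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        Write-Warning "Skipping missing directory: $Directory"
        return $null
    }
    # Keep the file name unchanged: the ransomware loads the DLL by that exact name.
    $dest = Join-Path $Directory (Split-Path $Source -Leaf)
    Copy-Item -LiteralPath $Source -Destination $dest -Force

    # Equivalent of "attrib +s +h": keep the file out of sight of casual browsing.
    $item = Get-Item -LiteralPath $dest -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    return $dest
}

function Test-VaccineDll {
    param([string] $Path)
    # Get-Item needs -Force, otherwise hidden/system files are not returned at all.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return $item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
           $item.Attributes.HasFlag([IO.FileAttributes]::System)
}

# Record the hash once so file-integrity monitoring and EDR allow-lists can
# distinguish the deliberately planted DLL from an unexpected one.
$hash = (Get-FileHash -LiteralPath $VaccineDll -Algorithm SHA256).Hash
Write-Output "Vaccine DLL SHA256: $hash"

foreach ($dir in $TargetDirs) {
    $deployed = Install-VaccineDll -Source $VaccineDll -Directory $dir
    if ($deployed) {
        $state = if (Test-VaccineDll -Path $deployed) { 'deployed and hidden' } else { 'attributes not set' }
        Write-Output ("{0}: {1}" -f $deployed, $state)
    }
}
```

Run it from an account that can write to the target shares. Because the planted file is a DLL sitting inside data directories, expect file-integrity monitoring and endpoint tooling to flag it; the recorded SHA256 is what you hand to those tools so that the vaccine DLL is allow-listed while any other DLL appearing in the same folders still raises an alert.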

Adversary3, an open-source Python-based tool described as a malware vulnerability intel tool for third-party attackers, is designed to make it easier to access data from the Malvuln database and lets users search for vulnerabilities by exploit category. The tool can be valuable in red teaming operations: for instance, testers can search for devices infected with malware and exploit vulnerabilities in that malware to escalate privileges. When the project first launched, some members of the cybersecurity community expressed concern that the information could benefit malware developers by helping them fix vulnerabilities, some of which may have been exploited for threat intelligence purposes. The ransomware vulnerabilities and the Adversary3 tool, on the other hand, demonstrate how the project can benefit the cybersecurity community.

Even with the latest insight into how ransomware vulnerabilities can be exploited to prevent file encryption, it is always important for companies to remain vigilant about the current threat landscape and regularly update their data and network security infrastructure. At SpearTip, our 24/7/365 Security Operations Center protects companies with continuous threat monitoring and instant access to our team of certified engineers. Our engineers go beyond simple alerting, taking action within environments when a threat is identified. SpearTip examines companies’ security posture from the top down to improve the weak points and provides technical roadmaps to ensure companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear Platform delivers a cloud-based solution that collects endpoint logs regardless of machine location. Additionally, it detects sophisticated unknown and advanced threats with comprehensive insights using unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.