
ShrinkLocker: Turning BitLocker into ransomware – Source: securelist.com


In a recent incident response engagement, Kaspersky identified a technique that abuses BitLocker, the native Windows volume-encryption feature, to encrypt entire volumes and send the decryption key to the attackers. The attackers deployed a VBScript (tracked as ShrinkLocker) that drove BitLocker itself to perform the encryption, so no custom encryption routine was needed. The script was found on systems in Mexico, Indonesia, and Jordan. A detailed analysis of the code revealed the tactics used and provides guidance for mitigating this kind of threat.

The attackers did not obfuscate the code, which suggests they already had full control of the target system when the script ran. The script used Windows Management Instrumentation (WMI) to gather system information and checked the reported Windows version to decide whether to proceed, since BitLocker behaviour and availability differ between versions. On fixed drives it then performed disk resizing operations: it shrank the non-boot partitions, created new primary partitions in the freed space, and formatted them. It also modified the BitLocker policy keys in the registry so that encryption could be enabled with the options the attackers needed (for example, without requiring a TPM).

Further analysis exposed the script’s networking capability: it created an HTTP POST request object to communicate with a command-and-control (C2) server, sending details about the machine together with the encryption key it had generated. The C2 endpoint was hosted behind trycloudflare.com, a legitimate Cloudflare Tunnel domain, so the attackers’ real infrastructure stayed hidden and the traffic blended in with ordinary use of that service.

Additionally, the script removed the BitLocker protectors that the victim could have used to recover the volume, leaving only the attacker-generated key as a way to unlock it, and then covered its tracks by deleting the files and registry entries it had created, clearing Windows event logs, disabling the system firewall, and forcing a shutdown. Recovering affected systems proved challenging: the key was built from values unique to each run and was sent only to the C2, so it could not be reconstructed from the victim host.

To mitigate such threats, it is advised to use a robust Endpoint Protection Platform (EPP), implement Managed Detection and Response (MDR), use strong BitLocker passwords and keep the recovery keys escrowed outside the endpoint where an attacker with local control cannot delete them, restrict user privileges so that ordinary users cannot enable encryption or change BitLocker registry policy, monitor network traffic (including connections to trycloudflare.com subdomains), log PowerShell and VBScript activity, back up data regularly, and store backups offline. Behavioural analysis is vital here because the script uses only legitimate, signed operating-system tooling (WMI, diskpart, BitLocker), so rule-based detection keyed on known-malicious binaries or signatures may not fire.
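The behavioural detection suggested above, as an added example that is not code from the Securelist write-up or from the ShrinkLocker script itself: it tags constructed process-creation and proxy records for the individual stages of the chain summarized in the preceding paragraphs (script host, scripted diskpart, BitLocker policy change, POST to a trycloudflare.com subdomain, protector removal, firewall off, log clearing, forced shutdown) and raises an alert only when several distinct stages occur on one host within a time window. The event schema, host names, command-line shapes and the trycloudflare.com subdomain are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal normalized telemetry record (assumed schema, not a real product's)."""
    ts: datetime
    host: str
    kind: str   # "process" (command line) or "http" (proxy log: "METHOD host/path")
    data: str


# One regex per stage of the chain described in the article. The command-line
# shapes are assumptions about how the OS tooling would appear in logs; they are
# not strings taken from the real script.
STAGES = {
    "script_host":      ("process", re.compile(r"\b[wc]script\.exe\b.*\.vbs\b", re.I)),
    # diskpart driven from a script file; the shrink/create commands live in that file
    "disk_resize":      ("process", re.compile(r"\bdiskpart(\.exe)?\s+/s\b", re.I)),
    "bde_policy":       ("process", re.compile(r"\breg(\.exe)?\s+add\b.*\\Policies\\Microsoft\\FVE\b", re.I)),
    "c2_post":          ("http",    re.compile(r"^POST\s+\S*\.trycloudflare\.com\b", re.I)),
    "protector_delete": ("process", re.compile(r"\bmanage-bde(\.exe)?\b.*-protectors\b.*-delete\b", re.I)),
    "firewall_off":     ("process", re.compile(r"\bnetsh(\.exe)?\b.*advfirewall\b.*\bstate\s+off\b", re.I)),
    "log_clear":        ("process", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    "forced_shutdown":  ("process", re.compile(r"\bshutdown(\.exe)?\b.*\s/f\b", re.I)),
}


def tag(event):
    """Return the stage name an event matches, or None if it is unremarkable."""
    for name, (kind, rx) in STAGES.items():
        if event.kind == kind and rx.search(event.data):
            return name
    return None


def detect(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct stages occur within `window`. A single stage (an admin
    shrinking a partition, a technician rotating a protector) never alerts alone,
    which is what keeps this usable against legitimate OS tooling."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = tag(ev)
        if stage:
            per_host[ev.host].append((ev.ts, stage))
    alerts = {}
    for host, seq in per_host.items():
        best = set()
        for i, (t0, _) in enumerate(seq):          # slide the window over tagged events
            seen = {s for t, s in seq[i:] if t - t0 <= window}
            if len(seen) >= min_stages and len(seen) > len(best):
                best = seen
        if best:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample telemetry. WS-01 shows the full chain; WS-02 shows benign
# admin activity that touches two of the same stages and must not alert.
T = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T, "WS-01", "process", r"wscript.exe C:\Users\Public\update.vbs"),
    Event(T + timedelta(minutes=1), "WS-01", "process", r"diskpart.exe /s C:\Windows\Temp\dp.txt"),
    Event(T + timedelta(minutes=2), "WS-01", "process",
          r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f"),
    Event(T + timedelta(minutes=5), "WS-01", "http", "POST constructed-subdomain.trycloudflare.com/"),
    Event(T + timedelta(minutes=20), "WS-01", "process", "manage-bde.exe -protectors -delete C:"),
    Event(T + timedelta(minutes=21), "WS-01", "process", "netsh.exe advfirewall set allprofiles state off"),
    Event(T + timedelta(minutes=22), "WS-01", "process", "wevtutil.exe cl System"),
    Event(T + timedelta(minutes=23), "WS-01", "process", "shutdown.exe /r /f /t 0"),
    Event(T + timedelta(hours=1), "WS-02", "process", r"diskpart.exe /s C:\scripts\extend.txt"),
    Event(T + timedelta(hours=1, minutes=1), "WS-02", "process", r"wscript.exe C:\scripts\inventory.vbs"),
    Event(T + timedelta(hours=2), "WS-03", "http", "GET constructed-subdomain.trycloudflare.com/"),
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

With the defaults only WS-01 alerts, with all eight stages; WS-02 has two stages and WS-03 none (a GET is not the POST the script makes). Lowering `min_stages` to 2 would also flag WS-02, which illustrates the trade-off: the threshold and window are what separate this chain from an administrator who happens to run diskpart from a logon script.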

Our incident response and malware analysis provided insights into the evolving tactics used by threat actors to evade detection and carry out malicious activities. Kaspersky products are equipped to detect this threat with specific verdicts related to Trojan and Ransomware activities.

Indicators of compromise, including the C2 URLs, the contact email addresses left for victims, and MD5 hashes of the script, are listed in the source article. Organizations are encouraged to remain vigilant and implement the proactive measures above to defend against this kind of living-off-the-land ransomware.
