Skip to content
Right-Side-Virsec-Large Group-Dots-Light Sections
Dec 2, 2021 10:45:56 AM

Sabbath Ransomware Group: Using Memory-Based Attacks to Evade Detection

In a new report this week, Mandiant shared how the recently discovered Sabbath Ransomware group previously went under two other names, Arcane and Eruption -- all reinvented versions of the Threat Group UNC2190. In addition to repeatedly renaming itself to avoid detection, the group, which most recently targeted local school districts, has used several evasive techniques including:

  • The group’s ransomware, called RollCoast, loads in memory and erases its footprint on disk. As a result, there are no signatures of RollCoast files in malware databases like Virus Total.

  • The group has started “packing” their malware – this helps it avoid detection by network security tools like IPS, WAF etc. as the malware traverses networks on its way to the victim.

  • The group also cut back content in the “export table” of the malware to be more self-contained and to avoid detection.

  • They stopped using known Cobalt Strike Beacons that could be identified by EDR security controls

Ransomware can arrive on personal endpoints via phishing emails and on servers via vulnerabilities. For example, many schools use WordPress plugins for School Management Systems. WordPress has lately been in the news for a rash of vulnerabilities. Given that the attackers stole highly confidential content of the school district’s students and teachers, it is highly likely that the original infiltration source is a server rather than a personal endpoint. Memory-based attacks on servers are an increasingly common attack method.

Stealth Memory-Based Attacks: What We Know

All vulnerability exploitation occurs in memory. Memory-based attacks comprise the most insidious threats to critical applications, exploit the most common vulnerability in applications (buffer overflows), and represent the most frequently used advanced exploit over the last several years. Below are five key reasons why memory-based attacks continue to evade conventional security tools:

  1. Memory-based attacks leverage (un)disclosed or unpatched vulnerabilities and allow the bad actor to gain execution control within a legitimate software’s runtime. These attacks therefore cannot be identified via signatures, threat feeds and AI/ ML algorithms.

  2. Most security defenses focus on either network protection and authorization or activity logs, while memory-based attacks happen in the guts of applications and offer no clue to traditional security controls.

  3. Endpoint security is pervasive in enterprises but is premised on the local user’s actions not the remote bad-actor’s actions.

  4. Recent vulnerabilities such as ProxyLogon and PrintNightmare in products, released by top-notch ISVs such as Microsoft, have shown that it is impossible to build vulnerabilities out. Traditional application security solutions focus on eliminating code vulnerabilities, but not securing the applications at runtime.

  5. Many organizations fail to systematically patch vital applications and host OS binaries.

Using Virsec’s Proactive Approach to Protect Against Memory-Based Attacks

Today many IT professionals regard memory attacks as “indefensible” by today’s security products. Only Virsec Security Platform (VSP) secures the full-application stack – web, host, and memory -- at runtime, regardless of application type or environment. Using a deterministic approach, VSP ensures that the application executes only as intended – no deviations triggered by malicious code whether executing from a malicious file or directly from memory is allowed. Extortion attacks are identified and stopped immediately, regardless of the level of sophistication of the attack. This also means that despite any new tactics, techniques, and procedures (TTPs), your organization is still protected. To learn more how Virsec can help your organization protect against memory-based attacks, visit here.

Right-Side-Virsec-Large Group-Dots-Light Sections