EGREGOR RANSOMWARE
Introduction
Egregor ransomware made its first appearance in 2020 as it was being distributed by phishing emails that has a malicious attachment.
Attacks involving the Egregor ransomware have been frequent and have been recorded to target organisation of medium to large size from many countries including US, Japan, and UK.
There is no decryptor for any of the active variants of the Egregor ransomware and the average ransom required is $700,000 which can be paid via provided Tor chat addresses in the ransomware note.
Modus Operandi
Initial access
The threat actor uses a phishing email with a Microsoft Office word document file which contain a malicious macro script. As soon as the attachment is opened, the macro attempts to run a PowerShell code which attempts to download a banking Trojan like Qbot, icedID or Ursnif. These banking Trojans allows the threat actor to install a Cobalt Strike beacon that will give themself the capability to interact with the system to be download other payloads, collect credentials, disable security measures, and harvest information, for the purpose of lateral movement and privilege escalation.
Then Egregor will communicate to the C&C to download additional payloads. Two files that are downloaded are a batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload and a Zip file that contains an RClone client that is renamed as “svchost”, and RClone config files that are need for exfiltration. To avoid detection and prevention during the installation of Egregor, the threat actor creates a Group Policy Object (GPO) to disable Windows Defender and then attempts to take down any third-party antivirus software.
Installation
To install Egregor, Bitsadmin is used to download the Egregor DLL from the C&C server before Rundll32 executes the DLL with the key “-passegregor10”. If the key isn’t used, then the DLL remains encrypted until the right key is provided. Therefore, DLL cannot be analyzed, either manually or using a sandbox. During the execution of the payload, Egregor checks the default language ID of the system and user it has infect to determine if it will continue its attack as the threat actors don’t want to target machines from Commonwealth of Independent States.
Encryption
Before Egregor encrypts any files, it deletes any shadow copies and then will attempt to kill processes and stop services based on a list of predefined service and process names. The encryption process is a 2048-bit RSA key pair is generated and then the private key is encrypted with ChaCha using a randomly generated key and IV. The ChaCha keys is encrypted using the function CryptEncrypt and the hardcoded RSA public key. The encrypted ChaCha key and the encrypted session key are saved to disk.