
Overview

Since December 2023, the QiAnXin Threat Intelligence Center has observed a ransomware family written in Rust that is very active on the Chinese Internet. A large number of machines in China have been encrypted, including more than 20 victim organizations identified from government and enterprise terminals alone. We call it Rast ransomware.

After a long period of tracking we have captured three versions of Rast ransomware, and the family is still iterating. Rast ransomware has an unusual piece of logic: after encryption completes, it uploads the machine name and a unique identifier of the local machine to a remote MySQL database. Through reverse analysis we recovered the MySQL account password and compiled statistics on the victims recorded in the database: in just ten months more than 6,800 terminals were compromised, of which more than 5,700 were successfully encrypted, a scale of impact far beyond our expectations.

While sorting the ransomed machine names we found a large number of Chinese names (some of them include personal names, which we have partially masked), such as "V Electromechanical Lighting Zhang X", "Accounting Section 08", "Financial VMware Server", "Technology Department - Yang X Lin", "Project Team 001", "Comprehensive Section Liu", "Electromechanical Institute Yin X Zhou 2", "Command Center - 99", "Geological Early Warning Platform 1", etc. We also plotted the times at which Rast ransomware was deployed: between 20:00 and 5:00 the next day, which suggests that the attackers are located in Europe.

Although the gang technically falls short of our naming criteria for UTG-Q organizations, its impact on the country has been severe, and after internal discussion we named the operator of Rast ransomware the Rast gang. It is a criminal group whose attack methods are very similar to those of the well-known operators that delivered Buran, GlobeImposter, Phobos, GandCrab and other ransomware in earlier years.

We recommend that government and enterprise customers deploy Skyrocket EDR in both office and server areas and turn on the cloud-checking function to protect against unknown threats.


Introduction to Rast Gang

The Rast gang is a fast-paced ransomware operator. It does not pursue lateral movement inside the target intranet; in most cases, as soon as it gains access to a server it immediately deploys Rast ransomware, which makes the security protection of Internet-facing border servers the greater challenge. Its earliest activity in China coincides with the first appearance of Rast ransomware in China. From December 2023 to the present it has delivered three versions of Rast ransomware, and no trend of the group delivering other ransomware families has been found. The attackers break into border servers through a combination of RDP brute forcing and N-day exploits.


Brute-force Nodes

The brute-force nodes controlled by the Rast gang are relatively new; all of them are Windows VPS servers, and China has the most controlled nodes. The distribution of node IPs by country is as follows:

These nodes have few hits in the QiAnXin global honeypot system; only some of them were seen being used as proxies to brute-force targets' Outlook mailboxes:


Delivery module

After gaining access to the border server, the Rast gang logs in to the target server via RDP and manually drops various components:

| Path | MD5 |
| --- | --- |
| %userprofile%\documents\zapp.exe | 6966d86f2bc4bbc5a3ea002baf4c5b4a |

The main function of zapp is to stop the specified process names and services:

It also deletes volume shadow copies and event logs:

| Cmd |
| --- |
| Vssadmin delete shadows /all /quiet |
| Wevtutil cl security |
| wmic.exe SHADOWCOPY /nointeractive |

It uploads the Revo Uninstaller installer to force-uninstall security software once EDR blocking behaviour is detected:

| Path | MD5 |
| --- | --- |
| %userprofile%\documents\revouninprosetup.exe | a02622dd81e76d917f857df0c765fb1a |

It drops the mimik toolkit to dump machine credentials:

| Path | Cmd |
| --- | --- |
| %UserProfile%\Documents\Mimik\Mimik\Mimik\x64\mimik.exe | "privilege::debug" "sekurlsa::bootkey" "token::elevate" "event::clear" "log . \!logs\Result.txt" "sekurlsa::logonPasswords" "vault::cred" "lsadump::secrets" "lsadump::cache" "lsadump::sam" exit |

It copies the kportscan and netscan scanners to begin intranet scanning:

| Path | MD5 |
| --- | --- |
| %UserProfile%\Documents\netscanold\netscanold.exe | bb7c575e798ff5243b5014777253635d |
| c:\users\administrator\documents\а\kportscan 3.0@blackhathackeers\kportscan3.exe | c0a8af17a2912a08a20d65fe85191c28 |

The Rast gang delivers Rast ransomware as a Neshta-infected executable: the infected file acts as a dropper that releases the ransomware into the 3582-490 directory and launches it.

| Neshta (Path) | MD5 |
| --- | --- |
| %userprofile%\documents\runtime.exe | e96dc82b080bc4c229cc5c049c0a187b |
| %UserProfile%\Documents\netpass64.exe | b53f2c089d4a856f72b98564afd30aaf |
| %userprofile%\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe | 9e1108f9808a4a117d15c4afe0472061 |
| %UserProfile%\Documents\CRYP.exe | 673630ad8254a52b7eb9897518129aeb |

During 2019-2021 we observed an unknown ransomware operator delivering Buran, GlobeImposter, Phobos, GandCrab and other well-known ransomware via Neshta, using tools and techniques very similar to those of the Rast gang.
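From the defender's side, the tool chain described above (shadow-copy deletion, security-log clearing, credential dumping from a user's Documents folder, scanners and a mis-spelled svhost.exe outside System32) maps onto a few process-creation rules. The following is an added example, not code from the report; the log lines, paths and rule names are constructed for illustration.

```python
import re

# Constructed sample of process-creation command lines, modelled on the tooling the
# report attributes to the Rast gang. These lines are invented for this example and
# are not log data from the report.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    r'C:\Windows\System32\wevtutil.exe cl security',
    r'C:\Windows\System32\wbem\wmic.exe SHADOWCOPY /nointeractive',
    r'C:\Users\admin\Documents\Mimik\x64\mimik.exe "privilege::debug" "sekurlsa::logonPasswords"',
    r'C:\Users\admin\Documents\netscanold\netscanold.exe',
    r'C:\Users\admin\Documents\svhost.exe',
    r'C:\Windows\System32\svchost.exe -k netsvcs',      # benign: the real svchost
    r'C:\Windows\System32\vssadmin.exe list shadows',   # benign: read-only query
]

# Each rule is (name, regex) and is applied to the lower-cased command line.
RULES = [
    ("shadow-copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy")),
    ("security log cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+security")),
    ("credential dumping", re.compile(r"sekurlsa::|lsadump::|privilege::debug")),
    ("scanner run from user Documents", re.compile(r"\\documents\\.*(netscan|kportscan)")),
    ("svhost.exe outside System32", re.compile(r"\\documents\\svhost\.exe")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def scan(events):
    """Return (cmdline, [rule names]) for every event that hit at least one rule."""
    hits = []
    for line in events:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_EVENTS):
        print(f"{', '.join(names)}: {line}")
```

The two benign lines show why the rules key on the destructive verb (delete, cl) and on the unusual path rather than on the executable name alone.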


Rast ransomware

We have captured the following samples of Rast ransomware, which is written in Rust:

| Path | MD5 |
| --- | --- |
| %UserProfile%\Documents\svhost.exe (interim version) | e3d2e511a9a783f6ff3c25e305821be7 |
| %userprofile%\documents\recovery.exe (earlier version) | 4680edef53618e2dbda7832492ede62e |
| %UserProfile%\Documents\svhost.exe (latest version) | e96dc82b080bc4c229cc5c049c0a187b |

The latest version of Rast ransomware displays a console interface on startup and requires the attacker to operate it manually to start the encryption process. This logic sets the tone for the Rast gang's attacks: the gang has to log in to the target server over RDP and operate the ransomware by hand to run it.

A hotkey, Ctrl+Shift+F1, is registered; only pressing it allows the subsequent flow to execute, otherwise the interface stays blocked at "Welcome to the RUNTIME program!".

Once it is pressed, the next screen appears and the correct PIN code must be entered to continue.

After verification it proceeds to mode selection, first the encryption method:

then the content to encrypt:

If the third option, Encrypt multiselect, is selected, the storage devices to be encrypted are chosen in one additional step.

After the selection is completed, files are encrypted according to the selected mode; the encryption public key is as follows:

The encryption routine also generates a victim message that is sent to the attacker's MySQL database, first connecting to the database at 94.232.249.179:3306:

It logs in to the database with the account password decrypted in memory:

It inserts the generated victim information into the database, including a randomly generated company_id, the computer name, the designated contact e-mail address, etc.

The generated ransom note is below:


Early version

Earlier versions of Rast ransomware were named recovery.exe and had no console interface; they simply verified that they were located in the %userprofile%\documents folder.

After encryption, the ransomware uploads the victim's information to the attacker's FTP server at 179.43.172.241:21, which is now unreachable.


Mid-term version

The mid-term version includes a console interface, a startup hotkey and PIN verification, and also requires itself to be located in the %userprofile%\documents folder (the latest version does not). Its initial interface is as follows:

The PIN code is requested after pressing the startup hotkey:

It then goes to mode selection; there are fewer encryption-method options than in the latest version:

The C2 for uploading victim information in this version is the same as in the latest version, 94.232.249.179:3306.


Database Analysis

We dumped the MySQL database in which the attacker stored the victim information. Only the machine names in the uploaded records are tied to the victimized machines, so we can only produce fairly superficial statistics to show the actual impact range and activity curve of Rast ransomware. The attacker first started testing Rast ransomware on 2023-12-25, using the e-mail address "test@yadas.com".

All the e-mail addresses used by Rast ransomware in in-the-wild attacks are listed below:


We then counted the machine names by script: Chinese, Pinyin and English.

The fact that Chinese and Pinyin names account for fewer victims does not mean that there are fewer domestic victims; the meaning of many English machine names still indicates that the victims are located in China:

Word clouds generated from the Chinese and Pinyin machine names are shown below; they give a good picture of the victim sectors and the corresponding server functions.

If the statistics are taken along the dimension of ransom time, some consecutively numbered machine names can be seen encrypted on the same day, which suggests that lateral movement did occur inside the same unit's intranet, with servers of the same numbering type encrypted together.
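The same-day, consecutive-number pattern described above can be pulled out of a victim table mechanically. The following is an added example, not code or data from the report: the victim records are constructed, and only the machine name and encryption date are used, matching the fields the report says are available.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample records (machine name, encryption date) in the shape the report
# describes. These are invented for the example, not rows from the attacker's database.
VICTIMS = [
    ("ERP-SRV-01", date(2024, 3, 4)),
    ("ERP-SRV-02", date(2024, 3, 4)),
    ("ERP-SRV-03", date(2024, 3, 4)),
    ("MES-07", date(2024, 3, 4)),            # single host, no run
    ("FinanceVMwareServer", date(2024, 3, 5)),  # no numeric suffix
    ("DC01", date(2024, 3, 6)),
    ("DC02", date(2024, 3, 8)),              # same prefix, different day: not a run
    ("Project Team 001", date(2024, 3, 9)),
    ("Project Team 002", date(2024, 3, 9)),
]

NUM_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def split_name(name):
    """Split 'ERP-SRV-02' into ('ERP-SRV-', 2); return None if there is no numeric suffix."""
    m = NUM_SUFFIX.match(name.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def find_same_day_runs(records, min_len=2):
    """Return (date, prefix, [numbers]) for every group of consecutively numbered
    machine names encrypted on the same day, the pattern the report reads as
    lateral movement inside one unit's intranet."""
    buckets = defaultdict(set)
    for name, day in records:
        parts = split_name(name)
        if parts:
            prefix, num = parts
            buckets[(day, prefix)].add(num)
    runs = []
    for (day, prefix), nums in sorted(buckets.items()):
        seq = sorted(nums)
        run = [seq[0]]
        for n in seq[1:] + [None]:        # None flushes the final run
            if n is not None and n == run[-1] + 1:
                run.append(n)
                continue
            if len(run) >= min_len:
                runs.append((day, prefix, run))
            run = [n]
    return runs


if __name__ == "__main__":
    for day, prefix, run in find_same_day_runs(VICTIMS):
        print(f"{day}: {prefix}{run[0]}..{run[-1]} ({len(run)} hosts)")
```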

Finally, we tallied which business systems Rast affected. Judging purely from the machine names, the following categories appear: ERP (Enterprise Resource Planning), MES (Manufacturing Execution System), DC (Domain Controller), ECM (Enterprise Content Management), EPSM (Enterprise Project and Service Management), etc. The specific application-layer services involved include VMware, IP-guard, Veeam, Jenkins, Hikvision and so on.

In summary, Rast ransomware, as a "new force" in ransomware, has reached a large scale within ten months, demonstrating its adaptability and destructive power. This rapid rise reflects not only the technical skill of its developers but also the weaknesses of current network security defenses and the lack of response capability. As attack methods escalate and strategies become more sophisticated, government and enterprises must strengthen their security awareness and upgrade their defenses to cope with this emerging threat. At the same time, international cooperation in cybersecurity has become increasingly important, and only through a joint crackdown can the spread of ransomware be effectively curbed.


Summary

Currently, the full line of products based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already supports accurate detection of such attacks.


IOC

C2:

94.232.249.179:3306

179.43.172.241:21
