Trellix Insights: Karma ransomware
Technical Articles ID: KB95196
Last Modified: 2022-09-05 08:55:18 Etc/GMT
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.
Summary
The Karma ransomware family was discovered in mid-2021 and shares characteristics with NEMTY, JSWorm, Nefilim, and GangBang. The threat actor behind the malware continues to improve the code with multiple variants released since appearing on the threat landscape. The ransom note dropped contains three email addresses for victims to contact and threatens to release the stolen data if the ransom demand isn't met.
Our Threat Research team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by SentinelOne and Cyble and shared publicly here and here.
How to use this article:
- If a Threat Hunting table has been created, use the rules it contains to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
rule win_karma_auto {
    // The rule header was missing from the extracted text. The name is assumed here,
    // following yara-signator's win_<family>_auto naming convention.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 0fb3c8 8906 81ff00010000 7ce3 52 }
            // n = 5, score = 100
            //   0fb3c8               | btr     eax, ecx
            //   8906                 | mov     dword ptr [esi], eax
            //   81ff00010000         | cmp     edi, 0x100
            //   7ce3                 | jl      0xffffffe5
            //   52                   | push    edx

        $sequence_1 = { 8b5320 8d040a c1c00d 33c6 8b7304 894330 }
            // n = 6, score = 100
            //   8b5320               | mov     edx, dword ptr [ebx + 0x20]
            //   8d040a               | lea     eax, dword ptr [edx + ecx]
            //   c1c00d               | rol     eax, 0xd
            //   33c6                 | xor     eax, esi
            //   8b7304               | mov     esi, dword ptr [ebx + 4]
            //   894330               | mov     dword ptr [ebx + 0x30], eax

        $sequence_2 = { 83f820 7ce5 33c0 0f1f00 0f104405d8 0f108c0578ffffff }
            // n = 6, score = 100
            //   83f820               | cmp     eax, 0x20
            //   7ce5                 | jl      0xffffffe7
            //   33c0                 | xor     eax, eax
            //   0f1f00               | nop     dword ptr [eax]
            //   0f104405d8           | movups  xmm0, xmmword ptr [ebp + eax - 0x28]
            //   0f108c0578ffffff     | movups  xmm1, xmmword ptr [ebp + eax - 0x88]

        $sequence_3 = { 0fb6480f 884aff 0fb64c06ff 884aeb 83ef01 }
            // n = 5, score = 100
            //   0fb6480f             | movzx   ecx, byte ptr [eax + 0xf]
            //   884aff               | mov     byte ptr [edx - 1], cl
            //   0fb64c06ff           | movzx   ecx, byte ptr [esi + eax - 1]
            //   884aeb               | mov     byte ptr [edx - 0x15], cl
            //   83ef01               | sub     edi, 1

        $sequence_4 = { 41 66833c4d4844400000 75f4 6a00 6a00 8d55fc }
            // n = 6, score = 100
            //   41                   | inc     ecx
            //   66833c4d4844400000   | cmp     word ptr [ecx*2 + 0x404448], 0
            //   75f4                 | jne     0xfffffff6
            //   6a00                 | push    0
            //   6a00                 | push    0
            //   8d55fc               | lea     edx, dword ptr [ebp - 4]

        $sequence_5 = { 668908 6685c9 75f1 c3 }
            // n = 4, score = 100
            //   668908               | mov     word ptr [eax], cx
            //   6685c9               | test    cx, cx
            //   75f1                 | jne     0xfffffff3
            //   c3                   | ret

        $sequence_6 = { 8d4704 0f1f8000000000 0fb708 83f95c 740a 83c002 6685c9 }
            // n = 7, score = 100
            //   8d4704               | lea     eax, dword ptr [edi + 4]
            //   0f1f8000000000       | nop     dword ptr [eax]
            //   0fb708               | movzx   ecx, word ptr [eax]
            //   83f95c               | cmp     ecx, 0x5c
            //   740a                 | je      0xc
            //   83c002               | add     eax, 2
            //   6685c9               | test    cx, cx

        $sequence_7 = { 6a04 6a00 8bf8 ff15???????? 50 ff15???????? 83ef02 }
            // n = 7, score = 100
            //   6a04                 | push    4
            //   6a00                 | push    0
            //   8bf8                 | mov     edi, eax
            //   ff15????????         | call    dword ptr [import]  (target wildcarded)
            //   50                   | push    eax
            //   ff15????????         | call    dword ptr [import]  (target wildcarded)
            //   83ef02               | sub     edi, 2

        $sequence_8 = { 0fb74dfe 6a00 6a00 66894806 ff15???????? 68f4010000 }
            // n = 6, score = 100
            //   0fb74dfe             | movzx   ecx, word ptr [ebp - 2]
            //   6a00                 | push    0
            //   6a00                 | push    0
            //   66894806             | mov     word ptr [eax + 6], cx
            //   ff15????????         | call    dword ptr [import]  (target wildcarded)
            //   68f4010000           | push    0x1f4

        $sequence_9 = { 42 83fa08 7cf2 8b4508 83e01f 894508 }
            // n = 6, score = 100
            //   42                   | inc     edx
            //   83fa08               | cmp     edx, 8
            //   7cf2                 | jl      0xfffffff4
            //   8b4508               | mov     eax, dword ptr [ebp + 8]
            //   83e01f               | and     eax, 0x1f
            //   894508               | mov     dword ptr [ebp + 8], eax

    condition:
        7 of them and filesize < 49208
}
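To see what the rule's condition actually requires, the following added Python example (written for this article, not code from Trellix or yara-signator) translates the ten hex sequences above into byte regexes and evaluates "7 of them and filesize < 49208" against a constructed buffer. The helper names, the zero filler and the 0x90 byte used to stand in for the ?? wildcards are assumptions of the example.

```python
import re

# Hex byte sequences copied from the win.karma yara-signator rule above.
# "??" is a YARA single-byte wildcard (the ff15 call targets vary per build).
KARMA_SEQUENCES = {
    "sequence_0": "0fb3c8 8906 81ff00010000 7ce3 52",
    "sequence_1": "8b5320 8d040a c1c00d 33c6 8b7304 894330",
    "sequence_2": "83f820 7ce5 33c0 0f1f00 0f104405d8 0f108c0578ffffff",
    "sequence_3": "0fb6480f 884aff 0fb64c06ff 884aeb 83ef01",
    "sequence_4": "41 66833c4d4844400000 75f4 6a00 6a00 8d55fc",
    "sequence_5": "668908 6685c9 75f1 c3",
    "sequence_6": "8d4704 0f1f8000000000 0fb708 83f95c 740a 83c002 6685c9",
    "sequence_7": "6a04 6a00 8bf8 ff15???????? 50 ff15???????? 83ef02",
    "sequence_8": "0fb74dfe 6a00 6a00 66894806 ff15???????? 68f4010000",
    "sequence_9": "42 83fa08 7cf2 8b4508 83e01f 894508",
}
MIN_MATCHES = 7        # the rule's "7 of them"
MAX_FILESIZE = 49208   # the rule's "filesize < 49208"

def hex_pattern_to_regex(pattern: str):
    """Translate a YARA hex string with ?? wildcards into a compiled bytes regex."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd-length hex pattern: " + pattern)
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def matching_sequences(data: bytes) -> list:
    """Names of the $sequence_N strings found anywhere in data."""
    return [name for name, pat in KARMA_SEQUENCES.items()
            if hex_pattern_to_regex(pat).search(data)]

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: 7 of them and filesize < 49208."""
    return len(matching_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE

def build_sample(names, pad: bytes = b"\x00" * 64) -> bytes:
    """Constructed test input (not a real sample): the listed sequences joined by
    zero filler, with each ?? wildcard filled by an assumed 0x90 byte."""
    body = pad
    for name in names:
        raw = KARMA_SEQUENCES[name].replace(" ", "").replace("??", "90")
        body += bytes.fromhex(raw) + pad
    return body
```

A buffer carrying any seven sequences under the size limit satisfies the condition; the same bytes padded past 49208 bytes, or a buffer with only three sequences, do not.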
This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.
Campaign IOC
Type | Value |
Minimum Content Versions
Content Type | Version |
Detection Summary
IOC | Scanner | Detection |
Minimum set of Manual Rules to improve protection to block this campaign:
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Aggressive set of Manual Rules to improve protection to block this campaign:
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
VirusScan Enterprise - Access Protection Rules:
Host Intrusion Prevention:
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 2806 Attempt to create a hardlink to a file