This post is authored by Matt Suiche (Director, Memory, IR & R&D) and Ivan King (Security Research Engineer).
The Cybersecurity and Infrastructure Security Agency (CISA) & partners recently released a “#StopRansomware Guide” Cybersecurity Information Sheet (CSI), which aims at providing guidance to organizations to reduce the impact of ransomware incidents and a checklist of best practices for responding to these threats.
Among the recommendations, we noted several points regarding memory acquisition and analysis, which we would like to expand on.
Fileless Attacks and Threat Hunting
One of the top recommendations provided by the guide includes: “Use security software to detect instances of RMM software only being loaded in memory.”
Threat actors often leverage memory-focused techniques to evade detection and hide their presence, such as Process Injection (T1055), where memory analysis is a key component for response and detection.
We agree that proactive memory threat hunting is a vital exercise, and in addition to XDR endpoint protections, we recommend our customers leverage AXIOM Cyber for threat hunting as we described in our previous blogpost on hunting Russian intelligence malware “Snake”.
Capturing Memory Before It’s Gone
As part of the “Ransomware and Data Extortion Response Checklist”, the guide informs us:
Powering down devices to prevent the further spread of a ransomware infection will prevent your organization from maintaining artefacts stored in volatile memory which includes RAM images. This is a last resort step that should be conducted only if you cannot shut down the network or disconnect impacted machines from the network.
We do encourage our customers to perform memory image acquisition before, especially for critical assets, as they may contain critical evidence that will be relevant during the investigation phase.
We also recommend our customers use Microsoft crash dump as a file format for Windows as it is an interoperable format. You can read more about how acquisition best practice recommendations in our blog post “Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Analysis for Incident Response ? “
Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, malicious RDP activity, etc.) is also encouraged by the guide, in case your organization can share them with CISA, MSISAC with the relevant local, state, or federal law enforcement authority for extended identification or analysis if needed.
The Rise of Infostealers
Our threat intelligence team also noticed that several ransomware groups pivoted towards info stealing as an alternative strategy. You can read more about it in our previous blogpost about what are infostealers and how to investigate them.
Several info stealers we analyzed came with activity under the following MITRE ATT&CK groups:
TACTIC | TECHNIQUE |
|---|---|
TA00002 Execution | T1059 - Command and Scripting Interpreter T1204 – User Execution |
TA00005 Defense Evasion | T1027 – Obfuscated Files or Information T1055 – Process Injection T1217 – System Binary Proxy Execution |
TA0011 Command and Control | T1071 – Application Layer Protocol |
TA0010 Exfiltration | T1041 – Exfiltration over C2 Channel |
For instance, one of the most popular ones, RedLine drops several further files upon execution which are then executed as child processes that spawn other legitimate operating system programs. This technique of obfuscating or encrypting the main info stealer capability is common among many info stealer families.
In this scenario, memory analysis enables the investigator to quickly:
Identify suspicious processes by introspecting their memory.
Identify C2 infrastructure via network connections from the suspicious process.
YARA rules can then be created that match byte sequences inside the suspicious process that are then used to identify other infected machines.
An example YARA rule for the in-memory .NET assembly that it loads can be found here:
rule RedLine { strings: $string1 = {31352e392e312e3232} $string2 = {274e6972656f4e4f3120436f72706f726174696f6e20436f7079726967687420} $string3 = {4e697274726f20435055} condition: $string1 and $string2 and $string3 } |
A deeper analysis of a memory image can even provide detection of novel threats and techniques.