Blue Hexagon Blog

Threat Advisory: Hard to detect DearCry Ransomware exploits MS Exchange SSRF CVE-2021-26855

It has been just over a week since the public disclosure of the Exchange SSRF (CVE-2021-26855), and malware authors have already declared hunting season on OWA installations worldwide. On March 11th, Microsoft announced that the MS Exchange-related attacks have evolved from stealing email data to also deploying ransomware. However, these DearCry payloads had already been circulating for a few days before that announcement and are highly evasive.

Threat Dynamics 

The biggest concern at this point in time remains the ease with which the vulnerability can be exploited. The DearCry malware family is a perfect example of this.

A closer look reveals that this sample lacks the sophistication associated with other ransomware families and is most likely the work of a new gang or individual. The combination of the vulnerability and the malware is a potent one, especially considering how evasive the malware was when it first appeared in public threat feeds.

The sample's behaviour, as shown in the screenshots:

  • Creation of msupdate windows service
  • File extensions of interest
  • Encryption of files ending with select file extensions

During file encryption, the encrypted file data is written with the header “DEARCRY!” at the start.

Screenshots:

  • File Encryption Header
  • RSA Public Key used for encryption
  • Ransom Note: readme.txt

Blue Hexagon Deep Learning Ransomware Detection

Blue Hexagon proactively detected this threat family and its various components with deep learning threat detection models that were created months before the threat was named in the wild as DearCry. Based on our telemetry data, the bulk of the attacks piggybacking on the Exchange exploit peaked in the past 72 hours. Coverage of the vulnerability itself is still lacking among the major AV vendors, but the bigger concern is that coverage of the DearCry ransomware being delivered is even worse.

Figure 1: Timeline of the outbreak by DearCry sample (x-axis) and number of detections on first analysis (y-axis)

With each DearCry sample release, the detection coverage on VirusTotal showed that only 3-4% of vendor solutions detected the threat. More striking was that the coverage did not improve as each new sample came out: even as the original sample was gaining publicity, that knowledge did not improve the initial detection of the samples discovered later in the day.

While the timeline and initial detection are interesting, another dimension of the threat dynamics is how the detections change over time and whether the trends are the same for different samples. This is shown in Figure 2.

Figure 2: Threat Detection Profile of first and fourth DearCry samples

Figure 2 plots the Threat Detection Profile (TDP) of the first and fourth DearCry samples, which were introduced several hours apart. The graph plots the detection rates from March 12-15th, 2021. Several interesting observations can be made from this graph:

  • Though the samples were introduced several hours apart, both start with the same low TDP of ~50% or less, and coverage even drops at one point as signature-based detections are adjusted for false-positive rates.
  • As time progresses, the fourth sample continues to have a low detection rate even as the detection rate of the first sample increases over time as more signatures are added to vendor solutions. Clearly, one DearCry sample has proven more successful at evading detection.
  • TDP reaches anything like a majority consensus only after multiple days have elapsed since the onset of the original threat.

Why Deep Learning Matters

Blue Hexagon proactively detected these samples even with models that were created months before the threat was named in the wild as DearCry. This is because deep learning models uncover patterns of malicious intent expressed in malicious code and are an order of magnitude better at detecting new malware than relying on signatures, YARA rules, ssdeep, or other pattern-matching techniques.

Indicators of Compromise:

SHA-256

feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
6834d9f4a9e1888d82c70b72f30ced8aa68c009b55d03efffc94c466fbb3d047
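The two artefacts this advisory gives a responder to work with are the “DEARCRY!” header written at the start of each encrypted file (plus the readme.txt ransom note name) and the SHA-256 list above. The following scanner is an added example, not Blue Hexagon's code and not derived from the malware: it walks a directory tree and reports files that start with the header, files named readme.txt, and files whose SHA-256 is on the advisory's list. The directory layout, file names and file contents it builds are constructed test data; the ransom-note check is by file name only, because that is all the page states about it.

```python
"""Added example, not code from Blue Hexagon or from the DearCry authors:
a defender-side sweep that flags (1) files beginning with the "DEARCRY!"
header the advisory describes, (2) files named readme.txt (the ransom-note
name the advisory gives) and (3) files whose SHA-256 is on the advisory's
IoC list. Directory layout and file contents below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Marker the advisory reports at the start of each encrypted file.
DEARCRY_HEADER = b"DEARCRY!"
RANSOM_NOTE_NAME = "readme.txt"

# SHA-256 values copied from the advisory's Indicators of Compromise section.
DEARCRY_SHA256 = frozenset({
    "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede",
    "fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65",
    "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6",
    "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff",
    "10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da",
    "6834d9f4a9e1888d82c70b72f30ced8aa68c009b55d03efffc94c466fbb3d047",
})


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def has_dearcry_header(path):
    """True if the file starts with the DEARCRY! marker (short files never match)."""
    with open(path, "rb") as f:
        return f.read(len(DEARCRY_HEADER)) == DEARCRY_HEADER


def scan_tree(root, iocs=DEARCRY_SHA256):
    """Walk root; return sorted root-relative POSIX paths per finding type."""
    root = Path(root)
    findings = {"encrypted": [], "ransom_notes": [], "ioc_hits": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                if has_dearcry_header(p):
                    findings["encrypted"].append(rel)
                if name.lower() == RANSOM_NOTE_NAME:
                    findings["ransom_notes"].append(rel)
                if sha256_of(p) in iocs:
                    findings["ioc_hits"].append(rel)
            except OSError:
                # An unreadable file is skipped rather than aborting the sweep.
                continue
    for key in findings:
        findings[key].sort()
    return findings


# Constructed stand-in for a dropped binary; its hash is NOT on the advisory's list.
CONSTRUCTED_DROPPER_BYTES = b"MZ\x90\x00constructed-sample-not-malware"
CONSTRUCTED_DROPPER_SHA256 = hashlib.sha256(CONSTRUCTED_DROPPER_BYTES).hexdigest()


def build_sample_tree(root):
    """Write a small constructed tree: one 'encrypted' file, one untouched file,
    one ransom-note-named file and one stand-in binary (all constructed data)."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "tools").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx").write_bytes(DEARCRY_HEADER + b"\x00" * 64)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly notes, untouched")
    (root / "docs" / "readme.txt").write_bytes(b"constructed ransom-note placeholder")
    (root / "tools" / "msupdate.bin").write_bytes(CONSTRUCTED_DROPPER_BYTES)


def run_demo(extra_iocs=()):
    """Build the constructed tree in a temp dir and scan it. extra_iocs lets a
    caller add hashes (e.g. CONSTRUCTED_DROPPER_SHA256) to exercise the hash path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, DEARCRY_SHA256 | frozenset(extra_iocs))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The header check only fires after a file has already been encrypted, so its value is in scoping the blast radius and confirming which shares were touched, not in prevention. The hash check is the brittle one: as the advisory's own Figure 2 shows, a later DearCry sample kept evading detection while the first was being signatured, and a new build changes the SHA-256, so hash matches should be treated as confirmation when present and as no evidence of absence when missing.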

Additional Resources:

You may also like to read related threat advisories and research on this subject:

Threat Advisory: Microsoft Exchange Server including CVE-2021-24085, 26855, 26857, 26858, and 27065

Threat Advisory: New PoC exploit for Exchange SSRF CVE-2021-26855

Ransomware Families and Variants are in Abundance
