It has been just over a week since the public disclosure of the Exchange SSRF vulnerability (CVE-2021-26855), and malware authors have already declared hunting season on OWA installations worldwide. On March 11th, Microsoft announced that the MS Exchange-related attacks have evolved beyond stealing email data to also deploying ransomware. However, these DearCry payloads had already been circulating for a few days before that and are highly evasive.
The biggest concern at this point in time remains the ease with which the vulnerability can be exploited. The DearCry malware family is a perfect example of this.
A closer look reveals that this sample lacks the sophistication associated with other ransomware families and is most likely the work of a new gang or individual. The combination of the vulnerability and the malware is a potent one, especially considering how evasive the malware was when it first appeared in public threat feeds.
Files encrypted by the malware start with the header “DEARCRY!”.
Blue Hexagon Deep Learning Ransomware Detection
Blue Hexagon proactively detected this threat family and its various components with deep learning threat detection models that were created months before the threat was named DearCry in the wild. Based on our telemetry data, the bulk of the attacks piggybacking on the Exchange exploit peaked in the past 72 hours. Apart from the fact that coverage of the vulnerability itself is still lacking among major AV vendors, the biggest concern is that coverage of the DearCry ransomware being delivered through it is even worse.
With each sample release of DearCry, detection coverage on VirusTotal showed that only 3-4% of vendor solutions detected the threat. More striking, the coverage did not improve as each new sample came out: even as the original sample was getting publicity, that knowledge did not improve the initial detection of the samples discovered later in the day.
While the timeline and initial detection rates are interesting, another dimension of the threat dynamics is how detections change over time and whether the trends are the same for different samples. This is shown in Figure 2.
Figure 2 plots the Threat Detection Profile (TDP) of the first and fourth DearCry samples, which were introduced several hours apart. The graph plots detection rates from March 12-15, 2021. Several interesting observations can be made from this graph:
- Though the samples were introduced several hours apart, both start with the same low TDP of ~50% or less, and coverage even drops at one point as signature-based detections are adjusted for false-positive rates.
- As time progresses, the fourth sample continues to have a low detection rate even as the detection rate of the first sample increases over time as more signatures are added to vendor solutions. Clearly, one DearCry sample has proven more successful at evading detection.
- TDP only reaches some sort of majority consensus after multiple days have elapsed since the onset of the original threat.
Why Deep Learning Matters
Blue Hexagon proactively detected these samples with models that were created months before the threat was named DearCry in the wild. This is because deep learning models uncover patterns of malicious intent expressed in malicious code and are an order of magnitude better at detecting new malware than signatures, YARA rules, ssdeep, or other pattern-matching techniques.
Indicators of Compromise:
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
6834d9f4a9e1888d82c70b72f30ced8aa68c009b55d03efffc94c466fbb3d047
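As an added example (not Blue Hexagon's code or tooling), the following Python script gives a responder a quick way to triage a host using the two artefacts this advisory provides: the “DEARCRY!” header that encrypted files start with, and the indicator hashes listed above. The hashes are treated as SHA-256 digests (an assumption; each is 64 hex characters, the length VirusTotal and most IoC lists use for SHA-256). The file names and contents in the demo are constructed sample inputs, not real victim data.

```python
import hashlib
import os
import sys
import tempfile

# Marker written at the start of every file encrypted by DearCry (from the advisory).
DEARCRY_HEADER = b"DEARCRY!"

# Indicators of Compromise listed in the advisory, assumed to be SHA-256 digests.
IOC_HASHES = {
    "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede",
    "fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65",
    "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6",
    "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff",
    "10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da",
    "6834d9f4a9e1888d82c70b72f30ced8aa68c009b55d03efffc94c466fbb3d047",
}


def inspect_bytes(data: bytes) -> dict:
    """Classify in-memory file contents.

    'encrypted' means the content begins with the DEARCRY! header, i.e. it is a
    victim file; 'ioc_hash' means the content itself is a known DearCry sample.
    """
    digest = hashlib.sha256(data).hexdigest()
    return {
        "encrypted": data.startswith(DEARCRY_HEADER),
        "ioc_hash": digest in IOC_HASHES,
        "sha256": digest,
    }


def inspect_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same verdict as inspect_bytes, but streamed so large files are not loaded whole."""
    hasher = hashlib.sha256()
    header = b""
    with open(path, "rb") as fh:
        first = True
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            if first:
                header = chunk[: len(DEARCRY_HEADER)]
                first = False
            hasher.update(chunk)
    digest = hasher.hexdigest()
    return {
        "encrypted": header == DEARCRY_HEADER,
        "ioc_hash": digest in IOC_HASHES,
        "sha256": digest,
    }


def scan_tree(root: str) -> list:
    """Walk a directory tree and return (path, verdict) for every file that matches."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                verdict = inspect_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if verdict["encrypted"] or verdict["ioc_hash"]:
                hits.append((path, verdict))
    return sorted(hits)


def demo() -> list:
    """Run the scanner over a constructed directory: one encrypted-looking file, one benign file."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: a document whose contents now start with the DearCry header.
        with open(os.path.join(root, "report.docx"), "wb") as fh:
            fh.write(DEARCRY_HEADER + b"\x00" * 64)
        # Constructed sample: an ordinary text file that should not be flagged.
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"meeting notes, nothing unusual here\n")
        return [(os.path.basename(p), v) for p, v in scan_tree(root)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else demo()
    for path, verdict in results:
        kind = "encrypted file" if verdict["encrypted"] else "known sample"
        print(f"{kind}: {path} (sha256 {verdict['sha256']})")
```

Run it with a directory argument to scan a real file share; with no argument it runs the constructed demo. The header check and the hash check answer different questions: a header hit tells you which files were damaged (useful for scoping the incident), while a hash hit tells you the malware binary itself is present on disk; neither will catch a new sample, which is the gap the detection-rate figures above describe.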