Cybercriminals are increasingly using virtual machines to launch very ingenious ransomware cyberattacks

Jun 24, 2021 12:23 GMT  ·  By

Cybercriminals are running more and more malicious payloads via virtual machines, according to Symantec's Threat Hunter Team.

Help Net Security investigated an attempted ransomware attack that was executed via a VirtualBox virtual machine created on compromised computers. Unlike the documented RagnarLocker attacks, which used virtual machines running Windows XP, the new threat appears to run Windows 7.

Moreover, according to Dick O'Brien of the Symantec Threat Hunter Team, the VM was deployed by a malicious executable that had been installed earlier, during the reconnaissance and lateral movement phases of the operation.

So far, the researchers have been unable to determine whether the payload in the VM was Mount Locker or Conti ransomware. The latter was detected on the endpoint and requires a username and password combination, both specific to previous Conti activity.

It is assumed that the malware resided on the VM's hard drive and could be launched automatically once the operating system had fully booted. The installer executable checked whether the host was an Active Directory domain controller; as in other cases, it also checked for a Russian keyboard layout and terminated the operation if one was found.

The Symantec Threat Hunter Team explained: “One possible explanation is that the attacker is an affiliate operator with access to both Conti and Mount Locker. They may have attempted to run a payload (either Conti or Mount Locker) on a virtual machine and, when that didn’t work, opted to run Mount Locker on the host computer instead.”

Preventing unauthorized virtual machines

You should know that most attackers and ransomware operators like to use legitimate tools for purposes other than their intended ones, so that their activity remains undetected for as long as possible.

Organizations can prevent unauthorized VMs from being deployed by maintaining a software inventory and applying restrictions to licensed software, so that installations can be checked before rollout. Another way to secure the virtual environment is to implement security technologies specialized in this niche, or to opt for enterprise versions that prevent the creation of new unauthorized VM sessions altogether.
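As an added example (not code from the article or from Symantec), the inventory check described above run over constructed host records: a host that has VirtualBox installed, VM processes running, or VM disk files created without being on an approved list gets flagged. The product name, process and file indicators, hostnames and the domain-controller rule are assumptions.

```python
from dataclasses import dataclass

HYPERVISOR_PRODUCTS = {"Oracle VM VirtualBox"}  # product name as seen in inventory (assumed)
VM_PROCESSES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe"}
VM_DISK_EXTENSIONS = (".vdi", ".vbox", ".vmdk")  # VM disk and config files

@dataclass
class HostInventory:
    hostname: str
    is_domain_controller: bool
    installed: set     # installed product names
    processes: set     # running process image names
    recent_files: set  # recently created file paths

def audit_host(inv: HostInventory, approved_hosts: set) -> list:
    """Return findings for one host; an empty list means nothing to flag."""
    findings = []
    approved = inv.hostname.lower() in {h.lower() for h in approved_hosts}
    hypervisor = sorted(inv.installed & HYPERVISOR_PRODUCTS)
    vm_procs = sorted(p for p in inv.processes if p.lower() in VM_PROCESSES)
    vm_files = sorted(f for f in inv.recent_files if f.lower().endswith(VM_DISK_EXTENSIONS))
    if not approved:
        if hypervisor:
            findings.append(f"unapproved hypervisor installed: {hypervisor}")
        if vm_procs:
            findings.append(f"VM process running without approval: {vm_procs}")
        if vm_files:
            findings.append(f"VM disk/config files created: {vm_files}")
    # Policy assumption: a domain controller never hosts VMs, approved or not.
    if inv.is_domain_controller and (hypervisor or vm_procs):
        findings.append("hypervisor activity on a domain controller")
    return findings

# Constructed sample inventory: an approved lab host, a workstation where a
# VirtualBox install and a headless Windows 7 VM were dropped, and a clean DC.
SAMPLE_INVENTORY = [
    HostInventory("LAB-01", False, {"Oracle VM VirtualBox"}, {"VirtualBox.exe"}, set()),
    HostInventory("WS-042", False, {"Oracle VM VirtualBox", "7-Zip"},
                  {"explorer.exe", "VBoxHeadless.exe", "VBoxSVC.exe"},
                  {r"C:\ProgramData\vm\win7.vdi", r"C:\ProgramData\vm\win7.vbox"}),
    HostInventory("DC-01", True, {"Microsoft Edge"}, {"lsass.exe"}, set()),
]
APPROVED_VM_HOSTS = {"LAB-01"}

def audit_inventory(inventory=SAMPLE_INVENTORY, approved=APPROVED_VM_HOSTS) -> dict:
    """Map hostname -> findings for every host that has at least one."""
    report = {}
    for inv in inventory:
        findings = audit_host(inv, approved)
        if findings:
            report[inv.hostname] = findings
    return report
```

Feeding the report into the ticketing or EDR pipeline is left to the reader; the point is that the raw inventory an organization already collects is enough to surface a dropped hypervisor.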