Thursday, 25 May 2023 10:52

Leaked LockBit and Babuk Ransomware repurposed by Buhti in new Payloads

Written by
Rate this item
(0 votes)

Reading time is around minutes.

The leak of tools used by threat groups, and spying agencies are events of inestimable importance in both the threat group and security worlds. To threat groups this is like free money. They now have access to someone else’s development efforts meaning they can spend less money developing the next payload for their own interests. On the security side it means that there is a high potential to see new variants of these tools hitting the wild which they now must defend against. It also increases the attack pool which they must defend against since now even unsophisticated groups have access to all the fun tools.

Today we will discuss how two specific leaks, LockBit and Babuk, have been utilized by the Buhti group to update their toolset. Buhti is a fairly new group in the ransomware family and while they have not gotten around to developing their own ransomware payload, they have their own information stealer which was first spotted back in February of 2023. According to a report by Symantec, Buhti is a very agile group and has been seen to quickly move to exploit new vulnerabilities as they show up on the scene. At this time, they also do not appear to be linked to any other larger threat groups.

While Buhti does not make their own ransomware, they are not opposed to using someone else's in their attacks. Symantec noted that they have attempted to use a slightly modified version of LockBit. The new strain appeared to be taken directly from the leaked version and did not have many customizations to it. It did append the files with .buhti just do you know who is responsible for the attack. Other modifications include disabling the LockBit wallpaper (although the image file was left) and disabling a function to send system information back to a C2 server. The reuse of Babuk has been identified in the groups targeting Linux devices. Buhti seems to have adapted each of the leaks based on their strengths, or perhaps at random. We can point to the fact that the Golang Babuk leak was chosen to target Linux devices and was not, at this time, used for its ability to infect Windows systems.

As mentioned before, Buhti does have their own information stealer payload. It is written in Golang and is designed to target multiple file extensions (pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql, .svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx, .yaml.), These are then put into a zip file using an open source application and exfiltrated later.

Buthi appears to be a sophisticated and dangerous group. While they do not appear to be spending much time and effort on developing ransomware, they are focused on getting into organization using the latest vulnerabilities. They are pivoting to these vulnerabilities very quickly in order to have the most impact before patching cycles kick in. This shows a fair amount of tactical and logistical skill. It would not be a wise move to underestimate them as a ransomware threat or a general environment compromise threat.

Symantec has a list of IOC at the end of their report. It would be a good idea to implement these into existing protections as a proactive measure.

Read 592 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.