In a recent security breach analysis, experts uncovered a unique variant of the Mimic ransomware—dubbed "Elpaco." This advanced threat exploits the Zerologon (CVE-2020-1472) vulnerability for privilege escalation after gaining access to servers by brute-forcing Remote Desktop Protocol (RDP) credentials. The intriguing twist with this ransomware is its customizability: it offers the operator a user-friendly interface built on the Everything library.

Entry and Elevation: Attackers gain access through RDP, followed by privilege escalation via Zerologon.

Customization Features: Uses the Everything library to allow attackers an easy-to-use graphical interface, enabling customized ransomware operations.

Functionality and Impact: Disables security measures, executes system commands, and encrypts files using ChaCha20, with the encryption key protected by RSA-4096, leaving encrypted files irrecoverable without the private key.

File Composition and Execution

Upon initial examination, the Elpaco ransomware sample appeared as a packed file, primarily using the 7-Zip installer mechanism to obscure its true nature.

Key properties

Archive Contents: Abuses the Everything search engine (Everything32.dll & Everything.exe). Encapsulates the payload within a protected ZIP file—Everything64.dll. Utilizes legitimate 7-Zip utilities for extracting deceptive content.

Directory and Session Management

After execution, the ransomware installs files into a directory under `%AppData%\Local\`, often camouflaged using a UUID. Deliberately named assemblies such as `svhostss.exe` mimic legitimate Windows processes to evade detection and facilitate the encryption routine.

Session Control: Drops a `session.tmp` file to maintain encryption progress.

Defender Control: Includes `DC.exe` to disrupt active security settings.

Malicious Console: The core of Elpaco, `svhostss.exe`, administers encryption activities and enables the threat actor to configure extensions, ransom notes, and file target exclusions. An adjunct GUI (`gui40.exe`) simplifies these operations further.

Registry Manipulations: Alters the registry to sustain execution, including setting up Autorun entries and associating encrypted files with ransom negotiation prompts.

Post-Execution Cleanup

The malware meticulously erases its tracks after execution, using the Command Prompt to remove its executable footprint and `fsutil` to securely delete its remaining artifacts.
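As an added example (not part of the original analysis), a small Python hunting routine that applies the host artifacts described above to constructed endpoint telemetry records. The record format, the UUID-directory pattern and the `fsutil file setzerodata` subcommand are assumptions; the write-up names `fsutil` but not the exact invocation.

```python
import re
from pathlib import PureWindowsPath

# Indicators drawn from the write-up: lookalike binaries, a UUID-named folder under
# %AppData%\Local, a session.tmp progress file, Autorun persistence, and fsutil wiping.
SUSPECT_IMAGES = {"svhostss.exe", "dc.exe", "gui40.exe"}
UUID_DIR = re.compile(
    r"\\appdata\\local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\", re.IGNORECASE)
AUTORUN_KEYS = (r"\microsoft\windows\currentversion\run",
                r"\microsoft\windows\currentversion\runonce")
# Assumption: the sample overwrites artifacts with `fsutil file setzerodata`.
FSUTIL_WIPE = re.compile(r"\bfsutil(?:\.exe)?\s+file\s+setzerodata\b", re.IGNORECASE)


def flag_event(ev: dict) -> list[str]:
    """Return the names of every rule a single telemetry record matches."""
    hits = []
    image = ev.get("image", "")
    if PureWindowsPath(image).name.lower() in SUSPECT_IMAGES:
        hits.append("known_elpaco_binary")
    if UUID_DIR.search(image):
        hits.append("exec_from_uuid_appdata_dir")
    key = ev.get("key", "").lower()
    if ev.get("type") == "registry" and any(k in key for k in AUTORUN_KEYS):
        hits.append("autorun_persistence")
    if FSUTIL_WIPE.search(ev.get("cmdline", "")):
        hits.append("fsutil_secure_delete")
    if PureWindowsPath(ev.get("target", "")).name.lower() == "session.tmp":
        hits.append("session_tmp_dropped")
    return hits


def hunt(events) -> dict:
    """Map each record id to its matched rules, dropping records with no hits."""
    return {ev["id"]: hits for ev in events if (hits := flag_event(ev))}


# Constructed sample telemetry (not real events); the UUID folder name is made up.
_DIR = r"C:\Users\bob\AppData\Local\7b1c2a9e-4f3d-4a1b-9c8e-1234567890ab"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "type": "process", "image": _DIR + r"\svhostss.exe", "cmdline": "svhostss.exe"},
    {"id": 3, "type": "file", "image": _DIR + r"\svhostss.exe", "target": _DIR + r"\session.tmp"},
    {"id": 4, "type": "registry", "image": _DIR + r"\svhostss.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhostss"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c fsutil file setzerodata offset=0 length=65536 "' + _DIR + r'\DC.exe"'},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```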

Geographical Spread and Impact

Elpaco has affected victims worldwide since its emergence in August 2023, with concentrated incidents reported across the United States, Russia, and European nations.

Elpaco exemplifies the evolving nature of ransomware, incorporating flexibility and integration of legitimate tools for malicious purposes. As organizations worldwide continue to face threats from this and other Mimic variants, vigilance and tailored defenses are paramount.

Indicators of Compromise (IOC)

Dropper Hash: 61f73e692e9549ad8bc9b965e25d2da683d56dc1

Console Hash: 8af05099986d0b105d8e38f305efe9098a9fbda6
