{"id":88705,"date":"2023-04-05T09:32:00","date_gmt":"2023-04-05T09:32:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=88705"},"modified":"2023-04-05T09:32:00","modified_gmt":"2023-04-05T09:32:00","slug":"quick-acting-rorschach-ransomware-appears-out-of-nowhere","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88705","title":{"rendered":"Quick-acting Rorschach ransomware appears out of nowhere"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/04\/quick-acting-rorschach-ransomware-appears-out-of-nowhere.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>A newly detected ransomware dubbed Rorschach \u2013 so named because everybody who examined it \u201csaw something different\u201d \u2013 is being flagged <a href=\"https:\/\/research.checkpoint.com\/2023\/rorschach-a-new-sophisticated-and-fast-ransomware\/\">by researchers at Check Point<\/a> as an emergent and highly dangerous threat to organisations.<\/p>\n<p>The research team, which first spotted it while responding to an incident at a US-based customer, said Rorschach \u201cappears to be unique\u201d, sharing characteristics of many other types of ransomware, including Babuk, DarkSide, LockBit and Yanluowang, but no overlaps that can link it with any degree of confidence to any other ransomware strain.<\/p>\n<p>Nor is it branded, which is in and of itself quite unusual for ransomware operators, who tend not to be publicity-shy.<\/p>\n<p>\u201cJust as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels of technically distinct features taken from different ransomware families \u2013 making it special and different from other ransomware families,\u201d said Sergey Shykevich, threat intelligence group manager at Check Point.<\/p>\n<p>\u201cThis is the fastest and one of the most sophisticated ransomware we\u2019ve seen so far. 
It speaks to the rapidly changing nature of cyber attacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data.\u201d<\/p>\n<p>Among other things, the locker malware itself is highly advanced and partly autonomous, being able to carry out tasks \u2013 such as creating a domain group policy (GPO) \u2013 that are more usually done manually, on its own. It is highly customisable and contains some technically distinct features, such as the use of direct syscalls as an obfuscation technique, which are rarely observed.<\/p>\n<p>Rorschach is also extremely fast-acting. In a controlled head-to-head test against <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252527864\/Lockbit-30-has-BlackMatter-ransomware-code-wormable-traits\">LockBit 3.0<\/a> \u2013 also known as a speed demon \u2013 it took just four minutes and 30 seconds to fully encrypt 220,000 files. LockBit 3.0 took seven minutes.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"DLL-side loading exploited legitimate security product\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>DLL-side loading exploited legitimate security product<\/h3>\n<p>In the incident reported by Check Point, Rorschach was deployed by exploiting an issue in <a href=\"https:\/\/www.paloaltonetworks.co.uk\/cortex\/cortex-xdr\">Palo Alto Networks\u2019 Cortex XDR<\/a> (extended detection and response) product.<\/p>\n<p>The success of this technique depends on the Cortex XDR Dump Service Tool having been removed from its installation directory, in which case it can be used to load untrusted <a href=\"https:\/\/www.techtarget.com\/searchwindowsserver\/definition\/dynamic-link-library-DLL\">dynamic link libraries<\/a> (DLLs). 
This is known as DLL side-loading.<\/p>\n<p>Jon Miller, CEO and co-founder of anti-ransomware platform <a href=\"https:\/\/www.halcyon.ai\/company\">Halcyon<\/a>, said: \u201cIt is\u2026 interesting to learn that the DLL side-loading delivery is abusing the Cortex XDR Dump Service Tool because this is a legitimate, digitally signed security product. This technique leverages vulnerable software to load malicious DLLs that provide persistence and evasion capabilities.<\/p>\n<p>\u201cDLL side-loading is not new, but it is somewhat rare. It was similarly deployed by the threat actors REvil <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/podcast\/Risk-Repeat-Breaking-down-the-Kaseya-ransomware-attacks\">in the infamous 2021 Kaseya ransomware attack<\/a>\u2026. Downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate.<\/p>\n<p>\u201cAll the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key,\u201d he added.<\/p>\n<p>Miller said detecting DLL side-loading attacks could be tricky, but defenders can get out in front of them by looking for any unsigned DLLs in executable files, or suspicious loading paths and timestamps showing gaps between the compilation time for the executable and DLL loading time. 
A significant difference here could indicate a malicious payload is in play.<\/p>\n<p>Palo Alto said that when the Cortex XDR agent is installed on Windows and the Dump Service Tool is running from the correct installation path, the technique cannot be used because the Cortex XDR agent\u2019s security permissions and protections stop it in its tracks.<\/p>\n<p>Cortex XDR Agent 7.7 and later versions with CU-240, which was released over two years ago, can detect and block Rorschach without issue.<\/p>\n<p>\u201cThis issue does not represent a product vulnerability risk to customers using Cortex XDR agent,\u201d <a href=\"https:\/\/security.paloaltonetworks.com\/PAN-SA-2023-0002\">said Palo Alto in an update<\/a>.<\/p>\n<p>However, Palo Alto said it plans to release new versions of Cortex XDR agent to prevent future possible misuse, and a new content update will be released later this month to detect and prevent the specific DLL side-loading technique used by Rorschach.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>A newly detected ransomware dubbed Rorschach \u2013 so named because everybody who examined it \u201csaw something different\u201d \u2013 is being flagged by researchers at Check Point as an emergent and highly dangerous threat to organisations. 
The research team, which first spotted it while responding to an incident at a US-based customer, said Rorschach \u201cappears to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88706,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-88705","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88705"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88705\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88706"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}