S0449 Maze
Maze ransomware, previously known as “ChaCha”, was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information-stealing campaigns prior to encryption and post the stolen information online to extort affected companies.[1][2][3]
| Item | Value |
|---|---|
| ID | S0449 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 18 May 2020 |
| Last Modified | 24 January 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Maze has communicated with hard-coded IP addresses via HTTP.[2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Maze has created a file named “startup_vrun.bat” in the Startup folder of a virtual machine to establish persistence.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | The Maze encryption process has used batch scripts with various commands.[1][3] |
| enterprise | T1486 | Data Encrypted for Impact | Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt the files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, together with RSA to encrypt files.[1] |
| enterprise | T1568 | Dynamic Resolution | Maze has forged POST strings with a random choice from a list of possibilities including “forum”, “php”, “view”, etc. while connecting to the C2, hindering detection efforts.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.006 | Run Virtual Instance | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine’s configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as on the local machine.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Maze has disabled dynamic analysis and other security tools including the IDA debugger, x32dbg, and OllyDbg.[2] It has also disabled Windows Defender’s Real-Time Monitoring feature and attempted to disable endpoint protection services.[3] |
| enterprise | T1070 | Indicator Removal | Maze has called the Wow64RevertWow64FsRedirection function after attempting to delete the shadow volumes, in order to leave the system in the same state it was in prior to redirection.[2] |
| enterprise | T1490 | Inhibit System Recovery | Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2][3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Maze operators have created scheduled tasks masquerading as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update”, designed to launch the ransomware.[3] |
| enterprise | T1106 | Native API | Maze has used several Windows API functions throughout the encryption process, including IsDebuggerPresent, TerminateProcess, and Process32FirstW, among others.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[2] |
| enterprise | T1027.001 | Binary Padding | Maze has inserted large blocks of junk code, including some components that decrypt strings and other important information for later use in the encryption process.[2] |
| enterprise | T1057 | Process Discovery | Maze has gathered all of the running system processes.[2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Maze has injected the malware DLL into a target process.[2][3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Maze has created scheduled tasks using name variants such as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update” to launch Maze at a specific time.[3] |
| enterprise | T1489 | Service Stop | Maze has stopped SQL services to ensure it can encrypt any database.[3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command line using msiexec.[3] |
| enterprise | T1082 | System Information Discovery | Maze has checked the language of the infected system using the GetUserDefaultUILanguage function.[2] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Maze has checked the language of the machine with the GetUserDefaultUILanguage function and terminated execution if the language matches an entry in a predefined list.[2] |
| enterprise | T1049 | System Network Connections Discovery | Maze has used the WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum, and WNetAddConnection2W functions to enumerate the network resources on the infected machine.[2] |
| enterprise | T1529 | System Shutdown/Reboot | Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[3] |
| enterprise | T1047 | Windows Management Instrumentation | Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization’s network.[2][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0037 | FIN6 | [1] |
References
1. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
2. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
3. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.