S0554 Egregor
Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[1][2][3]
Item | Value |
---|---|
ID | S0554 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 29 December 2020 |
Last Modified | 14 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Egregor has communicated with its C2 servers via the HTTPS protocol.[4] |
enterprise | T1197 | BITS Jobs | Egregor has used BITSadmin to download and execute malicious DLLs.[4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Egregor has used an encoded PowerShell command, run by a service created by Cobalt Strike, for lateral movement.[4] |
enterprise | T1059.003 | Windows Command Shell | Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[6][5] |
enterprise | T1486 | Data Encrypted for Impact | Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[1][5] |
enterprise | T1039 | Data from Network Shared Drive | Egregor can collect any files found on the enumerated drives before sending them to its C2 channel.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Egregor has been decrypted before execution.[1][5] |
enterprise | T1484 | Domain Policy Modification | - |
enterprise | T1484.001 | Group Policy Modification | Egregor can modify the GPO to evade detection.[5][4] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Egregor has used DLL side-loading to execute its payload.[2] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Egregor has disabled Windows Defender to evade protections.[4] |
enterprise | T1105 | Ingress Tool Transfer | Egregor has the ability to download files from its C2 server.[5][4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | Egregor has masqueraded as the svchost.exe process to exfiltrate data.[4] |
enterprise | T1106 | Native API | Egregor has used the Windows API to make detection more difficult.[2] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.[1][2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.[4] |
enterprise | T1055 | Process Injection | Egregor can inject its payload into the iexplore.exe process.[2] |
enterprise | T1219 | Remote Access Software | Egregor has checked for the LogMeIn event log in an attempt to encrypt files on remote machines.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | Egregor has used regsvr32.exe to execute malicious DLLs.[6] |
enterprise | T1218.011 | Rundll32 | Egregor has used rundll32 during execution.[5] |
enterprise | T1082 | System Information Discovery | Egregor can perform a language check of the infected system and can query the CPU information (cpuid).[6][1] |
enterprise | T1049 | System Network Connections Discovery | Egregor can enumerate all connected drives.[1] |
enterprise | T1033 | System Owner/User Discovery | Egregor has used tools to gather information about users.[4] |
enterprise | T1124 | System Time Discovery | Egregor contains functionality to query the local/system time.[6] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.[2][1] |
enterprise | T1497.003 | Time Based Evasion | Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.[6] |
References
1. NHS Digital. (2020, November 26). Egregor Ransomware: The RaaS successor to Maze. Retrieved December 29, 2020.
2. Cybleinc. (2020, October 31). Egregor Ransomware: A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
3. Meskauskas, T. (2020, October 29). Egregor: Sekhmet's Cousin. Retrieved January 6, 2021.
4. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins? Retrieved January 6, 2021.
5. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
6. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.