January 16, 2025 | Security intelligence
Grixba’s disguise: Play Ransomware impersonates SentinelOne for stealth recon
By Ryan Slaney
With contributions from Chris Price.
The deployment of reconnaissance tools is a common precursor to ransomware attacks, as they play a crucial role in the early stages of the operation. These tools enable threat actors to gather vital information about the target environment by enumerating software, services, and security measures. Additionally, they help identify open ports, active services, and devices on a network that can serve as potential attack vectors.
Field Effect MDR recently detected and prevented a Play ransomware attack that involved a reconnaissance tool called Grixba. Although the group’s use of that tool is known, the Grixba sample detected by Field Effect MDR contains some characteristics not previously reported publicly.
Grixba deployment
The attack chain began with the threat actor dropping Grixba via Remote Desktop Protocol (RDP) to the directory ‘C:\Users\Public\Music’ on a Windows server, along with a file named ‘data.dat’.
The threat actor connected from IP address 84.239.41[.]12, which is associated with the Private Internet Access (PIA) VPN service.
Grixba analysis
The Grixba file was named ‘GT_NET.exe’, and its version information was crafted to make it appear to be legitimate SentinelOne software called ‘SentinelOne Compatibility Wizard’ with a product version of 1.1.6.0.
Image 1: File details of Grixba, named GT_NET.exe, disguised as SentinelOne software
This impersonation of SentinelOne’s brand was likely an attempt to fool the target into thinking that the file was legitimate, and perhaps even a necessary component of Windows or corporate security controls.
Until now, Play’s use of SentinelOne’s brand to disguise Grixba has not been reported publicly and therefore represents a new tactic, technique, and procedure (TTP) associated with the group.
Analysis of the Grixba sample revealed that it is an obfuscated .NET-based application targeting .NET Framework 4.6.2.
Image 2: File analysis of de-obfuscated GT_NET.exe file (Grixba recon tool)
When first executed, Grixba prompts for a value to be entered. The expected value is a base64-encoded command line argument string and a base64-encoded 64-byte XOR key, separated by the character ‘>’.
For example: ‘LW06c2NhbmFsbCAtaTpk>AkTmFi536D7Hz2spjeQU0Hk9nQjDtDkL5o8nZf03RRKdyMqqSshmkHafOfyE24YWbwso7EW+YlomPhMWs6ZpA==’
Grixba uses the decoded XOR key to decode the contents of ‘data.dat’ and obtain the file ‘inf_g.dll’, which contains an ‘inf_g.Core.CoreScanner’ class that parses the decoded command line arguments and implements the scanning logic for reconnaissance. Because the key is supplied at run time and never written to disk, a sample of ‘data.dat’ on its own cannot be analyzed without recovering the key from the operator’s input.
Grixba scanning parameters
Field Effect MDR used the recovered XOR key to continue the execution of Grixba and perform additional analysis of the ‘inf_g.dll’ file.
Our analysis revealed there are several command line arguments available for customizing the scan parameters and output options.
For example, running ‘GT_NET.exe’ with the command line arguments ‘-m:scanall -i:d’ (which base64-encodes to ‘LW06c2NhbmFsbCAtaTpk’) runs all of the Grixba scanner options using the user’s current domain as the scan input.
The ‘-i:d’ option is the default; it can be changed to narrow the scope of the scan. For example, ‘-i:r’ scans a specific IP range and ‘-i:f’ loads target IPs from a file.
Image 3: Grixba executed with the ‘-m:scanall -i:d’ arguments in a test environment with administrative rights.
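The launch-value format described above (base64 arguments, ‘>’, base64 64-byte key) and the argument encoding, as an added Python example that is not from the article and not Grixba’s own code: it builds the value for ‘-m:scanall -i:d’, parses it back, and uses the recovered key to decode a constructed stand-in for ‘data.dat’. Two details are assumptions the page does not state: that the arguments are UTF-8 before base64 encoding (which reproduces the article’s ‘LW06c2NhbmFsbCAtaTpk’), and that the 64-byte key is applied as repeating-key XOR over the file. FAKE_DLL, KEY and FAKE_DATA_DAT are constructed test data, not the real samples.

```python
import base64
import hashlib
from typing import Tuple

SEPARATOR = ">"   # splits the two base64 fields of the launch value
KEY_LEN = 64      # Grixba expects a 64-byte XOR key (per the analysis)


def build_launch_value(args: str, key: bytes) -> str:
    """Produce the value Grixba prompts for: b64(args) + '>' + b64(key).

    Assumption: arguments are UTF-8 encoded before base64 (the page does not
    state the text encoding; UTF-8/ASCII reproduces the article's sample).
    """
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes, got {len(key)}")
    return (base64.b64encode(args.encode("utf-8")).decode("ascii")
            + SEPARATOR
            + base64.b64encode(key).decode("ascii"))


def parse_launch_value(value: str) -> Tuple[str, bytes]:
    """Split and decode a launch value, rejecting malformed input."""
    if value.count(SEPARATOR) != 1:
        raise ValueError("expected exactly one '>' separator")
    args_b64, key_b64 = value.split(SEPARATOR)
    args = base64.b64decode(args_b64, validate=True).decode("utf-8")
    key = base64.b64decode(key_b64, validate=True)
    if len(key) != KEY_LEN:
        raise ValueError(f"decoded key is {len(key)} bytes, expected {KEY_LEN}")
    return args, key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes.

    Assumption: Grixba cycles the 64-byte key over data.dat. The article only
    says the key is used to decode the file.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_dll(data_dat: bytes, key: bytes) -> bytes:
    """Decode data.dat and check that the result starts with a PE 'MZ' header."""
    dll = xor_repeating(data_dat, key)
    if dll[:2] != b"MZ":
        raise ValueError("decoded payload is not a PE file: wrong key or encoding")
    return dll


# Constructed demo data (not the real samples).
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"inf_g.Core.CoreScanner"  # stands in for inf_g.dll
KEY = hashlib.sha256(b"constructed example key").digest() * 2  # deterministic 64-byte key
FAKE_DATA_DAT = xor_repeating(FAKE_DLL, KEY)                   # stands in for data.dat


def demo() -> dict:
    """Round-trip: build the launch value, parse it, decode the payload."""
    value = build_launch_value("-m:scanall -i:d", KEY)
    args, key = parse_launch_value(value)
    dll = recover_dll(FAKE_DATA_DAT, key)
    return {
        "launch_value": value,
        "args": args,
        "marker_found": b"inf_g.Core.CoreScanner" in dll,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In an investigation the key comes from the operator’s input (a captured command line, console history, or a memory image), not from the sample, which is why the ‘MZ’ sanity check matters: a wrong key produces plausible-looking bytes that are not a PE image.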
Running a scan generates a password, which is printed to the console, and a password-protected zip archive named ‘data.zip’. The printed value is not the archive password by itself: it must be combined with the hardcoded value ‘E8B10161-0849-4984-A6BF-3D1B267615CC-’, found in the ‘inf_g.dll’ file, to produce the actual password, as shown below.
Image 4: Sample Python script to generate the password for data.zip file.
The combined password can then be used to view the results of the Grixba scan, which are stored in the data.zip archive as a file called ExportData.db. This file organizes the scan data into 18 tables, shown below, covering details such as active hosts, web browser history, installed software, process activity, session history and network routes.
Image 5: Contents of ExportData.db
The threat actor then uses the information in ExportData.db to enable the next stage of the attack, such as privilege escalation, vulnerability exploitation, or disabling backup services.
While Play’s use of Grixba has been previously reported, the writing of scan results to a file called ExportData.db has not, and so represents a new indicator of compromise that network defenders can look for to catch the intrusion before Play ransomware is deployed.
Conclusion
Reconnaissance tools, such as Grixba, are not only precursors but integral to the effectiveness of ransomware attacks. They enable precision targeting, reduce the risk of detection, and amplify the impact of ransomware by ensuring it is deployed in a way that causes maximum disruption.
Organizations must deploy managed detection and response (MDR) solutions capable of detecting the presence and use of such tools before escalation. By detecting tools like Grixba early, potential victims can disrupt the ransomware attack chain, prevent lateral movement, and mitigate the risk of a full-scale ransomware deployment.
This proactive approach strengthens an organization’s defenses against increasingly sophisticated cyber threats.
Mitigation
While defending against ransomware attacks may seem intimidating, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Backup your data
Regular backups of sensitive and important information help ensure business continuity during a ransomware attack. These backups should be stored offline or otherwise isolated from the operational network so that they are not encrypted during an attack and can be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known vulnerabilities in IT systems and are among the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations. Note that in this intrusion the threat actor reached the server over RDP from a commercial VPN exit node, so remote access paths themselves need MFA and monitoring, and RDP should not be directly exposed to the internet.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute-force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.
Indicators of Compromise
GT_NET.exe (Grixba Recon tool) / 3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94
data.dat / 5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218
inf_g.dll / b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7
ExportData.db (Hash varies)
84.239.41[.]12 (PIA VPN IP address)
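An added triage script, not part of the article and not Field Effect’s tooling, that walks a filesystem tree and flags files matching the indicators above: the published SHA-256 values, the file names (plus ‘data.zip’ from the analysis), PE files or IoC-named files in the ‘C:\Users\Public\Music’ staging directory, the spoofed ‘SentinelOne Compatibility Wizard’ product string (searched as UTF-16LE, the encoding of PE version resources), and the hardcoded zip-password prefix. The fixture it builds is constructed test data; searching for the prefix in both ASCII and UTF-16LE is an assumption about how the obfuscated DLL stores the string. The script only reads files.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-256 values and file names from the article's IoC list.
IOC_SHA256 = {
    "3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94": "GT_NET.exe (Grixba)",
    "5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218": "data.dat (XOR-encoded inf_g.dll)",
    "b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7": "inf_g.dll (scanner core)",
}
IOC_NAMES = {"gt_net.exe", "data.dat", "inf_g.dll", "exportdata.db", "data.zip"}
STAGING_DIR = "/users/public/music/"  # compared case-insensitively on POSIX-style paths
MAX_READ = 50 * 1024 * 1024           # content checks only on files up to 50 MiB

# PE VERSIONINFO strings are UTF-16LE, so the spoofed product name can be found
# with a raw byte search and no PE parser.
SPOOFED_PRODUCT = "SentinelOne Compatibility Wizard".encode("utf-16-le")
# Zip-password prefix hardcoded in inf_g.dll. Assumption: the obfuscated DLL may
# store it as ASCII or as a .NET UTF-16LE user string, so both are searched.
PASSWORD_PREFIX = "E8B10161-0849-4984-A6BF-3D1B267615CC-"
PREFIX_PATTERNS = (PASSWORD_PREFIX.encode("ascii"), PASSWORD_PREFIX.encode("utf-16-le"))


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Return the reasons a file looks Grixba-related (empty list if none)."""
    p = Path(path)
    reasons = []
    name = p.name.lower()
    in_staging = STAGING_DIR in p.as_posix().lower()
    data = p.read_bytes() if p.stat().st_size <= MAX_READ else b""
    if name in IOC_NAMES:
        reasons.append(f"known Grixba file name {p.name}")
    # Media files legitimately live in Public\Music, so only PE images or
    # IoC-named files count as staging-directory hits.
    if in_staging and (name in IOC_NAMES or data[:2] == b"MZ"):
        reasons.append("PE or IoC-named file in C:\\Users\\Public\\Music staging directory")
    digest = sha256_file(p)
    if digest in IOC_SHA256:
        reasons.append(f"SHA-256 matches {IOC_SHA256[digest]}")
    if SPOOFED_PRODUCT in data:
        reasons.append("version info spoofs 'SentinelOne Compatibility Wizard'")
    if any(pat in data for pat in PREFIX_PATTERNS):
        reasons.append("contains Grixba zip-password prefix")
    return reasons


def hunt(root):
    """Walk root and map each suspicious file path to its list of reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = scan_file(full)
            if reasons:
                findings[full] = reasons
    return findings


def build_fixture(root):
    """Constructed test data (not real samples): spoofed GT_NET.exe, data.dat, a benign file."""
    staging = Path(root) / "Users" / "Public" / "Music"
    staging.mkdir(parents=True)
    (staging / "GT_NET.exe").write_bytes(b"MZ" + b"\x00" * 62 + SPOOFED_PRODUCT)
    (staging / "data.dat").write_bytes(bytes(range(256)))
    benign = Path(root) / "Program Files" / "tool"
    benign.mkdir(parents=True)
    (benign / "readme.txt").write_bytes(b"nothing to see here")
    return staging


def run_demo():
    """Build the fixture in a temp dir and return findings keyed by relative path."""
    root = tempfile.mkdtemp(prefix="grixba_hunt_")
    build_fixture(root)
    return {Path(p).relative_to(root).as_posix(): r for p, r in hunt(root).items()}


if __name__ == "__main__":
    results = hunt(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for path, reasons in results.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Point the script at a mounted image or a live volume (‘python hunt.py D:\’) to triage; a hash match is a confirmed hit, while name, directory and string matches are leads that warrant pulling the file for analysis.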
If you have any questions or comments regarding this analysis, please contact us.