A newly discovered variant dubbed "Rorschach" is one of the fastest ransomware strains yet observed, measured by encryption speed, according to the Check Point Research and Incident Response Team.
Discovered during a response to a cyberattack against a U.S. company, Rorschach is deployed by DLL side-loading through the Cortex XDR Dump Service Tool, a signed commercial security product. Check Point reported the vulnerability to Trend Micro.
The abuse of the legitimate Cortex XDR Dump Service Tool is particularly concerning, as it uses “vulnerable software to load malicious DLLs that provides persistence and evasion capabilities,” Jon Miller, Halcyon CEO and co-founder, told SC Media in an emailed statement. “DLL-sideloading is not new, but it is somewhat rare.”
The tactic was leveraged by REvil threat actors in the massive Kaseya ransomware attack in 2021, which enabled “downstream victims” to be compromised through a legitimate software update signed with a valid digital certificate.
Check Point’s analysis of the cyberattack confirmed Rorschach is unique and shares no overlapping characteristics with any other known ransomware variant, which prevents easy attribution.
“The threat actor didn’t hide behind any alias and appears to have no affiliation to any of the known ransomware groups,” researchers wrote. “Those two facts, rarities in the ransomware ecosystem, piqued [our] interest and prompted us to thoroughly analyze the newly discovered malware.”
“While it seems to have taken inspiration from some of the most infamous ransomware families, it also contains unique functionalities, rarely seen among ransomware, such as the use of direct syscalls,” they added.
It’s also highly customizable. In addition to its high speed of encryption, the variant bears a number of characteristics of particular concern.
The strain is partly autonomous, automatically running tasks that ransomware actors would typically perform manually during deployment. For one, it creates domain group policies on the Windows Domain Controller without human interaction. Past iterations of LockBit leveraged similar functionality, but Rorschach’s deployment is different.
For example, it creates multiple group policies: one that copies itself into the public folder of all workstations on the victim’s network, another that attempts to “kill a list of predefined” processes, and a third that registers a scheduled task that runs immediately. Once a user logs on, the main executable is deployed with the relevant arguments.
In short, the “extremely flexible” variant can automatically spread when deployed on the domain controller and clears the event logs of impacted devices. It operates on a built-in configuration and on “numerous optional arguments” that allow it to modify its tactics based on the operator’s needs.
As observed by Check Point in the wild, Rorschach executes using the Cortex XDR Dump Service Tool version 220.127.116.1140, as well as winutils.dll, a packed loader and injector used to both decrypt and inject the ransomware.
The variant also uses config.ini, which contains all the logic and configuration of the encrypted ransomware. Researchers noted that this is the main payload, “subsequently loaded into memory as well as decrypted and injected into notepad.exe, where the ransomware logic begins.”
Even its process spawning is uncommon: it runs in "suspend mode" and gives out “falsified arguments” that make it difficult for network defenders to analyze and remediate.
The falsified argument is “a repeating string of the digit one, based on the length of the real argument, rewritten in memory and replaced with the real argument, resulting in a unique execution,” researchers explained.
Also of note: the variant adds its files into the DC scripts folder, then deletes them from the original location to evade detection. And its ransom note is formatted similarly to Yanluowang and DarkSide ransom notes, but each “person who examined the ransomware saw something a little bit different.”
For Miller, the most interesting feature of Rorschach is not its speed but its advanced security evasion capabilities, which make the payload delivery undetectable and are highly concerning.
“With fast encryption, once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene,” said Miller. “RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch.”
Detection of DLL side-loading attacks can be difficult. As such, analysts should look for unsigned DLLs within executable files or “suspicious loading paths and timestamps that show gaps between the compilation time for the executable and DLL loading time.”
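To show the kind of check described above, here is an added example (not from the article, Check Point or Halcyon) that runs two side-loading heuristics over constructed Sysmon-style Event ID 7 image-load records: an unsigned DLL loaded from the executable's own directory, and any DLL loaded from a user-writable location. The field names follow Sysmon's Image/ImageLoaded/Signed; the sample records and the executable name dumpsvc.exe are constructed, and the compile-time gap check quoted above (which needs PE header parsing) is not included.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records in a simplified key=value rendering of Sysmon
# Event ID 7 (Image loaded). Illustrative only; not telemetry from the incident.
SAMPLE_EVENTS = [
    "UtcTime=2023-04-03 10:15:02 Image=C:\\Windows\\System32\\notepad.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true SignatureStatus=Valid",
    "UtcTime=2023-04-03 10:15:07 Image=C:\\Users\\Public\\dumpsvc.exe "
    "ImageLoaded=C:\\Users\\Public\\winutils.dll Signed=false SignatureStatus=Unavailable",
    "UtcTime=2023-04-03 10:15:09 Image=C:\\Program Files\\Vendor\\app.exe "
    "ImageLoaded=C:\\Program Files\\Vendor\\helper.dll Signed=true SignatureStatus=Valid",
    "UtcTime=2023-04-03 10:16:00 Image=C:\\Program Files\\Vendor\\app.exe "
    "ImageLoaded=C:\\ProgramData\\version.dll Signed=false SignatureStatus=Unavailable",
]

# Directories a standard user cannot write to; anything else is treated as writable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Values may contain spaces, so a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return the list of reasons this image load looks like DLL side-loading."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    unsigned = event.get("Signed", "true").lower() != "true"
    reasons = []
    if unsigned and dll.parent == exe.parent:  # DLL dropped beside the host EXE
        reasons.append("unsigned DLL loaded from the executable's own directory")
    if not str(dll).lower().startswith(TRUSTED_DIRS):
        reasons.append("DLL loaded from a user-writable location")
    return reasons

def find_sideloads(lines):
    """Return (process, dll, reasons) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for image, dll, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```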
“All the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key,” Miller concluded.