Threat Watch

REvil Ransomware Gang Acquires KPOT Stealer

After being announced by researcher Pancak3 and reported by ZDNet, it is now public that the REvil ransomware gang has purchased the source code to the KPOT stealer at the initial asking price of $6,500 USD. KPOT is used to steal passwords saved in web browsers, VPN clients, instant messaging applications and many others. Ransomware threat actors often make use of stolen passwords to expand their access to more systems and escalate privileges to gain more control over corporate networks before launching ransomware to affect as many computers as possible. With this acquisition, REvil now opens itself to incorporating the stealer and improving upon the code base as the original developer desires to move away to other projects. Secureworks® Counter Threat Unit™ (CTU) analysis has suggested that REvil is likely associated with the now disbanded GandCrab ransomware group due to similar code patterns and the emergence of REvil as GandCrab activity declined.

ANALYST NOTES

As ransomware operators grow in profits, it would not be surprising if more acquisitions like this become more common. As it stands right now to monitor for KPOT, it is important to be looking for Microsoft Background Intelligence Transfer Service (BITS) jobs being started by PowerShell using URLs that are unusual for BITS jobs in the corporate network, then investigate the process or chain of processes that were responsible for initiating that PowerShell command and take research from there. For REvil, similar advice stands. Look for connections to URLs using (new-object net.webclient).downloadstring(‘[malicious URL]’) by PowerShell (pastebin.com has been used commonly in the past). Taking advantage of disabling common administrative tools and shells on systems whose users do not use them can be a valuable step in stopping initial footholds such as these. The Binary Defense Threat Hunting team has had success with custom detections for PowerShell launching BITS jobs, as well as PowerShell connecting to pastebin.com and other similar services.
For more information, please read: https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/