3AM - A new malware family written in Rust

A ransomware variant known as "3AM", was recently identified. It has surfaced in an incident where it was employed after an unsuccessful attempt to infect a target with LockBit ransomware, was thwarted as per researchers from the Symantec Threat Hunting team.

Note that 3AM has been developed using the Rust programming language and is presumed to be an entirely novel strain of malware. This main features of ransomware is to disable several services on the compromised computer prior to commencing the file encryption process. After successfully encrypting the files, it then endeavors to erase Volume Shadow copies.

Interestingly, the attack was detected using a gpresult command to dump the policy settings enforced on the computer for a specified user. The attacker also used Cobalt Strike, a command and control framework and attempted to escalate privileges on the targeted computer using PsExec, that allows users to run programs on remote systems. Various other reconnaissance commands were used and the attacker also added a new user for persistence.

Attack flow

• Attackers first attempted to install LockBit ransomware, but they were blocked.

• Having been blocked, the attacker then attempted to deploy 3AM instead.

• The ransomware is a 64-bit executable that supports multiple commands to stop applications from performing backups and security software.

• The malware only encrypts files matching predefined criteria. An example of how 3AM modifies filenames: it changes "1.jpg" to "1.jpg.threeamtime", "2.png" to "2.png.threeamtime", and so forth.

Impact

As per Symantec, the attack is described as only partially successful, with the attackers only managing to deploy it on three machines on the targeted organization’s network and it was blocked on two of those three computers. They also added a new user for persistence (maintaining access to the target) and used the Wput tool to exfiltrate the victims’ files to their own FTP server.

Recommendation

1. Update Software: Keep all software up to date.

2. Use Security Software: Install antivirus and anti-malware tools.

3. Backup Data: Regularly back up data offline or in the cloud.

4. Strong Passwords: Use strong, unique passwords and enable 2FA.

5. Education: Train users to recognize threats and avoid suspicious links.

6. Network Segmentation: Isolate critical systems from others.

7. Patch Quickly: Apply security patches promptly.

8. Incident Response: Have an incident response plan in place.

9. You can read more about different types of attack here - https://www.instagram.com/p/CckN6txLFDp/