Full Report
Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender in attacks and evade detection by security tools and EDRs running on target machines. [...]
Analysis Summary
# Tool/Technique: Akira Ransomware
## Overview
Akira is a ransomware variant that has been observed conducting attacks, including exploiting vulnerabilities in third-party software (like SonicWall VPNs) or using multi-stage infection chains involving malware loaders to achieve system encryption. A recent observed chain involves using the Bumblebee malware loader delivered via trojanized IT software installers.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred from techniques like disabling Microsoft Defender and deploying `locker.exe`)
- Capabilities: File encryption, environment manipulation (disabling security tools), establishing persistence and C2 communication, data exfiltration.
- First Seen: Information on the exact first sighting is not provided, but recent activity is highlighted.
## MITRE ATT&CK Mapping
- Note: Specific ATT&CK IDs are not explicitly listed in the context for Akira's direct actions, but based on the description of its chain, relevant tactics include:
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (C2 communication by Bumblebee/AdaptixC2)
- T1021 - Remote Services (Use of SSH tunnels)
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encryption of systems across domains using the main payload (`locker.exe`).
- Establishing initial access often through compromised VPN endpoints or malware loaders like Bumblebee.
### Advanced Features
- Utilizes a sequence involving initial access (potentially via SonicWall VPN exploitation or SEO poisoning leading to trojanized installers).
- Employs **Bumblebee** as a loader, delivered via DLL sideloading.
- Deploys **AdaptixC2** for persistent remote access after initial C2 connection.
- Conducts internal reconnaissance, creates privileged accounts, and exfiltrates data via tools like FileZilla.
- Maintains access using **RustDesk** and **SSH tunnels**.
- *Observed specific tactic*: Abusing a CPU tuning tool to disable Microsoft Defender (the summary does not name the specific tool; the headline describes it only as a legitimate Intel CPU tuning driver).
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `locker.exe` (Akira payload), MSI installers (trojanized)
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 servers contacted by Bumblebee/AdaptixC2 (specific IPs/domains defanged)
- Behavioral Indicators: DLL sideloading by Bumblebee, execution of reconnaissance activities, security tooling being disabled (e.g., Microsoft Defender).
## Associated Threat Actors
- Akira Ransomware Operators
## Detection Methods
- Signature-based detection: Detection for the main payload (`locker.exe`).
- Behavioral detection: Monitoring for the use of Bumblebee (e.g., DLL sideloading patterns), the subsequent use of reconnaissance tools, and the disabling of security products like Microsoft Defender.
- YARA rules: [Not provided in the context]
## Mitigation Strategies
- Apply filters and blocks based on emerging indicators (C2/file hashes).
- Download software only from official sites and mirrors (to counter SEO poisoning and trojanized installers).
- Regarding SonicWall VPNs: Disable or restrict SSLVPN access, enforce MFA, enable Botnet/Geo-IP protection, and remove unused accounts (SonicWall advisory).
## Related Tools/Techniques
- Bumblebee (Malware Loader)
- AdaptixC2 (C2 Framework/Backdoor)
- FileZilla, RustDesk, SSH (Tools used for post-exploitation/exfiltration/persistence)
***
# Tool/Technique: Bumblebee Malware Loader
## Overview
Bumblebee is a malware loader used in the initial stages of the Akira infection chain. It is responsible for achieving initial persistence and downloading subsequent stages of the attack.
## Technical Details
- Type: Malware Loader
- Platform: Windows (Inferred)
- Capabilities: Initial access, DLL sideloading, establishing C2 communication, dropping AdaptixC2.
- First Seen: Related to recent Akira attacks analyzed by The DFIR Report.
## MITRE ATT&CK Mapping
- T1574 - Hijack Execution Flow
- T1574.001 - DLL Search Order Hijacking (DLL Sideloading)
- T1071 - Application Layer Protocol (C2)
## Functionality
### Core Capabilities
- Infection vector: Delivered via trojanized MSI installers (e.g., appearing after SEO poisoning for IT software like ManageEngine OpManager).
- Execution method: Launched via DLL sideloading.
- Initial C2 connection established.
### Advanced Features
- Drops the AdaptixC2 implant for persistent command and control.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Trojanized MSI installers
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 communication channels (defanged)
- Behavioral Indicators: DLL sideloading execution patterns.
## Associated Threat Actors
- Threat actors using Akira Ransomware
## Detection Methods
- Detection: Focus on identifying the DLL sideloading mechanism used by Bumblebee and communication patterns to its C2 infrastructure.
- YARA rules: [Not provided in the context]
## Mitigation Strategies
- Restrict software downloads exclusively to official sources.
- Monitor for suspicious DLL loading activities or unsigned binaries.
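The Akira and Bumblebee detection notes above both come down to three behaviours: a DLL sideloaded from a user-writable directory, a driver loaded from somewhere other than the system drivers directory (the headline's abused CPU tuning driver), and Defender real-time protection being switched off. The following detection pass is an added example and not code from the report or from any vendor; the event records are constructed, their field names are loosely modelled on Sysmon ImageLoad (Event ID 7) and DriverLoad (Event ID 6) and on the Windows Defender Operational log (Event ID 5001, real-time protection disabled), and the path allowlists are assumptions you would tune to your own estate.

```python
"""Added example (not from the report): flag DLL sideloading, out-of-place
driver loads and Defender real-time protection being disabled in constructed
endpoint telemetry. Event dicts and field names are assumptions modelled on
Sysmon (EventID 6/7) and the Defender Operational log (EventID 5001)."""
from __future__ import annotations
import ntpath
from collections import defaultdict

# Directories a legitimate, installed application should not be loading its
# DLLs from (constructed allowlist; extend for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (separators and case)."""
    return path.replace("/", "\\").lower()


def build_baseline(events) -> dict[str, set[str]]:
    """DLL basename -> directories it was seen loading from with a valid
    signature under a system directory. A later load of the same basename
    from a user-writable path is the search-order-hijack signal."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("Channel") != "sysmon" or ev.get("EventID") != 7:
            continue
        loaded = _norm(ev["ImageLoaded"])
        if ev.get("SignatureStatus") == "Valid" and loaded.startswith(SYSTEM_DLL_DIRS):
            baseline[ntpath.basename(loaded)].add(ntpath.dirname(loaded))
    return baseline


def detect(events) -> list[tuple]:
    """Return (alert_type, subject, detail) tuples in event order."""
    baseline = build_baseline(events)
    alerts = []
    for ev in events:
        ch, eid = ev.get("Channel"), ev.get("EventID")
        if ch == "sysmon" and eid == 7:
            loaded = _norm(ev["ImageLoaded"])
            if (loaded.startswith(USER_WRITABLE_PREFIXES)
                    and ev.get("SignatureStatus") != "Valid"
                    and ntpath.basename(loaded) in baseline):
                alerts.append(("dll_sideload", ev["Image"], loaded))
        elif ch == "sysmon" and eid == 6:
            # Some vendors legitimately ship drivers under Program Files, so
            # this check is a triage signal, not a verdict on its own.
            drv = _norm(ev["ImageLoaded"])
            if not drv.startswith(DRIVERS_DIR):
                alerts.append(("driver_outside_drivers_dir", drv, ev.get("SignatureStatus")))
        elif ch == "defender" and eid == 5001:
            alerts.append(("defender_realtime_disabled", ev.get("Computer"), None))
    return alerts


# Constructed sample telemetry: one benign baseline load, then the three
# behaviours listed in the report's behavioural indicators.
SAMPLE_EVENTS = [
    {"Channel": "sysmon", "EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\netutil.dll", "SignatureStatus": "Valid"},
    {"Channel": "sysmon", "EventID": 7,
     "Image": "C:\\Users\\alice\\Downloads\\installer\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\installer\\netutil.dll",
     "SignatureStatus": "Unavailable"},
    {"Channel": "sysmon", "EventID": 6,
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\tune.sys",
     "SignatureStatus": "Valid"},
    {"Channel": "defender", "EventID": 5001, "Computer": "WS01"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The driver check deliberately does not look at the signature: the report's point is that the abused driver is legitimately signed, so location and the fact that a driver is being loaded at all on a workstation are the useful signals, and the Defender 5001 event is what tells you the driver achieved its purpose.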
## Related Tools/Techniques
- Akira Ransomware
- AdaptixC2
***
# Tool/Technique: AdaptixC2
## Overview
AdaptixC2 is a tool deployed by the Bumblebee loader during the Akira infection sequence to establish persistent access to the compromised system.
## Technical Details
- Type: Command and Control (C2) implant/Framework
- Platform: Windows (Inferred)
- Capabilities: Maintaining persistent access post-loader execution.
- First Seen: Used in the recent Akira infection chain analyzed by The DFIR Report.
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer (Implied, as it follows C2 setup)
- T1021 - Remote Services (Used later in the chain: SSH Tunnels)
## Functionality
### Core Capabilities
- Provides persistent remote access after the initial infection stage.
### Advanced Features
- The overall subsequent chain shows use of FileZilla (exfiltration), RustDesk, and SSH tunnels, suggesting AdaptixC2 facilitates these post-exploitation measures.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 channels utilized by AdaptixC2 (defanged).
- Behavioral Indicators: Establishing long-term persistent remote sessions.
## Associated Threat Actors
- Threat actors using Akira Ransomware
## Detection Methods
- Monitoring for anomalous C2 beaconing associated with post-exploitation frameworks.
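One concrete form of the beaconing check above is to look for near-periodic connections from a single host to a single destination. The following is an added example, not code from the report or from AdaptixC2's authors: it groups constructed outbound-connection records by source/destination pair and flags pairs whose inter-arrival times have a low coefficient of variation. The record layout, thresholds and addresses (documentation ranges) are assumptions.

```python
"""Added example (not from the report): flag candidate C2 beaconing in
constructed outbound-connection records by measuring how regular the
inter-arrival times are for each (source, destination) pair."""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(conns, min_events: int = 6, max_cv: float = 0.2) -> list[tuple]:
    """conns: iterable of (timestamp_seconds, src, dst).

    Returns (src, dst, mean_interval, cv) for pairs with at least min_events
    connections whose gaps are regular enough that the coefficient of
    variation (stdev / mean) is at or below max_cv. Real beacons add jitter,
    so max_cv is a tuning knob, and destination rarity should be weighed too."""
    by_pair: dict[tuple[str, str], list[float]] = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(float(ts))

    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, round(avg, 1), round(cv, 3)))
    return found


# Constructed sample: a ~60 s beacon with small jitter to a documentation
# address, plus irregular browsing-style connections that should not fire.
SAMPLE_CONNECTIONS = [
    *[(ts, "10.0.0.5", "203.0.113.10") for ts in (0, 61, 119, 181, 240, 301, 359, 420, 480, 541)],
    *[(ts, "10.0.0.5", "198.51.100.7") for ts in (5, 9, 70, 71, 300, 302, 890)],
]

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_CONNECTIONS):
        print(hit)
```

Run on real flow or proxy logs, the output is a triage list rather than an alert on its own; pairing it with the egress filtering recommended below (unknown destination, long-lived session, non-browser process) is what turns a periodic connection into something worth escalating.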
## Mitigation Strategies
- Network segmentation and egress filtering to block outbound connections to known or suspected C2 addresses and to limit which hosts can reach the internet directly.
## Related Tools/Techniques
- Bumblebee
- SSH Tunnels
- RustDesk