Analysis of the payloads suggests that affiliates may be using a shared codebase or a common builder to deploy attacks under different RaaS brand names.
Analysis Summary
# Tool/Technique: HellCat and Morpheus Ransomware Similarity
## Overview
This analysis focuses on the similarities between the HellCat and Morpheus ransomware operations, specifically the observation that their payloads contain almost identical code. The source also mentions operational activity by several threat actors linked to these or related groups.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Undetermined from the context, but typically Windows for this class of malware.
- Capabilities: Data encryption (implied by classification as ransomware).
- First Seen: Not explicitly stated, but analysis is current as of January 23, 2025.
## MITRE ATT&CK Mapping
*Note: Specific MITRE mappings are not provided in the article content, but based on known ransomware behavior, the following general categories apply:*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Code Similarity:** Payloads share almost identical underlying code structures, indicating derivation from a common source or toolkit.
- **File Exclusion:** Explicitly excludes certain file types from encryption: `.dll`, `.sys`, `.exe`, `.drv`, `.com`, `.cat`.
- **Execution Trigger:** Appears to utilize a specific command-line switch for execution: `--ww`.
- **Ransom Note Creation:** Drops a file named `_README_.txt` (implied to be the ransom note).
- **Encryption Techniques:** The report points to standard C/C++ header inclusions (`#include`) in the encryption implementation; the actual algorithms are not detailed.
### Advanced Features
- The most significant feature noted is the near-identical code shared by the two strains, which suggests a shared development environment or reliance on a specific known ransomware builder/framework.
## Indicators of Compromise
- File Hashes:
  - SHA1: `f86324f889d078c00c2d071d6035072a0abb1f73` (100M.exe)
  - SHA1: `b834d9dbe2aed69e0b1545890f0be6f89b2a53c7` (100M_redacted.exe)
- File Names: `100M.exe`, `100M_redacted.exe`, `_README_.txt`
- Registry Keys: Not mentioned.
- Network Indicators (defanged):
  - HellCat DLS: `hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad[.]onion`
  - Morpheus DLS: `izsp6ipui4ctgxfugbgtu65kzefrucltyfpbxplmfybl5swiadpljmyd[.]onion`
- Behavioral Indicators: Execution requiring the `--ww` argument; dropping `_README_.txt`.
## Associated Threat Actors
- FunkSec
- Nitrogen
- Termite
- Cl0p
- Morpheus (Group)
## Detection Methods
- **Signature-based detection:** Matching file hashes (SHA1s listed above).
- **Behavioral detection:** Monitoring for process execution utilizing the `--ww` argument.
- **YARA rules:** No specific YARA rules provided in the context.
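The signature and behavioral detections listed above can be expressed as a small rule set run over endpoint telemetry. The following is an added example, not code from the report or from any vendor, that checks process-creation and file-creation events for the three indicators the page gives: the two SHA1 hashes, the `--ww` command-line switch, and creation of `_README_.txt`. The event lines are constructed for this example in a simplified Sysmon-like key=value layout; the two placeholder hashes beginning with zeros are made up and are not real indicators.

```python
import ntpath
import re

# SHA1 hashes taken from the report's IoC section (the only two the page provides).
KNOWN_SHA1 = {
    "f86324f889d078c00c2d071d6035072a0abb1f73": "100M.exe",
    "b834d9dbe2aed69e0b1545890f0be6f89b2a53c7": "100M_redacted.exe",
}
RANSOM_NOTE = "_README_.txt"   # file name reported as the dropped ransom note
EXEC_SWITCH = "--ww"           # command-line switch reported as the execution trigger

# Constructed sample events (simplified Sysmon-style key=value lines; EventID 1 is
# process creation, EventID 11 is file creation). The all-zero hashes are placeholders.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Users\\bob\\Downloads\\100M.exe CommandLine="100M.exe --ww" '
    'Hashes=SHA1=f86324f889d078c00c2d071d6035072a0abb1f73',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.txt" '
    'Hashes=SHA1=0000000000000000000000000000000000000001',
    'EventID=1 Image=C:\\Temp\\update.exe CommandLine="update.exe --ww" '
    'Hashes=SHA1=0000000000000000000000000000000000000002',
    'EventID=11 Image=C:\\Temp\\update.exe TargetFilename=C:\\Users\\bob\\Documents\\_README_.txt',
    'EventID=11 Image="C:\\Program Files\\Editor\\editor.exe" '
    'TargetFilename="C:\\Users\\bob\\Documents\\README.txt"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value event line into a dict."""
    event = {}
    for key, quoted, bare in _KV.findall(line):
        event[key] = quoted or bare
    return event


def sha1_of(event):
    """Extract the SHA1 from a Sysmon-style Hashes field such as 'SHA1=...,MD5=...'."""
    for part in event.get("Hashes", "").split(","):
        alg, _, value = part.partition("=")
        if alg.upper() == "SHA1":
            return value.lower()
    return None


def evaluate(event):
    """Return the names of the report's indicators matched by a single event."""
    hits = []
    if sha1_of(event) in KNOWN_SHA1:
        hits.append("known_sha1")
    # Exact token match, so '--wwx' or a path that merely contains '--ww' does not fire.
    if EXEC_SWITCH in event.get("CommandLine", "").split():
        hits.append("exec_switch_ww")
    target = event.get("TargetFilename", "")
    if ntpath.basename(target).lower() == RANSOM_NOTE.lower():
        hits.append("ransom_note_drop")
    return hits


def scan(lines):
    """Run every event through the rule set; return (rule, image) pairs in event order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            findings.append((rule, event.get("Image", "")))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:18s} {image}")
```

The hash rule is the narrowest and will miss any recompiled sample; the `--ww` and `_README_.txt` rules are broader and are worth correlating with each other (same image within a short window) before alerting, since a bare `--ww` switch or a file named `_README_.txt` can appear in benign software.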
## Mitigation Strategies
- **Prevention:** Strict control over execution parameters; allow only allowlisted applications to execute.
- **Hardening recommendations:** Implement strong egress filtering to block Tor and other dark-web access where possible; note that the DLS indicators are `.onion` addresses, which are reachable only through Tor.
## Related Tools/Techniques
- Morpheus (Ransomware)
- HellCat (Ransomware)
- Cl0p (Known association with ransomware operations)