Makop Ransomware’s Advanced Tactics: Exploiting RDP Systems with AV Killers and Privilege Escalation
Makop ransomware, a variant of the Phobos malware family first identified in 2020, has evolved into a formidable threat to organizations worldwide. Recent analyses reveal that attackers are combining brute-force attacks on Remote Desktop Protocol (RDP) systems with sophisticated privilege escalation techniques and security bypass tools to infiltrate and compromise networks.
Global Impact with a Focus on India
A significant portion of Makop attacks—approximately 55%—have targeted companies in India. However, the threat is not confined to this region; organizations in Brazil, Germany, and other countries have also reported incidents. This widespread targeting underscores the global reach and adaptability of Makop operators.
Methodical Attack Progression
Makop’s attack strategy follows a structured sequence:
1. Initial Access via RDP Exploitation: Attackers gain entry by employing brute-force tools like NLBrute to crack weak or reused RDP credentials on exposed systems.
2. Deployment of Malicious Toolkit: Once inside, they deploy a suite of tools, including network scanners, privilege escalation exploits, antivirus removal utilities, and credential-dumping programs.
3. Lateral Movement and Data Extraction: This toolkit enables attackers to navigate through the network, identify high-value targets, and extract sensitive information.
4. Execution of Encryption Payloads: The final phase involves deploying ransomware to encrypt critical data, rendering it inaccessible to the organization.
If security measures detect their activities during any phase, attackers may employ advanced evasion techniques or abandon the target if they cannot circumvent defenses.
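Step 1 of the sequence above is the phase defenders can observe most cheaply: a password-guessing tool such as NLBrute leaves a burst of failed RemoteInteractive logons (Security event 4625, LogonType 10) from one source, often followed by a success (4624) once a weak credential is found. The following detection logic is an added example written for this article, not code from the page or from any vendor; it assumes a constructed key=value text export of those events (a real EVTX, Sysmon or SIEM feed would need its own parser, the logic is the same).

```python
"""Detect RDP password-guessing bursts in Windows Security log lines.

Added example for this article (not from the original page). Assumes a
simplified, constructed text export where each line carries key=value
fields for EventID, LogonType, SourceIP and TargetUser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failed RDP logons (4625, LogonType 10 = RemoteInteractive)
# from one source within seconds, then a success (4624) from the same source.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4625 LogonType=10 SourceIP=203.0.113.10 TargetUser=admin
2024-05-01T10:00:03Z EventID=4625 LogonType=10 SourceIP=203.0.113.10 TargetUser=administrator
2024-05-01T10:00:05Z EventID=4625 LogonType=10 SourceIP=203.0.113.10 TargetUser=backup
2024-05-01T10:00:08Z EventID=4625 LogonType=10 SourceIP=203.0.113.10 TargetUser=sysadmin
2024-05-01T10:00:12Z EventID=4625 LogonType=10 SourceIP=203.0.113.10 TargetUser=admin
2024-05-01T10:00:20Z EventID=4624 LogonType=10 SourceIP=203.0.113.10 TargetUser=admin
2024-05-01T10:01:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.7 TargetUser=jsmith
2024-05-01T10:15:00Z EventID=4625 LogonType=3 SourceIP=192.0.2.5 TargetUser=svc
"""


def parse_line(line):
    """Turn one constructed log line into a dict; the timestamp becomes 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed RDP logons reach `threshold`
    inside `window`, noting whether a successful RDP logon followed the burst
    (a strong hint that a credential was actually cracked)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != "10":      # only RDP-style logons
            continue
        if rec["EventID"] == "4625":
            failures[rec["SourceIP"]].append((rec["ts"], rec["TargetUser"]))
        elif rec["EventID"] == "4624":
            successes[rec["SourceIP"]].append(rec["ts"])

    alerts = []
    for ip, events in failures.items():
        events.sort()
        start = 0
        # sliding window over the sorted failure timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = events[end][0]
                users = sorted({u for _, u in events[start:end + 1]})
                followed = any(t >= burst_end for t in successes.get(ip, []))
                alerts.append({"source_ip": ip, "failures": end - start + 1,
                               "users": users, "success_after_burst": followed})
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The `success_after_burst` flag is what turns a noisy "many failures" rule into an actionable one: a burst that ends in a 4624 from the same address deserves immediate session termination and a credential reset, whereas a burst alone is the signal to block the source and confirm the host is not reachable from the internet.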
Enhanced Capabilities and Evasion Techniques
Security analysts have observed that Makop operators have integrated new capabilities into their arsenal, such as the use of GuLoader malware to deliver secondary payloads. This evolution reflects a broader trend of ransomware groups adopting more sophisticated delivery mechanisms and techniques to evade detection.
To further obscure their presence, attackers use deceptive file naming conventions and execute malicious files from non-standard directories. For instance, executables may be named to mimic legitimate Windows processes, such as taskmgr.exe, bug_hand.exe, or mc_osn.exe. These files are often placed in network-mounted RDP shares, music directories, or desktop folders to blend in with regular user activity, reducing the likelihood of detection by security monitoring solutions.
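The two tricks described here (a legitimate-looking name, an illegitimate location) are both visible in a process-creation event, so they can be checked together. The following is an added example for this article, not code from the page or from any product; it assumes constructed Sysmon-style process-creation records, a small hypothetical allowlist of where genuine system binaries live, and the RDP client drive redirection share `\\tsclient` as the "network-mounted RDP share" the text refers to.

```python
"""Flag process launches that masquerade as Windows binaries or run from
unusual directories. Added example for this article, not from the page.
Assumes constructed Sysmon-style process-creation records and a minimal,
hypothetical allowlist of genuine system binary locations."""
import ntpath

# Hypothetical allowlist: where the genuine copies of these binaries live.
EXPECTED_SYSTEM_BINARIES = {
    "taskmgr.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
}
# Directory markers the article associates with dropped tools: music folders,
# desktops, and the RDP-redirected client drive share (\\tsclient).
SUSPICIOUS_DIR_MARKERS = ("\\music\\", "\\desktop\\", "\\\\tsclient\\")

# Constructed process-creation records (image paths are made up for the example).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\taskmgr.exe", "user": "CORP\\jsmith"},
    {"pid": 4212, "image": r"C:\Users\Public\Music\taskmgr.exe", "user": "CORP\\jsmith"},
    {"pid": 4300, "image": r"\\tsclient\C\tools\bug_hand.exe", "user": "CORP\\admin"},
    {"pid": 4350, "image": r"C:\Users\jsmith\Desktop\mc_osn.exe", "user": "CORP\\jsmith"},
    {"pid": 4400, "image": r"C:\Program Files\Vendor\app.exe", "user": "CORP\\jsmith"},
]


def classify(image_path):
    """Return the reasons a launch looks suspicious (empty list if none)."""
    norm = image_path.lower()
    directory, name = ntpath.split(norm)
    reasons = []
    expected = EXPECTED_SYSTEM_BINARIES.get(name)
    if expected is not None and directory not in expected:
        # A system binary name outside a system directory is masquerading.
        reasons.append(f"{name} launched from {directory!r} instead of a system directory")
    if any(marker in norm for marker in SUSPICIOUS_DIR_MARKERS):
        reasons.append("executable located in a user or RDP-share directory")
    return reasons


def find_masquerades(events):
    """Return (pid, image, reasons) for every event with at least one reason."""
    hits = []
    for event in events:
        reasons = classify(event["image"])
        if reasons:
            hits.append((event["pid"], event["image"], reasons))
    return hits


if __name__ == "__main__":
    for pid, image, reasons in find_masquerades(SAMPLE_EVENTS):
        print(pid, image, "; ".join(reasons))
```

Name-based allowlists only catch the mimicry case; the directory markers catch the rest, including binaries such as `bug_hand.exe` that mimic nothing in particular. In production the allowlist should be derived from the image's signer and the `OriginalFileName` in its version resource rather than a hand-typed table.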
Comprehensive Network Reconnaissance
Before deploying ransomware, Makop operators prioritize thorough network reconnaissance and lateral movement:
– Network Scanning: Tools like NetScan, Advanced IP Scanner, and Masscan are employed to map out the network infrastructure and identify high-value targets.
– Privilege Escalation: Attackers exploit a range of Windows vulnerabilities, from older, well-documented CVEs to recently patched ones, to escalate their privileges within the network.
Exploitation of Vulnerable Drivers
A notable tactic used by Makop operators is the Bring Your Own Vulnerable Driver (BYOVD) technique. By introducing legitimate drivers with known vulnerabilities, such as hlpdrv.sys and ThrottleStop.sys, attackers can gain kernel-level access. This access allows them to disable endpoint detection and response (EDR) solutions, effectively neutralizing security defenses.
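Because a BYOVD driver is a genuine, signed binary, a signature check alone will pass it; the useful signals are the driver's name or hash matching a known vulnerable build and the path it was loaded from. The following detection is an added example for this article, not code from the page or from any vendor; it assumes Sysmon Event ID 6 (driver loaded) style records, and its blocklist holds only the two driver names the article mentions, with placeholder hashes where a real list would carry SHA-256 values from a maintained feed.

```python
"""Flag driver loads matching known vulnerable drivers (BYOVD) or coming
from unusual paths. Added example for this article, not from the page.
Assumes constructed Sysmon Event ID 6 style records; hashes are placeholders."""
import ntpath

# Driver names the article reports being abused. Hash values are placeholders;
# a production list would be keyed on real SHA-256 values from a maintained feed.
KNOWN_VULNERABLE_DRIVERS = {
    "hlpdrv.sys": "<SHA256_PLACEHOLDER_1>",
    "throttlestop.sys": "<SHA256_PLACEHOLDER_2>",
}
# Where legitimately installed drivers normally live.
STANDARD_DRIVER_DIRS = {"c:\\windows\\system32\\drivers", "c:\\windows\\system32"}

# Constructed driver-load records (paths and hashes are made up for the example).
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Hashes": "SHA256=aa00"},
    {"ImageLoaded": r"C:\Users\Public\Music\ThrottleStop.sys", "Signed": "true",
     "Hashes": "SHA256=<SHA256_PLACEHOLDER_2>"},
    {"ImageLoaded": r"C:\Windows\Temp\hlpdrv.sys", "Signed": "true",
     "Hashes": "SHA256=bb00"},
    {"ImageLoaded": r"C:\Windows\Temp\unknown.sys", "Signed": "false",
     "Hashes": "SHA256=cc00"},
]


def sha256_of(hashes_field):
    """Pull the SHA256 value out of a Sysmon-style 'ALG=value,ALG=value' field."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip()
    return None


def assess_driver_load(event):
    """Return the findings for one driver-load event (empty list if benign)."""
    path = event["ImageLoaded"].lower()
    directory, name = ntpath.split(path)
    findings = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        findings.append("name matches a known vulnerable driver")
        if sha256_of(event["Hashes"]) == KNOWN_VULNERABLE_DRIVERS[name]:
            findings.append("hash matches the vulnerable build")
    if directory not in STANDARD_DRIVER_DIRS:
        findings.append("driver loaded from a non-standard directory")
    # Note: a BYOVD driver is usually signed, so this check alone never catches it.
    if event.get("Signed", "").lower() != "true":
        findings.append("unsigned driver")
    return findings


def scan_driver_loads(events):
    """Map each suspicious ImageLoaded path to its findings."""
    results = {}
    for event in events:
        findings = assess_driver_load(event)
        if findings:
            results[event["ImageLoaded"]] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_driver_loads(SAMPLE_DRIVER_LOADS).items():
        print(path, "->", "; ".join(findings))
```

Detection after the fact is the fallback; the preventive control is Windows' vulnerable driver blocklist (HVCI/WDAC) kept current, so the driver never loads in the first place. Either way, any match on the name or hash list should be treated as an EDR-tampering attempt and trigger isolation of the host.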
Targeted Antivirus Disabling
In addition to exploiting vulnerable drivers, Makop operators deploy specialized uninstallers aimed at disabling specific antivirus software. For example, they have targeted Quick Heal Antivirus, a security product widely used in India. This indicates a strategic adaptation of their tactics to the regional security landscape, enhancing the effectiveness of their attacks.
The Backbone of Makop’s Success: Privilege Escalation
A critical component of Makop’s success is its extensive collection of local privilege escalation (LPE) exploits. These exploits enable attackers to transition from user-level access to system-level privileges, granting them greater control over compromised systems. By maintaining multiple LPE exploits in their toolkit, Makop operators ensure that if one method fails or is patched, alternative options remain available.
Conclusion
The Makop ransomware group’s methodical approach, combining brute-force RDP attacks with advanced privilege escalation and security bypass techniques, underscores the evolving sophistication of cyber threats. Organizations must adopt comprehensive security measures, including strong password policies, regular patch management, network segmentation, and advanced threat detection systems, to defend against such multifaceted attacks.