Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers

A new bad actor called Tortilla is running the campaign, and most affected users are in the U.S.


Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware via an unusual infection chain technique.

Image: Cisco Talos

Cisco Talos has a warning out for U.S. companies about a new variant of the Babuk ransomware. The security researchers discovered the campaign in mid-October and think that the variant has been active since July 2021. The new element in this attack is an unusual infection chain technique.

Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post. The researchers think that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of the China Chopper web shell.

Babuk can affect several hardware and software platforms, but this version targets Windows. The ransomware encrypts the target's machine, interrupts the system backup process and deletes the volume shadow copies.


According to the researchers, the infection chain works like this: a DLL or a .NET executable starts the attack on the victim's system. The DLL is a mixed-mode assembly. The .NET executable version of the initial downloader is a modified variant of the EfsPotato exploit with added code to download and trigger the next stage.

The initial downloader module on the victim's server runs an embedded, obfuscated PowerShell command to download a packed downloader module. This second module stores its encrypted .NET resources as bitmap images. The PowerShell command also executes an AMSI bypass to avoid endpoint detection.

The packed downloader module connects to a URL hosted on a PasteBin clone site that serves an intermediate unpacker module. The unpacker concatenates the bitmap images from the resource section of the trojan and then decrypts the payload into memory. The payload is injected into the process AddInProcess32 and encrypts files on the victim's server and all mounted drives. The Cisco Talos post has details on each phase and tool in the attack.
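The chain described above (a web shell executing under the Exchange worker, obfuscated PowerShell with an AMSI bypass, shadow-copy deletion before encryption, a payload injected into AddInProcess32) maps onto a handful of process-creation behaviours a defender can look for in endpoint telemetry. The detector below is an added illustration, not code from Cisco Talos or from this article. It assumes Sysmon-style process-creation events serialised as JSON lines with the fields ts, host, parent_image, image and command_line, that Exchange's IIS worker is w3wp.exe, and that AddInProcess32.exe is the .NET Framework add-in host normally launched by managed applications under system paths. The sample events, the host names EXCH01 and WS07, and the loader path are constructed. It goes one step beyond the article by counting how many distinct stages fired per host, since several stages on one machine are far more telling than any single alert.

```python
"""Heuristic detection of the Babuk/Tortilla infection-chain stages over
process-creation events. Added example; assumptions are marked inline."""
import json
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

# Assumptions (not stated in the article): Exchange's IIS worker is w3wp.exe and a
# web shell runs its commands as children of it; AddInProcess32.exe is the .NET
# Framework add-in host and is normally started by applications under system paths.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TRUSTED_PARENT_PREFIXES = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


def _norm(path: str) -> str:
    """Lower-cased path with forward slashes, so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def _base(path: str) -> str:
    """Lower-cased file name of a path."""
    return _norm(path).rsplit("/", 1)[-1]


def webshell_child(ev: Event) -> bool:
    """IIS worker spawning a shell: the usual footprint of web-shell command execution."""
    return _base(ev["parent_image"]) in WEB_WORKERS and _base(ev["image"]) in SHELLS


def encoded_powershell(ev: Event) -> bool:
    """PowerShell launched with an encoded command, as an obfuscated downloader stage would be."""
    return _base(ev["image"]) in POWERSHELL and bool(
        re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b", ev["command_line"]))


def amsi_tamper(ev: Event) -> bool:
    """PowerShell command line that mentions AMSI at all; legitimate scripts almost never do."""
    return _base(ev["image"]) in POWERSHELL and "amsi" in ev["command_line"].lower()


def shadow_copy_delete(ev: Event) -> bool:
    """Volume shadow copy deletion: the backup-destruction step that precedes encryption."""
    cl = ev["command_line"].lower()
    return ("vssadmin" in cl and "delete" in cl and "shadows" in cl) or (
        "shadowcopy" in cl and "delete" in cl)


def addin_host_from_untrusted_parent(ev: Event) -> bool:
    """AddInProcess32.exe started by a shell or by a binary outside system paths, the shape
    an injection target launched by a dropped downloader would take (assumed heuristic)."""
    if _base(ev["image"]) != "addinprocess32.exe":
        return False
    parent = _norm(ev["parent_image"])
    return _base(parent) in SHELLS or not parent.startswith(TRUSTED_PARENT_PREFIXES)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("webshell_child", webshell_child),
    ("encoded_powershell", encoded_powershell),
    ("amsi_tamper", amsi_tamper),
    ("shadow_copy_delete", shadow_copy_delete),
    ("addin_host_from_untrusted_parent", addin_host_from_untrusted_parent),
]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over JSON-lines process-creation events; one alert per rule hit."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        for name, rule in RULES:
            if rule(ev):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name, "image": ev["image"]})
    return alerts


def chain_score(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct chain stages observed per host."""
    per_host: Dict[str, Set[str]] = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return {host: len(rules) for host, rules in per_host.items()}


# Constructed sample telemetry (not from the article): EXCH01 shows the chain, WS07 is benign.
SAMPLE_EVENTS = [
    r'{"ts":"2021-10-12T09:14:02Z","host":"EXCH01","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami"}',
    r'{"ts":"2021-10-12T09:14:09Z","host":"EXCH01","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -enc QUJDREVG"}',
    r'{"ts":"2021-10-12T09:14:11Z","host":"EXCH01","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -c \"<placeholder: script text that references Amsi>\""}',
    r'{"ts":"2021-10-12T09:15:40Z","host":"EXCH01","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe delete shadows /all /quiet"}',
    r'{"ts":"2021-10-12T09:15:52Z","host":"EXCH01","parent_image":"C:\\Users\\Public\\loader.exe","image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe","command_line":"AddInProcess32.exe /guid:placeholder /pid:4120"}',
    r'{"ts":"2021-10-12T10:02:00Z","host":"WS07","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"}',
    r'{"ts":"2021-10-12T10:05:13Z","host":"WS07","parent_image":"C:\\Program Files\\Microsoft Visual Studio\\devenv.exe","image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe","command_line":"AddInProcess32.exe /guid:placeholder /pid:8812"}',
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["rule"], a["image"])
    print(chain_score(found))
```

On the constructed sample the benign workstation produces no alerts, while EXCH01 trips all five rules; in practice the per-host stage count is the signal worth paging on, and the individual rules (especially the encoded-command and AMSI checks) are tuned against a baseline of the environment's own administrative scripts.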

Cisco Talos' telemetry also suggests that the new variant tries to exploit several other vulnerabilities in other products most commonly triggering these Snort rules:

  • Microsoft Exchange autodiscover server side request forgery attempt (57907)
  • Atlassian Confluence OGNL injection remote code execution attempt (58094)
  • Apache Struts remote code execution attempt (39190, 39191)
  • WordPress wp-config.php access via directory traversal attempt (41420)
  • SolarWinds Orion authentication bypass attempt (56916)
  • Oracle WebLogic Server remote command execution attempt (50020)
  • Liferay arbitrary Java object deserialization attempt (56800)

The researchers note the Babuk builder and its source code were leaked in July and that the Tortilla ransomware actor has been experimenting with different payloads. This group has "low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools," according to the blog post.


By Veronica Combs

Veronica Combs is a senior writer at TechRepublic. For more than 10 years, she has covered technology, healthcare, and business strategy. In addition to her writing and editing expertise, she has managed small and large teams at startups and establis...