Ransomware
We recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH) that drops and executes the legitimate tool known as AnyDesk alongside its malicious payload. This isn't the first time that malware has abused a tool of this kind. TeamViewer, a tool with more than 200 million users, was abused by a previous ransomware that used the victim's connections as a distribution method.
In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.
Bundling a legitimate tool with ransomware
Although the specifics of how RANSOM_BLACKHEART enters the system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites. Once downloaded, RANSOM_BLACKHEART drops and executes two files:
- %User Temp%\ANYDESK.exe
- %User Temp%\BLACKROUTER.exe
Figure 1. The files dropped by RANSOM_BLACKHEART
As noted earlier, the first file contains AnyDesk, a powerful application capable of bidirectional remote control between different desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS. In addition, it can perform file transfers, provide client-to-client chat and log sessions. Note that the version used by the attackers is an older version of AnyDesk, not the current one.
Figure 2. The AnyDesk user interface on the sample we analyzed
It will also delete shadow copies via the following process:
- 'cmd.exe' /c vssadmin.exe delete shadows /all /quiet
The second file is the actual ransomware. Based on our analysis, it is a fairly common ransomware whose routine encrypts files with a variety of extensions.
It searches for and encrypts all files with these extensions in the following folders:
- %Desktop%
- %Application Data%
- %AppDataLocal%
- %Program Data%
- %User Profile%
- %System Root%\Users\All Users
- %System Root%\Users\Default
- %System Root%\Users\Public
- All Drives except for %System Root%
Once it has found and encrypted a file, it will append the .BlackRouter extension to the affected file. When it has accomplished its encryption routine, RANSOM_BLACKHEART will then drop a ransom note, in which the attackers demand $50 or 0.006164 BTC for decryption, in the following locations:
- {All Drives}:\ReadME-BlackRouter.txt
- %Desktop%\ReadME-BlackRouter.txt
Figure 3. Screenshot of the ransom note
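The behaviours described above (the two binaries dropped in %User Temp%, the vssadmin shadow-copy deletion, the .BlackRouter extension and the ReadME-BlackRouter.txt note) translate directly into host-based detection logic. The following is an added example, not code from the original report; the event tuples are constructed sample telemetry, and the rule that two or more distinct indicators on one host constitute a hit is an assumption of this example.

```python
"""Detection logic for the RANSOM_BLACKHEART artefacts described above.
Sample events are constructed, not real telemetry."""
import re
from collections import defaultdict

# Constructed events: (host, event kind, command line or file path)
EVENTS = [
    ("ws01", "process", r"C:\Users\bob\AppData\Local\Temp\ANYDESK.exe"),
    ("ws01", "process", r"C:\Users\bob\AppData\Local\Temp\BLACKROUTER.exe"),
    ("ws01", "process", "'cmd.exe' /c vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "file", r"C:\Users\bob\Desktop\budget.xlsx.BlackRouter"),
    ("ws01", "file", r"C:\Users\bob\Desktop\ReadME-BlackRouter.txt"),
    ("ws02", "process", r"C:\Program Files\AnyDesk\AnyDesk.exe"),  # legitimate install
    ("ws02", "file", r"C:\Users\amy\Documents\notes.txt"),
]

# Indicators taken from the behaviour described in the analysis above
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
TEMP_DROP = re.compile(r"\\Temp\\(ANYDESK|BLACKROUTER)\.exe$", re.IGNORECASE)
ENCRYPTED_EXT = re.compile(r"\.BlackRouter$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"\\ReadME-BlackRouter\.txt$", re.IGNORECASE)

def classify(kind, detail):
    """Return the indicator an event matches, or None."""
    if kind == "process":
        if SHADOW_DELETE.search(detail):
            return "shadow_copy_deletion"
        if TEMP_DROP.search(detail):
            return "temp_dropped_binary"
    elif kind == "file":
        if RANSOM_NOTE.search(detail):
            return "ransom_note"
        if ENCRYPTED_EXT.search(detail):
            return "encrypted_file"
    return None

def detect(events):
    """Group indicator hits per host; a host showing two or more distinct
    indicators is reported as a likely RANSOM_BLACKHEART infection (assumed rule)."""
    hits = defaultdict(set)
    for host, kind, detail in events:
        tag = classify(kind, detail)
        if tag:
            hits[host].add(tag)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= 2}

if __name__ == "__main__":
    for host, tags in detect(EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```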
We believe bundling AnyDesk with the ransomware might be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background — masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because Teamviewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools.
Note that we found another malicious sample that is very similar, but it's bundled with a keylogger (Detected as TSPY_KEYLOGGER.THDBEAH) instead of ransomware. AnyDesk has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take.
Trend Micro Solutions
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway, endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Related Hash detected as RANSOM_BLACKHEART.THDBCAH:
- 85173ef5572f316df839e63b4e1526e97e5f123ae73f898b872baa6a5a9711f
Learn how to troubleshoot bad gateway (502) errors received when using Azure Application Gateway.
Note
This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Overview
After configuring an application gateway, one of the errors that you may see is 'Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server'. This error may happen for the following main reasons:
- NSG, UDR, or Custom DNS is blocking access to backend pool members.
- Back-end VMs or instances of virtual machine scale set aren't responding to the default health probe.
- Invalid or improper configuration of custom health probes.
- Azure Application Gateway's back-end pool isn't configured or empty.
- None of the VMs or instances in virtual machine scale set are healthy.
- Request time-out or connectivity issues with user requests.
Network Security Group, User Defined Route, or Custom DNS issue
Cause
If access to the backend is blocked because of an NSG, UDR, or custom DNS, application gateway instances can't reach the backend pool. This causes probe failures, resulting in 502 errors.
The NSG/UDR could be present either in the application gateway subnet or the subnet where the application VMs are deployed.
Similarly, the presence of a custom DNS in the VNet could also cause issues. An FQDN used for backend pool members might not be resolved correctly by the user-configured DNS server for the VNet.
Solution
Validate NSG, UDR, and DNS configuration by going through the following steps:
- Check NSGs associated with the application gateway subnet. Ensure that communication to backend isn't blocked.
- Check UDR associated with the application gateway subnet. Ensure that the UDR isn't directing traffic away from the backend subnet. For example, check for routing to network virtual appliances or default routes being advertised to the application gateway subnet via ExpressRoute/VPN.
- Check the effective NSG and routes on the backend VM.
- Check for the presence of a custom DNS in the VNet by looking at the VNet's properties. If present, ensure that the DNS server can resolve the backend pool member's FQDN correctly.
Problems with default health probe
Cause
502 errors can also be frequent indicators that the default health probe can't reach back-end VMs.
When an application gateway instance is provisioned, it automatically configures a default health probe to each BackendAddressPool using properties of the BackendHttpSetting. No user input is required to set this probe. Specifically, when a load-balancing rule is configured, an association is made between a BackendHttpSetting and a BackendAddressPool. A default probe is configured for each of these associations and the application gateway starts a periodic health check connection to each instance in the BackendAddressPool at the port specified in the BackendHttpSetting element.
The following table lists the values associated with the default health probe:
Probe property | Value | Description |
---|---|---|
Probe URL | http://127.0.0.1/ | URL path |
Interval | 30 | Probe interval in seconds |
Time-out | 30 | Probe time-out in seconds |
Unhealthy threshold | 3 | Probe retry count. The back-end server is marked down after the consecutive probe failure count reaches the unhealthy threshold. |
Solution
- Ensure that a default site is configured and is listening at 127.0.0.1.
- If BackendHttpSetting specifies a port other than 80, the default site should be configured to listen at that port.
- The call to http://127.0.0.1:port should return an HTTP result code of 200, within the 30-second timeout period.
- Ensure that the port configured is open and that there are no firewall rules or Azure Network Security Groups that block incoming or outgoing traffic on the port configured.
- If Azure classic VMs or Cloud Service is used with a FQDN or a public IP, ensure that the corresponding endpoint is opened.
- If the VM is configured via Azure Resource Manager and is outside the VNet where the application gateway is deployed, a Network Security Group must be configured to allow access on the desired port.
Problems with custom health probe
Cause
Custom health probes allow additional flexibility to the default probing behavior. When you use custom probes, you can configure the probe interval, the URL, the path to test, and how many failed responses to accept before marking the back-end pool instance as unhealthy.
The following additional properties are added:
Probe property | Description |
---|---|
Name | Name of the probe. This name is used to refer to the probe in back-end HTTP settings. |
Protocol | Protocol used to send the probe. The probe uses the protocol defined in the back-end HTTP settings. |
Host | Host name to send the probe. Applicable only when multi-site is configured on the application gateway. This is different from VM host name. |
Path | Relative path of the probe. The valid path starts from '/'. The probe is sent to <protocol>://<host>:<port><path> |
Interval | Probe interval in seconds. This is the time interval between two consecutive probes. |
Time-out | Probe time-out in seconds. If a valid response isn't received within this time-out period, the probe is marked as failed. |
Unhealthy threshold | Probe retry count. The back-end server is marked down after the consecutive probe failure count reaches the unhealthy threshold. |
Solution
Validate that the custom health probe is configured correctly, as described in the preceding table. In addition to the preceding troubleshooting steps, also ensure the following:
- Ensure that the probe is correctly specified as per the guide.
- If the application gateway is configured for a single site, by default the host name should be specified as 127.0.0.1, unless otherwise configured in the custom probe.
- Ensure that a call to http://<host>:<port><path> returns an HTTP result code of 200.
- Ensure that Interval, Timeout, and UnhealthyThreshold are within the acceptable ranges.
- If using an HTTPS probe, make sure that the backend server doesn't require SNI by configuring a fallback certificate on the backend server itself.
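To make the default and custom probe semantics from the two tables concrete, the following added example (not Azure code and not part of the original article) models how the probe URL is built from the back-end HTTP settings and how a back-end is marked down once consecutive failures against the time-out reach the unhealthy threshold. That a successful probe resets the failure count is an assumption of this model.

```python
"""Model of the Application Gateway health-probe rules described above:
URL = <protocol>://<host>:<port><path>, default host 127.0.0.1, 30 s interval and
time-out, unhealthy threshold 3. Added example, not Azure's implementation."""
from dataclasses import dataclass

@dataclass
class ProbeConfig:
    port: int = 80               # taken from the BackendHttpSetting
    protocol: str = "http"
    host: str = "127.0.0.1"      # default-probe host on a single-site gateway
    path: str = "/"
    interval: int = 30
    timeout: int = 30
    unhealthy_threshold: int = 3

    def url(self):
        # A valid path starts from '/', as the custom-probe table requires
        if not self.path.startswith("/"):
            raise ValueError("probe path must start with '/'")
        return f"{self.protocol}://{self.host}:{self.port}{self.path}"

@dataclass
class BackendHealth:
    """Tracks one back-end instance across consecutive probe results."""
    cfg: ProbeConfig
    failures: int = 0
    healthy: bool = True

    def record(self, status, elapsed):
        # A probe fails on a non-200 status or when the answer exceeds the time-out
        if status == 200 and elapsed <= self.cfg.timeout:
            self.failures = 0          # assumption: success resets the count
            self.healthy = True
        else:
            self.failures += 1
            if self.failures >= self.cfg.unhealthy_threshold:
                self.healthy = False   # marked down at the unhealthy threshold
        return self.healthy

def simulate(cfg, results):
    """Feed (status, elapsed_seconds) pairs; return the final health state."""
    h = BackendHealth(cfg)
    for status, elapsed in results:
        h.record(status, elapsed)
    return h.healthy

if __name__ == "__main__":
    cfg = ProbeConfig(port=8080)
    print(cfg.url())
    # constructed outcomes: one answer slower than the time-out, then two 503s
    print(simulate(cfg, [(200, 5), (200, 45), (503, 1), (503, 1)]))
```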
Request time-out
Cause
When a user request is received, the application gateway applies the configured rules to the request and routes it to a back-end pool instance. It waits for a configurable interval of time for a response from the back-end instance. By default, this interval is 20 seconds. If the application gateway does not receive a response from back-end application in this interval, the user request gets a 502 error.
Solution
Application Gateway allows you to configure this setting via the BackendHttpSetting, which can then be applied to different pools. Different back-end pools can have different BackendHttpSettings, and thus a different request time-out configured.
Empty BackendAddressPool
Cause
If the application gateway has no VMs or virtual machine scale set configured in the back-end address pool, it can't route any customer request and sends a bad gateway error.
Solution
Ensure that the back-end address pool isn't empty. This can be done either via PowerShell, CLI, or portal.
The back-end address pool returned for the application gateway should be non-empty: each pool should be configured with FQDNs or IP addresses for the backend VMs, and the provisioning state of the BackendAddressPool must be 'Succeeded'.
Unhealthy instances in BackendAddressPool
Cause
If all the instances of the BackendAddressPool are unhealthy, the application gateway doesn't have any back-end to route user requests to. This can also be the case when back-end instances are healthy but don't have the required application deployed.
Solution
Ensure that the instances are healthy and the application is properly configured. Check if the back-end instances can respond to a ping from another VM in the same VNet. If configured with a public end point, ensure a browser request to the web application is serviceable.
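The empty-pool and no-healthy-instance conditions from the two preceding sections can be checked programmatically before opening a ticket. This added example (not Azure's API and not any cmdlet's output) runs over a constructed, trimmed-down gateway description; the dictionary layout and the per-address health map are assumptions.

```python
"""Checks for two 502 causes described above: an empty back-end address pool
(or one not in the Succeeded state) and a pool with no healthy instances.
Added example over constructed data, not Azure's API or cmdlet output."""

# Constructed, trimmed-down view of a gateway's back-end address pools
GATEWAY = {
    "backendAddressPools": [
        {"name": "pool-web", "provisioningState": "Succeeded",
         "backendAddresses": [{"ipAddress": "10.0.1.4"},
                              {"fqdn": "web2.internal.example"}]},
        {"name": "pool-api", "provisioningState": "Succeeded",
         "backendAddresses": []},
        {"name": "pool-old", "provisioningState": "Failed",
         "backendAddresses": [{"ipAddress": "10.0.1.9"}]},
    ]
}
# Constructed per-address probe results (assumed layout of a health report)
HEALTH = {"10.0.1.4": "Unhealthy", "web2.internal.example": "Healthy",
          "10.0.1.9": "Unhealthy"}

def pool_targets(pool):
    """Addresses a pool points at, whether given as an FQDN or an IP address."""
    return [a.get("fqdn") or a.get("ipAddress") for a in pool["backendAddresses"]]

def diagnose(gateway, health):
    """Return (pool name, reason) pairs for pools that would produce a 502."""
    findings = []
    for pool in gateway["backendAddressPools"]:
        name = pool["name"]
        if pool["provisioningState"] != "Succeeded":
            findings.append((name, f"provisioning state is {pool['provisioningState']}"))
        targets = pool_targets(pool)
        if not targets:
            findings.append((name, "back-end address pool is empty"))
            continue
        # A pool with no healthy instance leaves the gateway nothing to route to
        if not any(health.get(t) == "Healthy" for t in targets):
            findings.append((name, "no healthy instance to route requests to"))
    return findings

if __name__ == "__main__":
    for name, reason in diagnose(GATEWAY, HEALTH):
        print(f"{name}: {reason}")
```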
Next steps
If the preceding steps don't resolve the issue, open a support ticket.