DOPPELPAYMER – A Use Case of Kia Motors

Double Extortion Attack on Kia Motors

In February 2021, Kia motors publicly acknowledged facing an outage in their system. DoppelPaymer cybercriminals team claimed to have locked down their files and demanded a 20 Million USD ransom to give a decryptor to them and also not to publish sensitive data that they claimed to have already stolen. The attack was on Hyundai Motor America which is the parent company of Kia Motors. Kia mobile apps which support services like UVO link, UVO eservices, and KIA connect were affected, and also, the customer self-help portal and customer support. Customers could not access features like remote start using their UVO mobile app, all remote services were completely unavailable. On top of halting Kia’s critical operations, the attackers exerted much pressure on the company by threatening to expose stolen data if they failed to pay the ransom fast, hence the name double extortion.

How DoppelPaymer Compromises Target

1. File Dropping Once DoppelPaymer’s code executes, it starts by downloading Emotet. Emotet then downloads Dridex Malware Family through the Command and Control(C&C) Server. Dridex Malware Family in turn downloads either DoppelPaymer directly or tools such as PowerShell Empire, Cobalt Strike, PsExec, and Mimikatz. These tools are used for various activities such as stealing user credentials and disabling security software before DoppelPaymer is executed.
2. Doppelpaymer The previous step gathers wide variety of information about the target’s environment enabling the malware to create highly targeted attacks that are able to bypass EDR systems. A fully custom loader is compiled 2-3 hours before DoppelPaymer is deployed, making it extremely hard for EDRs to detect. During execution, malware configures settings like decryption type and process integrity level. At the same time, ransom note, public key, file extensions, and all other strings are decrypted.
3. Alternate Data Stream (ADS) After initialization, DoppelPaymer checks for ADS streams, sometimes from files ending with :. If it does not find : it copies itself to APPDATA in this directory %APPDATA%\:BIN, and makes the created file hidden. It then sets autorun in the registry making it launch even when computer is rebooted. The malware also creates copies of itself called :exe to a random empty file, which is used to run Net View command to get list of all network shares. Then another copy of the APPDATA and a copy of this empty file (:exe) is created, this time use to jumble the disk and network shares. Making the copies then copies makes the malware sophisticated and hardly detectable.
4. Privilege Escalation DoppelPaymer uses a Fileless UAC bypass in order to elevate privileges between the network. The malware first tries changing the default open for .msc files using user credentials. It uses KCR\mscfile\shell\open\command command to point to .cmd file allowing it to execute with high privileges using Fileless UAC bypass. To delete shadow copies from infected machine, the malware runs vssadmin.exe Delete Shadows /All /Quiet and diskshadow.exe /s %TEMP%\.tmp’ (.tmp = “delete shadows all\r\nexit\r\n”). It also runs takeown.exe /F and icacls.exe /reset to take control of a random service allowing it to replace the service with its own copy and therefore deploying DoppelPaymer as a service. The encryption process which uses multithreading technique for efficiency can begin this time, after DoppelPaymer is deployed as a service.

X-PHY Protection Method

Detection of Malicious Activity

Guardian Pro-X and Security Scout features within the X-Guard Threat Lock use AI at the firmware level to detect malicious characteristics of the DoppelPaymer’s code. The module monitors the instructions sent to the C2 server and retrieves the content of the first Logical Block Address (LBA 0) targeted by the stager. Using the content retrieved from the LBA 0, the trained neural network in the module identifies all the target LBAs of the server and gets ready to monitor them. The module mirrors the instructions sent to the target addresses as well as the content of all the LBAs. The trained neural network uses the mirrored instructions and contents to determine whether the activity is malicious or not. This is achieved by comparing read/write/overwrite access requested by the stager against the average read/write/overwrite access indicated in the master boot records, master file tables, boot sectors, parameter blocks of file systems. In this case, the first instruction is intended to download DRITEX and other malicious tools. The Security Scout features will classify these activities as malicious thus locking triggering lockdown to prevent malicious access to data.

Prevention of Malicious Takeover

When the Security Scout features within the X-Guard Threat Lock determine the attempt to access the C2 server is malicious, they trigger the X-Factor Encryption lock feature to initiate lockdown and prevent the attacker from accessing data. The X-Factor Encryption lock feature also activates the Keycode2-factor immediately. X-PHY enters safe mode and asks for a password to complete the 2-factor authentication. At this point, multiple unique keys must be provided to gain access to data. Otherwise, data remains locked preventing malicious takeover of the system.  

Share This On Your Favorite Social Media!