Macaw, or Macaw Locker, is a ransomware family that first came to prominence in October 2021 when it was used to attack Olympus US and Sinclair TV. The cybercrime group responsible often performs attacks in waves and then rebrands its malware to sidestep United States sanctions. As a result, the malware shares some code overlap with previous malware attributed to the Eastern European Evil Corp group.
Macaw has been seen primarily distributed to North American targets thus far.
There is currently insufficient data to determine the method of delivery; however, the ransomware variant has been observed to begin with the execution of a .bat file dispatched to the target system(s).
That .bat file contains attrib.exe commands that are used to enumerate file attribute information across drives and subfolders. This enumeration acts as a precursor to the actual deployment, alongside the acquisition of administrative privileges.
Upon execution, the variant encrypts files and appends the ‘.macaw’ extension to the names of the affected files. A ransom note, typically named “macaw_recover.txt”, is then dropped in each folder. The note contains a link crafted specifically for the victim, along with a decryption ID. The link points to a Macaw Locker Tor site that holds the typical negotiation material: what has occurred, how to decrypt, a tool to decrypt a few sample files as a show of good faith, and a chat that can be used for negotiation.
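As an added example (not Cyborg Security's tooling and not code from the Macaw sample), the following Python script triages a suspected host using the two artifacts described above: files carrying the ‘.macaw’ extension and “macaw_recover.txt” notes, from which it pulls the victim link and decryption ID. It also recovers the original extension of each encrypted file so responders can see what data types were hit. The note text it is run against is a constructed placeholder; the real note's wording is not reproduced here, so the regexes assume only that a note contains an .onion URL and an "ID:" field.

```python
"""Triage a suspected Macaw Locker host: count '.macaw' files, recover their
original extensions, and pull the victim link and decryption ID out of every
'macaw_recover.txt' note.

Added example, not Cyborg Security's tooling. SAMPLE_NOTE and the directory
layout in build_sample_tree() are constructed for illustration; the real
note's wording and layout are not reproduced here.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".macaw"
NOTE_NAME = "macaw_recover.txt"
# v2 (16 chars) or v3 (56 chars) onion host, plus whatever path follows it.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
# A field labelled ID with at least 8 alphanumeric/dash characters after it.
ID_RE = re.compile(r"\bID\s*[:=]\s*([A-Za-z0-9-]{8,})", re.I)

SAMPLE_NOTE = (  # constructed placeholder, not a real Macaw note
    "Your files have been encrypted.\n"
    "Visit: http://abcdefghijklmnop.onion/victim/acme\n"
    "Decryption ID: 7F3A9C2E-51B0\n"
)


def build_sample_tree(base):
    """Lay out a constructed victim directory: encrypted files plus a note per hit folder."""
    base = Path(base)
    layout = {
        "finance": ["q3.xlsx.macaw", "budget.docx.macaw"],
        "finance/archive": ["2019.pdf.macaw"],
        "public": ["readme.txt"],  # untouched folder: no encrypted files, no note
    }
    for folder, files in layout.items():
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        for name in files:
            (d / name).write_bytes(b"\x00" * 16)
        if any(name.endswith(ENCRYPTED_EXT) for name in files):
            (d / NOTE_NAME).write_text(SAMPLE_NOTE)
    return base


def triage(root):
    """Walk the tree once; summarise encrypted files and parse every ransom note found."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
        elif path.name.lower() == NOTE_NAME:
            notes.append(path)
    # 'report.docx.macaw' -> stem 'report.docx' -> original extension '.docx'
    by_type = Counter(Path(p.stem).suffix.lower() or "(none)" for p in encrypted)
    links, ids = set(), set()
    for note in notes:
        text = note.read_text(errors="replace")
        links.update(m.group(0) for m in ONION_RE.finditer(text))
        ids.update(m.group(1) for m in ID_RE.finditer(text))
    return {
        "encrypted_count": len(encrypted),
        "encrypted_by_original_type": dict(by_type),
        "affected_dirs": sorted({str(p.parent.relative_to(root)) for p in encrypted}),
        "note_count": len(notes),
        "victim_links": sorted(links),   # one link per victim is expected
        "decryption_ids": sorted(ids),   # likewise one ID; more than one is worth noting
    }


def run_sample():
    """Build the constructed tree in a scratch directory, triage it and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Point `triage()` at a mounted image or a live share root rather than the sample tree; several distinct links or IDs across notes on one host would suggest more than one victim identifier in play and is worth recording before any negotiation.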
Notably, and unlike the group's earlier variants, Evil Corp has wrapped Macaw in VMProtect for anti-VM and anti-analysis purposes. The variant uses it as a method of obfuscation and “protection” to ensure that it is running on an actual endpoint rather than a virtual machine, which hampers sandbox detonation and manual analysis of the sample.
Persistence is believed to be established through the creation of new user accounts for network persistence. Other persistence methods will be added as Cyborg researchers continue to test and verify.
Macaw has been observed to abuse MSBuild.exe as a living-off-the-land binary (LOLBin) to communicate with its command-and-control (C2) infrastructure.
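As an added example (not Cyborg Security's code), the following Python hunting logic turns three behaviours described on this page into rules over normalized endpoint telemetry: attrib.exe spawned with a recursive flag from a .bat file run by cmd.exe (the precursor step), MSBuild.exe opening a connection outside the local network (the LOLBin C2 channel), and net.exe creating a user account (the persistence method). The event schema, field names and sample events are constructed for illustration and are not real Macaw telemetry.

```python
"""Hunt rules for the Macaw Locker behaviours described on this page, run over
normalized endpoint telemetry (roughly the fields of Sysmon Event ID 1 and 3).

Added example, not Cyborg Security's code. The event schema and the sample
events below are constructed for illustration, not real Macaw telemetry.
"""
import ipaddress
import ntpath

# RFC 1918 ranges plus loopback: MSBuild.exe talking to anything outside these is unusual.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside a private or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def basename(path):
    """Lower-cased file name from a Windows path (ntpath parses backslashes on any host OS)."""
    return ntpath.basename(path).lower()


def rule_attrib_from_batch(ev):
    """Precursor: a .bat run by cmd.exe spawns attrib.exe with /S (recurse into subfolders)."""
    if ev["event"] != "process_create" or basename(ev["image"]) != "attrib.exe":
        return None
    parent_is_bat = (basename(ev.get("parent_image", "")) == "cmd.exe"
                     and ".bat" in ev.get("parent_command_line", "").lower())
    recursive = "/s" in ev["command_line"].lower().split()
    return "macaw_attrib_recursive_enum_from_bat" if parent_is_bat and recursive else None


def rule_msbuild_external_connection(ev):
    """C2: MSBuild.exe (a LOLBin) opening a network connection off the local network."""
    if ev["event"] != "network_connect" or basename(ev["image"]) != "msbuild.exe":
        return None
    return None if is_internal(ev["dest_ip"]) else "macaw_msbuild_external_c2_candidate"


def rule_account_added(ev):
    """Persistence: a user account created with `net user <name> <password> /add`."""
    if ev["event"] != "process_create" or basename(ev["image"]) not in ("net.exe", "net1.exe"):
        return None
    tokens = ev["command_line"].lower().split()
    return "macaw_account_creation_persistence" if "user" in tokens and "/add" in tokens else None


RULES = (rule_attrib_from_batch, rule_msbuild_external_connection, rule_account_added)


def hunt(events):
    """Apply every rule to every event; return (rule, host, command line or destination) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev["host"], ev.get("command_line") or ev["dest_ip"]))
    return hits


# Constructed sample telemetry: one true positive per rule plus a benign look-alike for two.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r'attrib /S /D "C:\*"',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r"cmd.exe /c C:\Users\Public\deploy.bat"},
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r"attrib +r C:\Users\alice\notes.txt",   # benign: interactive, no recursion
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
    {"event": "network_connect", "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},
    {"event": "network_connect", "host": "BUILD01",                      # benign: internal share
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_ip": "10.0.5.20", "dest_port": 445},
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user svc_backup P@ssw0rd! /add",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Against real telemetry each rule alone will produce noise (administrative scripts use attrib.exe /S, build servers run MSBuild.exe, help desks add accounts); the signal is the chain, so group hits by host and by the parent .bat path and treat two or more rules firing on one host within a short window as the alert condition.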