Maze

Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[1][2][3]

ID: S0449
Type: MALWARE
Platforms: Windows
Contributors: Center for Threat-Informed Defense (CTID); SarathKumar Rajendran, Trimble Inc
Version: 1.2
Created: 18 May 2020
Last Modified: 24 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[2][3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[3]

Enterprise T1568 Dynamic Resolution

Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while connecting to the C2, hindering detection efforts.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The Maze encryption process has used batch scripts with various commands.[1][3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[2] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Maze has communicated to hard-coded IP addresses via HTTP.[2]

Enterprise T1486 Data Encrypted for Impact

Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[1]

Enterprise T1489 Service Stop

Maze has stopped SQL services to ensure it can encrypt any database.[3]

Enterprise T1106 Native API

Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[2]

Enterprise T1027 Obfuscated Files or Information

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[2]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[2]

Enterprise T1070 Indicator Removal

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[2]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.[3]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Maze has checked the language of the machine with the GetUserDefaultUILanguage function and terminated execution if the language matches an entry in a predefined list.[2]

Enterprise T1082 System Information Discovery

Maze has checked the language of the infected system using the "GetUserDefaultUILanguage" function.[2]

Enterprise T1529 System Shutdown/Reboot

Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[3]

Enterprise T1490 Inhibit System Recovery

Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2][3]

Enterprise T1049 System Network Connections Discovery

Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[2]

Enterprise T1057 Process Discovery

Maze has gathered all of the running system processes.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Maze has injected the malware DLL into a target process.[2][3]

Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch Maze at a specific time.[3]

Groups That Use This Software

ID Name References
G0037 FIN6 [1]
G0046 FIN7 [4]

References