This blog analyzes Albabat ransomware, exploring its config file, executed ransomware commands, and ransom note.
# Tool/Technique: Albabat Ransomware (analysis focused on version 2.0.0)
## Overview
Albabat, also known as White Bat, is a ransomware family first observed in late 2023. The analyzed sample (version 2.0.0) is written in Rust and relies heavily on a configuration file (`config.json`) hosted on GitHub, which dictates the commands it executes, the files it targets, and the ransom note templates it uses. It aims to encrypt files across multiple operating systems, including Windows, Linux, and macOS.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows, Linux, macOS
- Capabilities: File encryption, system information gathering, configuration retrieval from GitHub (used as C2 infrastructure), and potential data exfiltration (implied by the Postgres DB connection details in the configuration).
- First Seen: Late 2023 (Version 0.1.0 in November 2023)
## MITRE ATT&CK Mapping
Based on observed behaviors:
- **TA0001 - Initial Access** (the delivery mechanism is not detailed; the analysis focuses on execution)
- **TA0009 - Collection**
  - **T1560 - Archive Collected Data** (implied preparation for exfiltration to the Postgres database)
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol**
    - **T1071.001 - Web Protocols** (use of HTTPS to communicate with GitHub, ifconfig[.]co, ipify[.]org)
- **TA0040 - Impact**
  - **T1486 - Data Encrypted for Impact** (core ransomware function)
## Functionality
### Core Capabilities
- **Config-Driven Operation:** Retrieves essential operational data, including commands, target file information, and ransom note templates, from a `config.json` file hosted on GitHub.
- **Multi-OS Targeting:** The configuration dictates commands executable across Windows, Linux, and macOS systems.
- **System Profiling:** Contacts `ifconfig[.]co` to gather geolocation data and `ipify[.]org` to retrieve the public IP address.
- **Persistence/Delivery Assets:** Downloads associated assets like a custom wallpaper and an icon file from GitHub.
### Advanced Features
- **GitHub Integration:** Uses GitHub as a dedicated, streamlined command and control/distribution infrastructure, authenticating with a hardcoded authorization token and specific user agent (`Awesome App`) to fetch the configuration.
- **Data Exfiltration Channel:** The configuration file contains connection details for a **Postgres database**, strongly suggesting the intent to store exfiltrated system information.
- **Encryption:** Contains an **RSA Public Key** within its configuration, indicating the use of asymmetric cryptography for file encryption/key exchange.
- **Obfuscation:** The configuration file is retrieved **Base64-encoded** and must be run through a specific decoding sequence (reproduced by the analysts as CyberChef steps) before it can be read.
## Indicators of Compromise
- File Hashes:
  - MD5: `2a78ca5302034ed8efcc52313750b634`
  - SHA1: `1cc2d1f2a991c19b7e633a92b1629641c019cdeb`
  - SHA256: `13d128038c341e850b55bc900ecee93496521c74bd9f3f8ea63e86042c5b6a9b`
- File Names: `20-03-2025_E337Y98NvS521352.rar` (container for the sample)
- Registry Keys: [Not specified in the context]
- Network Indicators:
  - `github[.]com` (used for configuration download)
  - `ifconfig[.]co` (used for geolocation)
  - `ipify[.]org` (used for public IP retrieval)
- Behavioral Indicators:
  - HTTP requests using the User-Agent `Awesome App`.
  - Decoding configuration data from Base64 format retrieved over HTTP/S.
  - Attempts to connect to a Postgres database endpoint.
## Associated Threat Actors
- Threat actors associated with Albabat/White Bat ransomware. (Specific named groups not provided in the context, but Trend Micro research is cited).
## Detection Methods
- Signature-based detection: Match on the file hashes listed above.
- Behavioral detection: Monitor for processes contacting GitHub with the `Awesome App` user agent, or making successive requests to the IP geolocation services (`ifconfig[.]co`, `ipify[.]org`) immediately before mass file operations begin.
- YARA rules: [Not specified in the context]
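The behavioral detection described above, as an added example that is not part of the original report: it scans constructed proxy log lines for the hardcoded `Awesome App` user agent and for one host querying both geolocation services within a short window. The log format, host names and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report: the hardcoded User-Agent and the geolocation services.
SUSPICIOUS_UA = "Awesome App"
GEO_SERVICES = ("ifconfig.co", "ipify.org")

# Constructed sample proxy log (not real traffic): timestamp host destination "user-agent"
SAMPLE_LOGS = """\
2025-03-20T10:00:01 ws-17 github.com "Awesome App"
2025-03-20T10:00:03 ws-17 ifconfig.co "Awesome App"
2025-03-20T10:00:04 ws-17 api.ipify.org "Awesome App"
2025-03-20T10:05:00 ws-22 github.com "Mozilla/5.0"
2025-03-20T11:30:00 ws-31 ifconfig.co "curl/8.5.0"
2025-03-20T11:45:00 ws-31 api.ipify.org "curl/8.5.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, dest, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "dest": dest.lower(), "ua": ua}

def geo_indicator(dest):
    """Return the matching indicator domain (suffix match covers api.ipify.org), else None."""
    for d in GEO_SERVICES:
        if dest == d or dest.endswith("." + d):
            return d
    return None

def detect(log_text, window_seconds=60):
    """Return (host, rule, detail) alerts for UA matches and geo-service sequences."""
    alerts, geo_hits = [], defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["ua"] == SUSPICIOUS_UA:
            alerts.append((e["host"], "user-agent", f'{SUSPICIOUS_UA} -> {e["dest"]}'))
        if geo_indicator(e["dest"]):
            geo_hits[e["host"]].append(e)
    for host, hits in geo_hits.items():
        hits.sort(key=lambda e: e["ts"])
        for a, b in zip(hits, hits[1:]):  # two different geo services, close together
            if (geo_indicator(a["dest"]) != geo_indicator(b["dest"])
                    and b["ts"] - a["ts"] <= timedelta(seconds=window_seconds)):
                alerts.append((host, "geo-sequence", f'{a["dest"]} then {b["dest"]}'))
                break  # one sequence alert per host is enough
    return alerts
```

Host ws-31 queries both services but fifteen minutes apart, so only the user-agent rule and the one-second sequence on ws-17 produce alerts.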
## Mitigation Strategies
- **Network Segmentation:** Restrict outbound traffic to known suspicious IP/domain sets, particularly if connectivity to the identified C2 indicators is unexpected.
- **Configuration Control:** Monitor network access to GitHub repositories from endpoints, especially when authentication tokens or specific user agents are involved.
- **Endpoint Hardening:** Use application control to block execution of unrecognized Rust-built binaries where Rust software is not part of the standard environment.
- **Database Security:** Alert on endpoints attempting to connect to external Postgres databases; such connections are unexpected for ordinary workstations and are consistent with the connection details found in the downloaded configuration.
## Related Tools/Techniques
- Other ransomware families that use GitHub or similar public cloud services for operational storage (e.g., LockBit, which often uses shared cloud infrastructure).