In recent days, a new strain of ransomware was detected. It encrypts files and appends the extension “.SaveTheQueen” to their file names. The most interesting part of this malware is that it propagates using the SYSVOL share on Active Directory Domain Controllers.
About the Active Directory System Volume
The Active Directory System Volume (SYSVOL) is a shared folder that stores Group Policy information along with optional logon, logoff, startup and shutdown scripts and their supporting files.
The contents of SYSVOL are public: by default, files stored there can be read by every user and every device in the domain. Only members of the Domain Admins and/or Enterprise Admins groups have permissions to modify files and take ownership, unless permissions have been delegated further.
The System Volume is shared by all Domain Controllers and is replicated between Domain Controllers using Distributed File System Replication (DFSR). In older Active Directory environments NT File Replication Service (NTFRS) may still be used, although it has been deprecated in Windows Server 2019.
SaveTheQueen and the System Volume
Varonis reviewed the audit trail for this malware, and it reveals that:
- The infected user created a file named “hourly” on the SYSVOL share
- Many log files were created on the SYSVOL share, each with the name of a device in the domain
- Many different IP addresses accessed the “hourly” file
They concluded that the log files were used to monitor the infection process on new devices, and that the “hourly” file was a scheduled task that ran malware on new domain-joined devices using a Windows PowerShell script.
The attacker had likely obtained and used domain admin privileges to write files to SYSVOL. The attacker ran PowerShell code on the infected hosts that created a scheduled task to open, decode and run the malware.
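As an added example (not from the original post or from Varonis), here is a small Python hunt over share-access audit records, of the kind a file-activity audit product or Windows Security event 5145 would supply, that looks for the two SYSVOL indicators described above: one file read by many distinct hosts, and a burst of newly created files named after domain computers. The share path, account and computer names are constructed for the example.

```python
"""Hunt constructed SMB share-access audit records for the SYSVOL abuse
pattern: one file fetched by many hosts plus a burst of device-named files.
Hypothetical helper; the records, paths and names below are made up."""
from collections import defaultdict
from typing import NamedTuple


class ShareEvent(NamedTuple):
    action: str      # "create" or "read"
    source_ip: str   # client that touched the share
    account: str     # account the client authenticated as
    path: str        # UNC path on the SYSVOL share


def files_read_by_many_hosts(events, min_hosts=10):
    """Return {path: distinct_source_ip_count} for files read from at least
    min_hosts distinct IPs. A legitimate logon script is also read by many
    hosts, so hits are leads to triage, not verdicts."""
    readers = defaultdict(set)
    for e in events:
        if e.action == "read":
            readers[e.path].add(e.source_ip)
    return {p: len(ips) for p, ips in readers.items() if len(ips) >= min_hosts}


def device_named_files_created(events, computer_names):
    """Return paths of created files whose base name (minus extension)
    matches a domain computer account, e.g. WS-001.log for WS-001$."""
    names = {n.rstrip("$").upper() for n in computer_names}
    hits = []
    for e in events:
        if e.action != "create":
            continue
        base = e.path.rsplit("\\", 1)[-1]       # file name after last backslash
        stem = base.rsplit(".", 1)[0].upper()   # drop the extension, if any
        if stem in names:
            hits.append(e.path)
    return hits


# Constructed sample: an admin account writes "hourly", then 12 workstations
# each read it and drop a log file named after themselves.
SYSVOL = "\\\\dc1\\SYSVOL\\corp.example\\scripts\\"
COMPUTERS = [f"WS-{i:03d}$" for i in range(1, 13)] + ["DC1$"]
SAMPLE_EVENTS = [ShareEvent("create", "10.0.0.5", "CORP\\svc-admin", SYSVOL + "hourly")]
for i, name in enumerate(COMPUTERS[:12], start=1):
    ip = f"10.0.1.{i}"
    SAMPLE_EVENTS.append(ShareEvent("read", ip, "CORP\\" + name, SYSVOL + "hourly"))
    SAMPLE_EVENTS.append(ShareEvent("create", ip, "CORP\\" + name, SYSVOL + name.rstrip("$") + ".log"))

if __name__ == "__main__":
    print(files_read_by_many_hosts(SAMPLE_EVENTS))
    print(device_named_files_created(SAMPLE_EVENTS, COMPUTERS))
```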
This looks like a combination of MITRE ATT&CK Framework steps
This strongly reminds me of the way admins in the past would keep tabs on who signed into domain-joined devices, or what software was installed on them, by having usernames or the output of wmic product written into device-specific files in SYSVOL.
To me, it is the latest sign of malware leveraging the infrastructure that admins rely upon to do their jobs, not for good but for evil.