MAZE ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, MAZE operators conduct information-stealing campaigns prior to encryption and post the stolen information online to extort affected companies.[1][2]

ID: S0449
Platforms: Windows
Version: 1.0
Created: 18 May 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MAZE has communicated to hard-coded IP addresses via HTTP.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The MAZE encryption process has used batch scripts with various commands.[1]

Enterprise T1486 Data Encrypted for Impact

MAZE has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. MAZE has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[1]

Enterprise T1568 Dynamic Resolution

MAZE has built its C2 POST request strings from a random choice among a list of possibilities including "forum", "php", and "view" while connecting to the C2, so that the requests blend in with ordinary web traffic and hinder detection.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

MAZE has disabled dynamic analysis and other security tools, including the IDA debugger, x32dbg, and OllyDbg.[2]

Enterprise T1070 Indicator Removal on Host

MAZE has called the "Wow64RevertWow64FsRedirection" function following its attempts to delete the shadow volumes, restoring the WOW64 file system redirection it had disabled beforehand so that the system is left in the same state as it was prior to the change.[2]

Enterprise T1490 Inhibit System Recovery

MAZE has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2]

Enterprise T1106 Native API

MAZE has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[2]

Enterprise T1027 Obfuscated Files or Information

MAZE has decrypted strings and other important information during the encryption process. MAZE also calls certain functions dynamically to hinder analysis.[2]

.001 Binary Padding

MAZE has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[2]

Enterprise T1057 Process Discovery

MAZE has gathered all of the running system processes.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

MAZE has injected the malware DLL into a target process.[2]

Enterprise T1082 System Information Discovery

MAZE has checked the language of the infected system using the "GetUserDefaultUILanguage" function.[2]

Enterprise T1049 System Network Connections Discovery

MAZE has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[2]

Enterprise T1047 Windows Management Instrumentation

MAZE has used "wmic.exe" in its attempts to delete the shadow volumes on the machine.[2]
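The shadow copy deletion described under T1490 and T1047 is one of the few MAZE behaviours that lands in ordinary process-creation telemetry, and the page's detail that it happens twice (before and after encryption) makes the parent process a useful pivot. The following Python is an added example (not MAZE code and not from the cited reports) that runs that detection over constructed, one-line-per-event process-creation records; it goes slightly beyond the page by also matching vssadmin, which is the other common way ransomware deletes shadow copies. The event format, the parent path update.exe and the timestamps are assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# flattened to one line each). Not from a real MAZE infection.
SAMPLE_EVENTS = """\
ts=2020-05-18T10:05:01Z image=C:\\Windows\\System32\\wbem\\WMIC.exe parent=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe cmd="wmic shadowcopy delete"
ts=2020-05-18T10:05:02Z image=C:\\Windows\\System32\\wbem\\WMIC.exe parent=C:\\Windows\\System32\\cmd.exe cmd="wmic os get caption"
ts=2020-05-18T10:07:40Z image=C:\\Windows\\System32\\vssadmin.exe parent=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe cmd="vssadmin.exe delete shadows /all /quiet"
ts=2020-05-18T10:09:15Z image=C:\\Windows\\System32\\wbem\\WMIC.exe parent=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe cmd="WMIC.exe SHADOWCOPY DELETE /nointeractive"
ts=2020-05-18T10:11:00Z image=C:\\Windows\\System32\\vssadmin.exe parent=C:\\Windows\\System32\\services.exe cmd="vssadmin list shadows"
"""

EVENT_RE = re.compile(r'^ts=(?P<ts>\S+) image=(?P<image>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$')


@dataclass
class Hit:
    ts: str
    tool: str
    parent: str
    cmd: str


def tool_name(image: str) -> str:
    """Basename of the image without .exe, lower-cased ('...\\WMIC.exe' -> 'wmic')."""
    base = image.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def is_shadow_deletion(tool: str, cmd: str) -> bool:
    """Match the command lines that remove Volume Shadow Copies.

    Tokens are compared case-insensitively because the operator controls
    the casing and spacing, not the tool.
    """
    tokens = [t.lower() for t in cmd.split()]
    if tool == "wmic":
        return "delete" in tokens and any(t in ("shadowcopy", "win32_shadowcopy") for t in tokens)
    if tool == "vssadmin":
        return "delete" in tokens and "shadows" in tokens
    return False


def find_shadow_deletions(events_text: str) -> List[Hit]:
    """Return every process-creation event that deletes shadow copies."""
    hits: List[Hit] = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparsable record; count these in production
        tool = tool_name(m["image"])
        if is_shadow_deletion(tool, m["cmd"]):
            hits.append(Hit(m["ts"], tool, m["parent"], m["cmd"]))
    return hits


def repeat_offenders(hits: List[Hit]) -> Dict[str, int]:
    """Parents that launched shadow deletion more than once.

    A single deletion can be an administrator; the same unsigned parent doing
    it repeatedly (here before and after encryption) is the ransomware pattern.
    """
    counts = Counter(h.parent for h in hits)
    return {parent: n for parent, n in counts.items() if n >= 2}


if __name__ == "__main__":
    found = find_shadow_deletions(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.ts} {h.tool:8} parent={h.parent} cmd={h.cmd!r}")
    for parent, n in repeat_offenders(found).items():
        print(f"REPEAT: {parent} deleted shadow copies {n} times")
```

The benign "wmic os get caption" and "vssadmin list shadows" events are ignored, and the three deletions all trace back to the same parent in a user-writable Temp directory, which is the alert-worthy combination; matching on wmic.exe alone would be far too noisy in most estates.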