adr

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: adr (lower-case, three letters, appended after the original file name)
  • Renaming Convention:
    {original_filename}.{original_extension}.adr (the extension is appended; the original extension is not replaced)
    Example: Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.adr

2. Detection & Outbreak Timeline

  • Initial Sightings: 07-Sep-2023 (Ukraine, Poland, Bulgaria SOC reports)
  • Peak Activity: 12–18 Sep 2023 (linked to “UAC-0133” phishing campaign distributing SmokeLoader); sporadic waves observed through late-2023.
  • Current Status: Still circulating in 2024 but overshadowed by newer variants; legacy campaigns persist via cracked-software sites.

3. Primary Attack Vectors

  1. Spear-phishing emails (Enterprise targeting) – ISO / IMG / ZIP attachments containing a malicious LNK launching PowerShell to pull SmokeLoader → adr.
  2. SEO-poisoned cracked software – fake “Adobe CC crack”, “MS Office activators”; final payload delivered via drive-by DLL sideloading.
  3. Known vulnerability chaining – once foothold is gained, adr uses EternalBlue (MS17-010) & PrintNightmare (CVE-2021-34527) to move laterally and encrypt additional hosts.
  4. RDP brute-force & credential-stuffing – hosts with 3389/RDP exposed are brute-forced; adr is staged under %APPDATA%\Microsoft\Office and installed as a “MicrosoftSupport” service.

Remediation & Recovery Strategies

1. Prevention

  • Patch promptly: install the 2023-09 cumulative update (KB5031364, KB5031356, etc.) or later; it covers EternalBlue & PrintNightmare.
  • Enforce strong email filtering: block .iso, .img and .lnk attachments from untrusted senders at the mail gateway (e.g., Exchange transport rules).
  • Disable or restrict RDP (Registry: fDenyTSConnections = 1; allow only selected source IPs via firewall).
  • Deploy Application Control (AppLocker / Windows Defender Application Control) to block living-off-the-land techniques (PowerShell, wbadmin, certutil, rundll32 spawned from unusual folders).
  • 3-2-1 immutable backups – keep one copy offline or on WORM storage.
  • EDR rule tuning – enable detection for:
    – explorer.exe spawning a child process “powershell -WindowStyle Hidden”
    – Registry persistence under HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftSupport

2. Removal (If infection is suspected or confirmed)

  1. Isolate network: immediately disconnect affected machines and disable lateral-movement transports (e.g., stop SMBv1: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  2. Terminate malicious services & scheduled tasks:
     sc stop MicrosoftSupport
     sc delete MicrosoftSupport
     schtasks /delete /tn "SystemUpdateCheck" /f
  3. Clean boot: start in Safe Mode with Networking → run a full scan with:
     – Microsoft Defender Offline, or
     – Kaspersky Virus Removal Tool 2024.06+, or
     – Trend Micro Ransomware File Decryptor (scan for adr artefacts).
  4. Delete residual artefacts:
     %APPDATA%\Microsoft\Office\winword.exe, %APPDATA%\temp\adr.dll, and registry keys under HKCU\Software\adr.
  5. Re-image if persistence cannot be proven eliminated; adr has been observed dropping secondary Cobalt Strike beacons.

3. File Decryption & Recovery

  • Status: Decryption is possible – adr uses hard-coded AES-256 keys protected with an RSA-1024 public key that was prematurely exposed (leaked via the TeamTNT dump).
  • Free Decryptor:
    – Kaspersky’s Rakhni Decryptor (v2.6.0+, updated 06-Feb-2024) natively supports .adr.
    – Update the signature file from https://support.kaspersky.com/downloads/utils/rakhni_decryptor.zip and run:
      RakhniDecryptor.exe /scanfolder:d:\data /extension=.adr
  • Shadow Copies: adr deletes them (vssadmin delete shadows /all /quiet) only after encryption starts, so some may survive. List them with:
      vssadmin list shadows
    and restore with ShadowExplorer or the Windows file-properties “Previous Versions” tab.
  • Backup restore: if immutable restore points exist, verify their integrity and copy the data back while booted in Safe Mode.

4. Other Critical Information

  • Double-extortion trick: even though decryption is public, adr exfiltrates a list of file names of interest to its C2 (hxxps://covid19-stat[.]com/stat.php). Consider breach-notification statutes if sensitive data is involved.
  • Modular post-encryption stage: observed payloads include the ClipBanker credential stealer and a Cobalt Strike loader; assume credentials on finance and HR accounts are compromised.
  • Unique propagation flag: the executable prints an embedded string, I{\"AM\"}THE\"adr\", which is useful for YARA detection:
    rule adr_variant {
        strings:
            $str = "I{\\\"AM\\\"}THE\\\"adr\\\""
        condition:
            uint16(0) == 0x5A4D and $str
    }
  • Notify your SOC (and browser/web-filtering admins): adr C2 domains covid19-stat[.]com, help-tr[.]online, safety-cert[.]pro – block via DNS sinkhole or threat-intel feed.

Remain vigilant, keep backups current, and distribute this playbook team-wide.