baal

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • File Extension: Appends the suffix .baal to every encrypted file.
    Example: Budget 2024.xlsx → Budget 2024.xlsx.baal.
  • Renaming Convention: Files keep their original full name and preceding extension; only the new .baal marker is appended. In some variants the filename itself is NOT scrambled, which speeds up large-scale identification and prioritisation of affected files during recovery.
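Because the original name and extension survive under the appended marker, recovery triage can be automated. The following is an added example (not part of the original write-up, and not tooling from any vendor) that strips the .baal marker, recovers the original extension, and groups encrypted files by extension in a restore-priority order. The priority table and the SAMPLE_PATHS list are constructed for illustration.

```python
"""Triage helper for files carrying the .baal marker (added example)."""
import os
from collections import defaultdict

MARKER = ".baal"

# Constructed priority table: lower number = restore first.
# Adjust to the organisation's own data classification.
PRIORITY = {".sql": 1, ".bak": 1, ".xlsx": 1, ".docx": 1, ".pdf": 2, ".jpg": 3}

# Constructed sample inventory standing in for a real filesystem scan.
SAMPLE_PATHS = [
    "/srv/fin/Budget 2024.xlsx.baal",
    "/srv/fin/notes.txt",              # untouched file, must be ignored
    "/srv/hr/staff.docx.baal",
    "/srv/db/backup.bak.baal",
    "/srv/pics/cat.jpg.BAAL",          # marker case varies between samples
]


def split_marker(filename):
    """Return (original_name, original_ext) if filename carries the marker, else None.

    'Budget 2024.xlsx.baal' -> ('Budget 2024.xlsx', '.xlsx')
    """
    if not filename.lower().endswith(MARKER):
        return None
    original = filename[:-len(MARKER)]
    if not original:              # a bare ".baal" is not a renamed file
        return None
    _, ext = os.path.splitext(original)
    return original, ext.lower()


def triage(paths):
    """Group marker-bearing paths by original extension, ordered by PRIORITY.

    Returns a list of (ext, [(encrypted_path, original_name), ...]) tuples.
    """
    groups = defaultdict(list)
    for path in paths:
        parsed = split_marker(os.path.basename(path))
        if parsed is None:
            continue
        original, ext = parsed
        groups[ext].append((path, original))
    return sorted(groups.items(), key=lambda kv: (PRIORITY.get(kv[0], 9), kv[0]))


def scan_tree(root):
    """Walk a directory tree and return every path that carries the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if split_marker(name) is not None:
                hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    for ext, files in triage(SAMPLE_PATHS):
        print(f"{ext or '(no ext)'}: {len(files)} file(s)")
        for encrypted, original in files:
            print(f"   {encrypted} -> {original}")
```

Run it against a real share by replacing SAMPLE_PATHS with scan_tree("/mnt/share"); the output is a restore worklist, not a decryptor, and the recovered names are only useful once clean copies exist in backups.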

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First clusters of .baal infections surfaced in the wild in late June 2023; a significant uptick was recorded from August to October 2023 across mid-size enterprises in North America and APAC.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Phishing e-mails with ZIP or ISO attachments; lures imitate finance, legal or “fail2ban report” themes that trick users into executing JavaScript droppers (wsc.js, pdf_decision.js).
    2. Public-facing RDP brute-force and credential-stuffing (port 3389). Reported cases show adversaries using off-the-shelf automated scripts and HIVE-leaked credentials.
    3. Exploitation of CVE-2023-34362 (MOVEit SQLi) to drop Cobalt Strike beacons that later install .baal.
    4. DLL sideloading via outdated VPN clients (FortiClient v5.4–6.x), where the ransomware DLL intel_reporter.dll is side-loaded by a signed launcher.
    5. Lateral movement inside networks via reuse of the SMBv1 “EternalBlue” exploit (SMBv1 is disabled by default since 2017, yet still present on legacy Windows 7 / Server 2008 machines).
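Vector 2 above is the one most readily caught from host telemetry: a burst of failed RDP logons from one source, followed by a success, is the classic credential-stuffing signature. The following is an added example (not part of the original write-up and not a product rule) showing that detection logic over constructed log lines. The log format is a simplified, assumed one-line rendering of Windows Security events: 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP), Src = Source Network Address. Thresholds, window and IPs (RFC 5737 documentation ranges) are constructed.

```python
"""Sliding-window RDP brute-force / stuffing detector (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed simplified log line shape; real EVTX/SIEM fields differ in layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>4624|4625) LogonType=(?P<ltype>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)

# Constructed sample: one noisy source, one benign typo, one non-RDP failure.
SAMPLE_LOG = [
    "2023-09-14T02:10:01Z 4625 LogonType=10 Src=203.0.113.7 User=administrator",
    "2023-09-14T02:10:09Z 4625 LogonType=10 Src=203.0.113.7 User=admin",
    "2023-09-14T02:10:17Z 4625 LogonType=10 Src=203.0.113.7 User=backup",
    "2023-09-14T02:10:20Z 4625 LogonType=10 Src=198.51.100.5 User=jsmith",
    "2023-09-14T02:10:25Z 4625 LogonType=10 Src=203.0.113.7 User=scanner",
    "2023-09-14T02:10:33Z 4625 LogonType=10 Src=203.0.113.7 User=svc_rdp",
    "2023-09-14T02:10:41Z 4625 LogonType=10 Src=203.0.113.7 User=helpdesk",
    "2023-09-14T02:12:03Z 4624 LogonType=10 Src=203.0.113.7 User=helpdesk",
    "2023-09-14T02:30:00Z 4625 LogonType=3 Src=192.0.2.9 User=share",
    "garbage line that must not crash the parser",
]


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "src": m["src"],
        "user": m["user"],
    }


def detect(lines, threshold=5, window_seconds=300):
    """Return alerts for RDP sources exceeding `threshold` failures in a window.

    Alerts are tuples:
      ("rdp_bruteforce", src, failure_count)
      ("success_after_bruteforce", src, user)   # flagged source then logs in
    Lines are expected in chronological order, as a SIEM would emit them.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["ltype"] != 10:   # only RemoteInteractive logons
            continue
        q = failures[ev["src"]]
        if ev["event"] == 4625:
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("rdp_bruteforce", ev["src"], len(q)))
        elif ev["event"] == 4624 and ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a brute-force burst alone is background noise on any exposed 3389, but a success from a flagged source means a credential has been validated and the host should be isolated and the account reset. The window check uses a deque so each source costs O(threshold) memory regardless of log volume.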