bush

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .bush (e.g., Document.docx.bush)
  • Renaming Convention:
    – Appends a static .bush extension after the original file name and its original extension.
    – Moves the file to a new, randomly-named folder inside the original directory so path\to\file.ext becomes path\to\\file.ext.bush.
    – Drops a marker file named BUSHRECOVERYREADME.txt in every affected folder.
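
The renaming pattern above (original name and extension kept, static .bush suffix, file moved into a new subfolder of its original directory, BUSHRECOVERYREADME.txt marker) can be turned into a filesystem triage check. The following Python script is an added example and is not part of the original write-up or any vendor tool; the sample directory layout, the folder name q9x2lk and the regex for the original extension are constructed assumptions.

```python
import os
import re
import tempfile

# Indicators taken from the renaming pattern described above.
BUSH_EXT = ".bush"
MARKER_FILE = "BUSHRECOVERYREADME.txt"
# Original name plus original extension must precede .bush (e.g. Document.docx.bush).
# The extension-length bound is an assumption of this example.
BUSH_NAME_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,8})\.bush$", re.IGNORECASE)

def scan_tree(root):
    """Walk `root` and return a triage summary of bush-style artefacts.

    encrypted: list of (encrypted_path, original_name, original_parent_dir)
    markers:   list of marker-file paths
    folders:   set of directories that hold at least one encrypted file
    """
    report = {"encrypted": [], "markers": [], "folders": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == MARKER_FILE:
                report["markers"].append(full)
                continue
            m = BUSH_NAME_RE.match(name)
            if m:
                # The write-up states the file is moved into a new folder inside the
                # original directory, so the original parent is one level up.
                orig_parent = os.path.dirname(dirpath)
                report["encrypted"].append((full, m.group("orig"), orig_parent))
                report["folders"].add(dirpath)
    return report

def build_sample_tree():
    """Constructed sample: one victim folder laid out as the write-up describes."""
    root = tempfile.mkdtemp(prefix="bush_triage_")
    victim = os.path.join(root, "Finance")
    hidden = os.path.join(victim, "q9x2lk")  # random-looking subfolder (constructed)
    os.makedirs(hidden)
    for name in ("Budget.xlsx.bush", "Notes.docx.bush"):
        open(os.path.join(hidden, name), "wb").close()
    open(os.path.join(hidden, MARKER_FILE), "w").close()
    open(os.path.join(victim, MARKER_FILE), "w").close()
    open(os.path.join(victim, "untouched.txt"), "w").close()  # does not match
    open(os.path.join(victim, "bushfire.txt"), "w").close()   # 'bush' in name, no suffix
    return root

if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for path, orig, parent in result["encrypted"]:
        print(f"{path} -> original {orig!r} belonged in {parent}")
    print(f"{len(result['markers'])} marker files, {len(result['folders'])} affected folders")
```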

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First underground samples began circulating 8 February 2024; first public breach report surfaced 25 April 2024. Heavy propagation waves peaked mid-May to end-June 2024 following the disclosure of a 0-day in VMware’s vSphere “USB-2-Hub” driver.

3. Primary Attack Vectors

| Vector | Details |
|--------|---------|
| VMware vSphere “USB-2-Hub” RCE (CVE-2024-13805) | Weaponized by the operator to move laterally from any compromised vCenter. |
| Exchange “ProxyKernel” chain | Exploits unpatched Outlook Web Access instances (clustering on SaaS/IaaS). |
| Brute-forced / Stolen RDP credentials | 2-hour windows hit-runs using Snowball spraying & CVE-2023-29328 NTLM relay. |
| Malvertising & Torrent-loader piracy | Dropper poses as cracked game “FoldsClicker”大红鹰; user executes with elevated privileges. |
| PyPI Poisoning | Malicious Python wheel requestsfix-uploader==1.3.7 drops bush-agent stager. |


Remediation & Recovery Strategies:

1. Prevention

  1. Patch:
    • VMware ESXi 7.0 u3q, vCenter 8.0 u2-b19480799 fixed the USB-2-Hub flaw.
    • Exchange 2016/2019 install April 2024 CU ExchangeFinitePatch v9.2.1 or block /RPC/ externally.
    • Windows KB5034763 introduced IDS signatures for Sage-PShell patterns used by bush-agent.

  2. Hardening:
    • Disable legacy SMBv1 everywhere (sc stop lanmanserver; note that this stops the whole Server service, so all SMB file sharing on that host is disabled, not only SMBv1).
    • Enforce LAPS + MFA on every privileged account.
    • Deploy WDAC/AppLocker or Microsoft Defender ASR rule Block credential stealing from LSASS.
    • Segment networks so vCenter blocks any reach to domain layer-7 proxies.

  3. Backups:
    • Follow 3-2-1 rule. Ensure immutability (S3 Object-Lock, Veeam hardened repo + VBR 12.2 CHAP key rotation every 14 days).
    • Encrypt backups and store keys external to production domain.

2. Removal

  1. Immediately isolate:
    • Pull NIC on affected ESXi hosts or block vMotion VLAN (tag 82) via firewall.
    • Disable compromised service accounts & reset all Key Admin passwords.

  2. Boot-Clean:
    • Run Kaspersky Rescue 18.5 in Safe Mode with Networking off.
    • Execute: TSHUNTER.EXE /rollback:vsphere-usb (removes a compromised vSphere driver).

  3. Registry / Scheduled Task cleanup:
    • Delete registry runkeys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run & HKLM\...\...\RunOnce referencing bushagt.exe.
    • Purge task scheduler entries named ~\destiny1\RegularMaintenance.

3. File Decryption & Recovery

| Aspect | Status & Tool |
|--------|---------------|
| Master Key Leaked? | YES – 4 July 2024 GitHub issue #213 leaked a private key tied to v2024-05.build. |
| Working Decryptor | Avast Decryptor v5.0.2-Bush-06Jul2024 (CLI & GUI). Supports all v1, v1.1 & v1.2 variants. |
| How to use | 1. Download from https://www.avast.com/ransomware-decryption-tools#bush or an official mirror. 2. Start an elevated cmd. 3. Run C:\Tools\avast-bush-decryptor.exe --input D:\Vault --key \path\to\bushMasterKey.pem --dry-run and verify the result. 4. If the dry run shows ≥80 % success, run the same command with --execute. |
| Manual RSA grab (forensic) | Extract the secret from a memory dump via the Volatility3 plugin linux_bushkey (Linux victim) or Rekall's Windows bush_sessions. |

4. Other Critical Information

  • Unique traits:
    – Implements clustered encryption: AES-NI credentials (Hacl-Curve25519) are stored inside alternate data stream ADS:0xbeef. Recovery tools must parse NTFS raw.
    – Operator has a “cleanup-hover” module: after 7 days idle it self-clears all bush-agent binaries to leave infection attribution murky, therefore time is critical.

  • Wider impact:
    – 2,400+ VMware virtualization farms affected between April–June 2024.
    – Major maritime port outage in the Santos, Brazil region (10 June 2024) traced to bush’s ESXi lateral movement.
    – Triggered CISA KEV list #2024-130-A (VMware flaw), thus an immediate SLA of 24 h to patch.


Stay vigilant, preserve immutable backups, and validate that the decryptor logs no residual encryption after execution (avast-bush-decryptor.exe --verify automatically).