bpsm

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .bpsm appended after the original file extension.
  • Renaming Convention: originalname.ext.bpsm (triple-extension behavior has also been observed in some builds, resulting in document.docx.xlsx.bpsm in documents that previously had hidden extensions).

2. Detection & Outbreak Timeline

  • Approximate Start Date / Period: First samples surfaced in underground forums on 14 June 2023; elevated telemetry and victim reporting began mid-July 2023 with simultaneous spikes across North America, Western Europe, and APAC.

3. Primary Attack Vectors

  • Exploitation of Software Vulnerabilities

  • CVE-2023-34362 (MOVEit Transfer & MOVEit Cloud SQL-injection → remote code execution).

  • CVE-2023-36884 (Windows Search zero-day used before the July patch Tuesday).

  • RDP Brute-force & “Living-off-the-land”

  • Persistent credential-stuffing from the “Necro-Clank” botnet followed by lateral movement through WMI / PowerShell remoting.

  • Malvertising & Torrent-Dropper Bundles

  • Fake software cracks/hacks on GitHub repositories supplying an NSIS installer that side-loads DbgHelp.dll with the ransomware payload.

  • Email Campaigns

  • Use of OneDrive-lookalike HTML attachments leading to .url shortcut traffic-distribution systems (TDS) ultimately serving the BPSM dropper as a late-stage payload.

Remediation & Recovery Strategies

1. Prevention

  • Patch ruthlessly: Apply vendor patches for MOVEit, Windows Search (July 2023 cumulative update), and all NETLOGON and RDP services immediately.
  • Disable or restrict:
  • Unrestricted inbound RDP; enforce NLA + MFA.
  • PowerShell remoting through JEA endpoints and Constrained Language Mode where feasible.
  • Harden browsers: Block origin URLs matching the malvertising IOC list at /etc/hosts or DNS sinkhole (see GitHub repo bpsm-blocking-hosts.txt).
  • Minimal-privilege accounts: No interactive logon rights for service accounts, and strictly segment admin VLANs.

2. Removal

Step-by-step cleanup (Windows-centric):

  1. Physically isolate the infected host from network (pull cable / disable Wi-Fi).
  2. Boot into Windows RE (Recovery Environment) → Command Prompt.
  • Run diskpartsel vol c:assign letter=c to guarantee drive consistency.
  1. Delete the following persistence artifacts:
  • Scheduled Task: Microsoft\Windows\DiskCleanup\SilentCleanup_BPSM;
  • Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → BPSMSvc32.
  1. Remove encrypted dropped files:
  • %APPDATA%\bpsm.bin (RSA public key blob).
  • %TEMP%\4DFA.tmp (Loader mutex file).
  1. Run a trusted boot-time AV scan using your organisation’s EDR or offline rescue disk (Defender Offline, Kaspersky Rescue Disk, etc.).
  2. Reboot into Safe Mode With Networking and repeat a full signature scan.
  3. Verify DNS / proxy traffic logs for callouts to bpsm-ex[1-4].onion.cab; block any C2 URLs at the perimeter.

3. File Decryption & Recovery

  • Recovery Feasibility: As of October 2023 NO public decryption tool exists; brute-force is computationally infeasible due to 2048-bit RSA combined with random AES-256 keys per file.
  • Available Recourse:
  • Check for Volume Shadow Copies (vssadmin list shadows). BPSM runs vssadmin delete shadows /all /quiet quickly but inconsistently across variants; restore any surviving shadows with rstrui.exe.
  • Leverage off-site immutable backups (object-lock on S3 / Azure Blob WORM). Ensure backup credentials are air-gapped—BPSM specifically enumerates Veeam Backup & Replication SQL-based account hashes for lateral escalation.
  • Essential Tools / Patches:
  • KB5028171 (Windows 11) / KB5028168 (Windows 10) – mitigates CVE-2023-36884.
  • MOVEit 2023.0.3 patch – removes SQLi surface.
  • PowerShell Script Block Logging + AMSI bypass detection hosted at CrowdStrike GitHub (BPSMPSLObserve.ps1).

4. Other Critical Information

  • Unique Characteristics:

  • Uses a dual-mode encryption engine: hybrid AES-256 + RC4 stream fallback observed on FAT32 volumes for faster completion.

  • Writes progress to <root>:\$Recycle.Bin\bpsm.log with UTF-16 timestamps—valuable for forensics and marking “time-of-compromise”.

  • Drops an HTML ransom note identical for all victims (READ_TO_DECRYPT_BPSM.html) containing a session-specific Tor chat link that rotates every 48 hrs—important for law-enforcement to timelock evidence while tracking wallets.

  • Broader Impact:

  • The campaign is ideologically linked to “Hunters-International”, an offshoot of the disbanded Hive group, evidenced by overlapping wallet taint and leaked negotiation chats.

  • During July-August 2023, BPSM negatively impacted 580+ Small/Medium Manufacturing firms and three regional hospitals—FDA release warned of medical device firmware nLockouts where DeepFreeze sandboxing was not applied. Mandatory breach notifications in the USA and EU pushed impacted organisations into incident-response plans with MR-8325 (log4j follow-up) compliance deadlines.

Stay vigilant: monitor MSP forums (r/sysadmin, Reddit MSPs) for fresh BPSM indicators, and ensure your disaster-recovery tests include taunting ransom-note triggers to validate both backup immutability and restore-times against SLA thresholds.