Archive for May, 2019

Rewterz Threat Advisory – Oracle Solaris Multiple Third Party Components Multiple Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2019-0211
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CVE-2019-0217
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

CVE-2019-0215
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVE-2019-0199
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

CVE-2017-16541
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

CVE-2019-6975
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.

CVE-2019-9813
Incorrect handling of proto mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

CVE-2018-18494
A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.

CVE-2018-1000876
binutils version 2.32 and earlier contains an Integer Overflow vulnerability in objdump (bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc) in which the integer overflow triggers a heap overflow. Successful exploitation allows execution of arbitrary code. This attack appears to be exploitable locally. This vulnerability appears to have been fixed after commit 3a551c7a1b80fca579461774860574eabfd7f18f.

CVE-2018-12392
When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

CVE-2018-12377
A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.

CVE-2019-6234
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-12390
Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

CVE-2019-6233
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-10534
The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.

CVE-2018-18505
An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

CVE-2019-6216
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-5187
Memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.

CVE-2018-18499
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.

CVE-2018-12367
In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.

CVE-2016-5824
libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.

CVE-2018-12391
During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

CVE-2019-3498
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

CVE-2018-12376
Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.

CVE-2018-18500
A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

CVE-2018-12393
A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. Note: 64-bit builds are not vulnerable to this issue. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

CVE-2019-6212
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-18493
A buffer overflow can occur in the Skia library during buffer offset calculations with hardware accelerated canvas 2D actions due to the use of 32-bit calculations instead of 64-bit. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.

CVE-2018-17466
Incorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2018-1116
A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows testing for authentication and triggering authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.

CVE-2018-12361
An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.

CVE-2013-4288
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.

CVE-2019-6116
In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution.

CVE-2018-18501
Mozilla developers and community members reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

CVE-2019-9810
Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

CVE-2018-12378
A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.

CVE-2019-6226
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2019-6229
A logic issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to universal cross site scripting.

CVE-2018-18509
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren’t covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.

CVE-2019-6227
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-18356
An integer overflow in path handling led to a use after free in Skia in Google Chrome prior to 71.0.3578.80, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2018-12405
Mozilla developers and community members reported memory safety bugs present in Firefox 63 and Firefox ESR 60.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.

CVE-2018-12389
Mozilla developers and community members reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.3 and Thunderbird < 60.3.

CVE-2019-6215
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-5156
A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

CVE-2019-6217
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2018-18492
A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select element in the options collection. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.

The following CVEs have also been reported, with descriptions matching those given above.

CVE-2019-0197

CVE-2019-0196

CVE-2019-0220

CVE-2018-12371

CVE-2019-5785

Impact

  • Denial of Service
  • Privilege escalation
  • Security Bypass
  • System access
  • Spoofing
  • Cross Site Scripting

Affected Vendors

Oracle

Affected Products

  • Oracle Solaris 10.x
  • Oracle Solaris versions prior to 11.4 SRU 9

Remediation

Apply update.
https://support.oracle.com/rs?type=doc&id=1448883.1

For Oracle Solaris versions prior to 11.4 SRU 9:

Update to version 11.4 SRU 9.


Rewterz Threat Alert – JasperLoader Malware Targeting Italian Financial Sector

Severity

Medium

Analysis Summary

Over the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. JasperLoader is under continued development, and newer updates show signs of antivirus and sandbox evasion techniques. The initial infection vector is phishing emails written in Italian. These emails contain .zip files with .vbs (Visual Basic Scripting) files inside them. The .vbs file contains highly obfuscated code that uses PowerShell to retrieve and execute the additional stages of the campaign's malware. The final stage installs persistence mechanisms such as .lnk files in the Windows Startup folder and scheduled tasks that reinstall/re-infect the target machine. Additional features of the malware include "geofencing" to limit infections to a specific geographical area.

Impact

Loss of sensitive information

Indicators of Compromise

URLs

  • breed.wanttobea.com
  • zzi.aircargox.com
  • nono[.]littlebodiesbigsouls[.]com
  • tribunaledinapoli[.]recsinc[.]com
  • tribunaledinapoli[.]prepperpillbox[.]com
  • tribunaledinapoli[.]lowellunderwood[.]com
  • tribunaledinapoli[.]rntman[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent from unknown senders.
  • Never click on the link/ attachments sent by unknown senders.

Rewterz Threat Alert – MySQL Servers Subjected to GandCrab Attack

Severity

Medium

Analysis Summary

A US-based system used SQL commands on a Linux server running MySQL to upload a DLL file to the server which was then invoked as a database function to download a GandCrab payload from a system based in Quebec, Canada.

SQL attack explained

The first stage of the attack involved the attacker connecting to the database server and establishing that it was running MySQL. The honeypot emulates MySQL, so the rest of the attack went relatively smoothly.

Next, the attacker used the “set” command to upload all the bytes that make up the helper DLL, in the form of a long string of hexadecimal characters, into memory in a variable.

Then the attacker wrote out the contents of that variable to a database table it created, named yongger2.

The attacker then issued a command to the server to concatenate those bytes into one file, and drop them into the server’s plugin directory. We also observed several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features.

The DLL appears to add three functions to the database, named xpdl3, xpdl3_deinit, and xpdl3_init and has been observed to be a component file in a lot of malicious toolkits.

The attacker issues SQL commands to drop the yongger2 table, deleting the record of the file's trajectory through the server, and also to drop the function named xpdl3, if one already exists. Finally, it uses the following SQL command to create a new database function (also called xpdl3) that invokes the DLL.

Having delivered the helper DLL into the database server’s plugin directory and initialized it, the attacker issues this SQL command to the server, invoking the newly-added xpdl3 function.

If everything works, the database server downloads the GandCrab payload from the remote machine and drops it in the root of the C: drive with the name isetup.exe and executes it.
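The sequence described above (a hex blob loaded into a user variable, staged in a table, written into the plugin directory, registered with CREATE FUNCTION, and the staging table dropped) leaves a recognisable trail in MySQL's general query log. The following Python script is an added example, not code from the advisory or from Sophos, that flags that trail per connection. The log lines are constructed for the example; the table name yongger2 and the function name xpdl3 come from the advisory, while the DLL file name helper.dll, the client address, timestamps and paths are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of MySQL general-query-log lines (not from the advisory).
# Layout mimics the general log: timestamp, connection id, command, argument.
SAMPLE_LOG = r"""
2019-05-20T10:01:02.000000Z    7 Connect   root@203.0.113.5 on  using TCP/IP
2019-05-20T10:01:03.000000Z    7 Query     SET @a = 0x4d5a90000300000004000000ffff0000
2019-05-20T10:01:04.000000Z    7 Query     CREATE TABLE yongger2 (data LONGBLOB)
2019-05-20T10:01:05.000000Z    7 Query     INSERT INTO yongger2 VALUES (@a)
2019-05-20T10:01:06.000000Z    7 Query     SELECT data FROM yongger2 INTO DUMPFILE 'C:\mysql\lib\plugin\helper.dll'
2019-05-20T10:01:07.000000Z    7 Query     DROP FUNCTION IF EXISTS xpdl3
2019-05-20T10:01:08.000000Z    7 Query     CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'helper.dll'
2019-05-20T10:01:09.000000Z    7 Query     DROP TABLE yongger2
2019-05-20T10:02:00.000000Z    8 Query     SELECT id, name FROM customers WHERE id = 42
"""

@dataclass
class LogEntry:
    timestamp: str
    conn_id: int
    command: str
    argument: str

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

# Stage signatures. The hex-literal length threshold (32 digits) is a tunable
# assumption; a real DLL payload is several orders of magnitude longer.
HEX_BLOB_RE = re.compile(r"\bSET\s+@\w+\s*=\s*0x[0-9a-fA-F]{32,}", re.I)
FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']*)'", re.I)
CREATE_UDF_RE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)
STAGE_INSERT_RE = re.compile(r"\bINSERT\s+INTO\s+(\w+)\s+VALUES\s*\(\s*@\w+\s*\)", re.I)
DROP_TABLE_RE = re.compile(r"\bDROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(\w+)", re.I)

def parse_general_log(text):
    """Parse general-log lines into LogEntry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries

def classify_query(query, staging_tables):
    """Return the set of UDF-loading stages one query matches.
    staging_tables is per-connection state: tables that received a user-variable payload."""
    stages = set()
    if HEX_BLOB_RE.search(query):
        stages.add("hex_blob_set")
    m = FILE_WRITE_RE.search(query)
    if m:
        stages.add("file_write")
        # Normalise slashes before checking the target: the advisory notes the
        # attacker swapping forward slashes and backslashes in the path.
        path = m.group(1).replace("\\", "/").lower()
        if "/plugin/" in path or path.endswith("/plugin"):
            stages.add("file_write_plugin_dir")
    if CREATE_UDF_RE.search(query):
        stages.add("create_udf")
    m = STAGE_INSERT_RE.search(query)
    if m:
        staging_tables.add(m.group(1).lower())
        stages.add("payload_staged_in_table")
    m = DROP_TABLE_RE.search(query)
    if m and m.group(1).lower() in staging_tables:
        stages.add("staging_table_dropped")
    return stages

def analyse(entries):
    """Group queries by connection and return {conn_id: {"stages": set, "verdict": str}}."""
    per_conn = defaultdict(lambda: {"stages": set(), "staging_tables": set()})
    for e in entries:
        if e.command != "Query":
            continue
        state = per_conn[e.conn_id]
        state["stages"] |= classify_query(e.argument, state["staging_tables"])
    report = {}
    for conn_id, state in per_conn.items():
        stages = state["stages"]
        # CREATE FUNCTION ... SONAME alone is decisive; a hex blob written into the
        # plugin directory is treated as equivalent even if the CREATE was missed.
        if "create_udf" in stages or {"hex_blob_set", "file_write_plugin_dir"} <= stages:
            verdict = "udf_load_suspected"
        elif stages:
            verdict = "review"
        else:
            verdict = "benign"
        report[conn_id] = {"stages": stages, "verdict": verdict}
    return report

if __name__ == "__main__":
    for conn_id, result in sorted(analyse(parse_general_log(SAMPLE_LOG)).items()):
        print(conn_id, result["verdict"], sorted(result["stages"]))
```

Connection 7 is reported as udf_load_suspected with every stage present, while connection 8 stays benign. In production the same rules can run against audit-plugin output instead of the general log; CREATE FUNCTION ... SONAME and INTO DUMPFILE writes under the plugin directory are rare enough in legitimate traffic that each alone is worth an alert, and setting secure_file_priv to a directory other than plugin_dir removes the file-write step altogether.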

Impact

File encryption

Indicators of Compromise

IP(s) / Hostname(s)

  • 148[.]72[.]171[.]83
  • http[:]//172[.]96[.]14[.]134[:]5471/3306-1[.]exe

Malware Hash (MD5/SHA1/SHA256)

  • c83bf900eb759e5de5c8b0697a101ce81573874a440ac07ae4ecbc56c4f69331
  • 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6
  • 1f86561ca8ff302df2a64e6d12ff530bb461f9a93cf9b7c074699e834f59ef44

Affected Vendors

Oracle

Affected Products

MySQL

Remediation

Block all threat indicators at your respective controls.


Rewterz Threat Alert – Email Campaign Distributing the Lokibot

Severity

Medium

Analysis Summary

A recently discovered email campaign distributes the Lokibot malware via an .XLS attachment. A potential victim receives an email with the subject "BBVA-Confirming transferencia de pago" (translated: "BBVA-Confirming payment transfer"). The sender was observed as "BBVA Banco Continental pago1[@]expomaquinaria[.]es". Within the body of the email, the adversary attempts to entice the user to open the attachment "Detalles de la transferencia de pago.xls" to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim's system. It reportedly abuses the NGROK service to establish a secure tunnel and download the malware from the cloud, which makes detecting the malware extremely difficult.

Fake BBVA email

Indicators of Compromise

IP(s) / Hostname(s)

  • 3[.]19[.]114[.]185
  • 185[.]55[.]225[.]242

URLs

  • http[:]//vbtz[.]cf/BOSCO/five/fre[.]php
  • http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
  • http[:]//treatascholars[.]com/wp-includes/danc/fre[.]php
  • http[:]//8d2aef60[.]ngrok[.]io/boom/Banco%20Sabadell%20Prueba%20De%20Pago[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/Both/taco[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/mine/gutty[.]exe
  • 8d2aef60[.]ngrok[.]io
  • khialimiab[.]ir

Email Address

pago1@expomaquinaria.es

Email Subject

BBVA-Confirming transferencia de pago

Malware Hash (MD5/SHA1/SHA256)

  • 28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
  • 38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
  • ef9e761e57bb2cec574b3d4e8804eeb878f55f42
  • ca02a3030dd507a0e29527f84448aed6

Remediation

  • Block all threat indicators at your respective controls
  • Always be suspicious about emails sent by unknown senders
  • Never click on link/attachments sent by unknown senders


Rewterz Threat Alert – New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices

Severity

Medium

Analysis Summary

A new variant of Mirai exploits a large number of vulnerabilities. This variant leverages 13 different vulnerabilities targeting routers, surveillance products, and other IoT devices. Although all of these vulnerabilities have been seen in various Mirai variants, this is the first variant containing exploits for all 13. Once exploited, a victim device connects to both its C2 and a few downloader/dropper URLs. It then spreads to other devices on the network by scanning for and exploiting detected vulnerabilities or by performing brute force attacks.

Indicators of Compromise

URLs

  • http[:]//32[.]235[.]102[.]123
  • http[:]//ililililililililil[.]hopto[.]org/love[.]sh
  • http[:]//ililililililililil[.]hopto[.]org/shiina/tmp[.]arm7
  • http[:]//ililililililililil[.]hopto[.]org/shiina/tmp[.]mips

Malware Hash (MD5/SHA1/SHA256)

  • c15382bc81e1bff4cf03d769275b7c4d2d586a21e81ad4138464d808e3bb464c

Remediation

  • Block all threat indicators at your respective controls.

Rewterz Threat Alert – Indicators of Compromise – GetCrypt Ransomware

Severity

High

Analysis Summary

A new ransomware family called GetCrypt is being distributed through malvertising campaigns. The campaigns redirect users to a site hosting the RIG exploit kit, which attempts to exploit vulnerabilities found on the computer. Successful exploitation leads to the download of the GetCrypt ransomware, which first checks the victim host's language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it does not terminate, it first clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms. A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares requiring additional authentication.

GetCrypt Ransom Note

GetCrypt will also change your desktop background to the following image.

GetCrypt Wallpaper

Impact

  • File encryption
  • Loss of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)

  • 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169

Remediation

Block all threat indicators at your respective controls.


Copyright © Rewterz. All rights reserved.