Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – New ‘Brrr’ Variant of Dharma Ransomware released
September 17, 2018Rewterz Threat Advisory – Oracle VM Server for x86 update for kernel-uek
September 17, 2018
A recent version Kraken Cryptor 1.5 poses as SuperAntiSpyware program, to manipulate users into installing it.
IMPACT: CRITICAL
PUBLISH DATE: 17-09-2018
OVERVIEW:
August 2018 saw the advent of a newer ransomware called Kraken Crypto, whose latest version Kraken Crypto 1.5 masquerades as the legitimate SuperAntiSpyware anti-malware program so users may be tricked into installing it. Once your files are encrypted, there’s no free way of getting them decrypted.
ANALYSIS:
All this fiasco started when someone with a malicious intent got access to the superantispyware.com site and distributed the ransomware from there.
The Kraken Cryptor installer spotted by VirusTotal was called SUPERAntiSpywares.exe which is an imitation of the original super anti-spyware filename with an additional s. However, this malicious executable has now been removed from the website. Not only the filename, but the ransomware also uses the icon of the SuperAntiSpyware.
People who were redirected to SUPERAntiSpywares.exe executable and installed it, found their computer files encrypted due to an easily exportable embedded configuration file containing a list. It contained a detail of modules and if they are enabled, processes to stop, the public encryption key, emails, ransom prices, extensions to encrypt, files and folders to be skipped, countries and languages that won’t be encrypted, and more.
A portion of this configuration is given below.
- The ransomware will create a file called C:\ProgramData\Safe.exe and execute it.
- This program will then enumerate a list of all the Event Viewer logs and redirect the output to the C:\ProgramData\EventLog.txt file.
- The program will then remove all the logs listed in the Eventlog.txt.
- Kraken Cryptor will also check the language and location of the victim, and if in the following countries, will not encrypt computers running on languages from Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Brazil.
- Any processes that disable file encryption by keeping databases open will then be stopped.
These include:
agntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, ocomm, ocssd, oracle, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, sqlwb, synctime, tbirdconfig, and xfssvccon
- After terminating these processes, the ransomware will scan and encrypt files with the following extensions.
- The ransomware will also download SDelete from the Sysinternals site and execute a batch file called release.bat which will clear up the SDelete and overwrite all free space of drive with zeros so that file recovery gets harder.
- It will also cause the computer to shut down, disable Windows startup recovery, delete Windows backups, and delete shadow volume copies. In rare cases, the shadow volume copies can still be recovered to gain backup.
INDICATORS OF COMPROMISE
Hash:
- SHA256: 9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14
Files:
- C:\ProgramData\Safe.exe
- C:\ProgramData\EventLog.txt
- # How to Decrypt Files.html (the ransom note which is found in every folder)
The ransom note contains a unique victim key and instructions on how to make a 0.125 bitcoin ransom payment.
Associated emails:
- shortmangnet@420blaze.it
- BM-2cUEkUQXNffBg89VwtZi4twYiMomAFzy6o@bitmessage.ch
MITIGATION
- Most ransomware and malicious codes can be avoided through vigilant online behavior.
- Never trust an email attachment if it’s not from a verified source.
- Always keep a reliable and tested backup of your data elsewhere.
- Install good quality security software or consult a known information security firm for your security needs.
- Avoid downloading or installing unverified software from elsewhere.
- Enforce strict policies for account lock out to save it from brute force.
- Make sure all software are updated to avoid all security vulnerabilities coming from outdated software.