Severity
High
Analysis Summary
DeathRansom has finally succeeded at encrypting files. At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives. To enumerate network resources, the malware uses standard Windows APIs (WNetOpenEnumW, WNetEnumResourceW, etc.). It recursively walks the network resources until it reaches an ordinary directory, which it then processes in the same way as a local directory (processDir).
The following alterations have been made:
- Important Windows folders (Program Files, Windows, etc.) are excluded to avoid rendering the system unusable.
- Similar checks are also applied to individual files.
- DeathRansom also avoids “encrypting” system files (ntuser.dat, etc.).
The new version of this ransomware encrypts files using a combination of the Curve25519 algorithm for Elliptic Curve Diffie-Hellman (ECDH) key exchange, Salsa20, RSA-2048, AES-256 in ECB mode, and a simple block XOR algorithm.
Impact
File encryption
Indicators of Compromise
Domain name
- scat01[.]mcdir[.]ru
- gameshack[.]ru
- scat01[.]tk
MD5
SHA-256
URL
- hxxp://iplogger[.]org/1Zqq77
- hxxps://iplogger[.]org/1Zqq77
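As an added example, not part of the Rewterz advisory: a small Python sweep that refangs the domain and URL indicators listed above and matches them against proxy-log lines. The log format and the sample lines are constructed assumptions; the iplogger.org indicators are matched as full URLs only, since the host is a shared service.

```python
import re
from urllib.parse import urlparse

# Indicators from the advisory, kept in their defanged form.
DEFANGED_DOMAINS = ["scat01[.]mcdir[.]ru", "gameshack[.]ru", "scat01[.]tk"]
DEFANGED_URLS = ["hxxp://iplogger[.]org/1Zqq77", "hxxps://iplogger[.]org/1Zqq77"]

def refang(indicator: str) -> str:
    """Undo common defanging: '[.]' -> '.', leading 'hxxp' -> 'http'."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE).lower()

WATCH_HOSTS = {refang(d) for d in DEFANGED_DOMAINS}
# The iplogger.org URLs are matched as full URLs only: the host is a shared
# service, so flagging every request to it would drown the signal.
WATCH_URLS = {refang(u) for u in DEFANGED_URLS}

def host_matches(host: str) -> bool:
    """True for an exact listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WATCH_HOSTS)

# Constructed proxy-log format (assumption): <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (client_ip, url) for every line that touches a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _, client, _, raw_url, _ = m.groups()
        url = raw_url.lower()
        host = urlparse(url).hostname or ""
        if url in WATCH_URLS or host_matches(host):
            hits.append((client, raw_url))
    return hits

# Constructed sample log: two direct hits, a subdomain hit, and two benign lines.
SAMPLE_LOG = [
    "2020-01-03T10:12:01Z 10.0.0.21 GET https://iplogger.org/1Zqq77 200",
    "2020-01-03T10:12:05Z 10.0.0.21 GET http://scat01.mcdir.ru/update.bin 200",
    "2020-01-03T10:13:00Z 10.0.0.33 GET https://www.example.com/ 200",
    "2020-01-03T10:14:00Z 10.0.0.40 GET https://iplogger.org/other 200",
    "2020-01-03T10:15:00Z 10.0.0.40 GET http://cdn.gameshack.ru/x.exe 404",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"IOC hit: {client} -> {url}")
```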
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached to untrusted emails.
- Do not download software from untrusted sources on the internet.