Rewterz Threat Alert – Egregor Ransomware – Continued Malicious Activities

Severity

High

Analysis Summary

Egregor is part of the Sekhmet malware family that has been active since mid-September 2020. It targets organizations across the world. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and finally demanding ransom in exchange of decrypted documents. Allegedly, 52 companies have been breached by the threat actor till today. 

Unfortunately, there are no third-party tools that can decrypt files encrypted by this threat actor considering that the user needs a private key from the hacker server to decrypt the files. The cyber criminals behind this ransomware are the only ones with the decryption software and key. Attached below is part of the ransom note that tries to convince a victim into paying a ransom amount. 

According to their ransom notes, if the ransom is not paid by the company within 3 days, then aside from leaking part of the stolen data, they will distribute it via mass media where the company’s partners and clients will know that the company was attacked. The analyzed sample has many anti-analysis techniques in place, such as code obfuscation and packed payloads. Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided.

Below is the list of companies whose data has been leaked by this Ransomware threat actor.

Impact

• Files Encryption
• Exposure of sensitive information
• Confidentiality breach

Indicators of Compromise

Hostname

• crt[.]sectigo[.]com

MD5

• 72d118b8e7560cc99c894d985d2c2978
• 1cc47a49ac4082cd78244ca46a8eef4d
• 43445fbe21cf3512724646a284d3e5d7
• 6a04bfcc5465b0164eed89b28f61a787
• 49a6fb8ee6a08459a404b27f9e2b868b
• 1cce0c0d67fe7f51f335a12138698403
• 1cca16fe0ccf7e856dba71c8959865ad
• c2b848832283e7b8d8f72909da729bc0
• b9dcee839437a917dde60eff9b6014b1
• b554791b5b161c34b0a7d26e34a88e60
• 1c268458ec2e4b3f93241eb7fa5dba22
• 53c9924df26b5043f91352f59a9ffe9f
• d1bd2fed0f6947dcb23e4c3da98a772e

SHA-256

• f1ba626b8181bd1cd84f47f70838d9fa4d8117fac3bd07cbd73cb6f73b1297f8
• b81d2293b43decd5a401487da952deb32cbb53f118882b97b457a14c67029247
• 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
• 9fffabede0ef679970666f04184340437cd70bc8fe870ee8174713ececf32398
• 7222c8acc69a7598989c335d528b366f801a41b434cbf928c6aef01f8e54f57a
• c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906
• 561092877e91f2741ed061cbe7a57d1af552b600c6654ccc588cb6bff7939152
• c9d46c319ed01c183598f7b9a60b9bca34b2eea989f4659e9aa27c7a1bf8681c
• 2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946
• 7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18
• 072ab57f9db16d9fb92009c8e10b176bd4a2eff01c3bc6e190020cf5a0055505
• b027467332243c8186e59f68ff7c43c9e212d9e5074fedf003febcfedad4381a
• 605c2047be7c4a17823ad1fa5c1f94fd105721fce3621dc9148cd3baf352938e

SHA1

• 3fd4783920dac610052c9e135cd52b81d3876c6b
• 21e64bfccb226adcef4754213e29b0c09551f470
• 07d4bcb5b969a01fb21dc28e5cb1b7ceb05f2912
• 6b32973458045540fd6482bcb2e16dcd718485c9
• 5da8a11917e18dbf81033f973c0a2f0d8854e43b
• 7bc6c2d714e88659b26b6b8ed6681b1f91eef6af
• 38d3658ec45e949623278a8174981d18174ea91a
• 013f1f3f2a306f3f0f94b48f949325a70a997746
• 069ef8443df750e9f72ebe4ed93c3e472a2396e2
• ac634854448eb8fcd3abf49c8f37cd21f4282dde
• 54efafa085ecbe46b09527664944536b99c7c599
• aa2745c2d5ef7dbc239544c69b3e27193fa6049c
• edf4e9b226c9e8935fb38e7c3b864cf93e6d119c

Source IP

• 49[.]12[.]104[.]241
• 91[.]199[.]212[.]52

URL

• http[:]//49[.]12[.]104[.]241[:]81/sm[.]dll
• http[:]//49[.]12[.]104[.]241
• http[:]//49[.]12[.]104[.]241/sm[.]dll

Remediation

• Block the threat indicators at their respective controls.
• Do not download untrusted email attachments coming from unknown email addresses.
• Keep all systems and software updated to latest patched versions.