November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Advisory – McAfee ePolicy Orchestrator Multiple Vulnerabilities
July 9, 2019Rewterz Threat Advisory – Multiple Vulnerabilities in Mozilla Firefox Could Allow Arbitrary Code Execution
July 10, 2019Rewterz Threat Advisory – McAfee ePolicy Orchestrator Multiple Vulnerabilities
July 9, 2019Rewterz Threat Advisory – Multiple Vulnerabilities in Mozilla Firefox Could Allow Arbitrary Code Execution
July 10, 2019
Severity
High
Analysis Summary
A new family of ransomware named LooCipher has emerged. The researchers note that LooCipher’s functionality is not significantly different than other ransomware families. Infection of the victim is achieved through emails with attached Word documents (.DOCM) that contain macros that download the ransomware. The documents contain a single line of text which states “ENABLE MACROS TO VIEW THIS DOCUMENT”. When executed, the ransomware scans files on the system and then encrypts all files except those in the Windows system and programs folders. When the encryption process is completed, the ransomware provides information to the victim, including instructions on how to make payment for the decryption key. The instructions note that the victim has only five days to pay or the decryption key will be destroyed, making the files unrecoverable. The ransomware sends the victim’s details to a C&C server on the TOR network. From there it also provides the Bitcoin address to make payments to. Communication with the TOR network is conducted through proxy services which avoids the ransomware having to install TOR libraries on the victim system. A new Bitcoin address is created each time the ransomware contacts the C&C server. However, there are also hard coded wallet addresses in case the C&C server cannot be contacted. Unusually, the ransomware is also the decryptor, but it requires that the C&C server confirms payment has been received before it can function in the decryption mode.
Impact
File encryption
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
- ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd
- e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486
- 43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49
- 924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/ attachments sent by unknown senders.