

Rewterz Threat Alert – Latest AgentTesla Malware – IOCs
June 23, 2020
Rewterz Threat Alert – Increased Office 365 Phishing Campaigns Attacks Related to COVID-19
June 23, 2020
Severity
High
Analysis Summary
A Maze ransomware sample was found as the payload of a phishing campaign. The phishing email carries a Word document with an embedded macro. When enabled, the macro reads content from form boxes to identify the URL hosting the next-stage payload and retrieves it with either the URLDownloadToFileA() function or PowerShell. The second stage is a crypter that performs file and command-line argument checks before loading a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shellcode, whose sole job is to inject the DLL payload into memory. Upon initial execution, the DLL performs anti-debugging, anti-analysis, and location checks. It then makes its first C2 check-in to a hardcoded IP, sending the username, computer name, and OS version to the attacker. Next, it enumerates the folders, files, and drives to be encrypted, creates the encryption key, and deletes backup files such as Volume Shadow Copies. With these steps complete, encryption begins using the ChaCha algorithm, with the ChaCha key itself encrypted using RSA. Maze has also been distributed via exploit kits.
Impact
File encryption
Indicators of Compromise
MD5
- 49b28f16ba496b57518005c813640eeb
- bd9838d84fd77205011e8b0c2bd711e0
SHA-256
- abdb008fc1eda389a471d18befd90d2f0d26d10f99b946da8165d8d44f6142d0
- b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1
SHA-1
- 181cdb33031c3c4fad6fde3dadc327298a38df58
- c5938ec75e5b655be84eb94d73adec0f63fbce16
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your existing environment.