Rewterz Threat Alert – Maze Ransomware – Active IOCs

Severity

High

Analysis Summary

Maze ransomware is found active in the wild again. The initial infection vector is again a phishing email with an attached macro-embedded Word document. When enabled, the macro uses content from form boxes to identify the URL hosting the next stage payload and leverages either the URLDownloadToFileA() function or PowerShell to retrieve it. The second stage is a crypter that performs file and command-line argument checks before proceeding to load a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shell code. The shellcode is simply responsible for injecting the DLL payload into memory. Upon initial execution, anti-debugging, anti-analysis, and location checks are performed. The first C2 check-in to a hardcoded IP is then performed, which sends the username, computer name, and OS Version to the attacker. Next, it identifies folders, files, and drives to be encrypted, creates the encryption key, and deletes backup files such as volume shadow copies. With these steps complete, encryption begins using the Cha-Cha algorithm with its key encrypted using RSA. Maze has also been distributed via exploit kits. In other campaigns, Maze was found being spread in post initial access phase. The loader this time was a Maze affiliate called SNOW. Access is gained through brute force attacks, SMB exploitation and RDP attacks. Maze has also hit Bank of Costa Rica, and State-owned oil Company of Algeria, earlier this year.

Impact

• Expose of sensitive data
• Information Theft
• Files Encryption

Indicators of Compromise

MD5

• 79ea80113e6e5f5b2c000db1e4c835b2

SHA-256

• 3008d377a3e6464b6023bcddf33ef7498d46ad806b0c667ee6933ef71f167adf

SHA1

• c23095c01599c417abe53d7fac3f6b6b7b09efcb

Remediation

• Block all threat indicators at their respective controls.
• Search for IOCs in your environment.