Rewterz Threat Alert – Maze Ransomware – Active IOCs

Severity

High

Analysis Summary

Maze ransomware is found active in the wild again. The initial infection vector is again a phishing email with an attached macro-embedded Word document. When enabled, the macro uses content from form boxes to identify the URL hosting the next stage payload and leverages either the URLDownloadToFileA() function or PowerShell to retrieve it. The second stage is a crypter that performs file and command-line argument checks before proceeding to load a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shell code. The shellcode is simply responsible for injecting the DLL payload into memory. Upon initial execution, anti-debugging, anti-analysis, and location checks are performed. The first C2 check-in to a hardcoded IP is then performed, which sends the username, computer name, and OS Version to the attacker. Next, it identifies folders, files, and drives to be encrypted, creates the encryption key, and deletes backup files such as volume shadow copies. With these steps complete, encryption begins using the Cha-Cha algorithm with its key encrypted using RSA. Maze has also been distributed via exploit kits. In other campaigns, Maze was found being spread in post initial access phase. The loader this time was a Maze affiliate called SNOW. Access is gained through brute force attacks, SMB exploitation and RDP attacks. Maze has also hit the Bank of Costa Rica, and the State-owned oil Company of Algeria, earlier this year.

Impact

• Expose of sensitive data
• Information Theft
• Files Encryption

Indicators of Compromise

MD5

• 61b32a82577a7ea823ff7303ab6b4283

SHA-256

• 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

SHA1

• 9107c719795fa5768498abb4fed11d907e44d55e

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.