
Rewterz Threat Alert – Maze Ransomware – Active IOCs

September 6, 2021

Severity

High

Analysis Summary

Maze ransomware has been found active in the wild again. The initial infection vector is once more a phishing email carrying a macro-embedded Word document. When the macro is enabled, it reads content from form boxes to identify the URL hosting the next-stage payload and retrieves it using either the URLDownloadToFileA() function or PowerShell. The second stage is a crypter that performs file and command-line argument checks before loading a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shellcode whose only job is to inject the DLL payload into memory.

On initial execution the payload performs anti-debugging, anti-analysis, and location checks. It then makes its first C2 check-in to a hardcoded IP address, sending the username, computer name, and OS version to the attacker. Next, it enumerates the folders, files, and drives to be encrypted, generates the encryption key, and deletes backup files such as volume shadow copies. With these steps complete, encryption begins using the ChaCha algorithm, with the ChaCha key itself encrypted using RSA.

Maze has also been distributed via exploit kits. In other campaigns it was spread in the post-initial-access phase; in that case the loader was a Maze affiliate called SNOW, and access was gained through brute-force attacks, SMB exploitation, and RDP attacks. Earlier this year Maze also hit the Bank of Costa Rica and the state-owned oil company of Algeria.

Impact

  • Exposure of sensitive data
  • Information theft
  • File encryption

Indicators of Compromise

MD5

  • 61b32a82577a7ea823ff7303ab6b4283

SHA-256

  • 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

SHA-1

  • 9107c719795fa5768498abb4fed11d907e44d55e

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
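One way to carry out the IOC search recommended above, as an added example that is not part of the advisory: a Python sweep that hashes each file once and reports any whose MD5, SHA-1 or SHA-256 matches the indicators listed in this alert. The `_selfcheck` helper and its constructed sample file are assumptions added for demonstration.

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from the advisory above (MD5, SHA-1, SHA-256 of the Maze sample).
MAZE_IOCS = {
    "61b32a82577a7ea823ff7303ab6b4283",
    "9107c719795fa5768498abb4fed11d907e44d55e",
    "4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, reading it only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs=MAZE_IOCS):
    """Walk `root` and return [(path, matched_digest)] for every file whose
    MD5, SHA-1 or SHA-256 is in `iocs`. Unreadable files are skipped, not fatal."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked, vanished or permission-denied file
            for digest in digests:
                if digest in wanted:
                    hits.append((str(path), digest))
                    break
    return hits


def _selfcheck():
    """Constructed sanity check (assumption, not from the advisory): a temp file
    must be reported only when its own digest is placed in the IOC set."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as fh:
            fh.write(b"constructed sample, not malware")
        _md5, sha1, _sha256 = hash_file(p)
        return scan_tree(d) == [] and scan_tree(d, {sha1.upper()}) == [(p, sha1)]


if __name__ == "__main__":
    import sys
    for path, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {digest} {path}")
```

Run it against a mount point or user profile directory; the hashes are lowercased before matching, so indicators copied in upper case still match.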
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.