Rewterz Threat Alert – Maze Ransomware – IoCs

Severity

High

Analysis Summary

Maze ransomware is found active in the wild again. The initial infection vector is again a phishing email with an attached macro-embedded Word document. When enabled, the macro uses content from form boxes to identify the URL hosting the next stage payload and leverages either the URLDownloadToFileA() function or PowerShell to retrieve it. The second stage is a crypter that performs file and command-line argument checks before proceeding to load a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shell code. The shellcode is simply responsible for injecting the DLL payload into memory. Upon initial execution, anti-debugging, anti-analysis, and location checks are performed. The first C2 check-in to a hardcoded IP is then performed, which sends the username, computer name, and OS Version to the attacker. Next, it identifies folders, files, and drives to be encrypted, creates the encryption key, and deletes backup files such as volume shadow copies. With these steps complete, encryption begins using the Cha-Cha algorithm with its key encrypted using RSA. Maze has also been distributed via exploit kits.

In other campaigns, Maze was found being spread in post initial access phase. The loader this time was a Maze affiliate called SNOW. Access is gained through brute force attacks, SMB exploitation and RDP attacks. Maze has also hit Bank of Costa Rica, and State-owned oil Company of Algeria,  earlier this year. 

Impact

• Theft of sensitive information
• Credential theft
• Unauthorized code execution
• Files encryption

Indicators of Compromise

From Email

• abusereceive@hitler[.]rocks

MD5

• 910aa49813ee4cc7e4fa0074db5e454a
• 064058cf092063a5b69ed8fd2a1a04fe
• d2dda72ff2fbbb89bd871c5fc21ee96a
• b6786f141148925010122819047d1882
• f5ef96251f183f7fc63205d8ebf30cbf
• deebbea18401e8b5e83c410c6d3a8b4e
• 21a563f958b73d453ad91e251b11855c

SHA-256

• 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a
• 24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063
• f97bda917e52379ae9fe06605e4f120f9c88aebea38d3b4aeb3c21d476ea4d39
• ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
• c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9
• 92125cc9aec53e2e7d0a67e8a53f0d6cb4a33f9ca73243d66b0397d7ddec907e
• 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
• 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b

SHA1

• 45831987fabeb7b32c70f662be8cb24e2efef1dc
• 92b44e52f13bcb097f412a6a61bdc46ac19584c6
• 95c648211372d2a989749c2f78f3a57e300b8cd8
• 7c928fdd5954ba9da5788453ce43a0ff440bf281
• 9e6e19c145cbf359c0a151b38d17e30ccbad6f4b
• 1d696a8231835370c76e199394fe9b05c188bce0
• 96d81e77b6af8f54a5ac07b2c613a5655dd05353
• 64ed4f6b315448d518ed003a1d0c7e56790ef50d

Source IP

• 104[.]168[.]174[.]32
• 149[.]56[.]245[.]196
• 92[.]63[.]32[.]55
• 92[.]63[.]17[.]245
• 92[.]63[.]194[.]20
• 37[.]1[.]210[.]52
• 91[.]218[.]114[.]11
• 91[.]218[.]114[.]38
• 92[.]63[.]29[.]137
• 92[.]63[.]194[.]3
• 92[.]63[.]32[.]2
• 91[.]218[.]114[.]79
• 92[.]63[.]15[.]8
• 91[.]218[.]114[.]4
• 91[.]218[.]114[.]26
• 91[.]218[.]114[.]25
• 104[.]168[.]201[.]35
• 92[.]63[.]8[.]47
• 92[.]63[.]37[.]100
• 192[.]119[.]106[.]235
• 92[.]63[.]15[.]6
• 91[.]218[.]114[.]37
• 92[.]63[.]11[.]151
• 91[.]218[.]114[.]31
• 91[.]218[.]114[.]32
• 91[.]218[.]114[.]77

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems and software updated to latest patched versions against all known security vulnerabilities.
• Maintain a strong password policy.
• Enable multi-factor authentication where possible.