Rewterz Threat Advisory – Multiple vulnerabilities in Adobe ColdFusion
September 25, 2019
Rewterz Threat Alert – Zebrocy Infects Targets with Backdoor hosted on Dropbox
September 25, 2019
Severity
High
Analysis Summary
The file RAND_NAME.exe is an updated version (V.2) of the MegaCortex ransomware. Like version 1 (V.1), this new version is compiled with Microsoft Visual C++ and uses the mbedcrypto library for its file-encryption routines. RAND_NAME.exe is digitally signed with a valid signature from ABADAN PIZZA LTD and acts as a loader for a module named payload.dll, which is embedded in encrypted form within the loader's body. The DLL has two export functions, "start" and "ss2", which the MegaCortex loader uses to carry out its ransomware functionality.
Analysis
RAND_NAME.exe Loader Functionality
Like version 1, this new version of MegaCortex (V.2) is compiled with Microsoft Visual C++ and uses mbedcrypto for its file-encryption routines. The loader binary RAND_NAME.exe is digitally signed with a valid signature from ABADAN PIZZA LTD.
RAND_NAME.exe acts as a loader for an embedded module named payload.dll; the name is taken from the module's own export table rather than from any file on disk, because the module is stored encrypted inside the body of RAND_NAME.exe and never needs a file name there.
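Recovering a module's name and export list from its export table, as the paragraph above describes, is a routine step when an embedded DLL has been decrypted into memory. The following is an added example, not code from Rewterz or from the malware: a minimal parser for the PE export directory (the IMAGE_EXPORT_DIRECTORY Name field and the name/ordinal/function tables), run against a one-section PE32 image that is constructed in memory purely for the demonstration. The constructed image is not the MegaCortex payload; it only reproduces the two export names the advisory reports.

```python
import struct

# Added example (not Rewterz's or the malware's code): parse the PE export
# directory, which is where an embedded module's name ("payload.dll") and its
# export names ("start", "ss2") live. build_sample_dll() constructs a toy image
# for the demo; it is NOT the MegaCortex payload.

def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def _cstr(b, o):
    return b[o:b.index(b"\0", o)].decode("ascii", "replace")

def parse_exports(pe: bytes):
    """Return {'name': <DLL name from export dir>, 'exports': [(name, ordinal, rva)]}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = _u32(pe, 0x3C)                       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = pe_off + 4
    nsec = _u16(pe, coff + 2)
    opt_size = _u16(pe, coff + 16)
    opt = coff + 20
    magic = _u16(pe, opt)
    # Data directories follow the Windows-specific optional header fields:
    # 96 bytes into a PE32 optional header, 112 for PE32+.
    dd = opt + (96 if magic == 0x10B else 112)
    exp_rva = _u32(pe, dd)                         # directory entry 0 = export table
    if exp_rva == 0:
        return None                                # module exports nothing
    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def rva2off(rva):
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    e = rva2off(exp_rva)
    # IMAGE_EXPORT_DIRECTORY from offset 12: Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    name_rva, base, _nfunc, nnames, aof, aon, aoo = struct.unpack_from("<IIIIIII", pe, e + 12)
    exports = []
    for i in range(nnames):
        nm = _cstr(pe, rva2off(_u32(pe, rva2off(aon) + 4 * i)))
        idx = _u16(pe, rva2off(aoo) + 2 * i)       # unbiased index into AddressOfFunctions
        func_rva = _u32(pe, rva2off(aof) + 4 * idx)
        exports.append((nm, base + idx, func_rva))  # exported ordinal = Base + index
    return {"name": _cstr(pe, rva2off(name_rva)), "exports": exports}


def build_sample_dll(dll_name=b"payload.dll", export_names=(b"start", b"ss2")):
    """Constructed one-section PE32 image containing only an export table (toy data)."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    n = len(export_names)
    func_off, names_off = 40, 40 + 4 * n
    ord_off, str_off = names_off + 4 * n, names_off + 6 * n
    strings, str_rvas = bytearray(), []
    for s in (dll_name,) + tuple(export_names):
        str_rvas.append(SEC_RVA + str_off + len(strings))
        strings += s + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rvas[0], 1, n, n,
                                 SEC_RVA + func_off, SEC_RVA + names_off, SEC_RVA + ord_off))
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in str_rvas[1:])               # name RVAs
    body += b"".join(struct.pack("<H", i) for i in range(n))                  # ordinal table
    body += strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<II", opt, 96, SEC_RVA, len(body))                       # export directory
    sec_hdr = b".edata\0\0" + struct.pack("<IIII", len(body), SEC_RVA, len(body), SEC_RAW) + bytes(16)
    img = (dos + coff + opt + sec_hdr).ljust(SEC_RAW, b"\0")
    return bytes(img + body)


if __name__ == "__main__":
    info = parse_exports(build_sample_dll())
    print(info["name"], [e[0] for e in info["exports"]])  # payload.dll ['start', 'ss2']
```

Against a real decrypted module, pass the raw file bytes to parse_exports(); the RVA-to-offset mapping relies on the section table, so an image that has already been mapped into memory (as it would be after the loader unpacks it) needs RVAs treated as offsets instead.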
The code in payload.dll's "start" export first checks whether the process is running with administrator privileges; if it is not, it re-launches itself via ShellExecuteExA with the "runas" verb to obtain them. It then disables file system redirection for the current thread and adjusts the current process token to enable SeDebugPrivilege, which it needs for DLL injection.
payload.dll's "ss2" export is only reached when the loader binary (RAND_NAME.exe) is executed with the correct base64 key, the check referred to above for the "start" export. "ss2" begins by querying the number of available processors; the number of worker threads it creates for file encryption depends on that count.
Impact
File encryption
Indicators of Compromise
Email Address
- MckinnisKamariyah91@mail.com
- ThomassenVallen1999@mail.com
Malware Hash (MD5/SHA1/SHA256)
- c12ab67f2835b3a867af6c91aa3d3039
- 9369e8f849fad6c87d630b08cc91a320ccafd367
- 77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2
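Matching files against the hash indicators above is the concrete form of "block all threat indicators" for an endpoint or file share. The following is an added example, not part of the Rewterz advisory: it computes MD5, SHA1 and SHA256 in a single pass over a file and reports which of the advisory's hashes (copied verbatim from the list above) it hits, with case and whitespace normalised so that IOC lists pasted from different sources still match. The bytes used in the demo run are constructed and deliberately do not match anything.

```python
import hashlib
import io
import os

# Added example (not part of the advisory): single-pass MD5/SHA1/SHA256 of a
# file, matched against the hash indicators published above.

# Hash indicators copied from the advisory's IOC list.
MEGACORTEX_V2_HASHES = {
    "c12ab67f2835b3a867af6c91aa3d3039",
    "9369e8f849fad6c87d630b08cc91a320ccafd367",
    "77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2",
}

def hash_stream(src, chunk_size=1 << 20):
    """Return {'md5':..., 'sha1':..., 'sha256':...}, reading the input once.

    src may be a binary file object or raw bytes.
    """
    fp = io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}

def match_iocs(src, iocs=MEGACORTEX_V2_HASHES):
    """Return [(algorithm, digest)] for every digest of src found in the IOC set."""
    wanted = {h.strip().lower() for h in iocs}      # tolerate pasted upper-case / padded hashes
    return [(alg, d) for alg, d in hash_stream(src).items() if d in wanted]

def scan_tree(root, iocs=MEGACORTEX_V2_HASHES):
    """Walk a directory and return [(path, hits)] for files matching any IOC."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fp:
                    hits = match_iocs(fp, iocs)
            except OSError:
                continue                            # unreadable / vanished file: skip, keep scanning
            if hits:
                findings.append((path, hits))
    return findings

if __name__ == "__main__":
    # Constructed demo input; it is not the real RAND_NAME.exe and will not match.
    print(match_iocs(b"constructed sample bytes, not the real loader"))  # []
```

To use it for a real sweep, call scan_tree() on the directories where a dropped loader would plausibly land (user profiles, temp directories, shares) and feed any hit straight into the blocking controls the Remediation section refers to.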
Remediation
- Block all threat indicators listed above at your respective controls.
- Be suspicious of emails from unknown senders.
- Never click links or open attachments sent by unknown senders.