March 12, 2021
Severity
High
Analysis Summary
Threat actors are now installing a new ransomware called ‘DEARCRY’ after hacking into Microsoft Exchange servers using the recently disclosed ProxyLogon vulnerabilities. Microsoft has confirmed that the DearCry ransomware is installed in human-operated attacks on Microsoft Exchange servers using the ProxyLogon vulnerabilities.
ATTACK ANALYSIS
At launch, the DearCry ransomware attempts to stop a Windows service named ‘msupdate.’ It is not known what this service is, but it does not appear to be a legitimate Windows service.
The ransomware then begins to encrypt the files on the computer. When encrypting a file, it appends the .CRYPT extension to the file’s name.
After encryption is complete, the ransomware creates a simple ransom note named ‘readme.txt’ on the Windows desktop.
Impact
File encryption
Indicators of Compromise
MD5
- 0e55ead3b8fd305d9a54f78c7b56741a
- cdda3913408c4c46a6c575421485fa5b
- c6eeb14485d93f4e30fb79f3a57518fc
SHA-256
- 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
- e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
- feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
SHA1
- f7b084e581a8dcea450c2652f8058d93797413c3
- 56eec7392297e7301159094d7e461a696fe5b90f
- b7d99521348d319f57d2b2ba7045295fc99cf6a7
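The following is an added example of how a defender might sweep a file tree for the indicators listed above, together with the on-disk traces described in the attack analysis (the .CRYPT extension and the readme.txt ransom note). It is not Rewterz's tooling or code from the advisory; the IOC hashes are copied from the lists above, while the scanned directory and its contents are constructed inline so the script runs offline. The readme.txt name match is an assumption-level heuristic: it is a weak indicator on its own and is reported separately so it can be triaged rather than treated as a confirmed hit.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IOC hashes reproduced from the advisory above (lowercase hex).
IOC_MD5 = {
    "0e55ead3b8fd305d9a54f78c7b56741a",
    "cdda3913408c4c46a6c575421485fa5b",
    "c6eeb14485d93f4e30fb79f3a57518fc",
}
IOC_SHA1 = {
    "f7b084e581a8dcea450c2652f8058d93797413c3",
    "56eec7392297e7301159094d7e461a696fe5b90f",
    "b7d99521348d319f57d2b2ba7045295fc99cf6a7",
}
IOC_SHA256 = {
    "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff",
    "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6",
    "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede",
}


def hash_file(path):
    """Compute MD5, SHA1 and SHA-256 of a file in one pass, streaming in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests):
    """Return the names of the hash types that match an advisory IOC (empty list if none)."""
    hits = []
    if digests["md5"] in IOC_MD5:
        hits.append("md5")
    if digests["sha1"] in IOC_SHA1:
        hits.append("sha1")
    if digests["sha256"] in IOC_SHA256:
        hits.append("sha256")
    return hits


def scan_tree(root):
    """Walk a directory and collect findings: IOC hash hits, .CRYPT files and ransom-note names."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            hits = match_iocs(digests)
            if hits:
                findings.append({"path": str(path), "reason": "ioc_hash:" + ",".join(hits)})
            # Encrypted files carry the .CRYPT extension per the advisory.
            if path.suffix.lower() == ".crypt":
                findings.append({"path": str(path), "reason": "crypt_extension"})
            # Ransom note name from the advisory; weak indicator, reported for triage only.
            if name.lower() == "readme.txt":
                findings.append({"path": str(path), "reason": "ransom_note_name"})
    return findings


def demo():
    """Build a constructed directory (not real malware artefacts) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx.CRYPT").write_bytes(b"constructed encrypted content")
        (root / "clean.txt").write_bytes(b"hello")
        (root / "readme.txt").write_bytes(b"constructed ransom note text")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["reason"], finding["path"])
```

Point `scan_tree` at a mailbox or web-root path on a suspect Exchange host to get a list of paths with the reason each was flagged; hash hits against the advisory IOCs are strong, the extension match is a sign encryption already ran, and the note-name match needs manual review.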
Affected Vendors
Microsoft
Affected Products
Microsoft Exchange Server
Remediation
- Block all threat indicators at your respective controls.
- Update to the latest patch available for the Exchange servers.
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-operation-exchange-marauder-active-exploitation-of-multiple-zero-days