Severity
High
Analysis Summary
This alert covers a ransomware strain first identified in April 2020; the specific sample analyzed by the researchers was observed active in the wild in May 2020. It operates similarly to most ransomware families. On execution, its encrypted strings are decrypted with the Windows WinCrypt API using a hard-coded AES-256 key. Persistence is then established via a Registry Run key; notably, whereas most malware families first copy the executable to a protected folder, this ransomware leaves it in its original location. After persistence is established, anonymous pipes are created and subsequently used to execute sc.exe, which deletes services from a hard-coded list. Processes that could prevent encryption of user files are also killed. Files are then encrypted and volume shadow copies are deleted with vssadmin. Lastly, the ransom note is dropped, directing the victim to a Tor site for further instructions.
Impact
File encryption
Indicators of Compromise
MD5
- 5a14e0ef81ea15e9afd4defdeaa840ae
- 152810665e8cb6bcc1c61230b6e929d7
SHA-256
- 4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
- f9dc9848892b3c1ca620a7a69cce4ff5bbf03cdfd0ad12f348973ea76d4d125e
SHA1
- a2a477a36236e38ca0140e3f751006a624f142ef
- 484c0eeb4837d306ed80ef0ad2b852a10d27bfcc
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your existing environment.
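The following Python script is an added example (not part of the Rewterz alert) showing how a defender could act on both the Analysis Summary and the Remediation steps: it matches endpoint events against the file hashes listed above and against the behaviours the summary describes (Run-key persistence, service deletion via sc.exe, shadow-copy deletion via vssadmin), then reports a per-host score. The event format, host names, paths and the `ExampleSvc` service name are constructed for illustration; the hashes are the ones from the IOC section.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# File hashes from the alert's Indicators of Compromise section.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "5a14e0ef81ea15e9afd4defdeaa840ae",
        "152810665e8cb6bcc1c61230b6e929d7",
    },
    "sha256": {
        "4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51",
        "f9dc9848892b3c1ca620a7a69cce4ff5bbf03cdfd0ad12f348973ea76d4d125e",
    },
    "sha1": {
        "a2a477a36236e38ca0140e3f751006a624f142ef",
        "484c0eeb4837d306ed80ef0ad2b852a10d27bfcc",
    },
}

# Command-line patterns for the behaviours described in the Analysis Summary.
COMMAND_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("service_deletion", re.compile(r"\bsc(?:\.exe)?\s+delete\b", re.I)),
]
# Registry Run key used for persistence (matched against registry-write events).
RUN_KEY_PATTERN = re.compile(r"\\CurrentVersion\\Run\\", re.I)


@dataclass
class Event:
    """A simplified endpoint event (constructed format, not a real EDR schema)."""
    host: str
    image: str
    cmdline: str
    hashes: Dict[str, str] = field(default_factory=dict)  # e.g. {"md5": "..."}
    registry_key: Optional[str] = None  # set for registry-write events


def match_iocs(hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, hash) pairs that appear in the alert's IOC list."""
    hits = []
    for algo, value in hashes.items():
        normalized = value.lower()
        if normalized in IOC_HASHES.get(algo, set()):
            hits.append((algo, normalized))
    return hits


def match_behaviours(event: Event) -> Set[str]:
    """Return the names of alert-described behaviours visible in one event."""
    hits: Set[str] = set()
    if event.cmdline:
        for name, pattern in COMMAND_PATTERNS:
            if pattern.search(event.cmdline):
                hits.add(name)
    if event.registry_key and RUN_KEY_PATTERN.search(event.registry_key):
        hits.add("run_key_persistence")
    return hits


def triage(events: List[Event]) -> Dict[str, dict]:
    """Aggregate IOC and behaviour hits per host; only hosts with findings are returned.

    Score: 3 points per IOC hash hit, 1 point per distinct behaviour seen.
    """
    per_host: Dict[str, dict] = {}
    for ev in events:
        entry = per_host.setdefault(ev.host, {"iocs": [], "behaviours": set()})
        entry["iocs"].extend(match_iocs(ev.hashes))
        entry["behaviours"] |= match_behaviours(ev)
    result = {}
    for host, entry in per_host.items():
        score = 3 * len(entry["iocs"]) + len(entry["behaviours"])
        if score > 0:
            result[host] = {
                "iocs": entry["iocs"],
                "behaviours": sorted(entry["behaviours"]),
                "score": score,
            }
    return result


# Constructed sample events: WS-01 shows the full chain, WS-02 is benign noise.
SAMPLE_EVENTS = [
    Event("WS-01", r"C:\Users\alice\Downloads\invoice.exe", "invoice.exe",
          hashes={"md5": "5A14E0EF81EA15E9AFD4DEFDEAA840AE"}),
    Event("WS-01", r"C:\Users\alice\Downloads\invoice.exe", "",
          registry_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("WS-01", r"C:\Windows\System32\sc.exe", "sc delete ExampleSvc"),
    Event("WS-01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event("WS-02", r"C:\Windows\System32\sc.exe", "sc query ExampleSvc"),
    Event("WS-02", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

Hash matching alone only catches the two samples in this alert; the behaviour patterns are what generalize to repacked variants, so in practice the score should weight the combination (a Run-key write followed by service and shadow-copy deletion on the same host) more heavily than any single hit.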