Rewterz Threat Alert
September 2, 2020
Severity
High
Analysis Summary
Since March 2020, unknown cyber actors using ProLock ransomware have exfiltrated data from victim organizations and threatened to publicly release the data unless the victim pays the ransom. ProLock ransomware has infected victims in the healthcare, financial, construction, and legal sectors, as well as the industrial base and government agencies.

ProLock actors have employed several initial attack vectors to compromise systems, including phishing emails containing an attached variant of the Qakbot Trojan, leveraging improper system configurations and/or stolen credentials, and using Cobalt Strike to facilitate the installation of the malicious files onto a victim's computer system. ProLock actors first exfiltrate data from victim organizations to a cloud-based file sharing platform using a command line file syncing program called rclone.exe, which is disguised on the victim's system as svchost.exe.

ProLock actors then encrypt data on workstations and servers and leave a ransom note instructing the victims to visit a Tor page and log in using a unique ID included in the ransom note. The Tor page displays the ransom price and digital currency wallet address for the ransom payment. The ransom note indicates that the decryption keys will be stored for one month and provides a contact email address.
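As an added example (not part of the Rewterz alert), the following Python checks constructed process-creation records for the masquerading described above: a binary named svchost.exe running from somewhere other than the Windows system directories, or a command line shaped like an rclone copy/sync to a remote. It also flags the file extensions listed in the Indicators of Compromise section. The system-directory paths and the sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Directories a genuine svchost.exe runs from (assumption: default Windows install).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# rclone data-moving subcommand followed by a source and a "remote:path" destination.
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto)\b\s+\S+\s+\S+:", re.IGNORECASE)

# Extensions from the alert's IoC list, with the defanged "[.]" restored.
# ".key" is generic and will produce false positives; review hits on it manually.
RANSOM_EXTS = {".prolock", ".pr0lock", ".key", ".pwnd", ".prol0ck"}


def suspicious_process(image: str, cmdline: str) -> List[str]:
    """Return the reasons a process record resembles ProLock's rclone-as-svchost trick."""
    reasons = []
    p = PureWindowsPath(image)
    if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS:
        reasons.append(f"svchost.exe outside system dirs: {p.parent}")
    if RCLONE_CMD.search(cmdline):
        reasons.append("rclone-style copy/sync to a remote")
    return reasons


def ransom_extension(filename: str) -> bool:
    """True if the file carries one of the extensions the alert attributes to ProLock."""
    return PureWindowsPath(filename).suffix.lower() in RANSOM_EXTS


# Constructed sample records, not real telemetry: (image path, command line).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Users\Public\svchost.exe", "svchost.exe sync C:\\Finance remote:exfil --transfers 8"),
    (r"C:\Tools\svchost.exe", "svchost.exe config show"),
]


def scan_events(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image path to the reasons it was flagged."""
    return {img: r for img, cmd in events if (r := suspicious_process(img, cmd))}


if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
    print(ransom_extension("report.docx.proLock"))
```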
Impact
- Data Exfiltration
- File Encryption
- Possible confidentiality breach
Indicators of Compromise
Extension
- [.]proLock
- [.]pr0Lock
- [.]key
- [.]pwnd
- [.]proL0ck
Filename
- [HOW TO RECOVER FILES][.]TXT
- WinMgr[.]xml
- WinMgr[.]bmp
- clean[.]bat
- run[.]bat
- svchost[.]exe
MD5
- c579341f86f7e962719c7113943bb6e4
- 7f5e4679edcfae6068ffa2051c4010fa
SHA-256
- a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0
- 8ef5c9aed65c4561a0e30f9b579cd96c6b97b385b9f1d57d6dab5a9f2bcf9e6f
SHA1
- e2a961c9a78d4c8bf118a0387dc15c564efc8fe9
- dd7af4dfd19a62982a0d5de8b35e331a481a6aad
Remediation
- Scan for IoCs and block at their respective controls, if found.
- Backup data regularly, keep offline backups, and test them frequently.
- Keep all systems and software updated and patched against all known vulnerabilities.
- Audit logs for all remote connection protocols.
- Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
- Do not download unexpected email attachments coming from untrusted sources.