March 14, 2022
Severity
High
Analysis Summary
RURansom appears to target Russian assets in retaliation for Russia's invasion of Ukraine. The malware is written in .NET and encrypts files with AES-CBC using a hard-coded salt. It spreads like a worm, copying itself to every removable drive and every mapped network share under the file name "Россия-Украина_Война-Обновление.doc.exe" ("Russia-Ukraine_War-Update.doc.exe" in English). Once it has propagated, it begins encrypting: if the target drive letter is C:\, only the files under C:\Users\ are encrypted; on every other removable or mapped network drive, all files are encrypted recursively starting from the root directory. A unique key is generated for each encrypted file and is never saved anywhere, so the encryption cannot be reversed. This is what distinguishes it from actual ransomware: despite the name, RURansom is effectively a wiper, and no decryptor exists.
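The two things defenders can act on from the summary above are the worm's self-copy file name and the hashes listed under Indicators of Compromise. The following hunting script is an added example (it is not Rewterz tooling and not part of the original alert): it walks the directories you hand it, flags any file whose name matches the dropped binaries or the Cyrillic worm copy, flags the generic double-extension trick `*.doc.exe`, and compares each file's MD5/SHA-1/SHA-256 against the alert's hash lists. The `make_sample_tree` helper builds a constructed test directory with harmless placeholder files; the hash values, file names and the assumption that the scanned paths (removable drives and mapped shares included) are readable are the only things it relies on.

```python
"""Hunt for RURansom indicators on disk.

Added example, not Rewterz tooling. Run it against the roots the worm
targets: local user profiles, every removable drive and every mapped
network share, e.g. `python hunt_ruransom.py C:\\Users E:\\ Z:\\`.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes copied from the alert's IOC lists (compared in lower case).
IOC_MD5 = {
    "8fe6f25fc7e8c0caab2fdca8b9a3be89", "01ae141dd0fb97e69e6ea7d6bf22ab32",
    "191e51cd0ca14edb8f06c32dcba242f0", "9c3316a9ff084ed4d0d072df5935f52d",
    "fe43de9ab92ac5f6f7016ba105c1cb4e", "6cb4e946c2271d28a4dee167f274bb80",
}
IOC_SHA1 = {
    "a30bf5d046b6255fa2c4b029abbcf734824a7f15", "c35ab665f631c483e6ec315fda0c01ba4558c8f2",
    "fbeb9eb14a68943551b0bf95f20de207d2c761f6", "c6ef59aa3f0cd1bb727e2464bb728ab79342ad32",
    "27a16e1367fd3e943a56d564add967ad4da879d8", "0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b",
}
IOC_SHA256 = {
    "107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f",
    "1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0",
    "610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008",
    "696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473",
    "8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae",
    "979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9",
}
# File names from the alert: the dropped binaries and the worm's self-copy
# name ("Russia-Ukraine_War-Update.doc.exe" in Cyrillic). Lower-cased because
# NTFS is case-insensitive and str.lower() handles Cyrillic correctly.
IOC_FILENAMES = {
    "ruransom.exe",
    "dnwipe.exe",
    "россия-украина_война-обновление.doc.exe",
}


def hash_file(path: Path) -> dict:
    """Compute all three digests in one pass over the file."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_file(path: Path) -> list:
    """Return the reasons a file is suspicious; an empty list means clean."""
    reasons = []
    name = path.name.lower()
    if name in IOC_FILENAMES:
        reasons.append("filename:" + path.name)
    elif name.endswith(".doc.exe"):
        # Same double-extension lure as the worm copy, any language.
        reasons.append("double-extension:" + path.name)
    try:
        digests = hash_file(path)
    except OSError:
        return reasons  # unreadable (locked, no permission): keep name hits only
    for algo, iocs in (("md5", IOC_MD5), ("sha1", IOC_SHA1), ("sha256", IOC_SHA256)):
        if digests[algo] in iocs:
            reasons.append(algo + ":" + digests[algo])
    return reasons


def hunt(roots) -> list:
    """Walk each root and return [{'path', 'name', 'reasons'}] for every hit."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = Path(dirpath) / fname
                if path.is_symlink():
                    continue  # do not follow links off the scanned tree
                reasons = match_file(path)
                if reasons:
                    hits.append({"path": str(path), "name": path.name, "reasons": reasons})
    return hits


def make_sample_tree() -> str:
    """Constructed test data: harmless placeholder files carrying IOC names."""
    base = Path(tempfile.mkdtemp(prefix="ruransom_hunt_"))
    (base / "RURansom.exe").write_bytes(b"placeholder, not malware\n")
    (base / "usb").mkdir()
    (base / "usb" / "Россия-Украина_Война-Обновление.doc.exe").write_bytes(b"placeholder\n")
    (base / "usb" / "quarterly-report.docx").write_bytes(b"benign document\n")
    return str(base)


if __name__ == "__main__":
    import sys
    for hit in hunt(sys.argv[1:] or [make_sample_tree()]):
        print(hit["path"], "; ".join(hit["reasons"]))
```

Run with no arguments it scans only the constructed sample tree; in production pass the real roots, and treat any hash hit as a confirmed infection rather than a lure, since the alert's hashes identify the binaries themselves.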
Impact
- Irreversible file encryption (per-file keys are never stored, so affected data is destroyed)
Indicators of Compromise
Filename
- RURansom[.]exe
- dnWIPE[.]exe
MD5
- 8fe6f25fc7e8c0caab2fdca8b9a3be89
- 01ae141dd0fb97e69e6ea7d6bf22ab32
- 191e51cd0ca14edb8f06c32dcba242f0
- 9c3316a9ff084ed4d0d072df5935f52d
- fe43de9ab92ac5f6f7016ba105c1cb4e
- 6cb4e946c2271d28a4dee167f274bb80
SHA-256
- 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f
- 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0
- 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008
- 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473
- 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae
- 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9
SHA-1
- a30bf5d046b6255fa2c4b029abbcf734824a7f15
- c35ab665f631c483e6ec315fda0c01ba4558c8f2
- fbeb9eb14a68943551b0bf95f20de207d2c761f6
- c6ef59aa3f0cd1bb727e2464bb728ab79342ad32
- 27a16e1367fd3e943a56d564add967ad4da879d8
- 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b
Remediation
- Block all threat indicators at your respective controls.
- Search for the IOCs in your environment, including removable drives and mapped network shares, which the malware uses to spread.
- Because the encryption keys are never saved, encrypted files cannot be recovered; restore affected data from backups.