

Severity
Medium
Analysis Summary
A campaign is spreading a new ransomware, dubbed “Syrk”, to victims via fake Fortnite hack tools. The malware masquerades as a Fortnite cheat, promising an aimbot to improve aim accuracy and ESP to reveal the location of other players. The researchers hypothesize that the download was hosted on a file-sharing site and shared with victims via Fortnite forums. The sample being distributed appears to have been built from publicly available code: specifically, it is based on the source code of the Hidden-Cry ransomware, but uses a different file extension. Upon execution, the ransomware disables Windows Defender and UAC, launches an executable that drops several PowerShell scripts used for the encryption, establishes persistence, and monitors for process management tools. It also creates scheduled routines that begin deleting encrypted files every two hours if the ransom has not been paid. The ransomware propagates via USB drives: it uses Lime USB to identify attached drives and copy the ransomware executable to each one. An additional application dropped on the system allows the victim to enter the decryption key. The researchers discovered that the decryption tool is embedded as a resource in the main malware and that the key is contained in both the PowerShell scripts and text files dropped on the system.
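The behaviours in the summary (Defender and UAC turned off, a recurring scheduled task that launches PowerShell) are what a SOC would look for in endpoint telemetry. The following is an added example written for this page, not code from the advisory or the researchers: it runs three detection rules over constructed Sysmon-style events and flags hosts where more than one behaviour fires. The registry paths, the event field names and the sample command lines are assumptions about how such activity usually appears in telemetry, not values taken from the Syrk sample.

```python
"""Behavioural detection for the staging activity described in the advisory,
run over constructed Sysmon-style telemetry. Added example, not code from the
advisory or the researchers. Registry paths and command-line shapes are
assumptions about how this activity commonly appears in telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    event_id: int            # Sysmon: 1 = process create, 13 = registry value set
    image: str = ""          # process image path
    command_line: str = ""   # event 1 only
    target_object: str = ""  # registry path, event 13 only
    details: str = ""        # registry value as Sysmon renders it, event 13 only


def _reg_set_to(e: Event, value_suffix: str, dword: int) -> bool:
    """True if e is a registry write of value_suffix to the given DWORD."""
    return (e.event_id == 13
            and e.target_object.lower().endswith(value_suffix.lower())
            and e.details.lower() == f"dword (0x{dword:08x})")


def defender_policy_disabled(e: Event) -> bool:
    # Assumed path: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
    return _reg_set_to(e, r"\Windows Defender\DisableAntiSpyware", 1)


def uac_disabled(e: Event) -> bool:
    # Assumed path: HKLM\...\CurrentVersion\Policies\System\EnableLUA = 0
    return _reg_set_to(e, r"\Policies\System\EnableLUA", 0)


def recurring_task_runs_powershell(e: Event) -> bool:
    """A scheduled task created with a repeating schedule whose action is PowerShell."""
    cl = e.command_line.lower()
    return (e.event_id == 1
            and e.image.lower().endswith(r"\schtasks.exe")
            and "/create" in cl and "/sc " in cl
            and ("powershell" in cl or ".ps1" in cl))


RULES = {
    "defender_policy_disabled": defender_policy_disabled,
    "uac_disabled": uac_disabled,
    "recurring_task_runs_powershell": recurring_task_runs_powershell,
}


def detect(events):
    """Return {host: set of rule names that fired} for hosts with at least one match."""
    fired = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                fired[e.host].add(name)
    return dict(fired)


def staging_hosts(events, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired. Any single rule has
    benign explanations (a policy change, a maintenance task); several on one host
    match the staging sequence the advisory describes."""
    return sorted(h for h, rules in detect(events).items() if len(rules) >= min_rules)


# Constructed telemetry: WS-01 shows all three behaviours; WS-02 has a lookalike
# event (an admin setting the Defender policy value back to 0) and normal activity.
EVENTS = [
    Event("WS-01", 13, image=r"C:\Users\Public\dropper.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
          details="DWORD (0x00000001)"),
    Event("WS-01", 13, image=r"C:\Users\Public\dropper.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          details="DWORD (0x00000000)"),
    Event("WS-01", 1, image=r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks.exe /create /tn Updater /sc hourly /mo 2 /tr "powershell.exe -File C:\Users\Public\run.ps1"'),
    Event("WS-02", 13, image=r"C:\Windows\System32\gpupdate.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
          details="DWORD (0x00000000)"),
    Event("WS-02", 1, image=r"C:\Windows\System32\notepad.exe",
          command_line="notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, rules in detect(EVENTS).items():
        print(host, sorted(rules))
    print("staging hosts:", staging_hosts(EVENTS))
```

The correlation step matters more than any single rule: each behaviour on its own is common in legitimate administration, so alerting only when several fire on the same host keeps the rule set useful in a noisy fleet.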
Impact
File encryption
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256; the indicators below are all SHA256)
- 077eee74b8f1227707b389a953234756d3bf8b78108a24f132bd5feb209dd8f6
- 08baaf7c861748b227a93e41e28f99a258eb4ce149fa31b7ffe93bc23e385709
- 31c3e1c03b15347bf8184854e65261a81ba12db0dcf3aeb5344ced6d8321ddf1
- 36f88efe39d8cf16ae5ea6fb970f779ea4f80c2045a9a1b8da5657d495ddfe35
- 4197a4146bbf406f21577569290a2772b22af80f4043f670240319fb807cf3d4
- 54b62ed00e7cc8c39b09f53bec692dc7418c654f269f3392d95fba418cc8af20
- 6b156d23e8e85af8635a101b2c1a8c227cfb01a4092a076f0d00ea82b6f6bb19
- 794020d4ad5733907bf28e278644351965b38f155637203710550ae77f6c0e15
- 8fef3e33ad10eace4c472942510ce66525daf0282a6bf8d42c9c66bb844ec6ce
- a3368e8a66a87b01cab209816de2648dc36059cb4ae6e3cf41c9d2aff79f9e0c
- c239d501439b776e93085925eb132ff164b1f3ba4fdc356a00045e8674dc1387
- eda75fece8a02eb169b90a02322cd4ff2b1485ad5cdc0da7ddaa2c851a7a2614
- fb8bac3a3d04aff294be9ede1d5742ebcab59c3bc14143e328e33cf71bb59b97
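Blocking these indicators at a control is usually a matter of loading the list into an EDR or proxy, but a quick host sweep is often needed first. The following is an added example written for this page, not a tool from the advisory: it groups the indicators by algorithm using digest length, hashes files under a directory once per needed algorithm, and reports matches. The indicator set is copied from the list above; the files created in `demo()` and the extra hash added to the set there are constructed so the script runs offline.

```python
"""Sweep a directory tree for files matching the advisory's hash indicators.
Added example, not part of the advisory. INDICATORS is the list from the
advisory; demo() constructs its own files and adds their hash to the set so
the sweep can be exercised without any malware present."""
import hashlib
import os
import tempfile
from pathlib import Path

INDICATORS = {
    "077eee74b8f1227707b389a953234756d3bf8b78108a24f132bd5feb209dd8f6",
    "08baaf7c861748b227a93e41e28f99a258eb4ce149fa31b7ffe93bc23e385709",
    "31c3e1c03b15347bf8184854e65261a81ba12db0dcf3aeb5344ced6d8321ddf1",
    "36f88efe39d8cf16ae5ea6fb970f779ea4f80c2045a9a1b8da5657d495ddfe35",
    "4197a4146bbf406f21577569290a2772b22af80f4043f670240319fb807cf3d4",
    "54b62ed00e7cc8c39b09f53bec692dc7418c654f269f3392d95fba418cc8af20",
    "6b156d23e8e85af8635a101b2c1a8c227cfb01a4092a076f0d00ea82b6f6bb19",
    "794020d4ad5733907bf28e278644351965b38f155637203710550ae77f6c0e15",
    "8fef3e33ad10eace4c472942510ce66525daf0282a6bf8d42c9c66bb844ec6ce",
    "a3368e8a66a87b01cab209816de2648dc36059cb4ae6e3cf41c9d2aff79f9e0c",
    "c239d501439b776e93085925eb132ff164b1f3ba4fdc356a00045e8674dc1387",
    "eda75fece8a02eb169b90a02322cd4ff2b1485ad5cdc0da7ddaa2c851a7a2614",
    "fb8bac3a3d04aff294be9ede1d5742ebcab59c3bc14143e328e33cf71bb59b97",
}

# Hex digest length identifies the algorithm for the three families the header names.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(indicator: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest; reject anything else."""
    h = indicator.strip().lower()
    if len(h) not in HASH_LENGTHS or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a supported hex digest: {indicator!r}")
    return HASH_LENGTHS[len(h)]


def load_indicators(raw):
    """Group indicators by algorithm so each file is hashed only with what is needed."""
    by_algo = {}
    for ind in raw:
        by_algo.setdefault(classify(ind), set()).add(ind.strip().lower())
    return by_algo


def digests(path, algos):
    """Read the file once and compute every requested digest in a single pass."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def scan(root, by_algo):
    """Walk root and return (path, algorithm, digest) for every file that matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                d = digests(p, by_algo)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            for algo, digest in d.items():
                if digest in by_algo[algo]:
                    hits.append((str(p), algo, digest))
    return hits


def demo():
    """Constructed demo: one benign file and one 'planted' file whose SHA256 is
    added to the indicator set. Returns [(file name, algorithm)] for the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "readme.txt").write_bytes(b"hello")
        planted = Path(tmp) / "cheat.exe"
        planted.write_bytes(b"constructed sample, not malware")
        planted_hash = hashlib.sha256(planted.read_bytes()).hexdigest()
        by_algo = load_indicators(INDICATORS | {planted_hash})
        return [(Path(p).name, algo) for p, algo, _ in scan(tmp, by_algo)]


if __name__ == "__main__":
    print(demo())
```

Because `load_indicators` validates each entry, a mistyped or truncated hash in a feed fails loudly at load time instead of silently never matching; and since all of the listed indicators are 64 hex characters, the sweep computes only SHA256 for this advisory.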
Remediation
- Block threat indicators at your respective controls.
- Always be suspicious of emails from unknown senders.
- Never click links or open attachments sent by unknown senders.