Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 19, 2023
Severity High Analysis Summary A new information-stealing malware called Mystic Stealer emerged in April 2023, gaining popularity in cybercrime circles. It targets various web browsers, browser […]September 19, 2023Rewterz Threat Alert – BlackCat/ALPHV Ransomware Group Allegedly Encrypted Over 100 MGM ESXi Servers
Severity High Analysis Summary An affiliate of the BlackCat ransomware group, also known as APLHV, recently carried out a significant cyberattack on MGM Resorts, leading to […]September 19, 2023Severity High Analysis Summary APT37, also known as ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 19, 2023Severity High Analysis Summary A new information-stealing malware called Mystic Stealer emerged in April 2023, gaining popularity in cybercrime circles. It targets various web browsers, browser […]September 19, 2023Rewterz Threat Alert – BlackCat/ALPHV Ransomware Group Allegedly Encrypted Over 100 MGM ESXi Servers
Severity High Analysis Summary An affiliate of the BlackCat ransomware group, also known as APLHV, recently carried out a significant cyberattack on MGM Resorts, leading to […]September 19, 2023Severity High Analysis Summary APT37, also known as ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – WordPress Flaw to Leverage Zerologon Vulnerability; Attacks on Domain Controllers
October 8, 2020Rewterz Threat Alert – Emotet Phishing Uses Political Lures
October 8, 2020
Severity
Medium
Analysis Summary
FONIX Raas (Ransomware as a Service) is a new ransomware family that employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle. The actors behind FONIX appeared to be primarily focused on binary crypters/packers prior to the release of the RaaS. Their ‘products’ were advertised on various cybercrime forums. Engagement for this RaaS is handled purely via email, and directly with the author/advertiser. There is no web-based portal to register or manage infections or campaigns. The authors did appear to initially offer a FONIX-specific email service; however, at the time of writing, that service appears to be unavailable. The FONIX samples we have observed come in 64 and 32-bit varieties, and are available for Windows only. By default, FONIX will encrypt all file types, excluding critical Windows OS files. Encrypted files are all marked with the .XINOF extension (FONIX backwards). Depending on the context of the executed payload, numerous other malicious changes are made to the system. In all cases, once encryption is complete, the Desktop background is changed to the FONIX logo, and the .HTA-formatted ransomware note is displayed across the entire screen. The FONIX infection is a long process in which the affiliates have to send sample files to authors for decryption. Once sample decrypted files are sent to victims for satisfaction, and they have paid a ransom amount, the authors charge a 25% of the profit from affiliates, before providing full decryption keys.
As noted, instructions to contact the attacker are provided in the ransom note (How To Decrypt Files.hta). Several additional files are deposited on encrypted hosts. For example, the following can be found in %programdata% post-encryption:
Cpriv.key
Hello Michaele Gllips
Help.txt
How To Decrypt Files.hta
SystemID
When executed with administrator privileges, the following additional system changes occur:
- Task Manager is disabled
- Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
- System file permissions are modified
- Persistent copies of the payload have their attributed set to hidden
- A hidden service is created for persistence (Windows 10)
- Drive / Volume labels are changed (to “XINOF”)
- Volume Shadow Copies are deleted (vssadmin, wmic)
- System recovery options are manipulated/disabled (bcdedit)
- Safeboot options are manipulated.
Impact
- Files Encryption
- Loss of Data
Indicators of Compromise
MD5
- 5c87f80824d6e3483a4b2a5c71463e69
- 71b664b09dd6463b23899855eb62681e
- 117a02e1513777085a5aafb07cbdb93b
SHA-256
- 5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899
- e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a
- 658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4
SHA1
- 1f551246c5ed70e12371891f0fc6c2149d5fac6b
- a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e
- 63cae6a594535e8821c160da4b9a58fc71e46eb2
Remediation
- Block the threat indicators at their respective controls.
- Do not download any untrusted files from unexpected emails or from any random sources on the internet