Rewterz Threat Alert – APT37 Thallium Broadens Target Industries Around the Globe

January 2, 2020

Rewterz Threat Advisory – Cisco NX-OS and Switches – Critical Vulnerabilities

January 6, 2020

Rewterz Threat Alert – DeathRansom Ransomware Encrypting Files – IoCs

January 3, 2020

Severity

High

Analysis Summary

DeathRansom has finally succeeded at encrypting files. At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives. To enumerate network resources, the malware uses standard Windows APIs (WNetOpenEnumW, WNetEnumResourceW etc.) It recursively scans network resources until it hits a normal directory, at which point it processes it like a directory (processDir).
Following alterations have been made:

Excluding important Windows folders (Program Files, Windows, etc) to avoid rendering the system unusable
When it comes to files, similar checks also occur.
DeathRansom also avoids “encrypting” the systems files (ntuser.dat, etc)

The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.

Impact

Files Encryption

Indicators of Compromise

Domain name

scat01[.]mcdir[.]ru
gameshack[.]ru
scat01[.]tk

MD5

a35596ed0bfb34de4e512a3225f8300a
8ea78e5a123c13c3bda144d0fcf430c0
c50ab1df254c185506ab892dc5c8e24b
6bf9bfc6253a598608a1ca7d0210689e
bde63acffd021580fe7c7f25243c9330
b7e323ac9390f0d81d18557fddaef4cf
c4964c9c2418d0a134130dab8f4cd1b8
48f1200a88db21ca4a16dc908024f0f9
fdcdfc8eecff8eebd671cf934423710e
f9363e88fde74b43bd7da4528369d7e5
886ee5834ae019a5c8bce4326b88cfb7
38f52fac57482d77b960faff79f44474
262fdac1291740ba9408d06da265dd9f
4ba2e1d4cf7a86753f9f8174b3bc74c8
74a30661098e0950ec845a54ad7059c6

SHA-256

7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1
13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1
ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4
dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4
1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251
4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c
05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029
a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284
6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762
2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8
fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8
0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915
f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b
66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06

URL

hxxp://iplogger[.]org/1Zqq77
hxxps://iplogger[.]org/1Zqq77

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails.
Do not download software from random sources on the internet.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

MeterPreter Malware – Active IOCs

Industrial-Scale Data Theft by ToddyCat Threat Group Using Sophisticated Tools – Active IOCs

APT28 Propagates ‘GooseEgg’ Malware by Leveraging Windows Print Spooler Vulnerability – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us