• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – McAfee ePolicy Orchestrator Multiple Vulnerabilities
July 9, 2019
Rewterz Threat Advisory – Multiple Vulnerabilities in Mozilla Firefox Could Allow Arbitrary Code Execution
July 10, 2019

Rewterz Threat Alert – LooCipher Ransomware Deployed Through Malicious Word Documents

July 9, 2019

Severity

High

Analysis Summary

A new family of ransomware named LooCipher has emerged. The researchers note that LooCipher’s functionality is not significantly different than other ransomware families. Infection of the victim is achieved through emails with attached Word documents (.DOCM) that contain macros that download the ransomware. The documents contain a single line of text which states “ENABLE MACROS TO VIEW THIS DOCUMENT”. When executed, the ransomware scans files on the system and then encrypts all files except those in the Windows system and programs folders. When the encryption process is completed, the ransomware provides information to the victim, including instructions on how to make payment for the decryption key. The instructions note that the victim has only five days to pay or the decryption key will be destroyed, making the files unrecoverable. The ransomware sends the victim’s details to a C&C server on the TOR network. From there it also provides the Bitcoin address to make payments to. Communication with the TOR network is conducted through proxy services which avoids the ransomware having to install TOR libraries on the victim system. A new Bitcoin address is created each time the ransomware contacts the C&C server. However, there are also hard coded wallet addresses in case the C&C server cannot be contacted. Unusually, the ransomware is also the decryptor, but it requires that the C&C server confirms payment has been received before it can function in the decryption mode.

Impact

File encryption

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

  • ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd
  • e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486
  • 43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49
  • 924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/ attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.