
Rewterz Threat Alert – MegaCortex Ransomware V.2

September 25, 2019

Severity

High

Analysis Summary

The file RAND_NAME.exe is an updated version (V.2) of the MegaCortex ransomware. Like version 1 (V.1), this new version is compiled using Microsoft Visual C++ and uses the mbedcrypto library to carry out its file encryption algorithms. RAND_NAME.exe is digitally signed with a valid signature from ABADAN PIZZA LTD and acts as a loader for a module named payload.dll, which is found encrypted and embedded within its body. The DLL module has two export functions, “start” and “ss2”, which the MegaCortex loader uses to carry out its ransomware functionality.

Analysis

RAND_NAME.exe Loader Functionality

Similar to version 1, this new version of MegaCortex (V.2) is also compiled using Microsoft Visual C++ and uses mbedcrypto to carry out its file encryption algorithms. The MegaCortex loader binary RAND_NAME.exe is also observed to be digitally signed with a valid signature from ABADAN PIZZA LTD.

The MegaCortex binary RAND_NAME.exe acts as a loader to an embedded module named payload.dll, whose name is derived from its export table. The module payload.dll is found encrypted and embedded within the body of RAND_NAME.exe.

The code in payload.dll’s “start” function first checks whether the process is running with administrator privileges; if not, it invokes ShellExecuteExA with the “runas” verb to obtain them. Next, it disables file system redirection for the current thread and adjusts the token privileges of the current process to enable SeDebugPrivilege, which it needs for DLL injection.


payload.dll’s “ss2” export is only activated and called when the loader binary (RAND_NAME.exe) is executed with the correct base64 key, as described above for the “start” export. The “ss2” export begins by querying the number of available processors, which determines how many worker threads it creates to carry out file encryption.
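The privilege adjustment described above (a non-debugger image enabling SeDebugPrivilege on its own token) is something a SOC can hunt for in audit logs. The following is an added example for this advisory, not code from Rewterz or from the malware analysis. It runs simple detection logic over constructed sample records whose fields are modelled on Windows Security event 4703 (“A user right was adjusted”, which carries an EnabledPrivilegeList); the flat key=value layout, the user and path values, and the allowlist of tools expected to hold SeDebugPrivilege are all hypothetical and should be replaced with the organisation’s own log format and baseline.

```python
import ntpath
import re

# Constructed sample records for this example. They are loosely modelled on the
# fields of Windows Security event 4703 ("A user right was adjusted"), which is
# logged when a process enables or disables privileges on its token, but the
# flat "key=value;" layout here is our own, not real EVTX/XML output.
SAMPLE_EVENTS = [
    "EventID=4703;SubjectUserName=alice;ProcessName=C:\\Windows\\System32\\svchost.exe;EnabledPrivilegeList=SeAssignPrimaryTokenPrivilege",
    "EventID=4703;SubjectUserName=alice;ProcessName=C:\\Users\\alice\\Downloads\\RAND_NAME.exe;EnabledPrivilegeList=SeDebugPrivilege",
    "EventID=4703;SubjectUserName=bob;ProcessName=C:\\Program Files\\Debugging Tools\\windbg.exe;EnabledPrivilegeList=SeDebugPrivilege",
    "EventID=4688;SubjectUserName=alice;NewProcessName=C:\\Windows\\explorer.exe",
]

# Hypothetical allowlist of images that legitimately enable SeDebugPrivilege in
# this environment (debuggers, EDR agents); tune it to what really runs on the estate.
ALLOWLIST = {"windbg.exe", "procexp.exe"}

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field -> value dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def enabled_privileges(event: dict) -> set:
    """EnabledPrivilegeList may hold several privileges separated by commas."""
    raw = event.get("EnabledPrivilegeList", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def is_suspicious_debug_enable(event: dict, allowlist: set = ALLOWLIST) -> bool:
    """Flag a 4703 record that enables SeDebugPrivilege from an image outside the allowlist."""
    if event.get("EventID") != "4703":
        return False
    if "SeDebugPrivilege" not in enabled_privileges(event):
        return False
    image = ntpath.basename(event.get("ProcessName", "")).lower()
    return image not in {name.lower() for name in allowlist}


def find_suspicious(lines, allowlist: set = ALLOWLIST) -> list:
    """Return (user, process) pairs for every suspicious record in the input."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_debug_enable(event, allowlist):
            hits.append((event.get("SubjectUserName"), event.get("ProcessName")))
    return hits


if __name__ == "__main__":
    for user, process in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {user} enabled SeDebugPrivilege from {process}")
```

Matching on the image basename keeps the rule readable, but a production version should key the allowlist on full signed paths or hashes, since a loader dropped into a user profile can be given any file name; the unsigned-location check is exactly what separates the RAND_NAME.exe record from the windbg.exe one in the sample.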

Impact

File encryption

Indicators of Compromise

Email Address

  • MckinnisKamariyah91@mail.com
  • ThomassenVallen1999@mail.com

Malware Hash (MD5/SHA1/SHA256)

  • c12ab67f2835b3a867af6c91aa3d3039
  • 9369e8f849fad6c87d630b08cc91a320ccafd367
  • 77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2
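To act on the hash indicators above, a responder typically sweeps file shares or endpoints for files whose digests match. The following is an added example, not Rewterz code: it embeds the three hashes published in this advisory, computes MD5, SHA1 and SHA256 of each file in a single streaming pass, and reports which algorithm matched. The directory to scan and the chunk size are the only assumptions.

```python
import hashlib
from pathlib import Path

# Hash indicators published in this advisory for the MegaCortex V.2 loader.
IOC_HASHES = {
    "md5": {"c12ab67f2835b3a867af6c91aa3d3039"},
    "sha1": {"9369e8f849fad6c87d630b08cc91a320ccafd367"},
    "sha256": {"77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2"},
}

CHUNK_SIZE = 1024 * 1024  # read files 1 MiB at a time so large files are not loaded whole


def hash_bytes(data: bytes) -> dict:
    """Compute all three digests of an in-memory buffer (handy for tests and small samples)."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path) -> dict:
    """Compute MD5, SHA1 and SHA256 of a file in one streaming pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict, iocs: dict = IOC_HASHES) -> list:
    """Return the algorithms whose digest matches a published indicator (case-insensitive)."""
    return sorted(
        name for name, value in digests.items()
        if value.lower() in iocs.get(name, set())
    )


def scan_directory(root, iocs: dict = IOC_HASHES) -> dict:
    """Walk a directory tree and map each matching file path to the algorithms that hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            matched = match_hashes(hash_file(path), iocs)
            if matched:
                hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algorithms in scan_directory(root).items():
        print(f"MATCH {path}: {', '.join(algorithms)}")
```

Run it as `python scan.py <directory>`; a match on any one algorithm is enough to quarantine the file for analysis, and because all three digests are computed together the SHA256 hit will accompany the MD5 hit rather than relying on MD5 alone.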

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.