
Rewterz Threat Alert – Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

December 11, 2019

Severity

High

Analysis Summary

A new variant of the Snatch ransomware has been found that first reboots infected Windows computers into Safe Mode and only then encrypts the victim's files, in order to evade antivirus detection. Unlike traditional malware, this Snatch variant chooses to run in Safe Mode because, in that diagnostic mode, Windows starts with a minimal set of drivers and services and does not load most third-party startup programs, including antivirus software.

When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to stop the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all Volume Shadow Copies on the system, which prevents recovery of the encrypted files from shadow copies.

What makes Snatch different from, and more dangerous than, other ransomware is that in addition to encrypting files it is also a data stealer. Snatch includes a sophisticated data-stealing module that allows the attackers to exfiltrate large amounts of information from the target organization. Snatch runs on most common versions of Windows, from 7 through 10, in both 32- and 64-bit versions.

Snatch attacks Windows machines with a collection of malware that includes the ransomware executable, a custom-built data stealer, a Cobalt Strike reverse shell, and several publicly available tools that are typically used by penetration testers, system administrators or technicians. All of it is packed with the open-source packer UPX.

The attackers query the list of users authorized to log in to the machine and write the results to a file. WMIC system and user data, process lists, and even the memory contents of the Windows LSASS process are dumped to files and uploaded to the attackers' command-and-control (C2) server.
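The chain above (stop the SuperBackupMan service, delete shadow copies with vssadmin.exe, dump LSASS memory) is what a SOC would want to catch. The following is an added example, not code from Rewterz or from any Snatch sample, that runs simple detection rules over constructed Sysmon-style process creation (Event ID 1) and process access (Event ID 10) records and rates each host. The advisory does not say how the reboot into Safe Mode is triggered; the pre-reboot `bcdedit ... safeboot` rule and the `shutdown /r` event are an assumption about a common mechanism, and the `C:\Windows\System32\` allowlist for LSASS readers is a deliberate simplification. All sample events, hostnames and paths are constructed for the example.

```python
import re

# Constructed Sysmon-style records (EventID 1 = process creation, EventID 10 = process
# access). Made-up sample events for this example, not telemetry from a real case.
SAMPLE_EVENTS = [
    # Pre-reboot stage: preparing the next boot for Safe Mode (assumed mechanism;
    # the advisory does not state how the reboot is triggered).
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} safeboot minimal",
     "ParentImage": r"C:\Users\Public\svc.exe"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /f /t 0", "ParentImage": r"C:\Users\Public\svc.exe"},
    # Safe Mode stage: the two commands the advisory describes.
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop SuperBackupMan", "ParentImage": r"C:\Users\Public\svc.exe"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\svc.exe"},
    # Data-theft stage: a non-OS binary reading LSASS memory.
    {"EventID": 10, "Computer": "ws01", "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign activity on another host that must not fire.
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "Computer": "ws02", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# (rule name, stage in the chain, command-line pattern)
PROCESS_RULES = [
    ("safeboot_configured", "pre-reboot",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("backup_service_stopped", "safe-mode",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+SuperBackupMan\b", re.I)),
    ("shadow_copies_deleted", "safe-mode",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]

PROCESS_VM_READ = 0x10  # access right required to read another process's memory
OS_IMAGE_PREFIX = "c:\\windows\\system32\\"  # crude allowlist, a simplification for the example


def evaluate(event):
    """Return the (rule, stage) pairs that a single event matches."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        for name, stage, pattern in PROCESS_RULES:
            if pattern.search(cmd):
                hits.append((name, stage))
    elif event.get("EventID") == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith("\\lsass.exe") and access & PROCESS_VM_READ
                and not source.startswith(OS_IMAGE_PREFIX)):
            hits.append(("lsass_memory_read", "credential-theft"))
    return hits


def scan(events):
    """Flatten all rule hits across an event stream, keeping the event index and host."""
    findings = []
    for index, event in enumerate(events):
        for name, stage in evaluate(event):
            findings.append({"index": index, "computer": event["Computer"],
                             "rule": name, "stage": stage})
    return findings


def triage(events):
    """Per-host verdict. Safe Mode preparation followed by backup tampering is the
    chain the advisory describes, so that combination is rated highest."""
    rules_by_host = {}
    for finding in scan(events):
        rules_by_host.setdefault(finding["computer"], set()).add(finding["rule"])
    verdicts = {}
    for host, rules in rules_by_host.items():
        if "safeboot_configured" in rules and rules & {"backup_service_stopped",
                                                       "shadow_copies_deleted"}:
            verdicts[host] = "high: safe-mode ransomware staging"
        else:
            verdicts[host] = "medium: " + ", ".join(sorted(rules))
    return verdicts


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(triage(SAMPLE_EVENTS))
```

One caveat worth building into the alerting: because Safe Mode starts without most third-party services, the two safe-mode-stage commands may never reach the SIEM unless the endpoint sensor is configured to load in Safe Mode. The pre-reboot signal is therefore the one to alert on early, and a host whose telemetry simply stops after a safeboot configuration change should be treated as suspicious in its own right.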

Impact

  • File Encryption
  • Security Bypass
  • Data Theft

Indicators of Compromise

Domain Name

  • mydatassuperhero[.]com
  • mydatasuperhero[.]com

From Email

  • doctor666[@]cock.li
  • jimmtheworm[@]dicksinmyan.us
  • doctor666[@]mail.fr
  • newrecoveryrobot[@]pm.me
  • imboristheblade[@]protonmail.com

SHA-256

  • 80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4
  • eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56
  • ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a
  • fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb
  • e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d
  • c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6
  • 28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184
  • 63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940
  • 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4
  • d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33
  • 329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa
  • d22b46ea682838e0b98bc6a1e36fd04f0672fe889c03d227cdeb5dcc5d76ae7c
  • 5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb
  • ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1
  • 8c9fab558b3e9e21936a91422d9e2666f210c5fd7d9b0fd08d2353adb64a4c00
  • 78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852
  • 0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb

Source IP

  • 91.218.114[.]26
  • 193.188.22[.]25
  • 91.218.114[.]37
  • 91.218.114[.]77
  • 91.218.114[.]4
  • 91.218.114[.]25
  • 91.218.114[.]31
  • 193.188.22[.]26
  • 91.218.114[.]79
  • 37.59.146[.]180
  • 193.188.22[.]29
  • 91.218.114[.]38
  • 67.211.209[.]151
  • 91.218.114[.]11
  • 185.61.149[.]242
  • 91.218.114[.]32
  • 142.11.196[.]65
  • 142.11.195[.]192

URL

  • http[:]//45.147.228.91/
  • http[:]//94.140.125.150/
  • http[:]//snatch24uldhpwrm.onion/
  • https[:]//snatch24uldhpwrm.onion/
  • http[:]//snatch6brk4nfczg.onion
  • https[:]//snatch6brk4nfczg.onion/
  • http[:]//mydatasuperhero.com/
  • http[:]//mydatasuperhero.com/login
  • http[:]//mydatassuperhero.com

Remediation

  • Block the threat indicators at their respective controls.
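Blocking the indicators above means refanging them and matching them against DNS, proxy, mail and EDR logs without the usual substring false positives (91.218.114.2 must not match 91.218.114.26). The following is an added example, not Rewterz code, that loads a subset of this advisory's own indicators, sorts them by type, and scans a few constructed log lines. The log lines, hostnames and timestamps are made up for the example; the indicators are copied from the lists above.

```python
import re

# A subset of the indicators published in this advisory, kept defanged exactly as listed.
RAW_IOCS = """
mydatassuperhero[.]com
mydatasuperhero[.]com
doctor666[@]cock.li
newrecoveryrobot[@]pm.me
80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4
91.218.114[.]26
193.188.22[.]25
http[:]//45.147.228.91/
http[:]//snatch24uldhpwrm.onion/
http[:]//mydatasuperhero.com/login
"""

# Constructed log lines (DNS, proxy, mail gateway, EDR) for the example; not real logs.
SAMPLE_LOGS = [
    "2019-12-11T10:02:13Z dns client=10.0.0.45 qname=mydatasuperhero.com qtype=A",
    "2019-12-11T10:02:14Z proxy client=10.0.0.45 dst=91.218.114.26:443 method=CONNECT",
    '2019-12-11T10:05:00Z smtp from=doctor666@cock.li to=finance@corp.example subject="your files"',
    "2019-12-11T10:06:30Z edr host=ws01 file=C:\\Users\\Public\\svc.exe "
    "sha256=80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4",
    "2019-12-11T10:07:00Z proxy client=10.0.0.45 url=http://mydatasuperhero.com/login status=200",
    "2019-12-11T10:08:00Z proxy client=10.0.0.46 dst=91.218.114.2:443 method=CONNECT",
    "2019-12-11T10:09:00Z dns client=10.0.0.47 qname=www.example.com qtype=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def refang(indicator):
    """Undo the usual defanging so the indicator can be compared with live log data."""
    return (indicator.replace("[.]", ".").replace("[@]", "@")
            .replace("[:]", ":").replace("hxxp", "http"))


def load_iocs(raw):
    """Sort refanged indicators into typed sets. URL indicators also contribute their
    host, so a DNS query or a CONNECT to that host is caught on its own."""
    iocs = {"ip": set(), "domain": set(), "email": set(), "sha256": set(), "url": set()}
    for line in raw.splitlines():
        token = refang(line.strip()).lower()
        if not token:
            continue
        if token.startswith("http"):
            iocs["url"].add(token.rstrip("/"))
            host = re.match(r"https?://([^/:\s]+)", token).group(1)
            (iocs["ip"] if IP_RE.fullmatch(host) else iocs["domain"]).add(host)
        elif "@" in token:
            iocs["email"].add(token)
        elif SHA256_RE.fullmatch(token):
            iocs["sha256"].add(token)
        elif IP_RE.fullmatch(token):
            iocs["ip"].add(token)
        else:
            iocs["domain"].add(token)
    return iocs


def match_line(line, iocs):
    """Return the set of (type, indicator) pairs found in one log line. Tokens are
    extracted and compared whole, so 91.218.114.2 does not match 91.218.114.26."""
    text = line.lower()
    hits = set()
    hits.update(("ip", ip) for ip in IP_RE.findall(text) if ip in iocs["ip"])
    hits.update(("email", e) for e in EMAIL_RE.findall(text) if e in iocs["email"])
    hits.update(("sha256", h) for h in SHA256_RE.findall(text) if h in iocs["sha256"])
    hits.update(("url", u.rstrip("/")) for u in URL_RE.findall(text)
                if u.rstrip("/") in iocs["url"])
    for host in HOST_RE.findall(text):
        if IP_RE.fullmatch(host):
            continue
        labels = host.split(".")
        # exact match, or a subdomain of a listed domain (never the bare TLD)
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in iocs["domain"]:
                hits.add(("domain", candidate))
                break
    return hits


def scan(lines, iocs):
    """(line index, sorted hits) for every line with at least one indicator match."""
    findings = []
    for index, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            findings.append((index, sorted(hits)))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS, load_iocs(RAW_IOCS)):
        print(index, hits)
```

The typed sets map directly onto the "respective controls" in the remediation bullet: the `ip` and `domain` sets go to the firewall, proxy and DNS resolver block lists, `email` to the mail gateway, `sha256` to the EDR blocklist, and `url` to the web proxy. Subdomain matching is deliberate, since a resolver block on a parent domain should also cover hosts under it.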
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.