Rewterz Threat Alert – B0r0nt0K Ransomware Infects Linux Servers via Unknown Attack Vector
February 25, 2019Rewterz Threat Alert – Russian Language Malspam Pushing Shade Ransomware
February 26, 2019Severity
High
Analysis Summary
If UAC is running, when you attempt to extract the archive it will fail to place the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating “Access is denied” and “operation failed” as shown below.
On the other hand, if UAC is disable or WinRAR is run with administrator privileges it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.
Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched.
Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.
Launching %Temp%\wbssrv.exe
Once launched, the malware will connect to http://138.204.171.108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer.
Downloading Cobalt Strike Beacon DLL
Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.
Impact
Command execution
System access.
Indicators of Compromise
IP(s) / Hostname(s)
138.204.171.108
URLs
http://138.204.171.108/BxjL5iKld8.zip
Malware Hash (MD5/SHA1/SH256)
2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707
Remediation
- Update to the latest version of WinRAR 5.70 beta 32/64bit.
- If you are unable to upgrade for some reason, then you can use 0Patch’s WinRAR micropatch to address this specific WinRAR bug. This micropatch will fix the vulnerability in all 32-bit and 64-bit versions of WinRAR versions using the UNACEV2.DLL since 2005.