Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/5/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware Used in Multimillion-Dollar Attacks Gets More Automated

The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.

The authors of MegaCortex, a ransomware tool that was used recently in costly attacks against organizations in North America and Europe, have tweaked the malware to make it even more dangerous.

Researchers from Accenture iDefense this week said they have spotted a new version of the ransomware with features that make it harder to detect and easier for attackers to deploy on compromised networks.

Like the first version of MegaCortex that surfaced earlier this year, the new one is designed for use in manual, post-exploitation, targeted attacks. However, the authors have made some changes to the malware that suggest they have traded security for automation and ease of use, according to a report from Accenture iDefense.

For instance, the original MegaCortex malware required a password in order to decrypt and load the final payload. Attackers needed to install the ransomware on a compromised network via a series of manual steps and use a custom password that would become available only during a live infection.

This made it very hard for security researchers to analyze and reverse engineer the malware. "The password was heavily encoded and encrypted. Thus, brute-forcing the password to run the malware was not a feasible approach," says Leo Fernandes, senior manager of the Accenture iDefense Malware Analysis and Countermeasures (MAC) team.

At the same time, the password requirement also limited the ability for attackers to deploy MegaCortex widely, Fernandes says. With the second version, the malware authors have removed the need for a password for installation and have instead hard-coded a password in the binary. "The new version executes directly with one single command. No additional password or interaction is necessary," he says.

Additionally, the malware authors have incorporated a range of anti-analysis features within the main malware module itself. Some examples of these features include crypters, packers, and other obfuscation capabilities; use of anti-disassembly and debugging features; sandbox and virtual machine detection capabilities; and system-specific requirements for loading the malware, Fernandes says.

With the first version, attackers had to manually execute such capabilities as batch script files on each host. "The lack of a password requirement for installation and the embedded functionality to kill/stop security software and services can allow attackers to deploy the malware faster through automation once access to a network has been established," Fernandes says.

Security researchers first spotted MegaCortex earlier this year targeting enterprise organizations in the US, Canada, and Europe. During one stretch in May, researchers at Sophos counted 47 targeted attack attempts to install MegaCortex in a 48-hour period. Organizations that have been hit by the malware have faced ransom demands ranging from a relatively modest $20,000 to a stunning $5.8 million.

The changes in the new version do not make MegaCortex any easier or harder to detect because the attack still happens only after a network has already been compromised via other means, Fernandes. Even so, the hard-coded passwords allow those doing the reverse engineering to retrieve the final DLL file from memory for further analysis, which was not readily feasible before, he says. "However, deeper analysis still takes lots of experience and time," Fernandes says.

Targeted Attacks
For enterprise organizations, MegaCortex is another reminder — if one were needed — of the major threat that ransomware continues to pose. The steady declines in ransomware attack volumes that several security vendors have reported in recent months have all been on the consumer side.

Attacks on private, public, city, and local government organizations of all sizes have only increased over the past year. In many instances, attackers have first gained access to targeted networks, conducted reconnaissance and identified high-value systems before installing ransomware on them to maximize disruption.

Many security researchers fear that recent reports of multiple city governments and other organizations making substantial payments to attackers to get their data back after a ransomware attack are likely only going to fuel more attacks.

Ransomware like MegaCortex continues to pose a high threat to enterprises and government organizations worldwide, Fernandes says. "The criminal organization behind MegaCortex appears to be experienced professionals capable of targeting and infiltrating corporate networks, cause havoc, and huge financial losses," he warns.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/6/2019 | 2:17:24 PM
Sophos Intercept X caught it, I wonder who else cause this

We're still trying to develop a clearer picture of the infection process, but for now, it appears that there's a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims' networks with both Emotet and Qbot. Keeping regular backups of your most important and current data on an offline storage device is the best way to avoid having to pay a ransom altogether.

It seems one of the things that we need to pay attention to the following command and control items:

  • IP: 89.105.198.28
  • File Hashes:
    • 37b4496e650b3994312c838435013560b3ca8571 (Batch file)
    • 478dc5a5f934c62a9246f7d1fc275868f568bc07 (PE.exe)
    • 2f40abbb4f78e77745f0e657a19903fc953cc664 (DLL Memory Injection)
    • 53dddbb304c79ae293f98e0b151c6b28
    • 65939a4515a59da3697e4a454d6e8378
    • 470a8189915b01bc4012d7e0bdccba8e97a6a2d6
    • 2632529b0fb7ed46461c406f733c047a6cd4c591
    • 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2
    • 873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466

 

Since this is primarily a windows variant, I think we could do the following:

  1. Add the ip address to the firewalls and servers
    • InBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Inbound -RemoteAddress 89.105.198.28 -Name MegaCortex-In -Profile Any -Protocol Any -DisplayName "Block MegaCortex In")
    • OutBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Outbound -RemoteAddress 89.105.198.28 -Name MegaCortex-Out -Profile Any -Protocol Any -DisplayName "Block MegaCortex Out")
  2. Ensure you have installed a HIDS application to filter applications from starting or being written to
    • c:\nxahoft_G9.log
    • c:\!!!_READ-ME_!!!.txt
    • C:\x5gj5_gmG8.log
  3. Also, the user could run this powershell script to look for the additional hashes (wrote code below to identify the hashes on the system using Powershell)
$1 = @("53dddbb304c79ae293f98e0b151c6b28", 
"65939a4515a59da3697e4a454d6e8378",
"470a8189915b01bc4012d7e0bdccba8e97a6a2d6",
"2632529b0fb7ed46461c406f733c047a6cd4c591",
"86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2",
"873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466")
$hash = (get-childitem -path c:\*.* | get-filehash).path
# Add -recurse c:\*.* -recurse to look for all directories foreach ($i in $hash) { foreach ($j in $1) { if ( (Get-filehash -path $i).hash -eq $j) { Write-Host $i "MegaCortext file found"
Remove-item $i -force
Write-Host $i "MegaCortext file removed" } } Write-Host "MegaCortext files not found" }

I have not taken into consideration MD5 lengths, I will be looking into SHA256 hashes for verification purposes.


T
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...