Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/5/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware Used in Multimillion-Dollar Attacks Gets More Automated

The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.

The authors of MegaCortex, a ransomware tool that was used recently in costly attacks against organizations in North America and Europe, have tweaked the malware to make it even more dangerous.

Researchers from Accenture iDefense this week said they have spotted a new version of the ransomware with features that make it harder to detect and easier for attackers to deploy on compromised networks.

Like the first version of MegaCortex that surfaced earlier this year, the new one is designed for use in manual, post-exploitation, targeted attacks. However, the authors have made some changes to the malware that suggest they have traded security for automation and ease of use, according to a report from Accenture iDefense.

For instance, the original MegaCortex malware required a password in order to decrypt and load the final payload. Attackers needed to install the ransomware on a compromised network via a series of manual steps and use a custom password that would become available only during a live infection.

This made it very hard for security researchers to analyze and reverse engineer the malware. "The password was heavily encoded and encrypted. Thus, brute-forcing the password to run the malware was not a feasible approach," says Leo Fernandes, senior manager of the Accenture iDefense Malware Analysis and Countermeasures (MAC) team.

At the same time, the password requirement also limited the ability for attackers to deploy MegaCortex widely, Fernandes says. With the second version, the malware authors have removed the need for a password for installation and have instead hard-coded a password in the binary. "The new version executes directly with one single command. No additional password or interaction is necessary," he says.

Additionally, the malware authors have incorporated a range of anti-analysis features within the main malware module itself. Some examples of these features include crypters, packers, and other obfuscation capabilities; use of anti-disassembly and debugging features; sandbox and virtual machine detection capabilities; and system-specific requirements for loading the malware, Fernandes says.

With the first version, attackers had to manually execute such capabilities as batch script files on each host. "The lack of a password requirement for installation and the embedded functionality to kill/stop security software and services can allow attackers to deploy the malware faster through automation once access to a network has been established," Fernandes says.

Security researchers first spotted MegaCortex earlier this year targeting enterprise organizations in the US, Canada, and Europe. During one stretch in May, researchers at Sophos counted 47 targeted attack attempts to install MegaCortex in a 48-hour period. Organizations that have been hit by the malware have faced ransom demands ranging from a relatively modest $20,000 to a stunning $5.8 million.

The changes in the new version do not make MegaCortex any easier or harder to detect because the attack still happens only after a network has already been compromised via other means, Fernandes. Even so, the hard-coded passwords allow those doing the reverse engineering to retrieve the final DLL file from memory for further analysis, which was not readily feasible before, he says. "However, deeper analysis still takes lots of experience and time," Fernandes says.

Targeted Attacks
For enterprise organizations, MegaCortex is another reminder — if one were needed — of the major threat that ransomware continues to pose. The steady declines in ransomware attack volumes that several security vendors have reported in recent months have all been on the consumer side.

Attacks on private, public, city, and local government organizations of all sizes have only increased over the past year. In many instances, attackers have first gained access to targeted networks, conducted reconnaissance and identified high-value systems before installing ransomware on them to maximize disruption.

Many security researchers fear that recent reports of multiple city governments and other organizations making substantial payments to attackers to get their data back after a ransomware attack are likely only going to fuel more attacks.

Ransomware like MegaCortex continues to pose a high threat to enterprises and government organizations worldwide, Fernandes says. "The criminal organization behind MegaCortex appears to be experienced professionals capable of targeting and infiltrating corporate networks, cause havoc, and huge financial losses," he warns.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/6/2019 | 2:17:24 PM
Sophos Intercept X caught it, I wonder who else cause this

We're still trying to develop a clearer picture of the infection process, but for now, it appears that there's a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims' networks with both Emotet and Qbot. Keeping regular backups of your most important and current data on an offline storage device is the best way to avoid having to pay a ransom altogether.

It seems one of the things that we need to pay attention to the following command and control items:

  • IP: 89.105.198.28
  • File Hashes:
    • 37b4496e650b3994312c838435013560b3ca8571 (Batch file)
    • 478dc5a5f934c62a9246f7d1fc275868f568bc07 (PE.exe)
    • 2f40abbb4f78e77745f0e657a19903fc953cc664 (DLL Memory Injection)
    • 53dddbb304c79ae293f98e0b151c6b28
    • 65939a4515a59da3697e4a454d6e8378
    • 470a8189915b01bc4012d7e0bdccba8e97a6a2d6
    • 2632529b0fb7ed46461c406f733c047a6cd4c591
    • 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2
    • 873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466

 

Since this is primarily a windows variant, I think we could do the following:

  1. Add the ip address to the firewalls and servers
    • InBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Inbound -RemoteAddress 89.105.198.28 -Name MegaCortex-In -Profile Any -Protocol Any -DisplayName "Block MegaCortex In")
    • OutBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Outbound -RemoteAddress 89.105.198.28 -Name MegaCortex-Out -Profile Any -Protocol Any -DisplayName "Block MegaCortex Out")
  2. Ensure you have installed a HIDS application to filter applications from starting or being written to
    • c:\nxahoft_G9.log
    • c:\!!!_READ-ME_!!!.txt
    • C:\x5gj5_gmG8.log
  3. Also, the user could run this powershell script to look for the additional hashes (wrote code below to identify the hashes on the system using Powershell)
$1 = @("53dddbb304c79ae293f98e0b151c6b28", 
"65939a4515a59da3697e4a454d6e8378",
"470a8189915b01bc4012d7e0bdccba8e97a6a2d6",
"2632529b0fb7ed46461c406f733c047a6cd4c591",
"86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2",
"873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466")
$hash = (get-childitem -path c:\*.* | get-filehash).path
# Add -recurse c:\*.* -recurse to look for all directories foreach ($i in $hash) { foreach ($j in $1) { if ( (Get-filehash -path $i).hash -eq $j) { Write-Host $i "MegaCortext file found"
Remove-item $i -force
Write-Host $i "MegaCortext file removed" } } Write-Host "MegaCortext files not found" }

I have not taken into consideration MD5 lengths, I will be looking into SHA256 hashes for verification purposes.


T
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4483
PUBLISHED: 2019-08-20
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X...
CVE-2019-4484
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164068.
CVE-2019-4485
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069.
CVE-2019-7593
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
CVE-2019-7594
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).