Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/5/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware Used in Multimillion-Dollar Attacks Gets More Automated

The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.

The authors of MegaCortex, a ransomware tool that was used recently in costly attacks against organizations in North America and Europe, have tweaked the malware to make it even more dangerous.

Researchers from Accenture iDefense this week said they have spotted a new version of the ransomware with features that make it harder to detect and easier for attackers to deploy on compromised networks.

Like the first version of MegaCortex that surfaced earlier this year, the new one is designed for use in manual, post-exploitation, targeted attacks. However, the authors have made some changes to the malware that suggest they have traded security for automation and ease of use, according to a report from Accenture iDefense.

For instance, the original MegaCortex malware required a password in order to decrypt and load the final payload. Attackers needed to install the ransomware on a compromised network via a series of manual steps and use a custom password that would become available only during a live infection.

This made it very hard for security researchers to analyze and reverse engineer the malware. "The password was heavily encoded and encrypted. Thus, brute-forcing the password to run the malware was not a feasible approach," says Leo Fernandes, senior manager of the Accenture iDefense Malware Analysis and Countermeasures (MAC) team.

At the same time, the password requirement also limited the ability for attackers to deploy MegaCortex widely, Fernandes says. With the second version, the malware authors have removed the need for a password for installation and have instead hard-coded a password in the binary. "The new version executes directly with one single command. No additional password or interaction is necessary," he says.

Additionally, the malware authors have incorporated a range of anti-analysis features within the main malware module itself. Some examples of these features include crypters, packers, and other obfuscation capabilities; use of anti-disassembly and debugging features; sandbox and virtual machine detection capabilities; and system-specific requirements for loading the malware, Fernandes says.

With the first version, attackers had to manually execute such capabilities as batch script files on each host. "The lack of a password requirement for installation and the embedded functionality to kill/stop security software and services can allow attackers to deploy the malware faster through automation once access to a network has been established," Fernandes says.

Security researchers first spotted MegaCortex earlier this year targeting enterprise organizations in the US, Canada, and Europe. During one stretch in May, researchers at Sophos counted 47 targeted attack attempts to install MegaCortex in a 48-hour period. Organizations that have been hit by the malware have faced ransom demands ranging from a relatively modest $20,000 to a stunning $5.8 million.

The changes in the new version do not make MegaCortex any easier or harder to detect because the attack still happens only after a network has already been compromised via other means, Fernandes. Even so, the hard-coded passwords allow those doing the reverse engineering to retrieve the final DLL file from memory for further analysis, which was not readily feasible before, he says. "However, deeper analysis still takes lots of experience and time," Fernandes says.

Targeted Attacks
For enterprise organizations, MegaCortex is another reminder — if one were needed — of the major threat that ransomware continues to pose. The steady declines in ransomware attack volumes that several security vendors have reported in recent months have all been on the consumer side.

Attacks on private, public, city, and local government organizations of all sizes have only increased over the past year. In many instances, attackers have first gained access to targeted networks, conducted reconnaissance and identified high-value systems before installing ransomware on them to maximize disruption.

Many security researchers fear that recent reports of multiple city governments and other organizations making substantial payments to attackers to get their data back after a ransomware attack are likely only going to fuel more attacks.

Ransomware like MegaCortex continues to pose a high threat to enterprises and government organizations worldwide, Fernandes says. "The criminal organization behind MegaCortex appears to be experienced professionals capable of targeting and infiltrating corporate networks, cause havoc, and huge financial losses," he warns.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/6/2019 | 2:17:24 PM
Sophos Intercept X caught it, I wonder who else cause this

We're still trying to develop a clearer picture of the infection process, but for now, it appears that there's a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims' networks with both Emotet and Qbot. Keeping regular backups of your most important and current data on an offline storage device is the best way to avoid having to pay a ransom altogether.

It seems one of the things that we need to pay attention to the following command and control items:

  • IP: 89.105.198.28
  • File Hashes:
    • 37b4496e650b3994312c838435013560b3ca8571 (Batch file)
    • 478dc5a5f934c62a9246f7d1fc275868f568bc07 (PE.exe)
    • 2f40abbb4f78e77745f0e657a19903fc953cc664 (DLL Memory Injection)
    • 53dddbb304c79ae293f98e0b151c6b28
    • 65939a4515a59da3697e4a454d6e8378
    • 470a8189915b01bc4012d7e0bdccba8e97a6a2d6
    • 2632529b0fb7ed46461c406f733c047a6cd4c591
    • 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2
    • 873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466

 

Since this is primarily a windows variant, I think we could do the following:

  1. Add the ip address to the firewalls and servers
    • InBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Inbound -RemoteAddress 89.105.198.28 -Name MegaCortex-In -Profile Any -Protocol Any -DisplayName "Block MegaCortex In")
    • OutBound Server Rules - (New-Netfirewallrule -Action Block -Enabled True -Direction Outbound -RemoteAddress 89.105.198.28 -Name MegaCortex-Out -Profile Any -Protocol Any -DisplayName "Block MegaCortex Out")
  2. Ensure you have installed a HIDS application to filter applications from starting or being written to
    • c:\nxahoft_G9.log
    • c:\!!!_READ-ME_!!!.txt
    • C:\x5gj5_gmG8.log
  3. Also, the user could run this powershell script to look for the additional hashes (wrote code below to identify the hashes on the system using Powershell)
$1 = @("53dddbb304c79ae293f98e0b151c6b28", 
"65939a4515a59da3697e4a454d6e8378",
"470a8189915b01bc4012d7e0bdccba8e97a6a2d6",
"2632529b0fb7ed46461c406f733c047a6cd4c591",
"86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2",
"873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466")
$hash = (get-childitem -path c:\*.* | get-filehash).path
# Add -recurse c:\*.* -recurse to look for all directories foreach ($i in $hash) { foreach ($j in $1) { if ( (Get-filehash -path $i).hash -eq $j) { Write-Host $i "MegaCortext file found"
Remove-item $i -force
Write-Host $i "MegaCortext file removed" } } Write-Host "MegaCortext files not found" }

I have not taken into consideration MD5 lengths, I will be looking into SHA256 hashes for verification purposes.


T
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.