Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/13/2019
05:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

LockerGoga, MegaCortex Ransomware Share Unlikely Traits

New form of ransomware MegaCortex shares commonalities with LockerGoga, enterprise malware recently seen in major cyberattacks.

MegaCortex, a newly discovered form of ransomware that targets global organizations, was found to share similarities with LockerGoga, a known form of malware seen in enterprise attacks.

Sophos researchers published initial findings related to MegaCortex late last week. The active ransomware variant sends victims a note designed to read as if it's from Morpheus, Laurence Fishburne's character in The Matrix. MegaCortex was spotted hitting several enterprise customers across the US, Europe, and Canada, with 47 attack attempts within a 48-hour period.

A few traits of MegaCortex made the campaign stand out. Victims reported the attacks originated from a compromised domain controller, and adversaries used stolen admin credentials to run a PowerShell script using the compromised controller — both traits that make it unique, says Jessica Bair, senior manager of advanced threat solutions at Cisco Systems.

Researchers note this ransomware is mostly seen among businesses with existing Emotet and Qbot infections, both of which can be used as launching points to distribute other malware. Given this, organizations previously exposed to either threat should prioritize remediation.

In the week since its early findings were disclosed, the Sophos team has become aware of more attacks involving MegaCortex and updated their research to reflect additional data on the tools, techniques, and other specifics that were not known at the time of publication.

"Since last week we have learned a lot more of the small details about the behavior and tooling used by MegaCortex," says Chet Wisniewski, Sophos' principal research scientist. "Many of these details are similar or identical to another ransomware named LockerGoga," however, there isn't much code similarity between them. Still, there are a few interesting similarities:

Links to LockerGoga
LockerGoga is a form of ransomware recently used in a major cyberattack against Norwegian aluminum firm Norsk Hydro, where it disrupted critical operations across North America and Europe. The incident forced Norsk Hydro to transition to manual operations at multiple plants; so far, it has cost the manufacturer $40 million. Once on a system, LockerGoga, which appears to be designed for targeted campaigns, changes passwords and forcibly logs victims out of systems.

The two forms of ransomware appear to behave the same way, Wisniewski explains. In both, operators leverage a compromised domain controller to push malware out to machines on a target network. From there, they open a reverse shell from the internal network to one of their command-and-control (C2) servers to execute the attacks. At least one of the C2 addresses that MegaCortex contacts has also been used by LockerGoga, researchers explain in a blog post.

MegaCortex also renames the files it plans to encrypt before encrypting them, which is unusual for ransomware — except LockerGoga, which does the same. "We suspect this may be used to prevent the malware from unintentionally encrypting files twice on an infected machine," says Wisniewski. The tactic has another effect: it makes those renamed files "un-double-clickable" as it removes the file type association of the document with its parent application.

One of the most obvious similarities is the batch file used in the attack, Wisniewski continues. Many researchers think it's "virtually identical" to batch files used to kill processes during LockerGoga attacks. Still, he says, none of the individual similarities are enough to make any attribution to MegaCortex's origin. At this time, they remain a "large number of interesting coincidences."

Contemplating Cryptographic Certificates
MegaCortex uses signed binaries with the common name (CN) mimicking the same CN used in the signed binaries of completely unrelated malware families. For example, researchers queried a CN on the cryptographic certificate used to sign one of the MegaCortex malware executables. They found malware from Rietspoof, a financial-services credential stealer with no code similarity or link to MegaCortex.

"We're not sure why they would do this," says Wisniewski. "Often things are thrown in to confuse those investigating the attacks, a sort of 'false flag operation.'" The certificates for MegaCortex were issued by different authorities from the certificates they were mimicking; for example, that of Rietspoof. Some certificate authorities are now revoking the certificates used in MegaCortex attacks, Wisniewski says.

Investigation into certificates yielded another interesting finding: researchers noticed the address used by the certificate — a street address located in London suburb Romford — is connected to more than 74,000 registered UK businesses. There is also evidence the same address has been used in signing certificates that were then used to sign unrelated malware binaries. They're still looking into this.

"We do not really understand how an apparent residential address ended up being used as a business address for some 74,000+ companies currently or formerly registered in the UK," says Wisniewski, who adds that site for The Companies House — the United Kingdom's registrar for companies — permits visitors to access only the first 1,000 records of this search.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8003
PUBLISHED: 2020-01-27
A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.
CVE-2019-20427
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integ...
CVE-2019-20428
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter.
CVE-2019-20429
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2...
CVE-2019-20430
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client.