When one malware copies another for more efficiency
Maze is a famous ransomware that has been involved in many computer attacks over the past year and this year, especially the one that affected the French giant Bouygues.
But the editors of this program have decided to take it to the next level. Indeed this famous ransomware copies the camouflage system used by another famous of its kind, Ragnar Locker. This camouflage allows the ransomware to be difficult to detect knowing that it hides behind a virtual machine. This prevents standard detection systems from noticing its presence.
This article will also interest you: Bouygues construction attack: 3 things to know
This new technique used by maze publishers was discovered by the British cybersecurity company Sophos during the month of July. This was followed by an attempted intrusion that was quickly intercepted. The group of cybercriminals behind this attempt has not yet been detected.
It should then be noted that cybercriminals now have more means to disseminate their ransomware more easily. At least, that's what seems obvious with the discovery of se Sophos. A discovery that occurred 4 months after the use of this technique by Ragnar Locker. The technique allows ransomware publishers to hide their malware behind virtual machines. This prevents security programs that target from detecting them more easily. The case then becomes complicated when we know how much the ransomware Maze was involved in the cyberattack of several large companies around the world namely the Korean giant LG, Bouygues construction, Leon Grosse, Canon, Xerox, Cognizant, SK Hynix…
"During the Maze incident, the threat players distributed the ransomware file encryption payload on the virtual hard drive of the virtual machine (a Virtual Box .vdi virtual disk image file), which was delivered in a Windows installation file .msi more than 700MB in size," security specialist Sophos explains in a blog post. "The attackers also grouped a sleek 11-year-old copy of the Virtual Box hypervisor into the .msi file, which runs the VM as an undetermined terminal with no user interface. She adds. However, this is different from the tactics that were used in the attack of the Portuguese energy giant EDP, with the ragnar Locker software. Here, the malware had been deployed in a virtual machine on Windows 10.
British computer security company Sophos said it discovered the new technique as Maze ransomware simulations during a mini investigation in June after an organization was targeted by a computer attack. The ransom demanded by cyber criminals was $15 million. So, one can imagine that it is a large organization that has been attacked even though Sophos is careful not to give its name. Cyber criminals tend to adjust the price according to their target. "The investigation also revealed several installation scripts that revealed the attackers' tactics and revealed that they had spent days preparing to launch the ransomware by creating ip address lists inside the target's network, using one of the target's domain controller servers and exfiltrate data to the cloud storage provider Mega.nz Sophos notes.
According to the latter, the hacker succeeded after having succeeded more than 3 times. Because the first two attempts failed. They had tried to launch executable files from their malware using the planned tasks of Windows Update Security Patches and Google Chrome Security Update or Windows Update Security. According to Sophos' explanation: "The virtual machine was apparently configured in advance by someone who knew something about the victim's network, because his configuration file ("micro.xml") maps two reader letters that are used as shared network readers in this particular organization, presumably so that can encrypt the files on those shares as well as on the local machine. It also creates a folder in C: 'SDRSMLINK' and shares this folder with the rest of the network." The computer security company explains: "At some point (we don't know when and how, exactly, this was accomplished), the malware also wrote a file named startup_vrun.bat. We found this file in c: 'users' ' Administrator' 'AppData', 'Roaming', 'Microsoft', 'Windows' 'Start Menu' startup, which means it's a persistence mechanism that relies on restarting the computer before the attackers launch the malware. ». The script allowed cybercriminals to place a command to stop the computer immediately after copying the same file 3 times, which was in the root of the disk. The hackers waited for the machine to be turned on for the script to run and produce the consequences that followed.
Now access an unlimited number of passwords:
