The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.
“While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types,” Symantec said in a
DJvu Ransomware Mimic as Cracked Software to Compromise Computers
A recent campaign has been observed delivering DJvu ransomware through a loader that poses as freeware or cracked software. This ransomware has previously been reported to append a .xaro extension to encrypted files, after which the threat actors demand a ransom to decrypt them.
The main goals of this ransomware are data exfiltration, information theft, and ransom extortion. The malware follows a shotgun approach: it is deployed alongside a variety of other malicious files rather than as a single payload.
DJvu Ransomware Infection
The threat actors distributed malicious .7z archives as the initial access vector via an untrusted website masquerading as a legitimate freeware distribution site. When victims download and extract the malicious install.7z archive, it contains an install.exe file.
This is a large packed binary of about 0.7 GB. Further analysis revealed it to be PrivateLoader, a loader first observed in 2021.
If victims execute install.exe, it downloads several additional malware families, including Redline Stealer (infostealer), Vidar (infostealer), Amadey (botnet), Nymaim (downloader), GCleaner (loader), XMRig (cryptominer), Fabookie (Facebook infostealer) and LummaC Stealer (MaaS platform acting as an infostealer).
In addition, the Xaro payload was found running on the compromised machine within three minutes of install.exe being executed. Two distinct flows were observed for the execution and termination of the Xaro payload.
First Flow & Second Flow
The first flow uses a process with a four-character alphanumeric name, such as 5r64.exe, which injects code into a child process of itself. This child process creates a registry entry at software\microsoft\windows\currentversion\run\syshelper for persistence.
The second flow is similar to the first but adds measures to bypass security controls. The child process in this flow connects to the C2 server api.2ip[.]ua. In addition, it encrypts files under the C:\Users\User directory on the compromised machine.
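The two flows above describe behaviour that endpoint telemetry can be checked for: a short random process name spawned from a user-writable path, the process spawning itself, a Run-key value named syshelper, DNS queries to the Xaro C2 domains, and the scheduled task names listed in the report's indicators. The following is an added detection example written for this page, not code from Cybereason or Cyber Security News; the Sysmon-like event shape, the backslash-separated registry path and the sample events are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted in the report: Run-key value, C2 domains and task names.
RUN_KEY_SUFFIX = r"\currentversion\run\syshelper"
C2_DOMAINS = {"api.2ip.ua", "colisumy.com", "zexeq.com"}
TASK_NAMES = {"azure-update-task", "time trigger task"}
# First flow: a four-character alphanumeric process name such as 5r64.exe
SHORT_NAME_RE = re.compile(r"^[a-z0-9]{4}\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\", re.IGNORECASE)


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events matching the DJvu/Xaro behaviour."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev.get("event", "")
        image = ev.get("image", "")
        name = image.rsplit("\\", 1)[-1]
        if kind == "process_create":
            # Short random name executing from a user-writable location
            if SHORT_NAME_RE.match(name) and USER_WRITABLE_RE.match(image):
                hits.append(("short_name_process", image))
            # The payload creating a child process of itself (code injection step)
            parent_name = ev.get("parent", "").rsplit("\\", 1)[-1]
            if parent_name and parent_name.lower() == name.lower():
                hits.append(("self_spawn", image))
        elif kind == "registry_set" and ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
            hits.append(("run_key_syshelper", ev["key"]))
        elif kind == "dns_query" and ev.get("query", "").lower() in C2_DOMAINS:
            hits.append(("xaro_c2_domain", ev["query"]))
        elif kind == "task_create" and ev.get("task", "").lower() in TASK_NAMES:
            hits.append(("xaro_scheduled_task", ev["task"]))
    return hits


# Constructed sample telemetry (not from the report) in a simplified Sysmon-like shape.
TMP_PAYLOAD = r"C:\Users\User\AppData\Local\Temp\5r64.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": TMP_PAYLOAD, "parent": r"C:\Users\User\Downloads\install.exe"},
    {"event": "process_create", "image": TMP_PAYLOAD, "parent": TMP_PAYLOAD},
    {"event": "registry_set", "image": TMP_PAYLOAD,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper"},
    {"event": "dns_query", "image": TMP_PAYLOAD, "query": "api.2ip.ua"},
    {"event": "task_create", "image": TMP_PAYLOAD, "task": "Time Trigger Task"},
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"event": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign svchost.exe events in the sample produce no hits, which is the property to preserve when extending the rules to real telemetry.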
Furthermore, Cybereason has published a complete report on this ransomware variant, with detailed information about the execution process, the payloads used, the source code, and other details.
Indicators of Compromise
The post DJvu Ransomware Mimic as Cracked Software to Compromise Computers appeared first on Cyber Security News.
CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack
Toyota Financial Services has been hit by a ransomware attack that may have involved exploitation of the CitrixBleed vulnerability.
The post CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack appeared first on SecurityWeek.
Tool Overload: Why MSPs Are Still Drowning with Countless Cybersecurity Tools in 2024
Highlights
Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration.
Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining