ARCrypt Ransomware Adapts TOR Communication Channels to Avoid detection

ARCrypt Ransomware Adapts TOR Communication Channels to Avoid detection

A newly evolved linux variant of AR crypt malware developed with GO language started targeting worldwide.

The emergence of AR Crypt malware was seen in the year of  Aug 2022, able to target both Linux and Windows machines.

Read moreBuilding cyber skills and roles from CyBOK foundations

According to Cyble Research and Intelligence lab, the new variant updated its tactics and techniques to interact with victims to evade detections.

Analysis of New Variant

Read moreAccessibility as a cyber security priority

Unlike the old variant, the new variant communicates with victims through mirror sites, and threat actors create unique chat sites for each victim.

Also, it instructs victims to create a user profile on the TOX messaging page for communication and offers a discount if the ransom was paid in Monero.

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Since the attack vector of the ransomware is unknown, once executed the payload the ransomware copies to the %TEMP% directory and assigns a random six-digit upper alphanumeric value.

Later, it deletes the original ransomware binary using the command “cmd /c DEL “%SAMPLEPATH%” &EXIT,” where A batch script was used to remove the initial executable file in old versions

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

In addition to that, it terminates processes related to anti-malware, backup, and recovery to accelerate encryption to evade detection from EDR.

Finally, this ransomware delivers a ransom note before encrypting the files; it encrypts the files with the extension “.crYpt”, whereas the older variant uses the “.crypt” extension.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

The binaries in the ransom note direct the victims to different Tor sites for communication, which share the same user interface but have different URLs. 

Typically, ransomware TAs include all the mirror sites in the ransom note to ensure accessibility for victims. This approach allows victims to access an alternative site if one becomes inaccessible.

Indicators of Compromise  

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Indicators  9b80a70be01700866a667085aad93b5a0408d6208440ef3caf7078361897f47c911de543a933ebeb8bec26881b2d191f5034b7d6cacbb8d2cc06eeb7327f752fd0fab24d7df9c7e23c2a1f8d3d87cd2460bb275cb589fccc88bd05df102b7584c356fce21be1de5894e227ad918034ae9b569a380a5e6c8928428862236395e3357a085b03f25fef 90aeedae5648c65ca3c3fb2ac038033744069c654987abb00ce9068dd856bd2065a20aa9e56eba93a0f3fab5e26c992a18cb6754c4b1a688e26a73c424d272babeab503ca84957660902eb17fd021f3d187fb787cb3700cb561a449e6ff88978fb4ce1495982fe95b38807e5d6c4c4ae6811058fd868256abd6ed95f440e7f27ea81408bb9ee27fba0aad92f585dfc6ac762b5fc829e6fba9ad2ae2c7fda526131ad6d535b21fe55d027d3aa4f2e40e6353a2430a80824d113268b5cdb28a0ddb079418be05ba79dea608410

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

The post ARCrypt Ransomware Adapts TOR Communication Channels to Avoid detection appeared first on Cyber Security News.

   Read More 

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

Cyber Security News 

Related Posts

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users
Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware.
"Zanubis’s main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device," Kaspersky said in an   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site