MalasLocker Ransomware Attacks Users of Zimbra Servers

MalasLocker Ransomware Attacks Users of Zimbra Servers

A Notorious MalasLocker Ransomware, which has been active since March 2023, targets Zimbra servers and demands charity donations instead of Ransom.

This group mostly targets corporate companies providing business services, software, and Manufacturing services around Italy, Russia, and the United States.

Read moreBuilding cyber skills and roles from CyBOK foundations

According to the SOC Radar report, they claim to have a distaste for corporate entities and economic inequality, and their deal is simple for decrypting the file to avoid data leakage.

Malas Ransomware Attack:

The threat actor targets the victims through phishing emails, where malicious JSP documents were sent to the users of Zimbra.

Read moreAccessibility as a cyber security priority

Zimbra is an open-source software suite primarily used by organizations for email hosting, event scheduling, task management, and file sharing

These suspicious JSP files heartbeat.jsp, info.jsp, Startup1_3.jsp are uploaded to specific directories such as /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Once the user of Zimbra executes the malicious file, then the attacker will access the uploaded file from the public directory of Zimbra for further operation.

In addition to that, threat actors utilize the vulnerabilities associated with Zimbra servers such as CVE-2022-27924 (Zimbra memcache command injection), CVE-2022-27925 (Zimbra admin directory traversal), CVE-2022-30333 (UnRAR Linux/UNIX directory traversal), and CVE-2022-37042 (Zimbra auth bypass, remote code execution).

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

The group uses the “AGE” encryption tool for encrypting the files and does not append any extensions to the files, reads the report.

They host a TOR website where they posted the list of 160  victims affected by Malas ransomware and censored the image of the company’s name for confidentiality purposes.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

From the welcome greeting on their TOR website, it is clear that they are a Spanish-based threat group with a motto written in Spanish like “we are bad… we can be even worse.”

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

The ransom note in the Readme.txt demands charity donations for sending the decryptor tools and also guides how to reach them by providing their contact details.

Prevention:

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

Unlike other threat groups,malas ransomware is unique in its tactics and techniques. Since their attack on the MalasLocker Ransomware vector is unclear and targets the Zimbra server, the better practice to avoid the attack is to patch the application and update it to the latest version.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

The post MalasLocker Ransomware Attacks Users of Zimbra Servers appeared first on Cyber Security News.

   Read More 

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

Cyber Security News 

Related Posts

New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists
New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear.
The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report.
The LNK file, upon   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site