MegaCortex Sends Your Data Down the Rabbit Hole
Bite
The latest in a long line of ransomware variants, MegaCortex takes its name from a particular Keanu Reeves movie of the late 1990s. It offers bad actors a new way to send your data down the rabbit hole.
Snack
In what is an ever-expanding list of ransomware variants, MegaCortex has burst onto the scene offering a host of new and exciting features to keep your IT security officer awake at night.
MegaCortex follows the increasingly common two-stage targeted attack. The first stage is an email that calls a script on the victim's computer; once run, the script opens a reverse shell back to the attacker and deploys PowerShell and batch scripts that unpack the executables carried in the initial payload.
Once inside the environment, the remote attacker works to obtain elevated privileges across the enterprise. Reported attacks to date all appear to stem from a compromised domain controller, from which a WMI push is made to client machines and servers. The push carries a renamed copy of the PsExec utility, which is then used to stop a long list of Windows services before launching the all-important, revenue-generating encryption process.
Once the system is fully compromised, the ransomware delivers its ransom note. In the process it also generates a file with the .TSV extension and custom DLL files.
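The chain above (a renamed PsExec pushed from one source, a batch of services stopped on each host, then encryption) leaves a recognisable footprint in the Windows System log. The Python sketch below is an added example for defenders, not code from the Sophos write-up or from the malware: it runs three hunts over Service Control Manager events, 7045 (a service was installed) and 7036 (a service changed state). One caveat worth knowing: renaming psexec.exe on the attacker's side does not change what lands on the target, which is still a PSEXESVC.exe binary registered as the PSEXESVC service unless the operator also passes PsExec's -r option, so the service-name rule is paired with a burst rule and a fan-out rule that do not depend on the name. The log line format, host names, service names, timestamps and thresholds are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Assumed shape per line:
# "<ISO timestamp> <host> <EventID> ServiceName=<name> (ImagePath=<path>|State=<state>)"
SAMPLE_LOG = """\
2019-05-03T02:14:07 FILESRV01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-05-03T02:14:08 FILESRV01 7036 ServiceName=WinDefend State=stopped
2019-05-03T02:14:08 FILESRV01 7036 ServiceName=MSSQLSERVER State=stopped
2019-05-03T02:14:09 FILESRV01 7036 ServiceName=VSS State=stopped
2019-05-03T02:14:09 FILESRV01 7036 ServiceName=SQLWriter State=stopped
2019-05-03T02:14:10 FILESRV01 7036 ServiceName=wuauserv State=stopped
2019-05-03T02:14:11 WKS-0042 7045 ServiceName=winupd1 ImagePath=%SystemRoot%\\winupd1.exe
2019-05-03T02:14:12 WKS-0042 7036 ServiceName=WinDefend State=stopped
2019-05-03T02:14:12 WKS-0042 7036 ServiceName=VSS State=stopped
2019-05-03T02:14:13 WKS-0042 7036 ServiceName=wbengine State=stopped
2019-05-03T02:14:13 WKS-0042 7036 ServiceName=SQLWriter State=stopped
2019-05-03T02:14:14 WKS-0042 7036 ServiceName=Spooler State=stopped
2019-05-03T09:30:00 WKS-0007 7045 ServiceName=gupdate ImagePath=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2019-05-03T09:31:00 WKS-0007 7036 ServiceName=gupdate State=stopped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) ServiceName=(?P<service>\S+)"
    r"(?: ImagePath=(?P<image>.+)| State=(?P<state>\S+))?$"
)


def parse_events(text):
    """Parse the assumed log shape into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed shape
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "eid": int(m["eid"]),
            "service": m["service"],
            "image": m["image"],
            "state": m["state"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_psexec_installs(events):
    """Rule A: a 7045 that registers PsExec's service. A renamed psexec.exe still
    installs PSEXESVC / PSEXESVC.exe on the target unless -r was used."""
    hits = []
    for e in events:
        if e["eid"] != 7045:
            continue
        image_name = (e["image"] or "").replace("/", "\\").rsplit("\\", 1)[-1]
        if e["service"].upper() == "PSEXESVC" or image_name.upper() == "PSEXESVC.EXE":
            hits.append((e["host"], e["service"], e["image"]))
    return hits


def find_service_stop_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Rule B: many services stopped on one host inside a short window, the
    footprint of the service-killing step before encryption. Name-independent.
    Returns {host: most stops seen in any one window} for hosts at/over threshold."""
    stops = defaultdict(list)
    for e in events:
        if e["eid"] == 7036 and e["state"] == "stopped":
            stops[e["host"]].append(e["ts"])  # already in time order
    flagged = {}
    for host, times in stops.items():
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


def find_install_fanout(events, min_hosts=2, window=timedelta(seconds=120)):
    """Rule C: new services installed on several hosts within one window, as when
    one source (here, a domain controller) pushes the same tool across the estate."""
    installs = [e for e in events if e["eid"] == 7045]
    groups, i = [], 0
    while i < len(installs):
        j, hosts = i, set()
        while j < len(installs) and installs[j]["ts"] - installs[i]["ts"] <= window:
            hosts.add(installs[j]["host"])
            j += 1
        if len(hosts) >= min_hosts:
            groups.append(frozenset(hosts))
        i = j
    return groups


def analyse(log_text):
    events = parse_events(log_text)
    return {
        "psexec_installs": find_psexec_installs(events),
        "stop_bursts": find_service_stop_bursts(events),
        "install_fanout": find_install_fanout(events),
    }


if __name__ == "__main__":
    for rule, result in analyse(SAMPLE_LOG).items():
        print(f"{rule}: {result}")
```

On the constructed sample, rule A catches only FILESRV01, where the default service name survived; WKS-0042 received a renamed service and is caught by the stop burst and by the two-host fan-out instead, while the lone Google Update install on WKS-0007 trips nothing. Thresholds would need tuning against a real estate's baseline of routine service restarts.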
Meal
Read more in this Sophos News article, “MegaCortex” ransomware wants to be The One.
Xwo: Malware with Vulnerability Scanning Included
Bite
How better to automate attacks? Write malware which actively seeks out vulnerabilities across websites and online services of course.
Snack
Xwo is a newly discovered malware variant that adds another step of automation for attackers seeking to compromise websites. It works by scanning online services with an arsenal of features borrowed from other botnets, worms and malware families.
Once a weakness has been found, Xwo hunts for credentials, data and, of course, backups, and reports what it finds to the attackers in a series of HTTP POST requests. The targets are high-value databases; the reconnaissance lays the groundwork for extracting the data and issuing a ransom note for its safe return.
Meal
For more on this, see the ZDNet article, This new malware is scanning the internet for systems info on valuable targets.