Technical analysis of the malware

Following the detection by our partners of recent ransomware activity in Asia, Stormshield’s Cyber Threat Intelligence team conducted an in-depth analysis of this sample. This malware is part of a family already identified by other cybersecurity players as “Crypt888”, “Strictor”, “Nymeria” and others. The return of this malware is an opportunity for Stormshield Customer Security Lab to provide the technical background to this ransomware attack.

We’ll see in this article that “888” echoes a technical feature of the malware.


Initial vector of the ransomware attack Crypt888

We obtained two samples and analyzed them:

  • 2e0f1385a0eb72f189c3d3cffa38020d71370ab621139c5688647c5bab6bc7f2
  • ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813

We have observed two forms of the initial phase of the attack: in the first, the file poses as an installer for the Google Chrome web browser, in the other it poses as a PDF document.

In the case of the Google Chrome browser installer, the malware takes the form of an executable with the Google Chrome icon.

In the case of the PDF document, the file is also an executable, but with a double extension. It is named "Academics.pdf.exe", but with the default settings of a Windows session, File Explorer hides known file extensions (here, .exe). Visually, with no extension shown and a very suggestive icon, the user doesn't realize that they are dealing with an executable rather than a PDF document.
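As an added illustration (not code from Stormshield's analysis), the following Python shows what a user sees under the hide-known-extensions default versus the real extension, and flags double-extension names of the "document.ext.exe" kind in a constructed directory listing. The extension sets are assumptions for the example, not an exhaustive list of what Windows treats as executable or registered.

```python
"""Flag filenames that rely on Explorer's hide-known-extensions default
to pass an executable off as a document (e.g. "Academics.pdf.exe")."""
from pathlib import PureWindowsPath

# Extensions Windows runs directly on double-click (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Extensions a user expects to open as a document or image (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".jpeg", ".png", ".gif"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer renders it. With the default setting the last
    registered extension is dropped, so 'Academics.pdf.exe' shows as
    'Academics.pdf'; with extensions visible the full name is shown."""
    name = PureWindowsPath(filename).name
    ext = PureWindowsPath(name).suffix
    if hide_known_ext and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return name[: -len(ext)]
    return name


def disguise_info(filename: str):
    """Return (real_ext, decoy_ext) when the final extension is executable
    and the one before it is a document type; otherwise None.
    Case-insensitive, so 'Academics.PDF.EXE' is caught too."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return None          # single extension: nothing to disguise
    real, decoy = suffixes[-1], suffixes[-2]
    if real in EXECUTABLE_EXTS and decoy in DOCUMENT_EXTS:
        return real, decoy
    return None


def scan(filenames):
    """Return (name, name_as_shown, real_extension) for each disguised file."""
    findings = []
    for f in filenames:
        info = disguise_info(f)
        if info:
            findings.append((f, displayed_name(f), info[0]))
    return findings


if __name__ == "__main__":
    # Constructed listing: one genuine PDF, one lure, one legitimate installer.
    listing = ["Academics.pdf.exe", "syllabus.pdf", "ChromeSetup.exe"]
    for name, shown, real in scan(listing):
        print(f"{name!r} is shown as {shown!r} but runs as {real}")
```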
