Analysis of Elpaco: a Mimic variant


In a recent incident response case, Kaspersky dealt with a variant of the Mimic ransomware with some interesting customization features.

The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon). The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands. This ransomware variant is named “Elpaco” and contains files with extensions of the same name. In this post, Kaspersky researchers provide details about Elpaco, in addition to those already shared, as well as the tactics, techniques and procedures (TTPs) employed by the attackers.

Source: Kaspersky

