In a recent incident response case, Kaspersky dealt with a variant of the Mimic ransomware with some interesting customization features.
The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon). The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands. This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, Kaspersky researchers provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.
Read more…
Source: Kaspersky
Related:
- 80,000 printers are exposing their IPP port online
June 23, 2020
For years, security researchers have warned that every device left exposed online without being protected by a firewall is an attack surface. Hackers can deploy exploits to forcibly take control over the device, or they can just connect to the exposed port if no authentication is required. Devices hacked this way are often enslaved in malware botnets, ...
- New WastedLocker ransomware demands payments of millions of USD
June 23, 2020
Evil Corp, one of the biggest malware operations on the internet, has slowly returned to life after several of its members were charged by the US Department of Justice in December 2019. In a report shared with ZDNet today, Fox-IT, a division within the NCC Group, has detailed the group’s latest activities following the DOJ charges. The Evil Corp group, also known ...
- Sodinokibi Ransomware Now Scans Networks For PoS Systems
June 23, 2020
Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims’ networks for credit card or point of sale (PoS) software. Researchers believe this is a new tactic designed to allow attackers to get the biggest bang for their buck – ransom payments and credit card data. The compromise of PoS software ...
- Oh, what a boot-iful mornin’
June 23, 2020
In mid-April, Kaspersky threat monitoring systems detected malicious files being distributed under the name “on the new initiative of the World Bank in connection with the coronavirus pandemic” (in Russian) with the extension EXE or RAR. Inside the files was the well-known Rovnix bootkit. There is nothing new about cybercriminals exploiting the coronavirus topic; the ...
- Ripple20 Vulnerability Mitigation Best Practices
June 22, 2020
On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors. This set of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck has been dubbed “Ripple20” by researchers from JSOF. A networking stack is a software component that provides ...
- XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers
June 22, 2020
Researchers at Trend Micro have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A). Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known ...