One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 397413
Publication date: 2017-08-16 13:00:00 (seen: 2017-08-16 13:00:00)
Title: GlobeImposter Ransomware on the Rise
Text: Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it’s the Beach Boys’ “I Get Around” (1964), Springsteen’s “Dancing in the Dark” (1984), or Pearl Jam’s “Last Kiss” (1999), the summer anthem is transcendent, yet perfectly emblematic of its time. If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn’t that be catchy? That’s because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now there’s a new ransomware remix topping the charts: GlobeImposter 2.0.

Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we’ve seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it’s important to understand how the ransomware initiates, spreads, and evades detection.

GlobeImposter Ransomware at a Glance
Distribution Method: Malicious email attachment (MalSpam)
Type: Trojan
Target: Windows systems
Variants: many (see below)

How GlobeImposter Works
The recent GlobeImposter attacks have largely been traced to MalSpam campaigns, that is, emails carrying malicious attachments. In this case, the email messages appear to contain a .zip attachment of a payment receipt which, in reality, contains a .vbs or .js malware downloader file. Sample email subject lines include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950
Once the attachment is downloaded and opened, the downloader gets and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse here. Note that some of the known malicious domains are legitimate websites that have been compromised.

Like other pieces of ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time. You can read a detailed analysis of a sample of GlobeImposter at the Fortinet blog, here, and at Malware Traffic Analysis, here.

GlobeImposter Variants on the Rise
What’s striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants of the ransomware. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file e
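The delivery chain described above (a receipt-themed subject, a .zip attachment, a .vbs or .js downloader inside it) is easy to turn into a mail-gateway triage check. The following is an added example written for this review, not AlienVault's code or anything from the OTX pulse: it matches the subject lures listed in the article with a regex that generalizes their numbering, opens each .zip attachment in memory, and flags script files inside. The sample messages, the zip contents, the extra extensions beyond .vbs/.js, and the block/review/pass thresholds are all constructed assumptions for illustration.

```python
"""Mail triage check for the GlobeImposter MalSpam pattern (added example).

Flags a message when its subject matches the receipt/payment lures quoted in
the article and/or a .zip attachment carries a script downloader.
"""
import io
import re
import zipfile

# Subjects from the article: "Receipt#83396", "Payment-421", "Payment Receipt_8812", ...
# The regex generalizes the separator (#, _, space, dash) and the digit run.
LURE_SUBJECT = re.compile(
    r"^(?:payment[ -]?)?receipt[#_ -]?\d+$|^payment-\d+$", re.IGNORECASE
)

# .vbs and .js are the downloader types named in the article; the rest are
# assumed extra script extensions a gateway would normally treat the same way.
SCRIPT_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf")


def scripts_in_zip(data):
    """Return the names of script files inside a zip blob (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(subject, attachments):
    """attachments: list of (filename, bytes). Returns (verdict, reasons).

    Verdict thresholds are an assumption for this example:
    two independent indicators -> block, one -> review, none -> pass.
    """
    reasons = []
    if LURE_SUBJECT.match(subject.strip()):
        reasons.append("subject matches receipt/payment lure: %r" % subject)
    for name, data in attachments:
        if name.lower().endswith(".zip"):
            scripts = scripts_in_zip(data)
            if scripts:
                reasons.append("%s contains script file(s): %s" % (name, scripts))
    if len(reasons) >= 2:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, reasons


def make_zip(entries):
    """Build an in-memory zip from {name: text}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages (placeholder contents, not real malware).
SAMPLES = [
    ("Receipt#83396", [("receipt.zip", make_zip({"Receipt#83396.vbs": "' placeholder"}))]),
    ("Payment Receipt_8812", [("payment.zip", make_zip({"invoice.js": "// placeholder"}))]),
    ("Q3 planning notes", [("notes.zip", make_zip({"agenda.txt": "agenda"}))]),
    ("Payment-421", []),
]


def run_samples():
    """Map each sample subject to its triage verdict."""
    return {subject: triage(subject, atts)[0] for subject, atts in SAMPLES}


if __name__ == "__main__":
    for subject, atts in SAMPLES:
        verdict, reasons = triage(subject, atts)
        print(subject, "->", verdict, reasons)
```

In a real deployment the zip inspection should also cap archive size and entry count before reading, and the subject regex should be one signal among several (sender reputation, the OTX domain list the article links to) rather than a blocking rule on its own.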
Notes
Sent: Yes
Tags
Stories NotPetya Wannacry APT 32


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in an earlier one.