Source: ProofPoint
Identifier: 8590307
Publication date: 2024-10-02 07:46:25 (viewed: 2024-10-02 09:17:24)
Title: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Text:
What happened
Proofpoint researchers identified a campaign impersonating the British postal carrier Royal Mail delivering Prince ransomware. Prince is a ransomware variant freely available on GitHub with a “disclaimer” that it is only designed for educational purposes.
The campaign occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations.
Notably, in most cases the messages appear to originate via contact forms posted on the target organizations' websites, indicating the actor does not exclusively target organizations via email directly, but also through public contact forms.
Additionally, it appears there are no decryption mechanisms once files are encrypted, and there is no capability for data exfiltration, so the ultimate outcome of the attack would be destructive rather than that of typical ransomware.
Campaign details
The emails all contained a sender or reply-to Proton Mail email address, using different email addresses for each message and contact form submission.
Email lure impersonating Royal Mail.
Royal Mail is a brand regularly impersonated by malicious actors. The company provides a helpful list of common scams to watch out for that abuse their brand.
Messages contained a unique PDF attachment that also impersonated Royal Mail. The PDF included a link that led to the download of a ZIP file hosted on Dropbox (ex. PACKAGE-0074752.zip).
PDF containing a Dropbox URL.
The ZIP contained another password-protected ZIP file (ex: invoice.zip) and a text file (ex: privacy notice.txt) that contained the password needed to open the password-protected ZIP file.
Content of downloaded ZIP file which contains second ZIP and “privacy notice” text file.
The second ZIP file contained a shortcut (LNK) file which, if executed, extracted JavaScript embedded in the shortcut itself and ran it, by performing the following functions:
It tried to locate the shortcut file in either the %temp% or the current directory and assigned the path to a variable via a “for loop”
It used the “findstr” command to find the JavaScript code embedded in the shortcut, wrote it to a file (for clarity we will call it JS1.js) in %temp%, and executed it using WScript
Example of “for loop” used in the shortcut.
Shortcut opened in Hex editor.
The JavaScript, which is heavily obfuscated, performed the following actions:
It wrote four files to %temp% directory with seemingly random names. For readability we will call them: PS1.ps1, PS2.ps1, PS3.ps1, and JS2.js.
It used PowerShell to run PS1.ps1 and PS2.ps1
Example PowerShell command initiated by the JavaScript code:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -nop -c "\PS1.ps1"
PS1.ps1 was a highly obfuscated version of a well-known AMSI Bypass. In the sample analyzed, it was de-obfuscated to:
[Ref].Assembly.GetType('System.Management.Automation.Utils.Amsi').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
PS2.ps1 was a highly obfuscated version of a well-documented Windows Connection Manager UAC bypass. This essentially wrote an INF file and opened it with Windows Connection Manager (CMSTP) to invoke WScript to run the previously created JS2.js.
JS2.js again ran the PS1.ps1 AMSI Bypass, and then ran PS3.ps1. PS3.ps1, which was again heavily obfuscated, did the following:
Deleted all previously dropped files
Wrote three Base64 strings to the registry (keys varied between the scripts)
Used PowerShell to create a Scheduled Task that ran every 20 minutes, but only if the computer was connected to power and had been idle for 15 minutes, meaning the first run was, at the earliest, after 20 minutes
The Scheduled Task ran an encoded PowerShell command that:
Created an AES decrypt function that used the AES key and
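As an added defender-side example (not part of Proofpoint's brief), a small Python correlation over constructed process-creation events that flags the parent/child relationships this chain produces: cmd.exe running findstr against a .lnk, wscript.exe launching powershell.exe with -ep bypass and -nop, and cmstp.exe spawning wscript.exe. The event field names (host, parent, image, cmdline), the sample paths and the benign event are assumptions; the brief does not disclose the findstr pattern or the shortcut's file name, so those appear as PLACEHOLDER.

```python
import re
from collections import defaultdict

# One rule per stage of the chain in the brief: (name, parent, image, cmdline regex).
RULES = [
    # LNK stage: the shortcut's command runs findstr against the .lnk to carve out JS1.js
    ("lnk_findstr_extract", r"cmd\.exe$", r"findstr\.exe$", r"\.lnk\b"),
    # JS1.js stage: WScript launches PowerShell with both -ep bypass and -nop
    ("wscript_to_powershell_bypass", r"wscript\.exe$", r"powershell\.exe$",
     r"(?=.*-ep\s+bypass)(?=.*-nop)"),
    # PS2.ps1 stage: CMSTP (the UAC bypass) spawns WScript to run JS2.js
    ("cmstp_spawns_wscript", r"cmstp\.exe$", r"wscript\.exe$", r""),
]
COMPILED = [(n, re.compile(p, re.I), re.compile(i, re.I), re.compile(c, re.I))
            for n, p, i, c in RULES]

def match_stages(event):
    """Names of every stage whose parent, image and cmdline patterns all match."""
    return [name for name, p, i, c in COMPILED
            if p.search(event["parent"]) and i.search(event["image"])
            and c.search(event["cmdline"])]

def correlate(events, min_stages=2):
    """Flag a host once `min_stages` distinct chain stages have been seen on it.

    A lone findstr or CMSTP launch is common enough to be noise; two or more
    stages on one host is not. Returns {host: sorted stage names} for flagged hosts."""
    seen = defaultdict(set)
    for ev in events:
        for stage in match_stages(ev):
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample telemetry in assumed EDR/Sysmon-style fields (not captured data).
# PLACEHOLDER stands in for values the brief does not disclose.
T = r"C:\Users\u\AppData\Local\Temp"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": rf"{S32}\cmd.exe", "image": rf"{S32}\findstr.exe",
     "cmdline": rf'findstr "PLACEHOLDER" {T}\PLACEHOLDER.lnk'},
    {"host": "ws01", "parent": rf"{S32}\wscript.exe",
     "image": rf"{S32}\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": rf'powershell.exe -ep bypass -nop -c "{T}\PS1.ps1"'},
    {"host": "ws01", "parent": rf"{S32}\cmstp.exe", "image": rf"{S32}\wscript.exe",
     "cmdline": rf"wscript.exe {T}\JS2.js"},
    # Benign: an admin's interactive PowerShell from Explorer, no bypass switches
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": rf"{S32}\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -NoLogo"},
]
```

Only ws01 is flagged, because all three stages fire there while ws02 matches none; lowering `min_stages` to 1 trades that precision for earlier alerting on the first stage alone.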
Notes: ★★
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat