Wednesday, July 24, 2024
EHA

A Fileless Ransomware Called “SOREBRECT” Discovered with Code Injection Capability that Encrypts local and Network Share Files

A  Fileless Ransomware “SOREBRECT”  Discovered that have the capability to inject the Malicious code into the target and Encrypt the victim’s data. its PsExec utility lets you execute processes on other systems.

SOREBRECT developed with more stealthy and self-destruct routine capability make it as  Fileless Malware. Before terminating the main Binary  it executes the encryption routine to inject the code into legitimate process called svchost.exe

It’s Evasion Technique  Avoid Detection and Difficult to Deleted from affecting systems event logs other tracking artifacts that forensics information such as files executed on the system, including their timestamps.

These stealthy functions help to  SOREBRECT activities from being tracked.

Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Attack Chain

Windows command-line helps to execute commands or run executable files on the remote system by the administrator which is Performed by SOREBRECT’s legitimate attack chain involves the abuse of PsExec.

Fileless SOREBRECT Discovered with Code Injection Capability

SOREBRECT’s attack chain  {Credit: Trend Micro}

Once PsExec performs to execute the code into the victim’s machine, it indicates that the administrator account has been already compromised and brute force the remote Target credentials.

According to Trend Micro Report, SOREBRECT is not a first threat Family that misuses the psExec to inject and execute the legitimate code. Before this ransomware, SAMSAM, Petya  Ransomware family already misuses this Function.

“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”

It’s self-terminating capability help to makes this Ransomware into Fileless after injecting the code into the memory.

RDP vs PsExec Performance

The attacker uses both Remote Desktop Protocol and PsExec to inject the SOREBRECT into affected target.

Also Read Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept

Compare to RDP, PsExec is simpler and can take advantage of SOREBRECT’s Fileless and code injection capabilities.

This attack performs more evasive by its code injection capability.

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”

Finally, SOREBRECT encrypting the files on the local machine and network shares by inject the svhost.exe process and execute the payload by using TOR  anonymously communicate with Command & Control server (C&C Server).

According to Trend Micro Investigation, SOREBRECT Distributed across Middle Eastern countries like Kuwait and Lebanon, Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

Also Affected industries include manufacturing, technology, and telecommunications.

Website

Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles