Fileless SOREBRECT Discovered with Code Injection Capability

A  Fileless Ransomware “SOREBRECT”  Discovered that have the capability to inject the Malicious code into the target and Encrypt the victim’s data. its PsExec utility lets you execute processes on other systems.

SOREBRECT developed with more stealthy and self-destruct routine capability make it as  Fileless Malware. Before terminating the main Binary  it executes the encryption routine to inject the code into legitimate process called svchost.exe

It’s Evasion Technique  Avoid Detection and Difficult to Deleted from affecting systems event logs other tracking artifacts that forensics information such as files executed on the system, including their timestamps.

These stealthy functions help to  SOREBRECT activities from being tracked.

Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Attack Chain

Windows command-line helps to execute commands or run executable files on the remote system by the administrator which is Performed by SOREBRECT’s legitimate attack chain involves the abuse of PsExec.

Fileless SOREBRECT Discovered with Code Injection Capability

SOREBRECT’s attack chain  {Credit: Trend Micro}

Once PsExec performs to execute the code into the victim’s machine, it indicates that the administrator account has been already compromised and brute force the remote Target credentials.

According to Trend Micro Report, SOREBRECT is not a first threat Family that misuses the psExec to inject and execute the legitimate code. Before this ransomware, SAMSAM, Petya  Ransomware family already misuses this Function.

“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”

It’s self-terminating capability help to makes this Ransomware into Fileless after injecting the code into the memory.

RDP vs PsExec Performance

The attacker uses both Remote Desktop Protocol and PsExec to inject the SOREBRECT into affected target.

Also Read Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept

Compare to RDP, PsExec is simpler and can take advantage of SOREBRECT’s Fileless and code injection capabilities.

This attack performs more evasive by its code injection capability.

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”

Finally, SOREBRECT encrypting the files on the local machine and network shares by inject the svhost.exe process and execute the payload by using TOR  anonymously communicate with Command & Control server (C&C Server).

According to Trend Micro Investigation, SOREBRECT Distributed across Middle Eastern countries like Kuwait and Lebanon, Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

Also Affected industries include manufacturing, technology, and telecommunications.