Categories: Ransomware

A Fileless Ransomware Called “SOREBRECT” Discovered with Code Injection Capability that Encrypts local and Network Share Files

A  Fileless Ransomware “SOREBRECT”  Discovered that have the capability to inject the Malicious code into the target and Encrypt the victim’s data. its PsExec utility lets you execute processes on other systems.

SOREBRECT developed with more stealthy and self-destruct routine capability make it as  Fileless Malware. Before terminating the main Binary  it executes the encryption routine to inject the code into legitimate process called svchost.exe

It’s Evasion Technique  Avoid Detection and Difficult to Deleted from affecting systems event logs other tracking artifacts that forensics information such as files executed on the system, including their timestamps.

These stealthy functions help to  SOREBRECT activities from being tracked.

Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Attack Chain

Windows command-line helps to execute commands or run executable files on the remote system by the administrator which is Performed by SOREBRECT’s legitimate attack chain involves the abuse of PsExec.

SOREBRECT’s attack chain  {Credit: Trend Micro}

Once PsExec performs to execute the code into the victim’s machine, it indicates that the administrator account has been already compromised and brute force the remote Target credentials.

According to Trend Micro Report, SOREBRECT is not a first threat Family that misuses the psExec to inject and execute the legitimate code. Before this ransomware, SAMSAM, Petya  Ransomware family already misuses this Function.

“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”

It’s self-terminating capability help to makes this Ransomware into Fileless after injecting the code into the memory.

RDP vs PsExec Performance

The attacker uses both Remote Desktop Protocol and PsExec to inject the SOREBRECT into affected target.

Also Read Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept

Compare to RDP, PsExec is simpler and can take advantage of SOREBRECT’s Fileless and code injection capabilities.

This attack performs more evasive by its code injection capability.

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”

Finally, SOREBRECT encrypting the files on the local machine and network shares by inject the svhost.exe process and execute the payload by using TOR  anonymously communicate with Command & Control server (C&C Server).

According to Trend Micro Investigation, SOREBRECT Distributed across Middle Eastern countries like Kuwait and Lebanon, Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

Also Affected industries include manufacturing, technology, and telecommunications.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

View Comments

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago