Categories: Ransomware

A Fileless Ransomware Called “SOREBRECT” Discovered with Code Injection Capability that Encrypts local and Network Share Files

A  Fileless Ransomware “SOREBRECT”  Discovered that have the capability to inject the Malicious code into the target and Encrypt the victim’s data. its PsExec utility lets you execute processes on other systems.

SOREBRECT developed with more stealthy and self-destruct routine capability make it as  Fileless Malware. Before terminating the main Binary  it executes the encryption routine to inject the code into legitimate process called svchost.exe

It’s Evasion Technique  Avoid Detection and Difficult to Deleted from affecting systems event logs other tracking artifacts that forensics information such as files executed on the system, including their timestamps.

These stealthy functions help to  SOREBRECT activities from being tracked.

Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Attack Chain

Windows command-line helps to execute commands or run executable files on the remote system by the administrator which is Performed by SOREBRECT’s legitimate attack chain involves the abuse of PsExec.

SOREBRECT’s attack chain  {Credit: Trend Micro}

Once PsExec performs to execute the code into the victim’s machine, it indicates that the administrator account has been already compromised and brute force the remote Target credentials.

According to Trend Micro Report, SOREBRECT is not a first threat Family that misuses the psExec to inject and execute the legitimate code. Before this ransomware, SAMSAM, Petya  Ransomware family already misuses this Function.

“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”

It’s self-terminating capability help to makes this Ransomware into Fileless after injecting the code into the memory.

RDP vs PsExec Performance

The attacker uses both Remote Desktop Protocol and PsExec to inject the SOREBRECT into affected target.

Also Read Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept

Compare to RDP, PsExec is simpler and can take advantage of SOREBRECT’s Fileless and code injection capabilities.

This attack performs more evasive by its code injection capability.

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”

Finally, SOREBRECT encrypting the files on the local machine and network shares by inject the svhost.exe process and execute the payload by using TOR  anonymously communicate with Command & Control server (C&C Server).

According to Trend Micro Investigation, SOREBRECT Distributed across Middle Eastern countries like Kuwait and Lebanon, Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

Also Affected industries include manufacturing, technology, and telecommunications.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

View Comments

Recent Posts

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

21 minutes ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

29 minutes ago

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

53 minutes ago

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…

1 hour ago

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

17 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

17 hours ago