Sunday, November 17, 2024
HomeCyber AttackAlpha Ransomware Uses Living-Off-The-Land Tools To Attack Windows Computers

Alpha Ransomware Uses Living-Off-The-Land Tools To Attack Windows Computers

Published on

Ransomware utilizes living-off-the-land tools in Windows attacks for stealth and evasion. They can blend in with normal system activities by leveraging legitimate, built-in tools like PowerShell or Windows Management Instrumentation (WMI).

This stealthy move makes it harder for security measures to detect and block their malicious actions. This process improves the effectiveness of ransomware campaigns by exploiting trusted tools already present in the targeted systems.

Cybersecurity researchers at Symantec recently discovered that Alpha ransomware uses living-off-the-land tools to attack Windows computers.

- Advertisement - SIEM as a Service

You can analyze such malware files, networks, modules, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Alpha Ransomware Living-Off-The-Land Tools

New ransomware Alpha that emerged in Feb 2023 resembles old NetWalker, which vanished in Jan 2021 post-law enforcement action. However, Alpha has intensified attacks lately.

Alpha mirrors the NetWalker code, and both employ a PowerShell loader for payload delivery by featuring actual code that overlaps in their payloads.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

  • Outline the main functionality execution flow for both payloads.
  • Single thread handles process and service termination.
  • Resolved APIs with differing hashes but a similar list.
  • Similar configurations include their lists of skipped items, processes, and services.
  • Self-deletion via temporary batch file post-encryption.
  • Matching payment portals with the “For enter, please use user code” message.
Payment portals for NetWalker (left) and Alpha (right) (Source – Symantec)

Here below, we have mentioned all the identical list of processes of NetWalker and Alpha to kill:-

NetWalker and Alpha have virtually identical lists of processes to kill (Source – Symantec)

Living-Off-The-Land Tools

According to the report, Alpha surfaced quietly in February 2023 but now amps up operations by unveiling a data leak site. Recent Alpha attacks showcase heavy use of living-off-the-land tools.

Here below, we have mentioned all the living-off-the-land tools:-

  • Taskkill: Windows command-line tool that can end one or more tasks or processes. 
  • PsExec: Microsoft Sysinternals tool for executing processes on other systems. Attackers primarily use the tool to move laterally on victim networks.
  • Net.exe: Microsoft tool that can stop and start the IPv6 protocol. 
  • Reg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.

NetWalker led the early ransomware wave, which raked in $27.6 million. After a law enforcement break, it seemed gone. 

But Alpha’s similarity hints at a revival – either by original developers or new attackers modifying NetWalker’s payload for their ransomware venture.

Also, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

IoCs

  • 46569bf23a2f00f6bac5de6101b8f771feb972d104633f84e13d9bc98b844520 – PowerShell loader
  • 6462b8825e02cf55dc905dd42f0b4777dfd5aa4ff777e3e8fe71d57b7d9934e7 – PowerShell loader
  • 6e204e39121109dafcb618b33191f8e977a433470a0c43af7f39724395f1343e – PowerShell loader
  • 89bfcbf74607ad6d532495de081a1353fc3cf4cd4a00df7b1ba06c10c2de3972 – PowerShell loader
  • e43b1e06304f39dfcc5e59cf42f7a17f3818439f435ceba9445c56fe607d59ea – PowerShell loader
  • e573d2fec8731580ab620430f55081ceb7153d0344f2094e28785950fb17f499 – Alpha ransomware loader
  • e68dd7f20cd31309479ece3f1c8578c9f93c0a7154dcf21abce30e75b25da96b – Alpha ransomware loader
  • ab317c082c910cfe89214b31a0933eaab6c766158984f7aafb9943aef7ec6cbb – Alpha ransomware loader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...