Saturday, September 7, 2024
HomeCyber AttackAlpha Ransomware Uses Living-Off-The-Land Tools To Attack Windows Computers

Alpha Ransomware Uses Living-Off-The-Land Tools To Attack Windows Computers

Published on

Ransomware utilizes living-off-the-land tools in Windows attacks for stealth and evasion. They can blend in with normal system activities by leveraging legitimate, built-in tools like PowerShell or Windows Management Instrumentation (WMI).

This stealthy move makes it harder for security measures to detect and block their malicious actions. This process improves the effectiveness of ransomware campaigns by exploiting trusted tools already present in the targeted systems.

Cybersecurity researchers at Symantec recently discovered that Alpha ransomware uses living-off-the-land tools to attack Windows computers.

- Advertisement - EHA

You can analyze such malware files, networks, modules, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Alpha Ransomware Living-Off-The-Land Tools

New ransomware Alpha that emerged in Feb 2023 resembles old NetWalker, which vanished in Jan 2021 post-law enforcement action. However, Alpha has intensified attacks lately.

Alpha mirrors the NetWalker code, and both employ a PowerShell loader for payload delivery by featuring actual code that overlaps in their payloads.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

  • Outline the main functionality execution flow for both payloads.
  • Single thread handles process and service termination.
  • Resolved APIs with differing hashes but a similar list.
  • Similar configurations include their lists of skipped items, processes, and services.
  • Self-deletion via temporary batch file post-encryption.
  • Matching payment portals with the “For enter, please use user code” message.
Payment portals for NetWalker (left) and Alpha (right) (Source – Symantec)

Here below, we have mentioned all the identical list of processes of NetWalker and Alpha to kill:-

NetWalker and Alpha have virtually identical lists of processes to kill (Source – Symantec)

Living-Off-The-Land Tools

According to the report, Alpha surfaced quietly in February 2023 but now amps up operations by unveiling a data leak site. Recent Alpha attacks showcase heavy use of living-off-the-land tools.

Here below, we have mentioned all the living-off-the-land tools:-

  • Taskkill: Windows command-line tool that can end one or more tasks or processes. 
  • PsExec: Microsoft Sysinternals tool for executing processes on other systems. Attackers primarily use the tool to move laterally on victim networks.
  • Net.exe: Microsoft tool that can stop and start the IPv6 protocol. 
  • Reg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.

NetWalker led the early ransomware wave, which raked in $27.6 million. After a law enforcement break, it seemed gone. 

But Alpha’s similarity hints at a revival – either by original developers or new attackers modifying NetWalker’s payload for their ransomware venture.

Also, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

IoCs

  • 46569bf23a2f00f6bac5de6101b8f771feb972d104633f84e13d9bc98b844520 – PowerShell loader
  • 6462b8825e02cf55dc905dd42f0b4777dfd5aa4ff777e3e8fe71d57b7d9934e7 – PowerShell loader
  • 6e204e39121109dafcb618b33191f8e977a433470a0c43af7f39724395f1343e – PowerShell loader
  • 89bfcbf74607ad6d532495de081a1353fc3cf4cd4a00df7b1ba06c10c2de3972 – PowerShell loader
  • e43b1e06304f39dfcc5e59cf42f7a17f3818439f435ceba9445c56fe607d59ea – PowerShell loader
  • e573d2fec8731580ab620430f55081ceb7153d0344f2094e28785950fb17f499 – Alpha ransomware loader
  • e68dd7f20cd31309479ece3f1c8578c9f93c0a7154dcf21abce30e75b25da96b – Alpha ransomware loader
  • ab317c082c910cfe89214b31a0933eaab6c766158984f7aafb9943aef7ec6cbb – Alpha ransomware loader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...