Wednesday, January 15, 2025
HomeRansomwareNew Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit...

New Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit Spreader

Published on

The new version of GandCrab ransomware discovered that attack the target system using SMB exploit spreader through compromised websites that posed as a download site.

GandCrab Ransomware Attack is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.

Gandcrab Ransomware attackers widely scanning the internet web pages to find out the vulnerable websites and leverage it to distribute the ransomware in wide.

This new version of Gandcrab contains the long hard-coded list of compromised websites that used to connect with it.

The attacker using a specific pseudo-random algorithm to choose the predefined word to generate Complete URL for each host and the final URL generated by following format  www.{host}.com/data/tmp/sokakeme.jpg.

Once the malware obtains the data, it connects to the URL  sends encrypted (and base64-encoded) victim data such as  IP Address, User name, Computer name,   Network DOMAIN, List of Installed AVs,  Operating System, Processor Architecture, Network and Local Drives etc.

Later on, GandCrab Ransomware Attack kill the specific listed of the process such as msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe,  oracle.exe,  synctime.exe, etc to ensure the full encryption of targeted files.

This killing process operation would helps to ensure that encryption routine to successfully complete its goal without any interruptions.

GandCrab Ransomware Attack – SMB Exploit

A various reports claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit” which is also used to propagate for  WannaCry and Petya/NotPeta ransomware attacks in the second quarter of last year.

The new extent of the changes. The code structure of the GandCrab Ransomware Attack was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

Based on the investigation report, a module called “network f**ker” is supposed to be responsible for performing the SMB exploit.

According to Fortinet, in spite of this string, we could not find any actual function that resembles the reported exploit capability.  Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.

“We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative. Fortinet said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...

New Great Morpheus Hacker Group Claims Hacking Into Arrotex Pharmaceuticals And PUS GmbH

A Data Leak Site (DLS) belonging to a new extortion group named Morpheus, which...

1000’s Of SonicWall Devices Remain Vulnerable To CVE-2024-40766

A recent investigation revealed that the Akira and Fog ransomware groups are actively exploiting...