Thursday, March 28, 2024

New Version of GandCrab Ransomware Attacks via Compromised Websites Using SMB Exploit Spreader

A new version of GandCrab ransomware has been discovered that attacks target systems using an SMB exploit spreader through compromised websites that pose as download sites.

GandCrab is a widely spreading ransomware that is under constant development and is regularly updated with new features to target various countries.

The GandCrab attackers scan internet web pages widely to find vulnerable websites and leverage them to distribute the ransomware at scale.

This new version of GandCrab contains a long hard-coded list of compromised websites that it connects to.

The attackers use a specific pseudo-random algorithm to choose from predefined words and generate the complete URL for each host. The final URL is generated in the following format: www.{host}.com/data/tmp/sokakeme.jpg.

Once the malware obtains the data, it connects to the URL and sends encrypted (and base64-encoded) victim data such as IP address, user name, computer name, network domain, list of installed AVs, operating system, processor architecture, network and local drives, etc.

Later on, GandCrab kills a specific list of processes such as msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe, oracle.exe, synctime.exe, etc. to ensure the full encryption of targeted files.

Killing these processes helps ensure that the encryption routine completes its goal without any interruptions.
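For defenders, the process-killing step is a usable signal: one program terminating several database and sync services within seconds. The following is an added example, not code from the original article or from Fortinet. The event format, sample lines, file paths, the 60-second window and the threshold of three are all constructed assumptions; only the process names come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names from the article's list (the article's list ends in "etc").
WATCHED = {"msftesql.exe", "sqlagent.exe", "sqlbrowser.exe",
           "sqlwriter.exe", "oracle.exe", "synctime.exe"}

# Constructed sample events in a hypothetical "time,actor,terminated" format.
SAMPLE_EVENTS = """\
2024-03-28T10:00:01,C:\\Windows\\System32\\services.exe,sqlwriter.exe
2024-03-28T10:14:30,C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe,MSFTESQL.EXE
2024-03-28T10:14:31,C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe,sqlagent.exe
2024-03-28T10:14:31,C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe,notepad.exe
2024-03-28T10:14:32,C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe,oracle.exe
2024-03-28T11:30:00,C:\\Tools\\dbadmin.exe,sqlagent.exe
2024-03-28T12:45:00,C:\\Tools\\dbadmin.exe,sqlbrowser.exe
"""

def parse_events(text):
    """Yield (timestamp, actor, target) per non-empty line, names lower-cased."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.strip().split(",", 1)
        actor, target = rest.rsplit(",", 1)  # actor path may contain commas
        yield datetime.fromisoformat(ts), actor.lower(), target.lower()

def find_kill_bursts(events, window=timedelta(seconds=60), min_distinct=3):
    """Return {actor: sorted watched names} for actors that terminated at least
    min_distinct different watched processes inside one sliding window."""
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        if target in WATCHED:
            by_actor[actor].append((ts, target))
    alerts = {}
    for actor, kills in by_actor.items():
        kills.sort()
        start = 0
        for end in range(len(kills)):
            while kills[end][0] - kills[start][0] > window:
                start += 1  # shrink window from the left
            names = {name for _, name in kills[start:end + 1]}
            if len(names) >= min_distinct:
                alerts[actor] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    print(find_kill_bursts(parse_events(SAMPLE_EVENTS)))
```

Counting distinct names rather than raw events keeps a service that restarts and is stopped repeatedly from triggering the alert on its own.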

GandCrab Ransomware Attack – SMB Exploit

Various reports claim that this version of the GandCrab malware can self-propagate via an “SMB exploit”, which was also used to propagate the WannaCry and Petya/NotPetya ransomware attacks in the second quarter of last year.

The changes are extensive: the code structure of GandCrab was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

Based on the investigation report, a module called “network f**ker” is supposed to be responsible for performing the SMB exploit.

According to Fortinet, “in spite of this string, we could not find any actual function that resembles the reported exploit capability. Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

“We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative,” Fortinet said.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
