Categories: Ransomware

New Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit Spreader

The new version of GandCrab ransomware discovered that attack the target system using SMB exploit spreader through compromised websites that posed as a download site.

GandCrab Ransomware Attack is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.

Gandcrab Ransomware attackers widely scanning the internet web pages to find out the vulnerable websites and leverage it to distribute the ransomware in wide.

This new version of Gandcrab contains the long hard-coded list of compromised websites that used to connect with it.

The attacker using a specific pseudo-random algorithm to choose the predefined word to generate Complete URL for each host and the final URL generated by following format  www.{host}.com/data/tmp/sokakeme.jpg.

Once the malware obtains the data, it connects to the URL  sends encrypted (and base64-encoded) victim data such as  IP Address, User name, Computer name,   Network DOMAIN, List of Installed AVs,  Operating System, Processor Architecture, Network and Local Drives etc.

Later on, GandCrab Ransomware Attack kill the specific listed of the process such as msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe,  oracle.exe,  synctime.exe, etc to ensure the full encryption of targeted files.

This killing process operation would helps to ensure that encryption routine to successfully complete its goal without any interruptions.

GandCrab Ransomware Attack – SMB Exploit

A various reports claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit” which is also used to propagate for  WannaCry and Petya/NotPeta ransomware attacks in the second quarter of last year.

The new extent of the changes. The code structure of the GandCrab Ransomware Attack was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

Based on the investigation report, a module called “network f**ker” is supposed to be responsible for performing the SMB exploit.

According to Fortinet, in spite of this string, we could not find any actual function that resembles the reported exploit capability.  Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.

“We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative. Fortinet said.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago