Jcry

Cyber criminals spreading new ransomware called Jcry which is written in Go language via #OpJerusalem2019 campaign that attack Windows users to encrypt the file and demand the ransom.

#OpJerusalem2019 is recently launched a cyber attack against the Israeli Government and the private websites including Coca-Cola, ToysRUs, McDonald ’s.

In result, An anonymous hacker group compromised hundreds of websites and destroyed nearly 1 million Israeli based webpages that belong to some of the leading brands.

Attackers goal was “erasing Israel from the Internet” in protest against the Israeli government’s conduct in the Israel-Palestine conflict.

There are various attack vectors used by cybercriminals including website defacements, denial-of-service distributed attacks (DDoS), especially vulnerabilities in the 3rd party plug-ins.

This #OpJerusalem cyber attack mainly target the windows users and dropping the JCry ransomware which is distributed via defaced websites by this campaign.

A vulnerability that existing the third party accessibility plugin-in called nagich.co.il loaded malicious JavaScript code that defaced the sites and let attackers took advantage to exploit and compromise the millions of web pages.

JCry Ransomware Distribution

Once the targeted websites will be compromised then the cybercriminals placed the malicious javascript that executes and trigger the malicious Adobe update message.

Adobe update trick and force users to click “update” by displaying ”
Your version of Adobe Flash Player is outdated – Update“.

Once the unknowingly click the link then suddenly IT drops the
malicious file ” “flashplayer_install.exe” ” from hxxp://185.163.47.134.

This first .exe is a dropper Winrar SFX which contains 3 archives, Enc.exe , one of the archives responsible to encrypted all the target files from user’s devices.

According to Pedro Tavares from seguranca-informatica said to
GBHackers On Security” via Email “I analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims. This means that a unique RSA private key can be used to decrypt all the files as well.”

After successful encryption process against all the file on the infected system then the new file extension is appended (.jcry).

Finally, the ransomware note will be created and displayed with the note
named JCRY_Note.html where attacker demand the $500 ransom payment via bitcoin.

In order to make a payment to receive the decryption key, attackers provide the recovery link which is pointed to the Tor that contains a field that receives the address of the wallet and the unique key generated.

By getting this private key, files of each infected users can be recovered – since the key to decrypt the files is also unique. Researcher said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity News updates.

Indicators of Compromise (IOCs)

Hashes

c86c75804435efc380d7fc436e344898 (flashplayer_install.exe)
775b0c7b3741221e6abef787b1595431 (Enc.exe)
c86e3bbe43d5c0ddf2eb9a2e1c555230 (Dec.exe)