Cyber criminals spreading new ransomware called Jcry which is written in Go language via #OpJerusalem2019 campaign that attack Windows users to encrypt the file and demand the ransom.
#OpJerusalem2019 is recently launched a cyber attack against the Israeli Government and the private websites including Coca-Cola, ToysRUs, McDonald ’s.
In result, An anonymous hacker group compromised hundreds of websites and destroyed nearly 1 million Israeli based webpages that belong to some of the leading brands.
Attackers goal was “erasing Israel from the Internet” in protest against the Israeli government’s conduct in the Israel-Palestine conflict.
There are various attack vectors used by cybercriminals including website defacements, denial-of-service distributed attacks (DDoS), especially vulnerabilities in the 3rd party plug-ins.
This #OpJerusalem cyber attack mainly target the windows users and dropping the JCry ransomware which is distributed via defaced websites by this campaign.
A vulnerability that existing the third party accessibility plugin-in called nagich.co.il loaded malicious JavaScript code that defaced the sites and let attackers took advantage to exploit and compromise the millions of web pages.
Once the targeted websites will be compromised then the cybercriminals placed the malicious javascript that executes and trigger the malicious Adobe update message.
Adobe update trick and force users to click “update” by displaying ”
“Your version of Adobe Flash Player is outdated – Update“.
Once the unknowingly click the link then suddenly IT drops the
malicious file ” “flashplayer_install.exe” ” from hxxp://185.163.47.134.
This first .exe is a dropper Winrar SFX which contains 3 archives, Enc.exe , one of the archives responsible to encrypted all the target files from user’s devices.
According to Pedro Tavares from seguranca-informatica said to
“GBHackers On Security” via Email “I analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims. This means that a unique RSA private key can be used to decrypt all the files as well.”
After successful encryption process against all the file on the infected system then the new file extension is appended (.jcry).
Finally, the ransomware note will be created and displayed with the note
named JCRY_Note.html where attacker demand the $500 ransom payment via bitcoin.
In order to make a payment to receive the decryption key, attackers provide the recovery link which is pointed to the Tor that contains a field that receives the address of the wallet and the unique key generated.
By getting this private key, files of each infected users can be recovered – since the key to decrypt the files is also unique. Researcher said.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity News updates.
Hashes
c86c75804435efc380d7fc436e344898 (flashplayer_install.exe)
775b0c7b3741221e6abef787b1595431 (Enc.exe)
c86e3bbe43d5c0ddf2eb9a2e1c555230 (Dec.exe)
A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…
Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…
Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…
Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…
Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user devices into proxy nodes, potentially engaging…
Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to challenges in reverse engineering DRAM addressing,…