Hackers Spreading JCry Ransomware that Infecting Windows users via Compromised Websites

Cyber criminals spreading new ransomware called Jcry which is written in Go language via #OpJerusalem2019 campaign that attack Windows users to encrypt the file and demand the ransom.

#OpJerusalem2019 is recently launched a cyber attack against the Israeli Government and the private websites including Coca-Cola, ToysRUs, McDonald ’s.

In result, An anonymous hacker group compromised hundreds of websites and destroyed nearly 1 million Israeli based webpages that belong to some of the leading brands.

Attackers goal was “erasing Israel from the Internet” in protest against the Israeli government’s conduct in the Israel-Palestine conflict.

There are various attack vectors used by cybercriminals including website defacements, denial-of-service distributed attacks (DDoS), especially vulnerabilities in the 3rd party plug-ins.

This #OpJerusalem cyber attack mainly target the windows users and dropping the JCry ransomware which is distributed via defaced websites by this campaign.

A vulnerability that existing the third party accessibility plugin-in called nagich.co.il loaded malicious JavaScript code that defaced the sites and let attackers took advantage to exploit and compromise the millions of web pages.

JCry Ransomware Distribution

Once the targeted websites will be compromised then the cybercriminals placed the malicious javascript that executes and trigger the malicious Adobe update message.

Adobe update trick and force users to click “update” by displaying ”
Your version of Adobe Flash Player is outdated – Update“.

Once the unknowingly click the link then suddenly IT drops the
malicious file ” “flashplayer_install.exe” ” from hxxp://185.163.47.134.

This first .exe is a dropper Winrar SFX which contains 3 archives, Enc.exe , one of the archives responsible to encrypted all the target files from user’s devices.

According to Pedro Tavares from seguranca-informatica said to
GBHackers On Security” via Email “I analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims. This means that a unique RSA private key can be used to decrypt all the files as well.”

After successful encryption process against all the file on the infected system then the new file extension is appended (.jcry).

Finally, the ransomware note will be created and displayed with the note
named JCRY_Note.html where attacker demand the $500 ransom payment via bitcoin.

In order to make a payment to receive the decryption key, attackers provide the recovery link which is pointed to the Tor that contains a field that receives the address of the wallet and the unique key generated.

By getting this private key, files of each infected users can be recovered – since the key to decrypt the files is also unique. Researcher said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity News updates.

Indicators of Compromise (IOCs)

Hashes

c86c75804435efc380d7fc436e344898 (flashplayer_install.exe)
775b0c7b3741221e6abef787b1595431 (Enc.exe)
c86e3bbe43d5c0ddf2eb9a2e1c555230 (Dec.exe)


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…

18 hours ago

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…

19 hours ago

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…

20 hours ago

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…

20 hours ago

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user devices into proxy nodes, potentially engaging…

22 hours ago

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to challenges in reverse engineering DRAM addressing,…

1 day ago