Monday, June 24, 2024

REvil Ransomware links With GandCrab to Attack Windows Users via RDP Servers and Exploit kits

A financially motivated hacking group called “GOLD SOUTHFIELD” launch a newly developed REvil Ransomware (aka Sodinokibi) which used the GandCrab ransomware code and infected the Windows users around the world.

Threat actors are distributing it through various medium including software installers with backdoor capabilities, exploit kits, exploiting RDP servers, and scan-and-exploit techniques.

Malware developers behind the GandCrab ransomware declared that they were shutting down its operations after earning $2 billion in ransom payments and security software maker Bitdefender released a free decryption tool for GandCrab.

During the time interval, researchers from Secureworks learning the spikes of REvil ransomware and indented that REvil is likely associated with the GandCrab ransomware by having evidence of sharing its code.

REvil Ransomware
Code similarities B/w REvil & GandCrab (Credits:secureworks)

REvil can perform a variety of malicious tasks, including the following,

1.Exploit the CVE-2018-8453 vulnerability to elevate privileges
2.Terminate blacklisted processes prior to encryption to eliminate resource conflicts
3. Wipe the contents of blacklisted folders
4. Encrypt non-whitelisted files and folders on local storage devices and network shares
5. Exfiltrate basic host information

REvil Ransomware Infection Process

Researchers learned that the first stage of REvil ransomware infection starts by exploiting the Oracle web logic servers, but later threat actors expanded their infection process via spam email campaign RDP attacks.

Some of the recent reports indicate that the REvil ransomware distributing by compromising the Italian WinRAR website and replace the malicious executable with a legitimate one and another scenario states that, it compromised MSP service provides and deploy the customer’s system.

Encryption Flow

During the encryption routine, REvil resolves the system library functions and compare with REvil binary to evade evades detection via static analysis and attempt to create a mutex .

If it is successfully created, REvil attempts to elevate privileges using an LPE exploit and execute either 32-bit or 64-bit shellcode based on the victim’s machine architecture.

Later it attempts to exploit the CVE-2018-8453, a Win32k Elevation of Privilege Vulnerability that allows an attacker to run arbitrary code in kernel mode.

REvil aka Sodinokibi already attempted to exploit this vulnerability in July, and infect the victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea. 

According to SecureWorks research ” REvil performs another privilege-related validation within its main function prior to profiling host information. If REvil’s current process is running with system-level integrity, then the process attempts to impersonate the security context of the first explorer.exe process it finds running on the compromised system. “

During the preparation for encryption, it generates, unique ID (UID), encryption keys and generate the random file extension and store the Base64-decoded ransom note template in nbody key of REvil’s configuration.

REvil Ransomware

To obtain the decryption key from attackers, victims need to pay 0.203194 (roughly 2,300 USD) bitcoin within 4 days, if it failed then the ransom amount will be increased.

The analyzed sample requested that payment be sent to the Bitcoin address 3E9F7gE3upQ8rgsPjwiKH7ugfdneypPjqj, and there is no payment received for this wallet so far.

“Given the diverse and advanced delivery mechanisms, code complexity, and resources utilized by REvil, CTU researchers assess that this ransomware will replace GandCrab as a widespread threat. ” Secureworks concluded.

You can also read the “Ransomware Attack Response and Mitigation Checklist” to prevent yourself from the ransomware attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles