Security Week 22: ransomware in a virtual machine

Last week, Sophos specialists revealed the details of an interesting encryption trojan, Ragnar Locker (article on ZDNet, technical write-up on the Sophos blog). The ransomware brings a full-blown virtual machine onto the attacked system, boots it, gets access to the host file system from inside the guest and encrypts the data there. Among other things, this case shows that installer bloat has reached malware: to hide the actual malicious code, which is only 49 kilobytes, a 122 megabyte installer is delivered to the victim, which unpacks to 282 megabytes.

According to Sophos, the ransomware is operated by a group that targets businesses. One example is the attack on the Portuguese electricity supplier Energias de Portugal (EDP). Allegedly, 10 terabytes of data were stolen, and the criminals demanded 1580 bitcoins for decryption. In the media, running the malware inside a virtual machine is described as an effective trick for bypassing antivirus software. In reality, such an "innovation" does not require any changes to security technology; only the correct application of existing technology is necessary.

The company's report does not say exactly how a computer gets infected. To launch a malicious object you must either convince the user to do it or exploit a vulnerability. There is only a hint at exploiting holes, or weak passwords, on RDP connections. Attacks on Managed Service Providers are also mentioned, that is, on remote administrators from another company who have full access to the potential victim's infrastructure. Compromising one such provider is enough to be able to attack all of its customers.

After that, everything is simple. An Oracle VirtualBox virtual machine is installed on the computer, and an incredibly ancient one: a 2009 release, still branded as Sun. A script passes the configuration parameters to the virtual machine. A stripped-down image of Windows XP is booted (MicroXP 0.82, a 2008 build). A virtual network connection is established, and the guest is given access to all of the host's drives.

The encryption process itself is not described in the Sophos publication. Before it starts, another script terminates a list of applications and services on the host system so that the files they hold open can be modified. At the end, a text file with the ransom demand is placed on the attacked computer.

There is no advanced technology here: this is a prepared virtual machine and a bunch of scripts. From the point of view of a protective solution, such an attack does not fundamentally differ from an infected computer with access to network shares appearing on the corporate network. Yes, there is a nuance: no overtly malicious software ever appears on the attacked machine. It is hidden inside the virtual image, and only legitimate software is launched on the host.

The problem is solved by analysing behaviour, that of the program on the host or of the actions coming from the "remote" computer, for clear markers of "I want to encrypt something here". A curious way to save on the development of sophisticated malicious technology.

What else happened

The Register published details of the attack on EasyJet. Between October 2019 and January 2020, cybercriminals stole credit card details of a relatively small number of customers (about 2200, according to official figures). Judging by reports from those affected, the leak of booking information (but not payment data) has affected millions of users.

Trustwave reports that attackers are using Google's Firebase service, a platform built for developers, to host phishing pages. This is just one of many attempts to use Google's legitimate tools in cyberattacks.

Cybercriminals are attacking services that pay out compensation to victims of the pandemic. A fresh (but not the only) example is the attacks on government services in the United States. The group, allegedly operating from Nigeria, uses stolen data of residents and companies to have the payments sent to its own bank accounts.

The alleged distributor of the username and password database known as Collection #1 has been arrested. Originally sold on the black market, this database of 773 million entries was made publicly available last January.

Researchers from the UK, Germany and Switzerland found new vulnerabilities in the Bluetooth protocol (news, research paper). Flaws in the authentication procedure allow an attacker to impersonate a device with which the victim has already paired. The problem was confirmed on a sample of 31 Bluetooth devices using 28 different chipsets.
