August 05, 2019
New version of MegaCortex targets business disruption
By: Leo Fernandes

iDefense engineers have identified and analyzed a recently updated version of the dangerous ransomware MegaCortex, which is known to have previously caused costly incidents across various industries in Europe and North America.

So far, cybercriminals have only used MegaCortex in manual, post-exploitation, targeted attacks where important files on servers and network hosts are encrypted and the victims are asked to pay the ransom to reinstate access to their files. The ransom request is in the range of two to 600 Bitcoins, which is equivalent to approximately US$20,000 to as much as US$5.8 million. The threat actors state in their ransom note “We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course).” So, it is clear that the actors behind MegaCortex are targeting corporations instead of home users.

The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze. However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.

The authors of MegaCortex v2 have redesigned the ransomware to self-execute and removed the password requirement for installation; the password is now hard-coded in the binary. The authors also incorporated some anti-analysis features within the main malware module, along with the functionality to stop and kill a wide range of security products and services; this task was previously executed manually through batch script files on each host.

The main differences between the original and version 2 of MegaCortex are:

Original version:

  • Network compromise
  • Manual execution of batch files to kill/stop security services
  • Manual execution of batch file to spread the malware to other hosts
  • Manual execution of the malware loader with a supplied password
  • Main payload DLL is executed by rundll32.exe

Version 2:

  • Network compromise
  • Manual execution of batch file to spread the malware to other hosts (unconfirmed)
  • Execution of the malware loader
  • Main payload DLL is decrypted and executed from memory
  • Main payload includes anti-analysis and kill/stop security services functionality

The changes in Version 2 suggest that the malware authors traded some security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation. Indeed, there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns or to have it dropped as a secondary stage by other malware families.

How can you identify the threat? iDefense recommends searching for the presence on disk of the following system artifacts:

  • c:\nxahoft_G9.log
  • c:\!!!_READ-ME_!!!.txt
  • C:\x5gj5_gmG8.log

iDefense suggests leveraging the following YARA rule for in-memory hunting/detection:

rule MegaCortex_v2_DLL
{
    meta:
        description = "Detects MegaCortex DLL samples from version 2"
        hash = "53dddbb304c79ae293f98e0b151c6b28"
        author = "iDefense"
        date = "2019-07-29"
    strings:
        $ = "If you are reading this text, it means, we've hacked your corporate network" nocase wide ascii
        $ = "No one can help you to restore your data without our special decipherer" nocase wide ascii
        $ = "You will receive decrypted samples and our conditions how to get the decipherer" nocase wide ascii
        $ = "Man is the master of everything and decides everything" nocase wide ascii
        // The next string is empty on this page; YARA rejects empty strings, so it is commented out.
        // $ = "" nocase wide ascii
        $ = ".log" nocase wide ascii
        $ = "MEGA-" nocase wide ascii
        $ = "elevate" nocase wide ascii
        $ = "fail:" nocase wide ascii
        $ = "scaning" nocase wide ascii
        $ = "taskkill" nocase wide ascii
        $ = "payload.dll" nocase wide ascii
    condition:
        all of them
}
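What the rule's `nocase wide ascii` modifiers and its "all of them" condition mean at the byte level, together with a case-insensitive check of a file listing against the three disk artifacts, as an added Python example (not iDefense's code). The function names and the sample buffer are constructed for illustration; the strings and paths are the ones listed on this page.

```python
import re

# Strings copied from the rule above (its one empty entry is left out).
RULE_STRINGS = [
    "If you are reading this text, it means, we've hacked your corporate network",
    "No one can help you to restore your data without our special decipherer",
    "You will receive decrypted samples and our conditions how to get the decipherer",
    "Man is the master of everything and decides everything",
    ".log", "MEGA-", "elevate", "fail:", "scaning", "taskkill", "payload.dll",
]
# Disk artifacts listed on this page.
ARTIFACTS = [r"c:\nxahoft_G9.log", r"c:\!!!_READ-ME_!!!.txt", r"C:\x5gj5_gmG8.log"]


def _patterns(s):
    # "ascii" = one byte per character; "wide" = each character followed by 0x00
    # (UTF-16LE); "nocase" = case-insensitive comparison.
    forms = (s.encode("ascii"), s.encode("utf-16-le"))
    return [re.compile(re.escape(f), re.IGNORECASE) for f in forms]


def missing_strings(buf):
    """Rule strings not found in buf; an empty list means 'all of them' holds."""
    return [s for s in RULE_STRINGS if not any(p.search(buf) for p in _patterns(s))]


def artifact_hits(paths):
    """Paths from a file listing that equal a listed artifact, ignoring case."""
    wanted = {a.lower() for a in ARTIFACTS}
    return [p for p in paths if p.lower() in wanted]


def constructed_sample(skip=()):
    """Constructed buffer (not malware): upper-cased, alternating ASCII and wide."""
    kept = [s for s in RULE_STRINGS if s not in skip]
    parts = [s.upper().encode("utf-16-le" if i % 2 else "ascii")
             for i, s in enumerate(kept)]
    return b"\xcc\xcc".join(parts)


if __name__ == "__main__":
    print(missing_strings(constructed_sample()))
    print(missing_strings(constructed_sample(skip=("taskkill",))))
    print(artifact_hits([r"C:\NXAHOFT_g9.LOG", r"C:\Windows\notepad.exe"]))
```

Because the condition requires every string, a buffer that lacks even one of them does not match; `missing_strings` reports which ones are absent, which helps when triaging a partial hit in a memory dump.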

Files analyzed:

MD5: 65939a4515a59da3697e4a454d6e8378
SHA-1: 470a8189915b01bc4012d7e0bdccba8e97a6a2d6
SHA-256: 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2
Size: 956,416 bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows

MD5: 53dddbb304c79ae293f98e0b151c6b28
SHA-1: 2632529b0fb7ed46461c406f733c047a6cd4c591
SHA-256: 873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466
Size: 745,408 bytes
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows

Take a look at our detailed analysis of MegaCortex v2. A dedicated iDefense team is working to track and monitor cyber threats and attacks. We offer regular updates and communications on cyber resilience. Please take a look at our extensive analysis and reports on cybersecurity.

Legal Notice & Disclaimer

Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. As such, all information and content set out is provided on an “as-is” basis without representation or warranty and the reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion. Accenture accepts no liability for any action or failure to act in response to the information contained or referenced in this alert.
