iDefense engineers have identified and analyzed a recently updated version of the dangerous ransomware MegaCortex, which is known to have previously caused costly incidents across various industries in Europe and North America.
So far, cybercriminals have only used MegaCortex in manual, post-exploitation, targeted attacks in which important files on servers and network hosts are encrypted and the victims are asked to pay a ransom to regain access to their files. The ransom demand ranges from two to 600 Bitcoins, equivalent to approximately US$20,000 to as much as US$5.8 million. The threat actors state in their ransom note: “We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course).” It is therefore clear that the actors behind MegaCortex are targeting corporations rather than home users.
The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze. However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.
The authors of MegaCortex v2 have redesigned the ransomware to self-execute and removed the password requirement for installation; the password is now hard-coded in the binary. They also incorporated anti-analysis features into the main malware module, along with functionality to stop and kill a wide range of security products and services, a task that was previously performed manually by running batch script files on each host.
The main differences between the original and version 2 of MegaCortex are:
Original version:
- Network compromise
- Manual execution of batch files to kill/stop security services
- Manual execution of batch file to spread the malware to other hosts
- Manual execution of the malware loader with a supplied password
- Main payload DLL is executed by rundll32.exe
Version 2:
- Network compromise
- Manual execution of batch file to spread the malware to other hosts (unconfirmed)
- Execution of the malware loader
- Main payload DLL is decrypted and executed from memory
- Main payload includes anti-analysis and kill/stop security services functionality
The changes in version 2 suggest that the malware authors traded some operational security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without needing an actor-supplied password for installation. The number of MegaCortex incidents could therefore increase if the actors decide to start delivering it through e-mail campaigns or as a secondary stage dropped by other malware families.
How can you identify the threat? iDefense recommends searching for the presence on disk of the following system artifacts:
iDefense suggests leveraging the following YARA rule for in-memory hunting/detection:

```yara
rule MegaCortex_v2_DLL  // rule name not preserved in the extracted page; placeholder
{
    meta:
        description = "Detects MegaCortex DLL samples from version 2"
        hash = "53dddbb304c79ae293f98e0b151c6b28"
        author = "iDefense"
        date = "2019-07-29"
    strings:
        $ = "If you are reading this text, it means, we've hacked your corporate network" nocase wide ascii
        $ = "No one can help you to restore your data without our special decipherer" nocase wide ascii
        $ = "You will receive decrypted samples and our conditions how to get the decipherer" nocase wide ascii
        $ = "Man is the master of everything and decides everything" nocase wide ascii
        $ = "@mail.com" nocase wide ascii
        $ = ".log" nocase wide ascii
        $ = "MEGA-" nocase wide ascii
        $ = "elevate" nocase wide ascii
        $ = "fail:" nocase wide ascii
        $ = "scaning" nocase wide ascii
        $ = "taskkill" nocase wide ascii
        $ = "payload.dll" nocase wide ascii
    condition:
        all of them
}
```
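To show what the rule's modifiers actually mean when hunting in memory, here is an added Python example (not from the iDefense report) that re-implements `nocase wide ascii` and the `all of them` condition over a raw buffer, so the rule's behaviour can be checked against a memory dump without yara-python; the sample buffer is constructed, not a real MegaCortex sample.

```python
# Added example, not from the iDefense report: a minimal re-implementation of the
# YARA modifiers the rule above relies on ('nocase wide ascii' and 'all of them'),
# usable to test what the rule would flag in a memory dump without yara-python.
import re

# The twelve strings from the iDefense rule, verbatim.
RULE_STRINGS = [
    "If you are reading this text, it means, we've hacked your corporate network",
    "No one can help you to restore your data without our special decipherer",
    "You will receive decrypted samples and our conditions how to get the decipherer",
    "Man is the master of everything and decides everything",
    "@mail.com", ".log", "MEGA-", "elevate", "fail:", "scaning", "taskkill", "payload.dll",
]


def _pattern(s):
    """One regex matching s as ASCII or as UTF-16LE ('wide'), case-insensitively ('nocase')."""
    ascii_form = re.escape(s.encode("ascii"))
    wide_form = re.escape(s.encode("utf-16-le"))  # each ASCII char followed by 0x00
    return re.compile(b"(?:%s)|(?:%s)" % (ascii_form, wide_form), re.IGNORECASE)


PATTERNS = [_pattern(s) for s in RULE_STRINGS]


def scan(buf):
    """Return {rule_string: [offsets]} for every rule string present in buf."""
    hits = {}
    for s, pat in zip(RULE_STRINGS, PATTERNS):
        offsets = [m.start() for m in pat.finditer(buf)]
        if offsets:
            hits[s] = offsets
    return hits


def rule_matches(buf):
    """The rule's condition is 'all of them': every string must occur at least once."""
    return len(scan(buf)) == len(RULE_STRINGS)


# Constructed buffer (not a real sample): alternates ASCII and upper-cased UTF-16LE
# copies of the strings to show why both 'wide' and 'nocase' matter in memory hunting.
SAMPLE_BUFFER = b"\x00" * 16 + b"".join(
    (s.upper().encode("utf-16-le") if i % 2 else s.encode("ascii")) + b"\x00\x00"
    for i, s in enumerate(RULE_STRINGS)
)

if __name__ == "__main__":
    print(scan(SAMPLE_BUFFER))
    print("rule matches:", rule_matches(SAMPLE_BUFFER))
```

A buffer that contains only a few of the strings (for example just the `taskkill` and `payload.dll` tokens, which are common in benign software) does not satisfy the `all of them` condition, which is what keeps the rule's false-positive rate low.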
Size: 956,416 bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 745,408 bytes
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Take a look at our detailed analysis of MegaCortex v2. A dedicated iDefense team is working to track and monitor cyber threats and attacks. We offer regular updates and communications on cyber resilience. Please take a look at our extensive analysis and reports on cybersecurity.
Legal Notice & Disclaimer
Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. As such, all information and content set out is provided on an “as-is” basis without representation or warranty and the reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion. Accenture accepts no liability for any action or failure to act in response to the information contained or referenced in this alert.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks