A new approach for malware to get in: it first scans networks for vulnerabilities. Login credentials are collected using a second piece of malware designed to steal sensitive information and send it to a designated remote server. The intrusion then targets JBoss server applications, where remote authenticated users can bypass security controls and a local user can obtain elevated privileges on the target system.
The other vulnerability is the Direct Use of Unsafe JNI. When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses could not occur in Java itself.
How It Works
The malware then uses a brute-force attack to bypass authentication and deploys its components through a third-party tool, psexec.exe, driven by batch files. Once deployed, the malware performs the following actions:
- Uses batch files to run its programs, logic and flow.
- Looks for file extensions associated with backup files on the system.
- Checks that those files are not locked by other processes; if they are, the Trojan terminates those processes.
- Deletes the backup files.
- Encrypts files on the system using the AES algorithm and renames each encrypted file with the extension encrypted.RSA.
- Displays the ransom note once the files are encrypted, then deletes itself with the help of a binary in its resources named del.exe.
Detection Avoidance Mechanisms
- Creates a tunnel between the target and the distribution channel.
- Converts the list of file extensions to be encrypted into hex strings.
- Has also moved away from using a WordPress site as its decryption service, hxxps://lordsecure4u.wordpress.com, to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.
Mitigation
- Ensure that a strong password policy is implemented throughout the enterprise.
- Disable the loading of macros in Office programs.
- Disable macro loading through Group Policy settings.
- Keep software up to date to mitigate possible software exploits.
- Use two-factor authentication.
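As an added example (not code from the original write-up), the following Python flags the deployment and self-deletion behaviours described above in constructed process-creation records, counts files renamed with the encrypted.RSA extension, and decodes a hex-encoded extension list. The log line format, the comma-separated layout of the extension list and all sample values are assumptions.

```python
import os
import re
import tempfile

# Extension the write-up says encrypted files are renamed with
ENCRYPTED_EXT = ".encrypted.rsa"

# Process-creation patterns matching the steps above: psexec.exe launching
# batch files, and the self-deletion helper del.exe.
SUSPICIOUS_CMDS = [
    re.compile(r"\bpsexec(\.exe)?\b.*\.bat\b", re.IGNORECASE),
    re.compile(r"\bdel\.exe\b", re.IGNORECASE),
]

# Constructed sample process-creation records (not real telemetry)
SAMPLE_EVENTS = [
    "2016-03-01T10:01:02 host1 ProcessCreate cmd.exe /c C:\\temp\\run.bat",
    "2016-03-01T10:02:15 host1 ProcessCreate psexec.exe \\\\host2 cmd /c C:\\temp\\deploy.bat",
    "2016-03-01T10:09:33 host2 ProcessCreate C:\\Windows\\Temp\\del.exe C:\\Windows\\Temp\\payload.exe",
    "2016-03-01T10:10:00 host2 ProcessCreate notepad.exe C:\\Users\\u\\readme.txt",
]


def flag_process_events(lines):
    """Return the log lines whose command line matches one of the patterns."""
    return [ln for ln in lines if any(p.search(ln) for p in SUSPICIOUS_CMDS)]


def count_encrypted_files(root):
    """Walk root and count files carrying the ransomware's rename extension."""
    return sum(
        1
        for _, _, files in os.walk(root)
        for name in files
        if name.lower().endswith(ENCRYPTED_EXT)
    )


def decode_hex_extension_list(hex_blob):
    """Decode a hex-encoded extension list. The comma-separated layout is an
    assumption; the write-up only says the list is stored as hex strings."""
    return bytes.fromhex(hex_blob).decode("ascii").split(",")


def build_sample_tree():
    """Create a constructed directory tree: two renamed files, one untouched."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    for name in ("budget.xlsx.encrypted.RSA", "notes.docx.encrypted.RSA", "todo.txt"):
        open(os.path.join(root, name), "w").close()
    return root
```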