Samas A Hybrid Malware

Vulnerabilities Scanning

Samas takes a new approach to getting in: it first scans networks for vulnerabilities. Login credentials are collected with a second piece of malware designed to steal sensitive information and send it to a designated remote server. The attackers also target JBoss server applications, through which remote authenticated users can bypass security controls and a local user can obtain elevated privileges on the target system.

The other vulnerability is Direct Use of Unsafe JNI. When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it exposes the application to weaknesses in that code, including weaknesses that cannot occur in Java itself.

[Figure: Samas flowchart]

How It Works

The malware then uses a brute-force attack to bypass authentication and deploys its components with a third-party tool, psexec.exe, driven by batch files. Once deployed, it performs the following actions:

  1. Uses batch files to run its programs, logic and flow.
  2. Looks for file extensions that are associated with backup files on the system.
  3. Makes sure those files are not locked by other processes; otherwise, the Trojan terminates those processes.
  4. Deletes the backup files.
  5. Encrypts files on the system using the AES algorithm and renames each encrypted file with the extension encrypted.RSA.
  6. Displays the ransom note once the files are encrypted, then deletes itself with the help of a binary in its resources named del.exe.
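Each stage of that chain (a brute-forced logon, PsExec dropping its service, backup files deleted, files renamed to encrypted.RSA) leaves a trace in ordinary host logs, and the stages are far more telling together than alone. The Python below is an added detection example, not code from the original post or from any vendor. It parses a constructed, simplified key=value log format (not a real Windows export) and correlates the stages per host. The event IDs 4625, 4624 and 7045 and the service name PSEXESVC are real Windows values; the file_delete and file_rename event names, the log layout and the backup-extension list are assumptions made for the example.

```python
import os
from collections import defaultdict

# Constructed sample log, not a real Windows export: an ISO timestamp followed by
# key=value tokens. 4625/4624 are the real Windows failed/successful logon event
# IDs and 7045 the real "new service installed" ID; the file_* events are assumed
# to come from a file-auditing agent.
SAMPLE_LOG = [
    r"2016-03-10T02:14:01 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:02 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:03 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:04 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:05 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:06 host=FS01 event=4625 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:09 host=FS01 event=4624 user=administrator src=10.0.0.5",
    r"2016-03-10T02:14:12 host=FS01 event=7045 service=PSEXESVC path=C:\Windows\PSEXESVC.exe",
    r"2016-03-10T02:15:30 host=FS01 event=file_delete path=D:\backups\db.bak",
    r"2016-03-10T02:15:31 host=FS01 event=file_delete path=D:\backups\img.vhd",
    r"2016-03-10T02:16:02 host=FS01 event=file_rename path=D:\share\report.docx new=D:\share\report.docx.encrypted.RSA",
    r"2016-03-10T02:16:03 host=WS07 event=4624 user=jdoe src=10.0.0.22",
]

# Assumed backup-related extensions; the post only says "certain file extensions".
BACKUP_EXTENSIONS = {".bak", ".bkf", ".vhd", ".vhdx", ".wbcat"}
ENCRYPTED_SUFFIX = ".encrypted.rsa"  # from the post: files are renamed to *.encrypted.RSA


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict (values in this format contain no spaces)."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_bruteforce_then_logon(events, threshold=5):
    """A successful logon preceded by >= threshold failures for the same host/user/source."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        key = (ev.get("host"), ev.get("user"), ev.get("src"))
        if ev.get("event") == "4625":
            failures[key] += 1
        elif ev.get("event") == "4624":
            if failures[key] >= threshold:
                alerts.append({"rule": "bruteforce_success", "host": key[0], "user": key[1],
                               "src": key[2], "failures": failures[key], "ts": ev["ts"]})
            failures[key] = 0  # a success resets the counter either way
    return alerts


def detect_psexec_service(events):
    """PsExec installs a service named PSEXESVC on the target; event 7045 records that."""
    return [{"rule": "psexec_service_install", "host": ev["host"], "ts": ev["ts"]}
            for ev in events
            if ev.get("event") == "7045" and ev.get("service", "").upper() == "PSEXESVC"]


def detect_backup_deletion(events):
    """Deletion of a file whose extension is on the backup list."""
    alerts = []
    for ev in events:
        if ev.get("event") != "file_delete":
            continue
        ext = os.path.splitext(ev.get("path", "").lower())[1]
        if ext in BACKUP_EXTENSIONS:
            alerts.append({"rule": "backup_deleted", "host": ev["host"],
                           "path": ev["path"], "ts": ev["ts"]})
    return alerts


def detect_encrypted_renames(events):
    """A rename that appends the ransomware's encrypted.RSA suffix."""
    return [{"rule": "encrypted_rename", "host": ev["host"], "path": ev.get("new"), "ts": ev["ts"]}
            for ev in events
            if ev.get("event") == "file_rename"
            and ev.get("new", "").lower().endswith(ENCRYPTED_SUFFIX)]


def analyze(lines, escalate_at=3):
    """Run every rule; escalate hosts showing escalate_at or more distinct stages."""
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = (detect_bruteforce_then_logon(events) + detect_psexec_service(events)
              + detect_backup_deletion(events) + detect_encrypted_renames(events))
    stages = defaultdict(set)
    for alert in alerts:
        stages[alert["host"]].add(alert["rule"])
    escalated = sorted(h for h, rules in stages.items() if len(rules) >= escalate_at)
    return alerts, escalated


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("escalate:", hosts)
```

Any single rule here fires on benign activity now and then (an admin mistyping a password, a backup job rotating old files), which is why the escalation step requires several distinct stages on the same host before raising the incident. The same structure carries over to a SIEM query: one search per stage, grouped by host, with a count of distinct stages as the alert condition.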


Detection Avoidance Mechanisms

  1. Creates a tunnel between the target and the distribution channel.
  2. Stores the list of file extensions to be encrypted as hex strings rather than plain text.
  3. It has also moved its decryption service site from WordPress, hxxps://lordsecure4u.wordpress.com, to a more obscure Tor site that helps anonymize it, hxxp://wzrw3hmj3pveaaqh.onion/diana.
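The hex encoding in item 2 defeats a naive strings scan for ".doc" or ".bak", but an analyst can reverse it to get the targeted extension list back out of a sample. The Python below is an added example, not code from the original post: it scans tokens in the style of a strings listing for even-length hex runs and keeps only those that decode to an extension-shaped ASCII string. The sample tokens are constructed for the example and are not taken from a real Samas binary.

```python
import re

# Constructed tokens in the style of a strings(1) listing. The hex values are made
# up for the example and encode ".bak", ".doc", ".xlsx" and ".vhd".
SAMPLE_STRINGS = [
    "kernel32.dll",
    "2e62616b",
    "2e646f63",
    "2e786c7378",
    "2e766864",
    "deadbeef",        # valid hex, but not printable ASCII once decoded
    "CreateProcessW",
]

# An even-length run of at least four hex digits standing as its own word.
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){2,}\b")


def recover_hex_extensions(strings):
    """Decode every hex run and keep the ones that look like a file extension."""
    found = []
    for s in strings:
        for match in HEX_RUN.finditer(s):
            try:
                text = bytes.fromhex(match.group(0)).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # odd length, non-hex, or non-ASCII bytes: not an extension
            if text.startswith(".") and text[1:].isalnum():
                found.append(text.lower())
    return found


if __name__ == "__main__":
    print(recover_hex_extensions(SAMPLE_STRINGS))
```

The recovered list is useful on the defensive side as well: the extensions a sample targets tell you which file shares and backup sets to watch for mass renames, and which to keep on storage the compromised account cannot reach.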

[Figure: Samas version 2]

Geo Distribution

[Figure: geographic distribution of Samas infections]

Mitigation

  1. Ensure that a strong password policy is implemented throughout the enterprise.
  2. Disable the loading of macros in Office programs.
  3. Disable macro loading through Group Policy settings.
  4. Keep software up to date to mitigate possible software exploits.
  5. Use two-factor authentication.
