Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • MIST Threat Advisory: Maze Ransomware Attack and Preventative Measures

    Încărcat de

    manu_zacharia
    71 vizualizări11 pagini
    The document provides information on recent Maze ransomware attacks and recommendations for prevention. It notes that the Maze ransomware operators have been actively targeting firms through RDP brute forcing and exploit kits. A recent victim was a London-based research firm that had some stolen files published after refusing to pay ransom. The document lists indicators of compromise and provides best practices for users, including keeping backups, network segmentation, and ensuring antivirus software is up to date.

    Descriere originală:

    Titlu original

    MIST_Advisory_on_Maze_ransomware_attack_and_preventative_measures

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    The document provides information on recent Maze ransomware attacks and recommendations for prevention. It notes that the Maze ransomware operators have been actively targeting firms through RDP brute forcing and exploit kits. A recent victim was a London-based research firm that had some stolen files published after refusing to pay ransom. The document lists indicators of compromise and provides best practices for users, including keeping backups, network segmentation, and ensuring antivirus software is up to date.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    71 vizualizări11 pagini

    MIST Threat Advisory: Maze Ransomware Attack and Preventative Measures

    Încărcat de

    manu_zacharia
    The document provides information on recent Maze ransomware attacks and recommendations for prevention. It notes that the Maze ransomware operators have been actively targeting firms through RDP brute forcing and exploit kits. A recent victim was a London-based research firm that had some stolen files published after refusing to pay ransom. The document lists indicators of compromise and provides best practices for users, including keeping backups, network segmentation, and ensuring antivirus software is up to date.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 11

    MIST Threat Advisory

    (April 2020)

    Maze ransomware attack and preventative measures

    Executive Summary
    EY MIST team tracks the recent variants of the Maze ransomware in our threat intel platform.
    We aware that Maze ransomware operators have been quite active, it seems there is no
    stopping. In the recent attack of Maze ransomware, one of the top IT firm got affected by
    Maze ransomware operators. Malware researchers also spotted the Maze ransomware
    operators attacked firms related to environmental services, manufacturers of electronic
    equipment. Very recently, London-based Hammersmith Medicines Research suffered a data
    breach. On March 21, the Maze ransomware operators published some of the stolen files on
    their leak site, after the refusal of the research firm of paying the ransom.

    Infection vector and distribution


    In typical ransomware attacks, we usually seen the ransomware campaigns propagate via
    malspam campaigns, exploit kits and with the help of botnets. But Maze ransomware was
    known to be a targeted attack which employs brute forcing of RDP connections in the victim
    network. It also has two exploit kits:
    • Fallout
    • Spelevo

    Maze ransomware was first discovered in May 2019. Threat actor TA2101 was behind the
    distribution of Maze ransomware. After it got deployed in the victim machine, the
    ransomware scans all folders and encrypts all files except itself and .ini file extensions and
    creates a ransom note in each folder. The ransom amount is not stated in the ransom note,
    and victims are directed to email the threat actor at one of two email addresses. Currently,
    there is no known publicly available decryptor.

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    Recommendations
    EY recommends blacklisting the hashes, IPs and URLs mentioned in the IOC section. We also
    recommend using the YARA rules mentioned in the IOC section for host-based scan to detect
    the presence of any traces of the infection. We also recommend following best practices to
    help the users keep protected:
    General best practices:
    • Do not download files that are suspicious, unusual or from an unknown sender.
    • Periodically carry out backups so that systems can be re-established quickly, with
    minimal possible information loss and operative impact.
    • Improve the segmentation of the network in order to prevent massive propagation of
    the threat.
    • Review and strengthen, where necessary, the security policies of the organization.
    Antivirus best practices:
    • Administrators need to ensure that installed AVs and other security products are
    running with latest definition.
    • Ensure whether any machines in the network got any removal of antimalware
    solutions. In typical ransomware attacks, intruders remove the security programs
    from the machine after they achieved highest privilege. This will help the ransomware
    to evade and proceed for deploying of ransomware malware in the machines.
    • If any suspicious removal of security products/Antimalware programs spotted in the
    log monitoring, should be checked immediately and verified with the concern whether
    it is a planned admin activity or not.
    Firewall best practices:
    • It is always recommended to blacklist the latest threat intel feeds shared by EY MIST
    team which covers recent trending threats including ransomware attacks.
    • After blacklisting, if any outbound communication to the malicious IPs logged in the
    firewall logs, it needs to be analyzed from the host level to find the depth of the
    analysis.
    • We recommend analyzing the communication in the logs from non-business locations
    which can be tracked using GeoIP during the log monitoring. If the identified IPs found
    to be malicious, deploy rules to block that traffic.

    IOC section

    MD5
    a2d631fcb08a6c840c23a8f46f6892dd
    2fbd10975ee65845a18af6b7488a5236
    ee26e33725b14850b1776a67bd8f2d0a

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    2fbd10975ee65845a18af6b7488a5236
    a2d631fcb08a6c840c23a8f46f6892dd
    ad30987a53b1b0264d806805ce1a2561
    53d5bdc6bd7904b44078cf80e239d42b
    3bfcba2dd05e1c75f86c008f4d245f62
    21a563f958b73d453ad91e251b11855c
    27c5ecbb94b84c315d56673a851b6cf9
    0f841c6332c89eaa7cac14c9d5b1d35b
    f5ecda7dd8bb1c514f93c09cea8ae00d
    0f841c6332c89eaa7cac14c9d5b1d35b
    a0c5b4adbcd9eb6de9d32537b16c423b
    b40a9eda37493425782bda4a3d9dad58
    5df79164b6d0661277f11691121b1d53
    79d137d91be9819930eeb3876e4fbe79
    65cf08ffaf12e47de8cd37098aac5b33
    fba4cbb7167176990d5a8d24e9505f71
    deebbea18401e8b5e83c410c6d3a8b4e
    87239ce48fc8196a5ab66d8562f48f26
    a3a3495ae2fc83479baeaf1878e1ea84
    8205a1106ae91d0b0705992d61e84ab2
    b4d6cb4e52bb525ebe43349076a240df
    a3386e5d833c8dc5dfbb772d1d27c7d1
    d552be44a11d831e874e05cadafe04b6
    bf2e43ff8542e73c1b27291e0df06afd
    e69a8eb94f65480980deaf1ff5a431a6
    5774f35d180c0702741a46d98190ff37
    f04d404d84be66e64a584d425844b926
    be537a66d01c67076c8491b05866c894
    d2dda72ff2fbbb89bd871c5fc21ee96a
    910aa49813ee4cc7e4fa0074db5e454a
    8205a1106ae91d0b0705992d61e84ab2

    IP Addresses (Dropper):
    hxxp://104.168.215.54/wordupd.tmp
    hxxp://149.56.245.196/wordupd.tmp
    hxxps://104.168.198.208/wordupd.tmp
    hxxp://104.168.198.230/wordupd.tmp
    hxxp://104.168.201.47/wordupd.tmp

    Maze URLs:
    hxxps://mazedecrypt.top/c3100a28b009e7a9
    hxxp://aoacugmutagkwctu.onion/c3100a28b009e7a9

    IP Addresses:
    91[.]218.114.37

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    91[.]218.114.77
    91[.]218.114.4
    91[.]218.114.11
    91[.]218.114.31
    91[.]218.114.79
    91[.]218.114.25
    91[.]218.114.26
    91[.]218.114.38
    91[.]218.114.32

    YARA RULES
    Rule to detects Maze ransomware payload dll unpacked
    rule crime_win32_ransom_maze_dll_1 {
    meta:
    description = "Detects Maze ransomware payload dll unpacked"
    author = "@VK_Intel"
    reference = "https://twitter.com/VK_Intel/status/1251388507219726338"
    tlp = "white"
    date = "2020-04-18"
    strings:
    $str1 = "Maze Ransomware" wide
    $str2 = "--logging" wide
    $str3 = "DECRYPT-FILES.txt" wide
    $tick_server_call = { ff ?? ?? 8b ?? ?? ?? ?? ?? ff d6 8b ?? 89 f9 50 ff ?? ?? ff d6 8d ?? ?? ?? 89
    ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 b9 67 66 66 66 89 c5 f7 e9 89 d0 d1 fa c1 e8 1f 01 c2 8d ?? ?? 29 c5
    56 e8 ?? ?? ?? ?? 83 c4 04 b9 56 55 55 55 89 c6 f7 e9 89 f9 89 d0 c1 e8 1f 01 d0 8d ?? ?? 29 c6 8b ??
    55 56 ff ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 89 ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 c5 50 ff d3 89 c6 ff ?? ?? ?? ff d3
    8b ?? ?? ?? 01 f0 3d ff 03 00 00 0f ?? ?? ?? ?? ?? 55 ff ?? ?? ?? 68 a2 95 c3 00 53 ff ?? ?? ?? ?? ?? 83 c4
    10 c6 ?? ?? ?? c6 ?? ?? ?? ??}
    condition:
    ( uint16(0) == 0x5a4d and
    ( 3 of them )
    ) or ( all of them )
    }

    YARA rule to detect unpacked Maze samples


    rule maze_unpacked {

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    meta:
    description = “Rule to detect unpacked Maze samples”
    author = “Marc Rivero | McAfee ATR Team”
    strings:
    $opcode_sequence = { 5589e583ec208b450c8b4d08c745fc00 }
    $opcode_sequence_2 = { 5589e553575683e4f883ec28c7042400 }
    $opcode_sequence_3 = { 5589e55dc3662e0f1f84000000000090 }
    $opcode_sequence_4 = { 5589e553575683e4f081ec600200008b }
    $opcode_sequence_5 = { 5589e553575683e4f081ecc00000000f }
    $opcode_sequence_6 = { 5589e583ec208b45108b4d0c8b550883 }
    $opcode_sequence_7 = { 5589e5575683ec388b45108b4d0c8b55 }
    $opcode_sequence_8 = { 5589e5575683e4f883ec088b45088b48 }
    $opcode_sequence_9 = { 558b6c241468997a41000f84bdc50000 }
    $opcode_sequence_10 = { 5589e553575683e4f883ec588b5d088b }
    $opcode_sequence_11 = { 5589e553575683e4f083ec408a42048b }
    $opcode_sequence_12 = { 5589e583ec188b4508837d08008945fc }
    $opcode_sequence_13 = { 5589e553575683e4f8b8d05b0000687f }
    $opcode_sequence_14 = { 5589e5508b450831c98945fc89c883c4 }
    $opcode_sequence_15 = { 5589e553575683e4f883ec708b5d0889 }
    $opcode_sequence_16 = { 5589e583ec308b45088b4d08894df883 }
    $opcode_sequence_17 = { 5589e553575683e4f881ec18030000f2 }
    $opcode_sequence_18 = { 5589e583ec188b45088b4d08894df48b }
    $opcode_sequence_19 = { 5589e583ec2056be74c14400566a0068 }
    $opcode_sequence_20 = { 5589e553575683e4f081ec900000008b }
    $opcode_sequence_21 = { 5589e583e4f083ec208b4d108b450c0f }
    $opcode_sequence_22 = { 5589e55383e4f883ec108b4d0c8b4508 }
    $opcode_sequence_23 = { 558b8e150409133f03fd08f81b0c4f22 }
    $opcode_sequence_24 = { 5589e553575683e4f883ec7031f68379 }
    $opcode_sequence_25 = { 5589e553575683e4f881ec3001000089 }
    $opcode_sequence_26 = { 5589e553575683e4f881ece00000000f }
    $opcode_sequence_27 = { 558b589608361d1943a57d0ba6492beb }
    $opcode_sequence_28 = { 5589e553575683e4f883ec1089ce6a00 }
    $opcode_sequence_29 = { 5589e5575683e4f883ec688b75088b7d }

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    $opcode_sequence_30 = { 5589e553575683e4f883ec386a006a00 }
    $opcode_sequence_31 = { 558b7c240868dca8440057683d484300 }
    $opcode_sequence_32 = { 5589e55683e4f881ec2801000089ce8d }
    $opcode_sequence_33 = { 5589e583ec188b450831c98b5508c704 }
    $opcode_sequence_34 = { 5589e583ec308b450c8b4d088b55088b }
    $opcode_sequence_35 = { 5589e583ec348b450831c983c1188b55 }
    $opcode_sequence_36 = { 5589e553575683e4f881ec78040000f2 }
    $opcode_sequence_37 = { 5589e583ec108b4508837d08008945f8 }
    $opcode_sequence_38 = { 5589e583ec348b4508837d08008945dc }
    $opcode_sequence_39 = { 5589e55683ec548b45088b4d08894df0 }
    $opcode_sequence_40 = { 558bec5de9a48efeffe9ef8efeffcccc }
    $opcode_sequence_41 = { 5589e553575683ec108b45108b4d0c8b }
    $opcode_sequence_42 = { 5589e5575683ec348b4508c745f40100 }
    $opcode_sequence_43 = { 558bec8325a0c345000083ec1c5333db }
    $opcode_sequence_44 = { 5589e553575683e4f083ec208b750c0f }
    $opcode_sequence_45 = { 5589e583ec348b450c8b4d088b55088b }
    $opcode_sequence_46 = { 558b6fd8d843ef516154e2526781aecd }
    condition:
    ( uint16(0) == 0x5a4d) and 38 of them
    }

    List of IOCs collected from EY MIST Threat Intel


    MD5 Hashes File Names
    0F841C6332C89EAA7CAC14C9D5B1D35B wordupd.tmp
    21A563F958B73D453AD91E251B11855C wordupd.tmp
    27C5ECBB94B84C315D56673A851B6CF9 wordupd.tmp
    2FBD10975EE65845A18AF6B7488A5236 USPS_Delivery.doc
    44B21AF75880AF21BAD9FDA1DD953815 peexe
    5774F35D180C0702741A46D98190FF37 peexe
    5DF79164B6D0661277F11691121B1D53 peexe
    79D137D91BE9819930EEB3876E4FBE79 peexe
    87239CE48FC8196A5AB66D8562F48F26 winupd.tmp, peexe
    A0DC59B0F4FDF6D4656946865433BCCE peexe
    A0C5B4ADBCD9EB6DE9D32537B16C423B wordupd.tmp
    A3A3495AE2FC83479BAEAF1878E1EA84 peexe
    B3E674E85A9BB5ACA3ABBC17FD99F603 peexe

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    BE537A66D01C67076C8491B05866C894 peexe
    BF2E43FF8542E73C1B27291E0DF06AFD peexe
    D2DDA72FF2FBBB89BD871C5FC21EE96A peexe
    D727F747F5D1F6C88FC0032B8B1B8BA9 peexe
    E69A8EB94F65480980DEAF1FF5A431A6 peexe
    F5ECDA7DD8BB1C514F93C09CEA8AE00D wordupd.tmp
    F83FB9CE6A83DA58B20685C1D7E1E546 peexe
    1304606861C8D05f5BBA92D225ADC69A VERDI.DOC
    Steuerbescheid-8508884191-78843000-
    1FFECD461B3D4B65E44fAFF8537F68D6 140.doc
    3BFCBA2DD05E1C75F86C008F3D245F62 eset.exe
    53D5BDC6BD7904B44078CF80E239D42B VERDI.doc
    54C9A5FC6149007E9B727FCCCDAFBBD4 Coupon_91658155.exe
    65CF08FFAF12E47DE8CD37098AAC5B33 peexe, 01NYX3xs.tmp
    80043A5B285DA88FB63D469243655751 Steuerbescheid.doc
    8205A1106AE91D0B0705992D61E84AB2 1473359.exe, peexe
    916D7838CD5A30015D75D1D783053EF7 Windowsupdate.bat
    9ABAD04C13B62E379642EEEC6E55C712 ball.exe, peexe
    A2D631FCB08A6C840C23A8F46F6892DD cure.doc
    A3386E5D833C8DC5DFBB772D1D27C7D1 7.dd, peexe
    AA87D4E3133F9E4591EA6179CA7AFF3C Invoice_97544835.exe, peexe
    AD30987A53B1B0264D806805CE1A2561 VERDI.doc
    B40A9EDA37493425782BDA4A3D9DAD58 Invoice_29557473.exe, peexe
    B4D6CB4E52BB525EBE43349076A240DF dospizdos.tmp, peexe
    C09AF442E8C808C953F4FA461956A30F Steuerbescheid.doc
    C3341B7DFBB9D43BCA8C812E07B4299F pass.exe
    D552BE44A11D831E874E05CADAFE04B6 LOAD_ENCDLL.EXE, peexe
    DEEBBEA18401E8B5E83C410C6D3A8B4E ESET32.EXE, peexe
    EE26E33725B14850B1776A67BD8F2D0A R19340003422.doc
    F04D404D84BE66E64A584D425844B926 out2.exe, peexe
    FBA4CBB7167176990D5A8D24E9505F71 1-1.exe, peexe

    Domains List
    introle[.]biz
    plex[.]direct
    agenziaentrate[.]icu
    agenziaentrateinformazioni[.]icu
    agenziainformazioni[.]icu
    bzst-info[.]icu
    hilfe-center-1und1[.]icu
    intralian[.]icu

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    usps-deliveryservice[.]icu
    zhengjuncai[.]monster
    healtyproductbest[.]review
    download-invoice[.]site
    malaysiaterkini[.]site
    conbase[.]top
    mazedecrypt[.]top
    condurises[.]xyz
    emplementriaton[.]xyz
    fantimit[.]xyz
    heatmoscover[.]xyz
    publistendick[.]xyz
    thistrich[.]xyz
    succeptishough[.]xyz
    thropossion[.]xyz
    werenceptical[.]xyz
    yearinesents[.]xyz
    1drivelive[.]com
    aloha-edc[.]net
    gsitestat[.]com
    nesinoder[.]com
    set-validator[.]com
    wwwcolnbase[.]com
    canadian-overnite[.]com
    info-delivery-notification[.]com
    lj-kabel[.]net
    hotspot.easygonet[.]com
    webislem[.]kibrisonline[.]com
    activate[.]netonline[.]net
    bayi.netonline[.]net
    beta-bayi[.]kibrisonline[.]com
    dev-bayi[.]netonline[.]net
    dev-hotspotpanel[.]netonline
    [.]net
    gidra2web[.]shop
    gidraruzxpnew4af[.]com
    gudra2wed[.]com
    gudra2wep[.]com
    gybra2web[.]com
    gydra2web[.]co
    gydra2web[.]shop
    gydra2wed[.]com

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    gydra2wep[.]com
    hedra2wep[.]com
    hibra2web[.]com
    hidra2wed[.]com
    hidra2wep[.]com
    hudra2wed[.]com
    hudra2wep[.]com
    hybra2web[.]co
    hydpa2web[.]com
    hydr2aweb[.]com
    hydra2ewb[.]com
    hydra2ved[.]com
    hydra2wed[.]co
    hydra2weg[.]com
    hydra2wep[.]co
    hydra4web[.]com
    hydro2wed[.]com
    hydro2wep[.]com
    onion[.]business
    onion[.]capital
    onion[.]cards
    onion[.]fish
    onion[.]limited
    onion[.]management
    onion[.]photo
    onion[.]shopping
    dependepeal[.]info
    mostualled[.]info
    all-apk[.]info
    apkbit[.]info
    apkeseay[.]info
    apkfinder[.]info
    apk-get-update[.]info
    apkhila[.]info
    apkitsall[.]info
    apks-rec[.]info
    apk-rool[.]info
    apkrool[.]info
    apk-tools[.]info
    apktool[.]info
    apktwin[.]info

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    apk-update[.]info
    appsfans[.]info
    bit-apk[.]info
    freshapk[.]info
    get-apk-update[.]info
    instaapk[.]info
    pure-apk[.]info
    qwecklyapk[.]info
    to-apk[.]info
    true-apk[.]info
    trueapk[.]info
    upd-ur-apk[.]info
    update-ur-apk[.]info
    sicurezza[.]me
    mx2[.]mgk [.]pl
    fermeri1[.]ru
    i1fermer[.]ru
    lbi1[.]ru
    bayi[.]netcity[.]net[.]tr
    shop[.]nethouse[.]net[.]tr
    missiondirectorates[.]us
    soresponsiblesd[.]us
    nano-care[.]vn

    IP List
    5.199.167.188
    45.76.149.204
    91.218.114.4
    91.218.114.11
    91.218.114.25
    91.218.114.26
    91.218.114.31
    91.218.114.32
    91.218.114.37
    91.218.114.38
    91.218.114.77
    92.63.8.47
    92.63.11.151
    92.63.15.6
    92.63.15.8
    92.63.15.56

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP


    MIST Threat Advisory
    (April 2020)

    92.63.17.245
    92.63.29.137
    92.63.32.2
    *92.63.32.55
    92.63.37.100
    92.63.194.3
    92.63.194.20
    104.238.158.250
    104.168.174.32
    104.168.198.208
    104.168.198.230
    104.168.201.35
    104.168.201.47
    104.168.215.54
    146.0.72.85
    149.56.245.196
    185.147.15.22
    195.123.217.13
    198.50.168.67

    References
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
    https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-04-18-maze-ransomware-
    unpacked-payload.vk.yar
    https://twitter.com/VK_Intel/status/1251388507219726338
    https://twitter.com/underthebreach/status/1251605359409664005
    https://www.peerlyst.com/posts/ta2101-maze-threat-actor-ransomware-cnc-sigma-ioc-detection-
    rule-soc-prime
    https://www.virustotal.com/gui/url/0ff6dc133f486178bd13acf266b02c0ca6771e6a066fb419dd0e17
    ed40a4756b/details
    https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-
    ransomware-cyber-attack/

    EY MIST Facility, India MIST_TA_2020_01_05 Ernst & Young LLP

    S-ar putea să vă placă și