Nýr lausnarhugbúnaður Rook er byggður á Babuk frumkóða

Helga Smithjanúar 4, 2022Síðast uppfært: janúar 5, 2022
1 mínútu lestur

Sentinel One experts hafa uppgötvað a new ransomware Rook, which appears to be based on the long-leaked source code of the Babuk ransomware.

The malware payload is usually delivered via Cobalt Strike, using phishing emails and pirated torrents as the initial infection vector. For more stealth, Rook payloads are packaged using UPX or other cryptographic means.

When launched, the ransomware tries to terminate any processes related to security mechanisms or other things that might also interrupt encryption.

Athyglisvert, in some cases the Process Hacker’s kph.sys driver comes into play when processes are shutting down, but in others it does not. This seems to be due to the need for attackers to use a driver to disable certain local security solutions for certain actions.segja sérfræðingar.

The report also notes that Rook uses vssadmin.exe to remove shadow copies.

Hingað til, researchers have not found any pinning mechanisms on the system, so Rook encrypts files by adding the .Rook extension to them, and then deletes itself from the compromised machine.

The researchers write that they noticed numerous code similarities between Rook and Babuk, whose source code was published on a Russian-language forum in the fall of 2021. Til dæmis, Rook uses the same API calls to get the name and status of each running service, and the same functions to kill them. Auk þess, the list of eliminated Windows processes and services is the same for both ransomware (þar á meðal: Steam, Microsoft Office and Outlook email client, sem og Mozilla Firefox and Thunderbird). Þar af leiðandi, Sentinel One experts conclude that Rook is based on the Babuk source code.

The Rooksite of leakshas already posted the data of two victims: a bank and an Indian company working in the aviation and aerospace industry. Information from both victims was added this month, which means it looks like the group is just getting started.

Ég minni á að við skrifuðum það Khonsari ransomware attacks Minecraft servers, sem og það Vísindamenn uppgötvuðu ALPHV lausnarhugbúnaður skrifaður í Rust.

Merki
Helga Smithjanúar 4, 2022Síðast uppfært: janúar 5, 2022
1 mínútu lestur

Helga Smith

Ég hafði alltaf áhuga á tölvunarfræði, sérstaklega gagnaöryggi og þemað, sem heitir nú á dögum "gagnafræði", síðan á unglingsárum mínum. Áður en þú kemur inn í teymið til að fjarlægja veirur sem aðalritstjóri, Ég starfaði sem sérfræðingur í netöryggi í nokkrum fyrirtækjum, including one of Amazon's contractors. Önnur upplifun: Ég hef kennt í Arden og Reading háskólunum.

Skildu eftir skilaboð

Your email address will not be published. Required fields are marked *

Þessi síða notar Akismet til að draga úr ruslpósti. Lærðu hvernig ummælagögnin þín eru unnin.

Aftur efst á hnappinn