MountLocker ransomware uses Windows API to navigate the network

The MalwareHunterTeam team has announced a new version of MountLocker ransomware that has acquired a worm-like function and uses the Windows API.

MountLocker ransomware can now use Windows Active Directory corporate APIs to navigate networks and encrypt other devices.

MountLocker began operating in July 2020 as a service (RaaS), where developers are responsible for building ransomware software and a payment site, and affiliates are invited to hack into businesses and encrypt their devices.

“As part of this arrangement, the MountLocker core team receives a 20-30% share of the buyout and the affiliate receives the rest”, — journalists Bleeping Computer giải thích.

In March 2021, a new ransomware group called Astro Locker emerged and started using a customized version of MountLocker ransomware with ransom messages pointing to their own payment and leak sites.

Cuối cùng, in May 2021, a third group emerged called XingLocker, which also uses a customized MountLocker ransomware executable.

This week, MalwareHunterTeam shared a sample of what is considered the new MountLocker executable and contains a new worm feature that allows it to spread across other devices on the network and encrypt data.

This malware is a qualitative shift in the professional development of ransomware to exploit corporate networks”, — MalwareHunterTeam told.

The malware first uses the NetGetDCName () function to get the name of the domain controller. It then makes LDAP requests to the ADS domain controller using the ADsOpenObject () function with the credentials supplied on the command line. After connecting to Active Directory services, the ransomware searches the database for objectsobjectclass = computer”.

For each object found, MountLocker will attempt to copy the executable file to the \C$\ProgramData folder on the remote device. The ransomware then remotely creates a Windows service that downloads an executable file to continue encrypting the device.

Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using the stolen domain credentials.

MountLocker is the first known ransomware to use unique corporate network patterns to uncover additional encryption targets”, — Advanced Intel Director Vitali Kremez to BleepingComputer.

Because Windows network administrators typically use this API, the attacker who injected the code likely has some experience administering Windows domains, according to experts.

Although this API has been seen in other malware such as TrickBot, experts believe MountLocker may be considered the firstprofessional ransomwareto use these APIs to perform intelligence and propagation to other devices.

Read also: Virus NUSM – Làm thế nào để loại bỏ?

Helga Smith

Tôi luôn quan tâm đến khoa học máy tính, đặc biệt là bảo mật dữ liệu và chủ đề, được gọi là ngày nay "khoa học dữ liệu", kể từ khi tôi còn ở tuổi thiếu niên. Trước khi vào nhóm Diệt Virus với vai trò Tổng biên tập, Tôi đã làm việc với tư cách là chuyên gia an ninh mạng tại một số công ty, bao gồm một trong những nhà thầu của Amazon. Một trải nghiệm khác: Tôi đã nhận được đang giảng dạy tại các trường đại học Arden và Reading.

Gửi phản hồi

Website này sử dụng Akismet để hạn chế spam. Tìm hiểu bình luận của bạn được duyệt như thế nào.

Nút quay lại đầu trang