MountLocker ransomware uses Windows API to navigate the network

The MalwareHunterTeam team has announced a new version of MountLocker ransomware that has acquired a worm-like function and uses the Windows API.

MountLocker ransomware can now use Windows Active Directory corporate APIs to navigate networks and encrypt other devices.

MountLocker began operating in July 2020 as a service (RaaS), where developers are responsible for building ransomware software and a payment site, and affiliates are invited to hack into businesses and encrypt their devices.

“As part of this arrangement, the MountLocker core team receives a 20-30% share of the buyout and the affiliate receives the rest”, — journalists Bleeping Computer explained.

In March 2021, a new ransomware group called Astro Locker emerged and started using a customized version of MountLocker ransomware with ransom messages pointing to their own payment and leak sites.

最後一刻, in May 2021, a third group emerged called XingLocker, which also uses a customized MountLocker ransomware executable.

This week, MalwareHunterTeam shared a sample of what is considered the new MountLocker executable and contains a new worm feature that allows it to spread across other devices on the network and encrypt data.

This malware is a qualitative shift in the professional development of ransomware to exploit corporate networks”, — MalwareHunterTeam told.

The malware first uses the NetGetDCName () function to get the name of the domain controller. It then makes LDAP requests to the ADS domain controller using the ADsOpenObject () function with the credentials supplied on the command line. After connecting to Active Directory services, the ransomware searches the database for objectsobjectclass = computer”.

For each object found, MountLocker will attempt to copy the executable file to the \C$\ProgramData folder on the remote device. The ransomware then remotely creates a Windows service that downloads an executable file to continue encrypting the device.

Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using the stolen domain credentials.

MountLocker is the first known ransomware to use unique corporate network patterns to uncover additional encryption targets”, — Advanced Intel Director Vitali Kremez to BleepingComputer.

Because Windows network administrators typically use this API, the attacker who injected the code likely has some experience administering Windows domains, 據專家介紹.

Although this API has been seen in other malware such as TrickBot, experts believe MountLocker may be considered the firstprofessional ransomwareto use these APIs to perform intelligence and propagation to other devices.

Read also: NUSM Virus – 如何刪除?

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕