Bills C26 and C27 Prompt Major Regulatory Changes in Cybersecurity and Data Collection What Canada’s Vital Industries Should Know About Bills C26 and C27 The nature of cybersecurity and data collection in Canada is set to experience major changes that will impact all of Canada’s tech industries. The introduction of [...]
When WannaCry came out last month, many were taken by surprise of the exploit of NSA tools for SMB. Especially because a patch was launched by Microsoft for the same in March. Everyone who didnt patch lost your computer. In the days and weeks that followed everyone said PATCH PATCH PATCH! to remain safe and ensure backups. You would think people would have patched by now or disabled SMB altogether?
Now entering Petya Ransomware, also attributed by some as Golden Eye variant.
Unlike most ramsonware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retreiving stored information or samples.
Just like Petya, GoldenEye encrypts the the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. The ransomware is found to be spreading via SMB and WMIC. Some reports suggest to prevent infection we should block WMIC.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
| category | type | value |
| Payload delivery | filename|sha1 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d |
| External analysis | link | https://www.hybrid-analysis.com/search?query=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename|sha256 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename|md5 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|71b6a493388e7d0b40c83ce903bc6b04 |
| Payload delivery | x509-fingerprint-sha1 | 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f |
| Payload installation | filename|md5 | %WINDIR%\dllhost.dat|aeee996fd3484f28e5cd85fe26b6bdcd |
| Payload installation | filename|sha1 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|532bea84179e2336caed26e31805ceaa7eec53dd |
| Payload installation | filename|sha512 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|cefeb349970c7d7f1bdef4123b4cb71f1a76c4ce8197d9dbb10c5f5d0bb0e86cffe51829f0a9c7590e4072194a503eb4bff507dcdb992df08c154c818fb4f431 |
| Payload delivery | x509-fingerprint-sha1 | 3036e3b25b88a55b86fc90e6e9eaad5081445166 |
| Payload delivery | x509-fingerprint-sha1 | 3ea99a60058275e0ed83b892a909449f8c33b245 |
| Payload delivery | x509-fingerprint-sha1 | 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f |
| Payload installation | filename|sha512 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31 |
| Payload delivery | filename|sha512 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f |
| Payload installation | filename|md5 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|9a7ffe65e0912f9379ba6e8e0b079fde |
| Payload installation | filename|md5 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|5f6e775124efbd810c58f349d3f96400 |
| Payload installation | filename|sha1 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|766d70566b38c5fbf8b2e891c2f70f146561789f |
| Payload installation | filename|sha256 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE|eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc |
| Payload installation | filename|sha256 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll|4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651 |
| Payload installation | filename|sha256 | %TEMP%\FE04.tmp|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165 |
| Payload installation | filename|md5 | %TEMP%\FE04.tmp|5733d78651a308b8dfacb41a7ec2b99a |
| Payload installation | filename|sha256 | %WINDIR%\dllhost.dat|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 |
| Payload installation | filename|sha1 | %TEMP%\FE04.tmp|98f9ade6d75c887d06b0343b506aebd948a61818 |
| Payload installation | filename|sha512 | %TEMP%\FE04.tmp|a10227d5090014f7c5e9ed8911823a622fb599683ab6a1e18706138e49dda98d3228ce4a74e3e8f0dfe2c6f8f81a6811eedf8d17f589f22cfcd60fe2c895c272 |
| Payload installation | filename|sha512 | %WINDIR%\dllhost.dat|e7c0b64ca5933c301f46dc3b3fd095bcc48011d8741896571bf93af909f54a6b21096d5f66b4900020dcaece6ab9b0e1d1c65791b8b5943d2e4d5bab28340e6f |
| Payload installation | filename|sha1 | %WINDIR%\dllhost.dat|cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb |
| Persistence mechanism | regkey|value | HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED|01000000 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\EXE\Release\psexec.pdb |
| Artifacts dropped | yara | <yara><yarahits><rule author=”Florian Roth” description=”Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)” name=”Tiny_Network_Tool_Generic”><strings><hit><value>KERNEL32.DLL</value></hit><hit><value>LoadLibraryA</value></hit><hit><value>GetProcAddress</value></hit><hit><value>ADVAPI32.DLL</value></hit><hit><value>USER32.DLL</value></hit><hit><value>FreeSid</value></hit><hit><value>To</value></hit></strings></rule></yarahits></yara> |
Russia, Ukraine,France, Netherlands, USA, UK, India, Japan
Financial Institutions, Telecoms, Power and Utility, Airlines and Transportation, Energy , Oil & Gas
https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users
https://www.nytimes.com/reuters/2017/06/27/business/27reuters-ukraine-cyber-attacks-ukrenergo.html
http://www.bbc.com/news/technology-40416611
Header image from: https://3.bp.blogspot.com/-Z9KXBRVMLAg/WVJqrHoMqdI/AAAAAAAAtWc/daYeKHPIzwoiwG30oaiSWGhJkkT39PjmQCLcBGAs/s1600/petya-ransomware.png
Single sign-on provider OneLogin has experienced a breach. If you or your company uses OneLogin to sign in to applications, or if you use any of their other services, you ...
How Cobalt Strike Is Being Turned Against Canadian Industry Cobalt Strike Malware Stirs Concerns Across Canada Cobalt Strike is one of the many tools used by hackers for compromising networks, harvesting sensitive data, and extorting money from victims. Cobalt Strike malware is a complex issue to address for IT professionals in Canada, as it is ...
