Evil Corp hackers attacked dozens of US news websites with WastedLocker Ransomware
Evil Corp is an international cybercrime network that uses malicious software to steal money from its victims’ bank accounts. In the last decade, Evil Corp has stolen millions of dollars from hundreds of bank accounts worldwide, and many consider it the world’s largest and most harmful hacking group. The Russian cybercrime group has now added new ransomware to its arsenal, called WastedLocker. This ransomware is used in targeted attacks against enterprises and is deployed via fake application/program updates.
Evil Corp uses multiple different types of malware to infect user machines. Its latest strain of malware, Dridex, uses a combination of techniques to automate the theft of users’ banking credentials; the names Evil Corp and Dridex are often used interchangeably. Dridex is distributed using massive phishing email campaigns that send millions of messages per day.
Symantec confirmed that “dozens of U.S. newspaper websites owned by the same parent company have been compromised by injected SocGholish code. Some of the organizations targeted by WastedLocker could have been compromised when an employee browsed the news on one of its websites.”
UPDATE on our #WastedLocker investigation. Dozens of US newspaper websites owned by the same parent company were compromised by attackers in order to infect potential targets. Symantec has notified the company and it has now removed the malicious code. https://t.co/28E9iNr0o3
— Threat Intelligence (@threatintel) July 1, 2020
The researchers said that the group’s attacks started with the SocGholish framework, which was used to infect targets who visited more than 150 hacked websites (dozens of them US newspaper websites, as mentioned in the update above).
WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, the code turned out to be very basic and is also used by other malware families such as Netwalker, Gozi ISFB v3, ZLoader, and Smokeloader. The crypter mainly contains junk code to increase the entropy of the sample and hide the actual code.
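Because crypters like CryptOne work by raising the entropy of a sample, a common defensive triage step is to measure Shannon entropy over a binary and flag regions that look packed or encrypted. The following is an added example written for this article, not code from the researchers or from any of the tools mentioned above; it uses constructed sample data (repeated plain text versus a deterministic pseudo-random byte stream) rather than a real malware sample, and the 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value taken from the research.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, chunk_size: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for every fixed-size chunk whose entropy exceeds
    the threshold. Plain machine code and text normally sit well below 7 bits
    per byte; encrypted or compressed payloads approach 8. The threshold is an
    assumed heuristic for triage, not a definitive packed/unpacked verdict."""
    flagged = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        ent = shannon_entropy(chunk)
        if ent > threshold:
            flagged.append((offset, round(ent, 3)))
    return flagged


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Whole-sample check: True when overall entropy exceeds the threshold."""
    return shannon_entropy(data) > threshold


# --- Constructed sample inputs (not real malware bytes) ---------------------

def build_text_sample(size: int = 4096) -> bytes:
    """Low-entropy stand-in for unobfuscated content: repeated ASCII text."""
    phrase = b"the quick brown fox jumps over the lazy dog "
    return (phrase * (size // len(phrase) + 1))[:size]


def build_random_sample(size: int = 4096) -> bytes:
    """High-entropy stand-in for an encrypted payload. SHA-256 of a counter is
    used only so the stream is deterministic and reproducible offline."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


if __name__ == "__main__":
    for label, sample in (("text", build_text_sample()),
                          ("random", build_random_sample())):
        print(f"{label}: entropy={shannon_entropy(sample):.3f} "
              f"packed={looks_packed(sample)} "
              f"flagged_chunks={len(high_entropy_regions(sample))}")
```

In practice you would run this per PE section (for example with `pefile`) rather than over the whole file, since a crypter may leave headers and resources untouched while the stub and encrypted payload show up as a single high-entropy section; a high score is a reason to look closer, not proof of malice, because legitimate compressed or signed resources score high too.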
WastedLocker aims to encrypt the files of the infected host. However, before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly. First, WastedLocker decrypts the strings stored in the .bss section and then calculates a DWORD value that is used later for locating the decrypted strings related to the encryption process.
This is described in more detail in the String encryption section of the original research. In addition, the ransomware creates a log file, lck.log, and then sets an exception handler that creates a crash dump file in the Windows temporary folder, with the filename being the ransomware’s binary filename. WastedLocker chooses a random name from a generated name list in order to generate file or service names.