A new strain of ransomware is infecting corporate networks through a complicated chain of events, with some infections beginning with stolen credentials for domain controllers inside target networks.
The ransomware first began popping up in January, but there has been a significant increase in infections in the last few days, according to researchers at Sophos who have been tracking the outbreak. Known as MegaCortex, the ransomware has a few interesting attributes, including its use of a signed executable as part of the payload and an offer of security consulting services from the malware author. Researchers said the ransomware often is present on networks that already are infected with the Emotet and Qakbot malware, but they are not sure whether those tools are part of the delivery chain for MegaCortex.
Ransomware, for the most part, targets individuals rather than enterprise networks. That is mainly because individuals are easier targets than corporate machines, but some attackers have begun to move up the food chain. Corporate ransomware infections can be much more profitable and efficient, with larger payouts for criminals who can compromise one organization rather than dozens or hundreds of individual victims. MegaCortex seems to be part of that trend, targeting enterprises with a mix of techniques.
“The convoluted infection methodology MegaCortex employs leverages both automated and manual components, and appears to involve a high amount of automation to infect a greater number of victims. In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a meterpreter reverse shell in the victim’s environment,” an analysis of the MegaCortex ransomware by Andrew Brandt of Sophos says.
“From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initial dropped malware) on specified machines.”
MegaCortex first emerged on the VirusTotal malware site in January and there were more infections in February. But Brandt said Sophos observed a major spike in infections late last week. The initial stage of the infection chain involves the compromise of a domain controller on a network, typically with stolen credentials. The attackers then run an obfuscated PowerShell script, which once decoded, includes another script that opens the reverse shell for the attacker on the compromised machine.
The attacker then uses the domain controller to spread the malware to other computers on the network and runs a batch file on them. That batch file performs a number of tasks, including halting the processes of security applications and running an executable that was downloaded earlier in the infection chain.
“This command invokes winnit.exe to drop and execute a DLL payload with an eight-random-alphabetic character filename that performs the hostile encryption. There are also indications the attackers use other batch files, named with the numbers 1.bat through 6.bat, that are being used to issue commands to distribute the winnit.exe and the 'trigger' batch file around the victim’s network,” Brandt said.
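The chain described above leaves a recognizable trail in process-creation telemetry: an encoded PowerShell command on the domain controller, batch files named 1.bat through 6.bat on the machines it spreads to, and winnit.exe invoked with an eight-letter DLL. The following scanner is an added example written for this article, not code from Sophos; it runs over a handful of constructed log lines in a simple key=value format, and the host names, account names, file paths, and the way winnit.exe is shown receiving the DLL path are all assumptions made for the sample, not observed artifacts.

```python
"""Added example: scan constructed process-creation log lines for the MegaCortex
tradecraft described above (encoded PowerShell on the domain controller,
numbered batch files 1.bat-6.bat, winnit.exe with an eight-letter DLL), then
show which accounts touched more than one host.  The log format, host names,
account names and file paths are all constructed for this example."""
import base64
import re
from typing import Dict, List, Optional

# Field parser for the constructed "key=value" log format; cmdline is quoted.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_FLAG = re.compile(r'(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})')
# Batch files named 1.bat through 6.bat, as reported by Sophos.
NUMBERED_BAT = re.compile(r'(?i)(?:^|[\\\s"])[1-6]\.bat\b')
WINNIT = re.compile(r'(?i)\bwinnit\.exe\b')
# Eight purely alphabetic characters plus .dll.  On its own this matches plenty
# of legitimate DLLs (setupapi.dll, for one), so it only counts next to winnit.exe.
EIGHT_ALPHA_DLL = re.compile(r'(?i)(?:^|[\\\s"])[a-z]{8}\.dll\b')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still worth a look, but nothing to show


def classify(fields: Dict[str, str]) -> List[str]:
    """Name every MegaCortex-style indicator present in one parsed event."""
    cmd = fields.get("cmdline", "")
    image = fields.get("image", "").lower()
    reasons: List[str] = []
    if image.endswith("powershell.exe") and ENC_FLAG.search(cmd):
        reasons.append("encoded PowerShell command line")
    if NUMBERED_BAT.search(cmd):
        reasons.append("numbered batch file (1.bat-6.bat)")
    if WINNIT.search(cmd):
        if EIGHT_ALPHA_DLL.search(cmd):
            reasons.append("winnit.exe with eight-letter DLL")
        else:
            reasons.append("winnit.exe")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line that carries at least one indicator."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        f = parse_line(line)
        reasons = classify(f)
        if reasons:
            hits.append({
                "host": f.get("host", "?"),
                "user": f.get("user", "?"),
                "reasons": reasons,
                "decoded": decode_encoded_command(f.get("cmdline", "")),
            })
    return hits


def accounts_spanning_hosts(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Accounts whose hits appear on two or more hosts: the domain-controller-then-
    workstation spread described above shows up as one account touching several machines."""
    seen: Dict[str, set] = {}
    for h in hits:
        seen.setdefault(str(h["user"]), set()).add(str(h["host"]))
    return {u: sorted(hs) for u, hs in seen.items() if len(hs) > 1}


# Constructed sample: a benign command stands in for the real obfuscated script.
ENCODED_SAMPLE = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()

SAMPLE_LOG = [
    '2019-05-03T09:14:02Z host=DC01 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe -NoP -w hidden -enc ' + ENCODED_SAMPLE + '"',
    '2019-05-03T09:15:31Z host=WS042 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c C:\\Windows\\Temp\\3.bat"',
    '2019-05-03T09:16:05Z host=WS042 user=CORP\\svc_backup '
    'image=C:\\Windows\\Temp\\winnit.exe cmdline="winnit.exe C:\\Windows\\Temp\\qrhtlmvk.dll"',
    '2019-05-03T09:20:44Z host=WS042 user=CORP\\jsmith '
    'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\jsmith\\notes.txt"',
    '2019-05-03T09:21:10Z host=WS042 user=CORP\\jsmith '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe Get-Process"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit["host"], hit["user"], "; ".join(hit["reasons"]))
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
    print("accounts seen on several hosts:", accounts_spanning_hosts(found))
```

The two benign lines produce no hits, and the single account that appears first on the domain controller and then on a workstation is surfaced by `accounts_spanning_hosts`, which is the correlation an analyst would want when the first stage is a domain controller compromised with stolen credentials. The eight-letter DLL pattern is deliberately gated on winnit.exe because on its own it would fire on ordinary system libraries.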
The MegaCortex samples that Sophos analyzed are signed by a legitimate certificate, and researchers at Chronicle, the parent company of VirusTotal, said that certificate has been used in other malware campaigns recently.
“While there are no earlier samples of MegaCortex available, the same signer certificate (CN) is used in both the Rietspoof loader and MegaCortex samples dating back to at least Jan. 22, 2019. This means it is highly likely that the people using Rietspoof with that signature are also using MegaCortex. I can't say definitively that the same threat actors are behind both Rietspoof and MegaCortex, but this finding solidifies a correlation,” said Brandon Levene, head of applied intelligence at Chronicle.
Oddly, MegaCortex doesn’t include a specific ransom demand in the note it leaves on infected machines. Rather, it includes a message that criticizes the security of the victim’s network and tells the victim to send a couple of specific files back to the author in order to receive the software needed to decrypt the machine.
“The software price will include a guarantee that your company will never be inconvenienced by us. You will also receive a consultation on how to improve your companies [sic] cybersecurity,” the message says.
The potential connection between the MegaCortex infections and existing infections by Emotet and Qakbot is an intriguing one. Both Emotet and Qakbot are well-known pieces of malware that often are used to install other malicious software.
“If you are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start,” Brandt said.
Qakbot recently modified its infection routine, allowing it to evade detection more effectively. The malware is more than 10 years old, and this change has given it a new weapon.
“Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials and eventually draining their bank accounts. Qakbot has long utilized scheduled tasks to maintain persistence. In this blog post, we will detail an update to these scheduled tasks that allows Qakbot to maintain persistence and potentially evade detection,” an analysis of Qakbot by Ashlee Benge of the Cisco Talos Intelligence Group and Nick Randolph of the Threat Grid Research and Efficacy team says.