“MegaCortex” Ransomware in action - A May Day gift no one wanted

The sudden appearance of the brand-new MegaCortex ransomware on several enterprise networks was no less than a May Day surprise for the IT world.

The new ransomware, named MegaCortex, was noticed last Wednesday when Sophos saw a sharp spike in attacks against multiple customers around the globe.

According to the SophosLabs investigation, the attack was delivered by invoking a Meterpreter reverse shell using a common red-team attack tool script. From the reverse shell, the infection chain uses PowerShell scripts, batch files pulled from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (embedded in the initially dropped malware) onto specified machines.

There have been (so far) 76 confirmed attacks stopped by Intercept X since February, with 47 of those (or about two thirds of the known incidents) happening in the past 48 hours. Each attack targeted an enterprise network and may have involved hundreds of machines.

As per the SophosLabs investigation (Andrew Brandt)

According to SophosLabs' initial analysis, a preliminary sign of the ransomware infection is Windows Event ID 10028. When the attacker attempts to spread the malware, alerts like this one, with Event ID 10028 (logged by the DistributedCOM source in the System event log when DCOM cannot reach a remote machine), indicating the file can't be transmitted to some machines, may appear in the administrator's console. A burst of these events from a domain controller towards many hosts in a short window is worth treating as a lateral-movement signal, not as a networking glitch.


Event ID 10028 Log

MegaCortex attack process: how does it strike?

According to the SophosLabs investigation, there may be a relationship with an ongoing Emotet or Trickbot infection on the same network.

Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) and Trickbot malware.

As per Andrew Brandt, Security Researcher at Sophos

These malware families are known for delivering further malicious payloads to infected machines, and they can also download and install ransomware on the computers they control, but so far there is no direct evidence that this is how MegaCortex arrived.

According to Andrew Brandt's blog post, victims have reported that the attack was initiated from a compromised domain controller (DC).

Let's break down the stages of this infection:

1. First, the attacker executed a highly obfuscated PowerShell script using stolen admin credentials.

Image Source: Sophos Lab Investigation, blog by Andrew Brandt

2. On de-obfuscating the script, SophosLabs researchers decoded a series of commands from the base64-encoded data. The commands and script appear to be a Cobalt Strike script that opens a Meterpreter reverse shell into the victim’s network.

Image Source: Sophos Lab Investigation, blog by Andrew Brandt

3. The attacker ran these commands and scripts on the compromised DC, which was being remotely accessed through the reverse shell.

Using WMI from the DC, the attacker pushed the malware out to the rest of the network: a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file, so that every other reachable system receives the same set of files. The batch file is then run remotely via the renamed PsExec. Because the binary was renamed, detection should key on PsExec's behaviour (remote service installation, its command-line switches) rather than on the file name.

4. The batch file introduced in the previous step tampers with various processes and services so that they cannot interfere with the attack or start again:

  • It kills multiple processes.
  • It issues a stop command to various running services.
  • It switches the startup type of various services to Disabled.
  • It also targets a lot of security software and services, including some Sophos services, trying to stop them and set them to Disabled, but a properly configured installation won’t allow this.
Processes Killed, Image Source: Sophos Lab Investigation, blog by Andrew Brandt
Process disabled, Image Source: Sophos Lab Investigation, blog by Andrew Brandt

5. After killing and disabling those services and processes, to make sure none of them interrupts the encryption, the batch file launches the previously dropped executable, winnit.exe, with a command-line flag carrying base64-encoded malicious data.

winnit.exe executing payload, Image Source: Sophos Lab Investigation, blog by Andrew Brandt

According to the Sophos investigation (blog by Andrew Brandt, Sophos security researcher), the command invokes winnit.exe to drop and execute a DLL payload with an eight-random-alphabetic-character filename that performs the hostile encryption. There are also indications the attackers use other batch files, named 1.bat through 6.bat, that are used to issue commands to distribute winnit.exe and the “trigger” batch file around the victim’s network.

As per Andrew Brandt, Security Researcher in Sophos

6. After the encryption completes, the attacker leaves a ransom note in plain text. The note observed in the MegaCortex infection was:

Ransom note, Image Source: Sophos Lab Investigation, blog by Andrew Brandt

The ransomware also creates a file with a .tsv extension and the same eight-random-letter filename as the malicious DLL, and drops it on the hard drive. The ransom demand asks the victim to submit this file along with their request to pay the ransom, sent to either of two free mail.com email addresses listed in the note.
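The chain in steps 1 to 5 lends itself to a small triage script. The following Python is an added example written for this page; it is not code from Sophos or from the attackers' toolkit. It does two things: it unpacks a -EncodedCommand PowerShell one-liner of the layout Cobalt Strike and Metasploit stagers commonly use (UTF-16LE base64 wrapping a gzip-in-base64 blob fed to IEX), and it tags process command lines for the batch-file behaviours of step 4 and the PsExec and winnit.exe launches of steps 3 and 5. Everything it runs on is constructed for the demo: the stager is a harmless Write-Host, and the assumption that the batch file uses taskkill, net stop and sc config, the host 10.0.0.12, the path C:\Windows\Temp\1.bat and the service and process names are mine, not details from the Sophos write-up. Since PsExec was renamed to rstwg.exe, the PsExec rule keys on its -accepteula switch rather than the image name.

```python
"""Triage helpers for the MegaCortex-style chain in steps 1 to 5 above.

Added example for this page, not code from Sophos or from the attackers'
toolkit.  Every sample command line is CONSTRUCTED; the real batch file and
the real encoded PowerShell were only shown as screenshots.  Assumptions
(not stated by the page): the batch file uses taskkill / net stop /
sc config; PsExec is recognised by its -accepteula switch because the
binary was renamed (rstwg.exe); the encoded PowerShell follows the common
-EncodedCommand + gzip-in-base64 stager layout; host, path, process and
service names below are placeholders.
"""
import base64
import gzip
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{16,})")
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_encoded_powershell(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def unwrap_layers(script, max_depth=8):
    """Peel nested FromBase64String('...') layers, gunzipping when the gzip
    magic (1f 8b) appears.  Returns all layers, outermost first; the last
    element is the plaintext that IEX would finally execute."""
    layers = [script]
    for _ in range(max_depth):
        m = INNER_B64.search(layers[-1])
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":
            raw = gzip.decompress(raw)
        layers.append(raw.decode("utf-8", errors="replace"))
    return layers


# Behaviours called out in steps 3 to 5.  Image names are weak signals
# (PsExec was renamed), so the rules key on arguments where possible.
RULES = {
    "encoded_powershell": re.compile(r"(?i)powershell.*\s-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{16,}"),
    "process_kill":       re.compile(r"(?i)\btaskkill\b.*\s/f\b"),
    "service_stop":       re.compile(r"(?i)\b(?:net\s+stop|sc(?:\.exe)?\s+stop)\b"),
    "service_disable":    re.compile(r"(?i)\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b"),
    "psexec_switch":      re.compile(r"(?i)\s-accepteula\b"),
    "winnit_b64_arg":     re.compile(r"(?i)\bwinnit\.exe\s+[A-Za-z0-9+/=]{32,}"),
}


def classify(cmdline):
    """Set of rule names matching one process command line (empty if benign)."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def triage(cmdlines):
    """Map every suspicious command line to its tags; benign lines are dropped."""
    result = {}
    for c in cmdlines:
        tags = classify(c)
        if tags:
            result[c] = tags
    return result


# A harmless stand-in for the attackers' stager, packaged the way Cobalt
# Strike / Metasploit PowerShell one-liners are: plaintext -> gzip -> base64
# -> IEX/GzipStream wrapper -> UTF-16LE -> base64 -> -EncodedCommand.
INNER_SCRIPT = "Write-Host 'stager would run here'"
_gz_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
_wrapper = (
    "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
    "[IO.MemoryStream][Convert]::FromBase64String('" + _gz_b64 + "'),"
    "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
)
ENCODED_CMD = "powershell -nop -w hidden -enc " + base64.b64encode(_wrapper.encode("utf-16-le")).decode()

SAMPLE_CMDLINES = [  # constructed for the demo; not from the Sophos write-up
    ENCODED_CMD,
    r"rstwg.exe \\10.0.0.12 -accepteula -s -d cmd /c C:\Windows\Temp\1.bat",
    "taskkill /IM backupagent.exe /F",
    "net stop BackupService /y",
    "sc config avservice start= disabled",
    "winnit.exe " + "A" * 64 + "==",
    r"notepad.exe C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    layers = unwrap_layers(decode_encoded_powershell(ENCODED_CMD))
    print("stager plaintext:", layers[-1])
    for cmd, tags in triage(SAMPLE_CMDLINES).items():
        print(sorted(tags), cmd[:60])
```

Feed it Sysmon Event 1 or Security 4688 command lines (with command-line auditing enabled) and the tags give an analyst a quick ordering: an encoded PowerShell launch on a DC, followed by -accepteula launches from an unfamiliar image name and a run of taskkill / net stop / sc config on many hosts, is the sequence described above and deserves immediate isolation.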

Recommended protection against this attack

At present there is no foolproof protection against this ransomware, as Sophos researchers are still working to get the complete picture of the attack process. Their interim advice follows.

We’re still trying to develop a clearer picture of the infection process, but for now, it appears that there’s a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims’ networks with both Emotet and Qbot. If you are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start.

We have not seen any indication so far that Remote Desktop Protocol (RDP) has been abused to break into the customer networks, but we know that holes in enterprise firewalls that allow people to connect to RDP remain relatively common. We strongly discourage this practice and suggest that any IT admin who wishes to do this put the RDP machine behind a VPN.

As the attack seems to indicate that an administrative password was abused by the criminals, we also recommend the widespread adoption of two-factor authentication for everything that currently requires just a password, and can use 2FA.

As per Andrew Brandt, Security Researcher at Sophos

Reference: for more in-depth information, see the SophosLabs blog post by Andrew Brandt cited throughout this article.
