Multi-Purpose Ransomware Fuels DDoS Attacks

Captain Awesome
May 7, 2016
Cybercriminals using Ransomware appear to be leveraging infected machines for additional nefarious purposes, such as launching distributed denial of service (DDoS) attacks, researchers at Invincea warn.

In addition to holding the victim’s data hostage until a ransom is paid, a newly spotted ransomware variant is also exploiting compromised machines as part of potential DDoS attacks, Invincea’s Ikenna Dike explains.

The researchers managed to tie the ransomware to the Cerber family and discovered that the malware was making changes to the computer’s screensaver, which allowed it to post a permanent ransom note on the victim’s screen. Additionally, the malware exhibited strange network behavior, calling out a large address range: from 85.93.0.0 to 85.93.63.255.

The actors behind this malware were using a weaponized Office document for distribution, while employing a fileless attack method. An RTF document arriving in the victim’s inbox prompted the user to allow macros to run in Microsoft Word to view the file content. However, once executed, the macros would spawn an elevated command shell on the host, meant to execute an encoded VBScript.

According to Invincea’s researcher, the malware’s code was obfuscated to hinder analysis attempts, but the functions and variables appeared computer generated. Pieces of code that resemble human readable functions were also observed, but the researcher believes that variables, integers, and comments in the code were actually added there to confuse analysts.
Read Full Story: Multi-Purpose Ransomware Fuels DDoS Attacks | SecurityWeek.Com
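The infection chain described above (a Word macro spawning an elevated command shell that runs an encoded VBScript) is a process-tree pattern a defender can hunt for in endpoint telemetry. The following is an added example and is not code from the article, from Invincea or from SecurityWeek: it walks a set of constructed process-creation events (the field names pid/ppid/image/integrity/cmdline and every sample value are this example's own assumptions) and flags script hosts whose ancestry includes an Office application, noting when the child runs at a higher integrity level than its Office ancestor.

```python
import os

# Constructed process-creation events, not real telemetry. They model the
# chain in the article: Word opens an RTF, the macro spawns an elevated
# cmd.exe, which launches a script host. Command lines are placeholders.
EVENTS = [
    {"pid": 1200, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "integrity": "Medium", "cmdline": "explorer.exe"},
    {"pid": 4012, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "integrity": "Medium", "cmdline": 'WINWORD.EXE /n "invoice.rtf"'},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "integrity": "High", "cmdline": "cmd.exe /c <constructed placeholder>"},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "integrity": "High", "cmdline": "wscript.exe <constructed placeholder>"},
    # A shell the user opened from Explorer: same binary, benign ancestry.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "integrity": "Medium", "cmdline": "cmd.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def basename(image_path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return os.path.basename(image_path.replace("\\", "/")).lower()


def ancestors(events_by_pid, pid):
    """Yield parent events from `pid` upward; stops at an unknown parent or a cycle."""
    seen = set()
    ev = events_by_pid.get(pid)
    while ev is not None and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = events_by_pid.get(ev["ppid"])
        if ev is not None:
            yield ev


def detect_office_spawned_shells(events):
    """Return one finding per script host that descends from an Office process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = list(ancestors(by_pid, e["pid"]))
        office = next((a for a in chain if basename(a["image"]) in OFFICE_APPS), None)
        if office is None:
            continue  # shell with ordinary ancestry, e.g. launched from Explorer
        # The article's chain runs an *elevated* shell; record the integrity jump.
        elevated = (INTEGRITY_RANK.get(e["integrity"], 0)
                    > INTEGRITY_RANK.get(office["integrity"], 0))
        findings.append({
            "pid": e["pid"],
            "image": basename(e["image"]),
            "office_parent": basename(office["image"]),
            "elevated_over_parent": elevated,
        })
    return findings


if __name__ == "__main__":
    for f in detect_office_spawned_shells(EVENTS):
        print(f)
```

The benign cmd.exe (pid 5000) is not reported because its ancestry never passes through an Office binary, which is what keeps this kind of rule from firing on every command prompt a user opens; the two flagged processes both carry an integrity level above their WINWORD.EXE ancestor, matching the elevation step the article describes.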

DardiM
May 14, 2016
That's why my operating system is still MS-DOS :cool::p
Thanks for the post :)

Exterminator
Oct 23, 2012
Ransomware developers seem to have found another way to monetize their operations by adding a DDoS component to their malicious payloads.

Security researchers from Invincea reported this past Wednesday on a malware sample that appeared to be a modified version of an older threat, the Cerber ransomware.

The malware analysis team that inspected the file discovered that, besides the file encryption and screen locking capabilities seen in most ransomware families, this threat also comes with an additional payload, which, when put under observation, seemed to be launching network packets towards a network subnet.

This type of behavior is specific to DDoS bots, and this was the first time something like this was seen bundled with ransomware.

Bastard Cerber ransomware spread via weaponized RTF documents
The sample Invincea analyzed isn't very stealthy, being detected by 37 out of the 57 antivirus engines on VirusTotal, and spreads via weaponized RTF files.

The documents rely on the user activating the Macro feature in Office, which then executes a malicious VBScript that downloads and runs the malware.

The ransomware is executed first, which encrypts the user's data and then blocks their access to the computer by locking the screen. After this sequence, a second binary called 3311.tmp is also launched into execution and starts sending a large amount of network traffic out of the infected computer.

Surely to become a trend
"The observed malware seems to serve multiple purposes. First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack," Invincea's Ikenna Dike explained.

"The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."

Adding DDoS capabilities to ransomware is actually not a bad idea, on the malware operator's part. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years.

Even if a lot of people get infected with ransomware, not all of them pay to unlock their files. By adding DDoS bots to the ransomware payload, the crook can squeeze some network traffic out of non-paying victims and use it as part of their side-operation.

Additionally, if the user doesn't wipe their system clean, even if they pay the ransom, there's a large chance the DDoS bot will remain on the infected computer.

While this may have been the first case where crooks bundled ransomware with DDoS bots, expect it to become the norm in the upcoming months.
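Two network-level checks follow from the behaviour quoted in the post above: a single infected host spraying UDP packets on port 6892 across the 85.93.0.0–85.93.63.255 range, and spoofed source addresses that would turn the subnet's replies into traffic aimed at a third party. This is an added example, not code from the article or from Invincea. The flow-record format, the site prefix 192.0.2.0/24, the threshold of three distinct destinations and every sample record are constructed for illustration; only the target range and the port come from the post.

```python
import ipaddress
from collections import defaultdict

# Values quoted in the post: the address range the bot called out to and
# the UDP port it flooded.
TARGET_RANGE = ipaddress.ip_network("85.93.0.0/18")   # 85.93.0.0 - 85.93.63.255
SUSPECT_PORT = 6892

# Assumptions of this example, not from the article: the monitored site owns
# 192.0.2.0/24 (a documentation prefix used as a stand-in), and one source
# reaching this many distinct hosts on the same UDP port counts as a flood.
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")
UNIQUE_DST_THRESHOLD = 3

# Constructed egress flow records ("src dst proto dport packets"), not a capture.
FLOWS = """\
192.0.2.10 85.93.0.1 udp 6892 120
192.0.2.10 85.93.0.2 udp 6892 118
192.0.2.10 85.93.1.7 udp 6892 131
192.0.2.10 85.93.63.250 udp 6892 127
203.0.113.5 85.93.2.2 udp 6892 140
192.0.2.20 198.51.100.3 udp 53 2
192.0.2.20 198.51.100.9 tcp 443 14
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into typed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, packets = line.split()
        records.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "packets": int(packets),
        })
    return records


def find_udp_floods(records, port=SUSPECT_PORT, threshold=UNIQUE_DST_THRESHOLD):
    """Sources that hit many distinct hosts in TARGET_RANGE on one UDP port.

    Flooding a whole subnet shows up as a fan-out of destinations from one
    source, so the count of distinct destinations, not raw volume, is the key.
    """
    dsts_by_src = defaultdict(set)
    pkts_by_src = defaultdict(int)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == port and r["dst"] in TARGET_RANGE:
            dsts_by_src[r["src"]].add(r["dst"])
            pkts_by_src[r["src"]] += r["packets"]
    return {
        str(src): {"distinct_dsts": len(dsts), "packets": pkts_by_src[src]}
        for src, dsts in dsts_by_src.items()
        if len(dsts) >= threshold
    }


def find_spoofed_egress(records, site_prefix=SITE_PREFIX):
    """Outbound flows whose source address is not one the site owns.

    The post notes the bot can spoof its source so the subnet's replies land on
    a victim; dropping such packets at the egress (the anti-spoofing filtering
    usually associated with BCP 38) stops the host from acting as a reflector.
    """
    return sorted({str(r["src"]) for r in records if r["src"] not in site_prefix})


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    print("flood sources:", find_udp_floods(recs))
    print("spoofed sources:", find_spoofed_egress(recs))
```

In the constructed data the host 192.0.2.10 is the only one that fans out across the range, and 203.0.113.5 is the only address leaving the site that the site does not own; a real deployment would take the flows from a collector and tune the threshold to the export window, but the two tests themselves do not depend on knowing the malware in advance.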