New ransomware strain exploits Windows search tool Everything

CyberTech

Security researchers at Trend Micro have discovered a new ransomware strain that abuses the application programming interfaces of a third-party Windows search engine tool called Everything.

The ransomware, which Trend Micro named Mimic, targets Russian and English-speaking users. It has the following capabilities:
  • Collecting system information
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows telemetry
  • Activating anti-shutdown measures
  • Activating anti-kill measures
  • Unmounting virtual drives
  • Terminating processes and services
  • Disabling sleep mode and shutdown of the system
  • Removing indicators
  • Preventing system recovery

For more information
 

upnorth

One of the file search tools the Malware Hub recommends in case of a ransomware attack; it helps find all encrypted files. Using the portable version is recommended.

Ultrasearch is another one that worked very well in ransomware tests in the Hub. Portable version.
 
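The post above recommends a fast file search tool for locating every encrypted file after an attack. The following is an added example, not code from the thread or from the Everything or Ultrasearch projects, of the two checks such a search boils down to: a suspect extension, or file content whose byte entropy is close to that of ciphertext. The extension list, the entropy threshold and the sample tree are constructed for the example (the thread does not name Mimic's extension); known compressed formats are skipped because the entropy test cannot tell them from ciphertext.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed example values: a generic illustration, not Mimic's own extension
# (the thread does not give it). Adjust to the family you are dealing with.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted"}
# Formats that are legitimately dense; skipped to limit false positives.
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".pdf", ".mp4"}
HEADER_SAMPLE = 4096      # bytes read from the start of each file
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0
MIN_SIZE = 256            # tiny samples give meaningless entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> Optional[str]:
    """Return why the file looks encrypted, or None if it looks ordinary."""
    suffix = path.suffix.lower()
    if suffix in SUSPECT_EXTENSIONS:
        return "suspect extension"
    if suffix in COMPRESSED_EXTENSIONS:
        return None  # dense by design; entropy alone cannot separate it from ciphertext
    try:
        with path.open("rb") as fh:
            head = fh.read(HEADER_SAMPLE)
    except OSError:
        return None  # unreadable (locked, permissions); report separately if needed
    if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy content"
    return None


def find_encrypted_files(root: Path) -> Dict[str, str]:
    """Walk root and map each suspicious file (relative POSIX path) to the reason."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = classify_file(p)
            if reason:
                hits[p.relative_to(root).as_posix()] = reason
    return hits


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree: plain text, one renamed ciphertext, one unnamed blob."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "notes.txt").write_text("quarterly notes, nothing unusual here\n" * 40)
    # A uniform byte distribution stands in for ciphertext (entropy exactly 8.0 bits/byte).
    dense = bytes(range(256)) * 16
    (root / "docs" / "report.docx.locked").write_bytes(dense)  # caught by extension
    (root / "photo.bin").write_bytes(dense)                     # caught by entropy
    (root / "archive.zip").write_bytes(dense)                   # dense but skipped
    (root / "empty.dat").write_bytes(b"")                       # too small to judge


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it and return sorted (path, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return sorted(find_encrypted_files(root).items())


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:22} {rel}")
```

Run it against a real drive by calling `find_encrypted_files(Path("D:/"))`; expect some false positives from encrypted containers, databases and other dense files that are not in the skip list, and treat an unreadable file as a lead rather than a non-result.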

simmerskool

One of the file search tools the Malware Hub recommends in case of a ransomware attack; it helps find all encrypted files. Using the portable version is recommended.

Ultrasearch is another one that worked very well in ransomware tests in the Hub. Portable version.
Thanks! You answered my question about what to replace Everything with, if that needs to be done. As I understood the Neowin article, you have to download the ransomware, then it uses Everything files to encrypt, or help encrypt, your files. So this ransomware would have to get past your security to get to Everything? But why take that chance; however, I'm thinking the ransomware coders have read the Neowin article, so they'll move on to the apps you're suggesting above, or is that easier to imagine than done?? :unsure:
 

upnorth

I don’t think having everything on your system is the vector for infection.
Seems it was one vector, as it even actively used the installed version for its encryption phase. According to the report, that is.

Mimic uses Everything32.dll, a legitimate Windows filename search engine that can return real time results for queries, in its routine. It abuses the tool by querying certain file extensions and filenames using Everything’s APIs to retrieve the file’s path for encryption.
It uses the Everything_SetSearchW function to search for files to be encrypted or avoided
implement a new approach to speeding up its routine by combining multiple running threads and abusing Everything’s APIs for its encryption (minimizing resource usage, therefore resulting in more efficient execution).
 

blackice

Seems it was one vector, as it even actively used the installed version for its encryption phase. According to the report, that is.

Maybe I'm confused by this:
When executed, it will first drop its components to the %Temp%/7zipSfx folder. It will then extract the password protected Everything64.dll to the same directory
Otherwise it would only attack systems with Everything installed? It's a great tool, but I can't imagine the userbase is big enough for that to be a lucrative attack.
 
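The report excerpt quoted above gives one concrete thing a defender can look for: the dropper unpacks Everything64.dll into a 7zipSfx folder under %Temp%, which is not where a legitimate Everything installation keeps its files. The following is an added example, not code from the thread or from Trend Micro, that checks that folder and records name, size and SHA-256 of any Everything DLL found so the finding can be triaged; the sample folder it builds for its own demo is constructed, and the placeholder file in it is not a real DLL. It assumes only the folder name and DLL name quoted in the thread.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# From the Trend Micro excerpt quoted in the thread: the dropper writes its
# components to %Temp%/7zipSfx and unpacks Everything64.dll there.
DROP_SUBDIR = "7zipSfx"
# Constructed stand-in for the demo; not the real library and not malware.
PLACEHOLDER = b"constructed placeholder, not a real DLL\n"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_everything_dll(name: str) -> bool:
    """Case-insensitive match for Everything32.dll / Everything64.dll and variants."""
    lower = name.lower()
    return lower.startswith("everything") and lower.endswith(".dll")


def check_drop_folder(temp_root: Optional[Path] = None) -> List[Dict[str, object]]:
    """Describe every Everything DLL found in <temp_root>/7zipSfx (empty list if none)."""
    base = Path(temp_root) if temp_root else Path(tempfile.gettempdir())
    drop = base / DROP_SUBDIR
    if not drop.is_dir():
        return []
    findings: List[Dict[str, object]] = []
    for entry in sorted(drop.iterdir()):
        if entry.is_file() and is_everything_dll(entry.name):
            findings.append({
                "name": entry.name,
                "path": str(entry),
                "size": entry.stat().st_size,
                "sha256": sha256_of(entry),
            })
    return findings


def demo() -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Run the check on a constructed clean temp dir and on one with the drop folder."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hit:
        drop = Path(hit) / DROP_SUBDIR
        drop.mkdir()
        (drop / "Everything64.dll").write_bytes(PLACEHOLDER)
        (drop / "readme.txt").write_text("unrelated file, must not be reported\n")
        return check_drop_folder(Path(clean)), check_drop_folder(Path(hit))


if __name__ == "__main__":
    for finding in check_drop_folder():   # the real %Temp% of the current user
        print(finding)
```

A hit is an indicator, not a verdict: the next step is to find which process created the folder and what else sits beside the DLL. An empty result clears nothing either, since the folder name is one detail of one report and later builds may change it; on a multi-user machine, pass each user's own temp directory rather than relying on the default.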

upnorth

Thanks! You answered my question about what to replace Everything with, if that needs to be done. As I understood the Neowin article, you have to download the ransomware, then it uses Everything files to encrypt, or help encrypt, your files. So this ransomware would have to get past your security to get to Everything? But why take that chance; however, I'm thinking the ransomware coders have read the Neowin article, so they'll move on to the apps you're suggesting above, or is that easier to imagine than done?? :unsure:
Instead of completely replacing it, try using the portable version instead, but avoid installing the Everything service. That will then only drop 2 extra files, a .ini and a .db file. Create a new folder where you place these files along with the .exe.

That attackers misuse legit installed tools or download those as part of the infection chain is nothing new in itself, but it's a bit clever in this case with a search tool like Everything, as these are very fast and effective, which is one reason why the Hub recommends its testers use it. Would they move on to, for example, Ultrasearch? I don't know, but I also wouldn't be surprised to see it in some future report. But the main advice here is actually more about the portable option, and I'll give a small example of what can happen in a ransomware case, from one of the tests in the Hub.

[screenshot: 2022-10-30-11-07-12.jpg]

[screenshot: 2022-10-30-11-20-38.jpg]

[screenshot: 2022-10-30-11-21-58.jpg]

I always have the Tor browser ready and installed in my VM, and in this case it didn't help at all because the ransomware destroyed it and forced me to download it again.

[screenshot: 2022-10-30-11-23-53.jpg]


Parts of the "Tools" folder were not encrypted, so that's why I could easily start Ultrasearch, but it's also portable, so there's less risk of misuse.

Ultrasearch and Everything are just two 3rd-party tools among many, but as we used these successfully in the Hub, I do recommend them for anyone. Portable!
 

upnorth

Otherwise it would only attack systems with Everything installed? It's a great tool, but I can't imagine the userbase is big enough for that to be a lucrative attack.
No, I was thinking the same, and I can't say for sure because that is not mentioned in the report from Trend Micro. One can guess this version is more capable and would use other means for its encryption etc. 🤷‍♂️
 

simmerskool

Instead of completely replacing it, try using the portable version instead, but avoid installing the Everything service. That will then only drop 2 extra files, a .ini and a .db file. Create a new folder where you place these files along with the .exe.


The " Tools " folder was not encrypted for unknown reasons, so that's why I could easy start Ultrasearch, but it's also Portable so less risk of misuse.

Ultrasearch and Everything are just two 3rd-party tools among many, but as we used these successfully in the Hub, I do recommend them for anyone. Portable!
Before I saw your post, I went to the Ultrasearch JAM website and downloaded the free version; it came as a setup file. I did not see a portable version but was not really looking; I'll go back, unless their setup file has the option to make it portable.
 

upnorth

Before I saw your post, I went to the Ultrasearch JAM website and downloaded the free version; it came as a setup file. I did not see a portable version but was not really looking; I'll go back, unless their setup file has the option to make it portable.
They could have done that a bit better, but check again on the download page, click on the text, and you should see this:

[screenshot: 2023-01-27_23-03-41.jpg]
 

Guilhermesene

@upnorth

Sorry for the out-of-context question, but just to ask, does VMware Workstation Player work for users on SUA (Standard User Account)?

Obviously, if I decide to use it I will install it using the administrative account (logged into it only) and then go back to SUA to use the system normally.

Again, I apologize for the question out of context, but it is just to take advantage of the fact that you answered a short time ago and you are probably online and also use SUA. Please don't be mad at me.

Thanks 🙂
 

simmerskool

@upnorth

Sorry for the out-of-context question, but just to ask, does VMware Workstation Player work for users on SUA (Standard User Account)?

Obviously, if I decide to use it I will install it using the administrative account (logged into it only) and then go back to SUA to use the system normally.

Again, I apologize for the question out of context, but it is just to take advantage of the fact that you answered a short time ago and you are probably online and also use SUA. Please don't be mad at me.

Thanks 🙂
I am not an expert, but VMware runs great on my Win10. I am normally on SUA on the Win10 host and open the VM as admin; I have 2 monitors, with the VM on one monitor and the host on the other. I have Workstation 16.2.5, not Player, but I assume it's the same with regard to your question. The nuanced part is getting the VM settings correct or optimized for the guest OS. When the VM is tweaked, at least on mine, the vm_win10 guest is fast, smooth and stable.
 

upnorth

Well, I'm going to stop answering here because otherwise it's going to get off topic.
Naah, no worries, but a bit better thread about SUA is the one here:

 

Guilhermesene

@upnorth Thank you for your help ;)

I had been through this thread and similar ones, but had not stopped to read the references cited by the various MT members.

Well, I confess that I am using SUA and I am not getting out of it. It is amazing the "greater sense of security" and that I can use my programs normally. Thank you for being a source of inspiration to change my concept of security level regarding the use of devices.
 
