COBRA - Crysis / Dharma Ransomware

COBRA CRYSIS - NEW VARIANT OF RANSOMWARE

New variant of the Crysis / Dharma ransomware that adds the .cobra extension to the encrypted files

Recently, security researcher Jakub Kroustek discovered a new ransomware sample that appears to be a new variant of the ransomware Crysis that appends the .cobra extension to the file name of the encrypted file.

It is not known exactly how this variant is distributed, but in the past Crysis is normally propagated by piracy in remote desktop services and manually installs the ransomware.
When this variant of Cobra ransomware is installed, a computer will be scanned for data files and encryption of them. When you encrypt a file, an extension will be added in the .id- [id]. [E-mail] .cobra format .id- [id]. [E-mail] .cobra .id- [id]. [E-mail] .cobra . For example, a file called pepe.jpg was encrypted and the name was changed to pepe.jpg.id-BCBEF350.[Cranbery@colorendgrace.com].cobra .

 
It should be noted that this ransomware will encrypt assigned network drives and unassigned network shares. Therefore, it is important to make sure that the actions of your network are blocked so that only those who really need access have permission.
When this variant encodes a computer, it will also remove all plumes from volume snapshots on the machine so that they can not be used to recover encrypted files. It is removed by running the vssadmin delete shadows /all /quiet .
 
This ransomware will also create two different rescue notes on the infected machine. One of them is the file info.hta , which was launched by an automatic execution when a user initiates a session on the computer.

The other note is called encrypted files !!. Txt and can be found on the desktop.
Both rescue notes contain instructions to contact cranbery@colorendgrace.com in order to obtain payment instructions.
 
Finally, the ransomware will be configured to start automatically when it connects to Windows. This allows you to encrypt new files that are created since the last time executed.

It is not possible to decipher the new variant of Crysis Cobra

Unfortunately, at this time it is not possible to decrypt the files encrypted by the .cobra Crysis ransomware for free. The only way to recover the encrypted files is through a backup, or if you are unbelievably lucky, through volume snapshots. Although Crysis does not attempt to remove volume snapshots, in rare cases, ransomware infections do not do so for any reason.

How to protect yourself from the Crysis ransomware

In order to protect yourself from Crysis, or from any ransomware, it is important that you use good computer habits and security software. First and foremost, you should always have a reliable and proven backup of data that can be restored in the event of an emergency, such as an attack on the ransomware. You must also have security software that contains behavioral detections such as squared Anti-Malware, Malwarebytes, or HitmanPro

IOC :

COBRA SHA256: de6376e23536b3039afe6b0645da4fc180969b1dc3cc038b1c6bd5941d88c4d8

Cobra Associated Emails:

cranbery@colorendgrace.com

 Ref Link :

https://www.hybrid-analysis.com/sample/45fb6d93d7bbfdde3d56ddad3861d85e94551c86bd1409c709ad5895d5f7e4ae?environmentId=100

https://virustotal.com/ru/file/de6376e23536b3039afe6b0645da4fc180969b1dc3cc038b1c6bd5941d88c4d8/analysis/
 

QRadar Community Edition - Free

QRadar Community Edition:

 Download and use the QRadar Community Edition for free.!!!!

Install on your laptop, run it at home, try out apps, build apps, or just have some fun !

 

Download Link :

https://www-01.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=swg-qradarcom

Videos / Other Resources :

https://ibm.ent.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc

Janusec - WebCruiser Ultimate Web Penetration Testing Tool

WebCruiser:-
                   Web Vulnerability Scanner for Windows, Mac OS, and iOS (iPhone/iPad) , HTTP Replay/Repeater for iPhone and iPad, SQL Injection, XSS. Also an effective and powerful web penetration testing tool that will aid you in auditing your website! It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, Local File Inclusion, Remote File Inclusion, Redirect, Obsolete Backup etc.

The most typical feature of WebCruiser comparing with other Web Vulnerability Scanners is that WebCruiser Web Vulnerability Scanner focuses on high risk vulnerabilities, and WebCruiser can scan a designated vulnerability type, or a designated URL, or a designated page separately, while the others usually will not.

 

WebCruiser v3.4.0 is available, new feature: support scanning absolete backup files which may cause potential information leakage.

User Guide : http://www.janusec.com/download/WebCruiserUserGuide.pdf

Download Link : http://www.janusec.com/download/WebCruiserPro.zip 

http://www.janusec.com/download/WebCruiser.zip

 

FireEye - GoCrack Password Cracking tool

FireEye - GoCrack Tool

                           FireEye's Innovation and Custom Engineering (ICE) team released a tool called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Below Figure shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

GoCrack provides APIs to manage password cracking tasks across supported cracking engines.

Prerequisites

• Linux (Ubuntu 16.04+ although other distributions may work) or MacOS
• Computer(s) with NVIDIA or AMD GPUs

Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations. We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks.

Keeping in mind the sensitivity of passwords, GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task. Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators. Engine files (files used by the cracking engine) such as Dictionaries, Mangling Rules, etc. can be uploaded as “Shared”, which allows other users to use them in task yet do not grant them the ability to download or edit. This allows for sensitive dictionaries to be used without enabling their contents to be viewed.

GoCrack is shipping with support for hashcat v3.6+, requires no external database server (via a flat file), and includes support for both LDAP and database backed authentication. In the future, we plan on adding support for MySQL and Postgres database engines for larger deployments, ability to manage and edit files in the UI, automatic task expiration, and greater configuration of the hashcat engine. We’re shipping with Dockerfile’s to help jumpstart users with GoCrack. The server component can run on any Linux server with Docker installed. Users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.

GoCrack is available immediately for download along with its source code on the project's GitHub page. If you have any feature requests, questions, or bug reports, please file an issue in GitHub.

 Ref Link : https://github.com/fireeye/gocrack

Updated IOC's - Bad Rabbit Ransomware

A new ransomware worm named "Bad Rabbit" began spreading across the world Last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.

This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.

Briefly about yesterday's events :

• The initial infection was due to compromised websites and a fake update to Flash Player, which required user interaction to activate and continue exploitation (the user had to confirm the agreement to install the update);
• Distribution on the local network was done by scanning the internal network for open SMB-open access files, as well as an attempt to use the HTTP-based WebDAV protocol based on HTTP and allowing the use of the Web as a resource for reading and writing;
• Mimikatz was used to extract user credentials from the memory of an infected PC;
• Legitimate DiskCryptor software used to encrypt files;
• Types of file extensions that were encrypted on a user's PC:

#Bad-Rabbit encrypts following files:
.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der .dib.disk.djvu.doc.docx.dwg.eml.fdb
.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods .odt.ora.ost.ova.ovf.p12.p7b.p7c
.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif .tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd
.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.

Original Name	256hash	Description
install_flash_player.exe	630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da de5c8d858e6e41da715dca1c019df0bfb92d32c0– SHA1	Dropper
infpub.dat	579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 79116fe99f2b421c52ef64097f0f39b815b20907 – SHA1	DLL payload
cscc.dat	0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6	DiskCryptor Driver (x64)
dispci.exe	8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 afeee8b4acff87bc469a6f0364a81ae5d60a2add-SHA1	DiskCryptor Client
xxxx.tmp	301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c 16605a4a29a101208457c47ebfde788487be788d – SHA1	Mimikatz (x64)
xxxx.tmp	2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 413eba3973a15c1a6429d9f170f3e8287f98c21c -SHA1	Mimikatz (x32)
cscc.dat	8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6	cscc.dat
page-main.js	4f61e154230a64902ae035434690bf2b96b4e018	JS/Agent.NWC
Ransomware	8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93	Ransomware
DiskCryptor driver x86	682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806	DiskCryptor driver x86
Invoice_file_06565.doc	7217fae6f3634cde7d54eba3858e8958eb1e5e85e2c36d968818cdce75a3fae9	Invoice_file_06565.doc

C&C servers

Payment site: http://caforssztxqzf2nm[.]onion

Inject URL: http://185.149.120[.]3/scholargoogle/

Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Scheduled Tasks names:

In Taskschd.msc, look for and remove these tasks

• viserion_
• rhaegal
• drogon

List of compromised web sites

URL

185.149.120.3/scholargoogle/

1dnscontrol.com/flash_install.php

caforssztxqzf2nm.onion

argumentiru.com

www.fontanka.ru

grupovo.bg

www.sinematurk.com

www.aica.co.jp

spbvoditel.ru

argumenti.ru

www.mediaport.ua

blog.fontanka.ru

an-crimea.ru

www.t.ks.ua

most-dnepr.info

osvitaportal.com.ua

www.otbrana.com

calendar.fontanka.ru

www.grupovo.bg

www.pensionhotel.cz

www.online812.ru

www.imer.ro

novayagazeta.spb.ru

i24.com.ua

bg.pensionhotel.com

ankerch-crimea.ru

x90.im

myk104.com

montenegro-today.com

otbrana.com

hercegnovi.me

bahmut.com.ua

ucarsoft.com

pensionhotel.de

tweetlerim.gen.tr

sarktur.com

 Distribution Paths:

• /flash_install.php
• /index.php

Intermediary Server:

• 185.149.120[.]3

Hidden service:

• caforssztxqzf2nm[.]onion

Defense Kill Switch: to create read-only file C:\windows\infpub.dat. In case of infection files won't be encrypted Restrict Scheduled Tasks: viserion_, rhaegal, drogon Make backup of important data Update operation systems and security systems Isolate infected PCs Block IP-addresses and domain names from Indicators list Block inbound SMB Use Credential Guard in Windows Control # of admins  Monitor scheduled tasks and service creation