“Rorschach does not exhibit any clear-cut overlaps with any of the known ransomware groups but does appear to draw inspiration from some of them,” the researchers noted. They did not say how the attackers delivered the malicious ZIP file onto the target organization’s system, nor whether the threat was found on more than one system. “The main Rorschach payload config.ini is subsequently loaded into memory as well, decrypted and injected into notepad.exe, where the ransomware logic begins,” the researchers explained. In the case they observed, the attackers brought to the victim’s machine a ZIP file that includes three files: cy.exe (Cortex XDR Dump Service Tool version 7.0), which is is abused to side-load into memory winutils.dll (packed Rorschach loader and injector) and config.ini (encrypted Rorschach ransomware containing all the logic and configuration). “The cybercriminals are using the Cortex XDR’s Dump Service Tool as a standalone tool they deliver themselves,” Sergey Shykevich, Threat Intelligence Group Manager at Check Point, told Help Net Security. This all results in file encryption at lightning speed.īut perhaps the most interesting thing about it is how it’s delivered and deployed. It uses a cryptography scheme that combines the curve25519 and eSTREAM cipher hc-128 algorithms, encrypts only part of the files, and uses very effective thread scheduling.It has a hard-coded configuration but has additional capabilities that can be deployed via different command line arguments (e.g., the operator can choose not to change the wallpaper of the infected machine or deliver a ransom note, or make it so that a password is needed to run the sample).It clears Windows event logs on affected machines, disables the Windows firewall, and deletes shadow volumes and backups (to make data recovery more difficult).It can spread itself automatically when executed on a Domain Controller (DC), where it creates a group policy that puts copies of itself on all workstations, then one that kills specific processes, and finally one that registers a scheduled task that will run the main executable ![]() ![]() Previously analyzed by ASEC AhnLab’s researchers, the Rorschach ransomware has some typical and some unique features: Rorschach’s execution flow (Source: Check Point) The peculiarities of Rorschach ransomware The solution in question is Palo Alto Networks’ Cortex XDR, whose Dump Service Tool the attackers appropriated and are now misusing to side-load the DLL that decrypts and injects the (newly labeled) Rorschach ransomware. ![]() An unbranded ransomware strain that recently hit a US-based company is being deployed by attackers who are misusing a tool included in a commercial security product, Check Point researchers have found.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |