Ransomware gangs join attacks targeting Microsoft SharePoint servers

Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.

Security researchers at Palo Alto Networks' Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed "ToolShell").

The ransomware was detected on July 27, after researchers found a malware loader that downloads and executes it from theinnovationfactory[.]it (145.239.97[.]206).

The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
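For defenders, the immediately actionable part of this report is the pair of network indicators tied to the loader. The following script, an added example that is not part of the article or of Unit 42's analysis, refangs the published indicators and sweeps a handful of constructed proxy and DNS log lines for them, returning the matching lines and the internal clients that talked to the infrastructure. The log format and the client addresses are invented for the example; only the domain and IP come from the report.

```python
import re
from typing import Iterable, List, Set, Tuple

# Indicators as published in the report (defanged).
DEFANGED_IOCS = ["theinnovationfactory[.]it", "145.239.97[.]206"]

# Constructed sample log lines (assumed key=value format; not real telemetry).
SAMPLE_LOGS = [
    "2025-07-27T10:14:02Z proxy src=10.0.5.23 dst=145.239.97.206:443 "
    "host=theinnovationfactory.it method=GET path=/ status=200",
    "2025-07-27T10:14:03Z dns client=10.0.5.23 query=theinnovationfactory.it "
    "type=A answer=145.239.97.206",
    "2025-07-27T10:15:10Z proxy src=10.0.5.40 dst=93.184.216.34:443 "
    "host=example.com method=GET path=/ status=200",
    "2025-07-27T10:16:00Z dns client=10.0.5.41 query=mail.internal.example "
    "type=A answer=10.0.1.5",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_pattern(iocs: Iterable[str]) -> re.Pattern:
    """Build one case-insensitive regex that matches any of the indicators.

    The lookbehind allows a preceding dot so subdomains of a listed domain
    still match; the lookahead stops '145.239.97.206' matching inside
    '145.239.97.2061' while still allowing a trailing ':port' or space.
    """
    escaped = [re.escape(refang(i)) for i in iocs]
    return re.compile(
        r"(?<![\w-])(" + "|".join(escaped) + r")(?![\w-])", re.IGNORECASE
    )


def scan_logs(
    lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS
) -> List[Tuple[int, List[str]]]:
    """Return (line_number, sorted unique indicators) for every line that hits."""
    pattern = ioc_pattern(iocs)
    hits = []
    for number, line in enumerate(lines, start=1):
        found = sorted({m.lower() for m in pattern.findall(line)})
        if found:
            hits.append((number, found))
    return hits


def affected_clients(
    lines: List[str], iocs: Iterable[str] = DEFANGED_IOCS
) -> Set[str]:
    """Collect the internal client addresses on lines that matched an indicator."""
    client_re = re.compile(r"\b(?:src|client)=([\d.]+)")
    clients: Set[str] = set()
    for number, _ in scan_logs(lines, iocs):
        match = client_re.search(lines[number - 1])
        if match:
            clients.add(match.group(1))
    return clients


if __name__ == "__main__":
    for number, found in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(found)}")
    print("clients to investigate:", sorted(affected_clients(SAMPLE_LOGS)))
```

A hit on the domain or IP in proxy or DNS telemetry is a reason to pull the host's process and PowerShell logs for the period around the request, since the loader was observed alongside commands meant to disable security monitoring; it is not by itself proof that the ransomware ran.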

"Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it," Unit 42 said.

The 4L4MD4R ransomware encrypts files on the compromised system and demands a payment of 0.005 Bitcoin, generating ransom notes and encrypted file lists on infected systems.

4L4MD4R decryption instructions (Unit 42)

Microsoft and Google have also linked the ToolShell attacks to Chinese threat actors, with Microsoft security researchers naming three separate state-backed hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603.

To date, numerous high-profile targets have been compromised in this ongoing campaign, including the U.S. National Nuclear Security Administration, the Department of Education, Florida's Department of Revenue, the Rhode Island General Assembly, and government networks in Europe and the Middle East.

"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said. "In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."