The malware first appeared in January of this year, and the first signs of infection were observed at the beginning of February; however, no major attack was noted until 1 May, when the malware began to hit users around the world, including in Italy, the United States, Canada, the Netherlands, Ireland and France.
The infection methodology combines automated and manual components, but it relies heavily on automation to infect a large number of victims.
The Emotet and Qbot (also known as Qakbot) Trojans are typically found on networks hit by MegaCortex, which suggests they play a role in its distribution. Both malware families are capable of dropping additional malicious code, but the researchers found no evidence that either was actually used to deliver MegaCortex.
In at least one victim environment, the attack was launched from a compromised domain controller (DC) inside the corporate network, after the attackers had obtained administrative credentials in what the researchers describe as a hands-on intrusion.
Those credentials were used to execute a heavily obfuscated PowerShell script that opened a reverse Meterpreter shell into the victim's network. The attackers then issued commands through the DC, which they reached over that reverse shell.
WMI was then used to push the malicious payload to other computers on the network. The payload consisted of a copy of PsExec, the main malware executable, and a batch file; the batch file was executed remotely via PsExec.
“The batch file appears to be a long list of commands to kill 44 processes, issue stop commands for 189 different services, and change the start-up type of 194 different services to Disabled, preventing them from restarting,” Sophos states.
Finally, the batch file launches the winnit.exe executable with a command-line flag that causes it to drop and run a DLL payload.
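The lateral-movement and batch-file stages described above leave a very characteristic trail in process-creation telemetry: a PsExec service spawning a shell that runs a batch file, followed by a burst of taskkill, net stop and sc config commands from that shell. The following detection logic is an added example written for this article; it is not Sophos's code and it does not reproduce the malware's batch file. It assumes a pipe-delimited export of Sysmon Event ID 1 fields (UtcTime|ParentImage|Image|CommandLine), uses constructed sample log lines, and the burst window and threshold are assumptions chosen for illustration.

```python
"""Detect MegaCortex-style mass process/service tampering in process-creation logs.

Added example for this article (not Sophos's or the malware's code).
Log lines are constructed to mimic Sysmon Event ID 1 fields; the log format,
the burst window and the alert threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, format: UtcTime|ParentImage|Image|CommandLine (not real telemetry)
SAMPLE_LOG = r"""
2019-05-01T02:10:00|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\run.bat
2019-05-01T02:10:01|C:\Windows\System32\cmd.exe|C:\Windows\System32\taskkill.exe|taskkill /IM sqlservr.exe /F
2019-05-01T02:10:01|C:\Windows\System32\cmd.exe|C:\Windows\System32\taskkill.exe|taskkill /IM outlook.exe /F
2019-05-01T02:10:02|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop MSSQLSERVER /y
2019-05-01T02:10:02|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop wuauserv /y
2019-05-01T02:10:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop VSS /y
2019-05-01T02:10:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc config MSSQLSERVER start= disabled
2019-05-01T02:10:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc config wuauserv start= disabled
2019-05-01T02:10:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc config VSS start= disabled
2019-05-01T02:10:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc config WinDefend start= disabled
2019-05-01T02:10:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc config SQLWriter start= disabled
2019-05-01T09:00:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2019-05-01T09:00:05|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop spooler
"""

LINE_RE = re.compile(r"^(?P<time>[^|]+)\|(?P<parent>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")

# Command shapes the batch file stage relies on: kill processes, stop services,
# and set service start type to Disabled so they do not come back.
TAMPER_PATTERNS = {
    "kill_process": re.compile(r"^taskkill(\.exe)?\s.*/IM\s", re.I),
    "stop_service": re.compile(r"^net(\.exe)?\s+stop\s", re.I),
    "disable_service": re.compile(r"^sc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I),
}

WINDOW = timedelta(seconds=60)  # assumption: max gap between commands of one burst
TAMPER_THRESHOLD = 8            # assumption: commands per burst before alerting


def parse_events(text):
    """Parse the pipe-delimited export into dicts; image names are lowercased basenames."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        events.append({
            "time": datetime.fromisoformat(m["time"]),
            "parent": m["parent"].rsplit("\\", 1)[-1].lower(),
            "image": m["image"].rsplit("\\", 1)[-1].lower(),
            "cmd": m["cmd"],
        })
    return events


def classify(cmd):
    """Return the tamper category a command line falls into, or None."""
    for name, pattern in TAMPER_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def detect_psexec_batch(events):
    """Rule 1: the PsExec service (PSEXESVC.exe) spawning a shell that runs a batch file."""
    return [e for e in events
            if e["parent"] == "psexesvc.exe" and ".bat" in e["cmd"].lower()]


def _summarize(parent, burst):
    counts = defaultdict(int)
    for _, kind in burst:
        counts[kind] += 1
    return {"parent": parent, "first": burst[0][0].isoformat(),
            "last": burst[-1][0].isoformat(), "total": len(burst), "counts": dict(counts)}


def detect_mass_tamper(events, window=WINDOW, threshold=TAMPER_THRESHOLD):
    """Rule 2: a burst of kill/stop/disable commands from one parent process.

    Consecutive tamper commands from the same parent are clustered into a burst
    when the gap between them is at most `window`; bursts of `threshold` or more
    commands raise one alert each. A lone 'net stop' from an admin does not.
    """
    by_parent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        kind = classify(e["cmd"])
        if kind:
            by_parent[e["parent"]].append((e["time"], kind))
    alerts = []
    for parent, hits in by_parent.items():
        burst = []
        for t, kind in hits + [(None, None)]:  # sentinel flushes the last burst
            if burst and (t is None or t - burst[-1][0] > window):
                if len(burst) >= threshold:
                    alerts.append(_summarize(parent, burst))
                burst = []
            if t is not None:
                burst.append((t, kind))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in detect_psexec_batch(evs):
        print("PsExec-launched batch file:", hit["cmd"])
    for alert in detect_mass_tamper(evs):
        print("Mass service tampering:", alert)
```

In a real deployment the two rules are most useful in combination: a Rule 1 hit followed within minutes by a Rule 2 burst on the same host is the PsExec-plus-batch-file pattern the researchers describe, whereas either signal alone (an administrator using PsExec, or a patch script stopping a handful of services) is common enough to need correlation before paging anyone.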
Although the malware has been active since February, more than half of the MegaCortex attacks Sophos has confirmed to date were reported after 1 May. Each attack targeted a corporate environment, likely comprising hundreds of machines.
The dropped ransom note does not state a ransom amount; instead, the criminals behind the attacks instruct the victim to contact them and to submit a file with the .tsv extension that the ransomware creates.
“This means that people who use Rietspoof with this signature are very likely to use MegaCortex as well. I definitely cannot state that the same threat actors are behind both Rietspoof and MegaCortex, but that finding strengthens a correlation,” Levene said.
He also notes that the ‘big game hunting’ approach used in the MegaCortex ransomware attacks has been observed frequently since the beginning of the year.
“I believe that this trend will continue throughout the year as more and more profitable targets remain accessible. Organizations can no longer ignore commodity malware, because attackers are increasingly using those beachheads to carry out highly lucrative (and harmful) attacks,” Levene said.