Skip to content
NGTEdu Logo

NGTEdu

A PRODUCT OF NGTECH.CO.IN

NGTEdu Logo

NGTEdu

  • Home
  • Cyber Attacks
  • Malware
  • Vulnerabilities
  • Data Breach
  • Home
  • Cyber Attacks
  • Maze Gang Distributed Ransomware Payload Inside VM
  • Cyber Attacks
  • Data Breach
  • Malware

Maze Gang Distributed Ransomware Payload Inside VM

6 years ago David Bisson
Maze Gang Distributed Ransomware Payload Inside VM

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).

Sophos’ Managed Threat Response (MTR) observed the technique in action while investigating an attack that occurred back in July 2020.

In that incident, the attackers packaged the ransomware payload inside of a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM’s virtual hard drive.

A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers and exfiltrated information to their data leaks site.

This dwell time could explain the existence of certain configurations of the Maze-delivered VM. As quoted by Sophos’ MTR in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:SDRSMLINK and shares this folder with the rest of the network.

The campaign described above wasn’t the first instance in which attackers have delivered ransomware inside a virtual machine. Back in May 2020, Sophos’ MTR spotted the Ragnar Locker crypto-malware family pull the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.

This technique highlights the need for organizations to defend themselves against a ransomware infection. They can do so by working to prevent a crypto-malware attack in the first place.

The post ” Maze Gang Distributed Ransomware Payload Inside VM” appeared first on TripWire

Source:TripWire – David Bisson

Tags: Encryption, Malware, Ransomware, TripWire

Continue Reading

Previous Google Play Bans Stalkerware and ‘Misrepresentation’
Next Apple Bug Allows Code Execution on iPhone, iPad, iPod

More Stories

  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

2 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

4 hours ago [email protected] (The Hacker News)
  • Data Breach
  • Vulnerabilities

How Ceros Gives Security Teams Visibility and Control in Claude Code

6 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover

7 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

10 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware

OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Jobs

23 hours ago [email protected] (The Hacker News)

Recent Posts

  • ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
  • New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data
  • How Ceros Gives Security Teams Visibility and Control in Claude Code
  • DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover
  • CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

Tags

Android APT Bug CERT Cloud Compliance Coronavirus COVID-19 Critical Severity Encryption Exploit Facebook Finance Google Google Chrome Goverment Hacker Hacker News High Severity Instagram iPhone Java Linux Low Severity Malware Medium Severity Microsoft Moderate Severity Mozzila Firefox Oracle Patch Tuesday Phishing Privacy QuickHeal Ransomware RAT Sim The Hacker News Threatpost TikTok TripWire VMWARE Vulnerability Whatsapp Zoom
Copyright © 2020 All rights reserved | NGTEdu.com
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More here.Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT