Original Post from SC Magazine
Author: Doug Olenick
A spike in activity surrounding the relatively new ransomware MegaCortex was detected on May 1 hitting North America and several
MegaCortex, a take on Metacortex from The Matrix, first surfaced in late January when it was uploaded to VirusTotal from the Czech Republic. Since February, there have been 76 confirmed attacks using the malware, with 47 happening on May 1 and 2, in each case targeting a large enterprise and impacting hundreds of endpoints, Sophos
“The convoluted infection methodology MegaCortex employs leverages both automated and manual components, and appears to involve a high amount of automation to infect a greater number of victims,” the report
Not all of the attack details are known, but Sophos sees some correlation between MegaCortex and Emotet, and possibly Qbot/Qakbot, as all have been seen on the same network. This hints to Sophos that the systems hit with MegaCortex may already have had Emotet or Qbot/Qakbot on board before the ransomware arrived.
“If you are seeing alerts about Emotet or Qbot infections, those should take a high priority,” Sophos warned.
Brandon Levene, head of applied intelligence at Chronicle, VirusTotal’s parent company, said there is evidence MegaCortex is being used by the same actors as those behind Rietspoof.
“While there are no earlier samples of MegaCortex available, the same signer certificate (CN) is used in both the Rietspoof loader and MegaCortex samples dating back to at least Jan. 22, 2019. This means it is highly likely that the people using Rietspoof with that signature are also using MegaCortex,” he said. “I can’t say definitively that the same threat actors are behind both Rietspoof and Megacortex, but this finding solidifies a correlation.”
What is known for certain is that the attacker, using stolen admin credentials, executes a heavily obfuscated PowerShell script that covers a Cobalt Strike script, which in turn opens a Meterpreter reverse shell into the
The attack command is issued through the compromised domain controller, which Sophos said, “uses WMI to push the malware — a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file — to the rest of the computers on the network that it can reach, and then runs the batch file remotely via PsExec.”
The malware then kills 44 processes, issues stop commands to 189 different services and switches the Startup Type of 194 different services to disabled. Next on the strike list is the security software, where it tries to disable any such software that is improperly configured.
The final step launches the already downloaded winnit.exe, which drops and executes a DLL payload with an eight-digit alphanumeric filename that actually performs the encryption.
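The chain described above leaves three observable traces a defender can hunt for in endpoint telemetry: a renamed PsExec (the article's rstwg.exe), winnit.exe writing a DLL with an eight-character alphanumeric name, and a burst of service stops on one host. The following is an added example, not Sophos's or SC Magazine's code; it runs over constructed Sysmon-style events and assumes the version-resource OriginalFileName that Sysmon records for PsExec is psexec.c, with the service-stop threshold being a heuristic.

```python
import re
import ntpath
from collections import Counter

# Constructed sample telemetry (simplified Sysmon-style fields); not real logs.
# type: "proc" = process creation, "file" = file create, "svc" = service stopped.
EVENTS = [
    {"type": "proc", "host": "dc01", "image": r"C:\Windows\rstwg.exe",
     "orig": "psexec.c", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"type": "proc", "host": "ws07", "image": r"C:\Tools\PsExec.exe",
     "orig": "psexec.c", "parent": r"C:\Windows\System32\cmd.exe"},  # admin use
    {"type": "file", "host": "ws07", "image": r"C:\Windows\winnit.exe",
     "target": r"C:\Windows\Temp\a1b2c3d4.dll"},
    {"type": "file", "host": "ws07", "image": r"C:\Windows\winnit.exe",
     "target": r"C:\Windows\Temp\readme.txt"},
] + [{"type": "svc", "host": "ws07", "service": f"svc{i}"} for i in range(60)] \
  + [{"type": "svc", "host": "ws03", "service": "Spooler"}]

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}          # expected on-disk names
EIGHT_ALNUM_DLL = re.compile(r"^[a-z0-9]{8}\.dll$", re.IGNORECASE)


def renamed_psexec(events):
    """Binaries whose version resource says PsExec but whose file name does not."""
    return [e for e in events if e["type"] == "proc"
            and e.get("orig", "").lower() == "psexec.c"
            and ntpath.basename(e["image"]).lower() not in PSEXEC_NAMES]


def winnit_dll_drops(events):
    """winnit.exe writing a DLL named with exactly eight alphanumeric characters."""
    return [e for e in events if e["type"] == "file"
            and ntpath.basename(e["image"]).lower() == "winnit.exe"
            and EIGHT_ALNUM_DLL.match(ntpath.basename(e["target"]))]


def service_stop_bursts(events, threshold=50):
    """Hosts where an unusual number of services stopped (threshold is a heuristic)."""
    counts = Counter(e["host"] for e in events if e["type"] == "svc")
    return {host: n for host, n in counts.items() if n >= threshold}


def triage(events):
    """Summarise the three indicators so an analyst can prioritise the host."""
    return {"renamed_psexec": [e["host"] for e in renamed_psexec(events)],
            "winnit_dll_drop": [e["target"] for e in winnit_dll_drops(events)],
            "service_stop_burst": service_stop_bursts(events)}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```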
At this point the rather snarky ransom note appears, which Sophos said goes back to the Matrix theme and is written in the same cadence in which Morpheus speaks in the film.
The ransom amount is not mentioned; instead, the attacker demands the victim send a message to one of two email addresses provided and ask to pay up.