Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Erebus Ransomware Bypasses UAC for Privilege Elevation

A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.

A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.

Dubbed Erebus, the malware appears to be new, though it features the same name as a piece of ransomware that emerged in late September 2016. However, the different characteristics of the two malicious apps suggest that the newly discovered variant is either a completely different malware or a fully rewritten release, BleepingComputer’s Lawrence Abrams notes.

Details on Erebus’ distribution mechanism aren’t available at the moment. What is known, however, is that the malware leverages a UAC bypass technique that was detailed in August last year and which abuses Event Viewer to infect the compromised systems without alerting the user.

For that, the ransomware copies itself to a random named file in the same folder, after which it modifies the Windows registry to hijack the association for the .msc file extension and set it to launch the randomly named Erebus file instead.

Next, the ransomware executes eventvwr.exe (Event Viewer), which will automatically open the eventvwr.msc file, which will attempt to execute mmc.exe. Because the .msc file is no longer associated with mmc.exe, however, the randomly named Erebus executable is launched instead. Moreover, because Event Viewer runs in an elevated mode, the executable will run with the same privileges, which allows it to bypass UAC.

When executed, the malware connects to two different domains to determine the victim’s IP address and the country that they are located in. Next, the malware downloads a TOR client and uses it to connect to its command and control (C&C) server.

Advertisement. Scroll to continue reading.

The ransomware then proceeds to scan the victim’s computer and search for certain file types to encrypt using AES encryption. At the moment, the malware targets around 60 file types, including images and documents. Erebus encrypts the file’s extension using ROT-23, the researcher says.

During encryption, the ransomware also clears the Windows Volume Shadow Copies, in an attempt to prevent users from restoring their files this way. As soon as the encryption process has been completed, the malware drops a ransom note on the Desktop under the name of README.HTML, and then displays it. Additionally, Erebus displays a message box on the desktop, alerting the victim that their files have been encrypted.

The ransom note contains the user’s unique ID, a list of encrypted files, and a button that takes the victim to the TOR payment site. On that site, users are provided with payment instructions. The requested ransom amount is .085 Bitcoin, or around $90 at the moment, which is one of the lowest when compared to other ransomware families out there.

Related: Sage 2.0 Ransomware Demands $2,000 Ransom

Related: Destructive KillDisk Malware Turns Into Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.