SecurityWeek
Erebus Ransomware Bypasses UAC for Privilege Elevation

A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.
Dubbed Erebus, the malware appears to be new, though it shares its name with a piece of ransomware that emerged in late September 2016. However, the differing characteristics of the two malicious apps suggest that the newly discovered variant is either a completely different malware or a fully rewritten release, BleepingComputer’s Lawrence Abrams notes.

Details on Erebus’ distribution mechanism aren’t available at the moment. What is known is that the malware leverages a UAC bypass technique first detailed in August last year, which abuses Event Viewer to gain elevated privileges on compromised systems without alerting the user.

To do so, the ransomware copies itself to a randomly named file in the same folder, then modifies the Windows registry to hijack the handler for the .msc file extension so that it launches the randomly named Erebus file instead of the legitimate handler.

Next, the ransomware executes eventvwr.exe (Event Viewer), which automatically opens eventvwr.msc, which in turn should launch mmc.exe. Because .msc files are no longer associated with mmc.exe, the randomly named Erebus executable is launched instead. And because Event Viewer runs elevated, the executable inherits the same privileges, which allows it to bypass UAC.
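The two stages described above each leave a distinct trace in endpoint telemetry: a per-user .msc handler being written to the registry, and eventvwr.exe spawning something other than mmc.exe. As an added illustration (not code from the article or from the BleepingComputer analysis), the Python below runs a detection over constructed, simplified Sysmon-style registry-set and process-creation events; the registry path (mscfile\shell\open\command) and field names assume Sysmon's conventions, where the HKCU hive is reported as HKU\<SID>, and the file name xk2f9a.exe is a made-up placeholder.

```python
import re
from typing import Dict, List

# Constructed, simplified key=value renditions of Sysmon events (not real telemetry).
# EventID 13 = registry value set, EventID 1 = process create.
# Sysmon records the current user's HKCU hive as HKU\<SID>.
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\xk2f9a.exe '
    'TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default) '
    'Details=C:\\Users\\bob\\AppData\\Local\\Temp\\xk2f9a.exe',
    'EventID=1 Image=C:\\Windows\\System32\\eventvwr.exe '
    'ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\xk2f9a.exe IntegrityLevel=High',
    'EventID=1 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\xk2f9a.exe '
    'ParentImage=C:\\Windows\\System32\\eventvwr.exe IntegrityLevel=High',
    'EventID=1 Image=C:\\Windows\\System32\\mmc.exe '
    'ParentImage=C:\\Windows\\System32\\eventvwr.exe IntegrityLevel=High',
]

# A per-user (HKU\<SID>) mscfile open handler; legitimate installs register .msc under HKLM.
MSCFILE_HIJACK = re.compile(
    r'^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\mscfile\\shell\\open\\command', re.I)


def parse(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' line; the constructed values contain no spaces."""
    return dict(kv.split('=', 1) for kv in line.split(' '))


def detect(lines: List[str]) -> List[str]:
    """Return one alert per event matching either stage of the Event Viewer .msc hijack."""
    alerts = []
    for line in lines:
        ev = parse(line)
        # Stage 1: the .msc association is redirected under the user's own hive.
        if ev.get('EventID') == '13' and MSCFILE_HIJACK.match(ev.get('TargetObject', '')):
            alerts.append(f"mscfile handler hijack by {ev['Image']} -> {ev.get('Details')}")
        # Stage 2: auto-elevated eventvwr.exe launches the hijacked handler instead of mmc.exe.
        if ev.get('EventID') == '1' and ev.get('ParentImage', '').lower().endswith('\\eventvwr.exe'):
            child = ev.get('Image', '')
            if not child.lower().endswith('\\mmc.exe'):
                alerts.append(f"eventvwr.exe launched unexpected child {child} ({ev.get('IntegrityLevel')})")
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the registry write and the non-mmc.exe child of eventvwr.exe fire; eventvwr.exe's normal mmc.exe child does not.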

When executed, the malware connects to two different domains to determine the victim’s IP address and the country that they are located in. Next, the malware downloads a TOR client and uses it to connect to its command and control (C&C) server.

The ransomware then scans the victim’s computer for certain file types and encrypts them using AES. At the moment, the malware targets around 60 file types, including images and documents. Erebus encrypts the file’s extension using ROT-23, the researcher says.

During encryption, the ransomware also clears the Windows Volume Shadow Copies to prevent users from restoring their files that way. Once encryption has completed, the malware drops a ransom note named README.HTML on the Desktop and displays it. Additionally, Erebus displays a message box alerting the victim that their files have been encrypted.
The ransom note contains the user’s unique ID, a list of encrypted files, and a button that takes the victim to the TOR payment site, where payment instructions are provided. The requested ransom is 0.085 Bitcoin, or around $90 at the moment, one of the lowest amounts among current ransomware families.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.