Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Multi-Purpose Ransomware Fuels DDoS Attacks

Cybercriminals using Ransomware appear to be leveraging infected machines for additional nefarious purposes, such as launching distributed denial of service (DDoS) attacks, researchers at Invincea warn.

Cybercriminals using Ransomware appear to be leveraging infected machines for additional nefarious purposes, such as launching distributed denial of service (DDoS) attacks, researchers at Invincea warn.

In addition to holding the victim’s data hostage until a ransom is paid, a newly spotted ransomware variant is also exploiting compromised machines as part of potential DDoS attacks, Invincea’s Ikenna Dike explains.

The researchers managed to tie the ransomware to the Cerber family and discovered that the malware was making changes to the computer’s screensaver, which allowed it to post a permanent ransom note on the victim’s screen. Additionally, the malware exhibited strange network behavior, calling out a large address range: from 85.93.0.0 to 85.93.63.255.

The actors behind this malware were using a weaponized Office document for distribution, while employing a fileless attack method. An RTF document arriving in the victim’s inbox prompted the user to allow macros to run in Microsoft Word to view the file content. However, once executed, the macros would spawn an elevated command shell on the host, meant to execute an encoded VBscript.

According to Invincea’s researcher, the malware’s code was obfuscated to hinder analysis attempts, but the functions and variables appeared computer generated. Pieces of code that resemble human readable functions were also observed, but the researcher believes that variables, integers, and comments in the code were actually added there to confuse analysts.

Dike also discovered that some of the functions in the code pointed to the creation of text files, while at the end, the code is exported to a .vbs file and then executed. After the script (which is called “3263.vbs” in this particular attack) is created and executed, it creates another malicious binary “3311.tmp,” which is believed to be the Cerber ransomware.

Advertisement. Scroll to continue reading.

In addition to modifying the screensaver to display the ransom note and to calling the aforementioned large 255.255.192.0 subnet, the malware creates a hexadecimal tmp file that subsequently launches the explorer.exe process. The process also creates a series of tmp files and writes them to the disk, and this sequence of events is supposedly related to a loop in the VBscript.

According to the researcher, there is a chance that the analyzed malware variant didn’t fully complete its process to deliver the final payload. If so, it means that, in addition to the already observed nefarious operations, the malware might perform other malicious activities on the victim’s machine if the binary can run to completion.

“The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive,” the researcher concludes.

Earlier this week, Microsoft warned of improvements in macro malware, which now employs additional techniques meant to better hide malicious code. Highly popular in the 1990s, macro malware returned to focus last year. Earlier this year, Dridex and Locky, two malware families that spread through malicious documents, started using forms to hide malicious code.

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

F5 has appointed Cathy Peterman as Chief People Officer.

Sean Murphy has joined F5 as a Field Chief Information Security Officer - North America.

CodeHunter has appointed Stephen McCarney as Chief Strategy Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.