Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Infiltrate C&C Server Behind CryptoBlock Ransomware

A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

A command and control (C&C) server used for operating the CryptoBlock ransomware family has also been hosting stolen user credentials and other malware families, researchers say.

According to researchers from Malwarebytes Labs, who managed to gain access to the malicious server, the ransomware appears to still be under development at the moment, but is believed to have the potential of becoming a major threat. The malicious operation could even evolve into a RaaS (Ransomware as a Service), the researchers believe. 

A note on the domain fliecrypter.in informs wannabe-criminals that the RaaS will be live soon, but it appears that some users have already been infected with this malware (although the distribution mechanism isn’t clear as of now). The ransomware, however, is completely obfuscated with ConfuserEX, which is difficult to unravel, researchers say.

The security experts decided to have a look at the ransomware’s server, which they acquired during previous research, and which revealed, among other .php pages, a config.php file that included the actor’s login credentials for the server. Specifically, the file revealed “the complete master credentials (username and password) to the entire CryptoBlock server, valid for every email, database, SSH, cPanel, and more,” Nathan Scott, Malwarebytes Labs Lead Malware Intelligence Analyst, notes.

Courtesy of these, the researchers gained complete access to a threat actor’s overseas server, which allowed them to copy all of the data there, including databases, PHP files, and the personal information used to rent the server. However, because the hosting company only required an email address to host the server, and because the email was fake, the researchers couldn’t learn more on the actor.

Server logs, however, revealed that the ransomware might have already infected quite a few people, and that there were “a few IP addresses from Europe that have been visiting this server by the thousands since it was brought up.” These, the researchers say, might be the real IPs used by the threat actor owning the server while testing the malware (the most accessed part of the server was a PHP page that is used by the debug build of the ransomware server).

The server was also found to host a full database of stolen credentials from “Pay for Porn” sites, and the database of ransomware users (with IDs, BTC addresses, payments, and keys). Moreover, it revealed that the threat actor applied for a Blockchain API account, and was denied, and that other malware was being distributed from it as well.

“The threat actor is also distributing an exploitable Ammyy Admin executable from the server. It seems they either may be scamming people into letting them onto the machine remotely, or they are simply running it silently as a malicious drive-by. The file on the server is called test.exe,” Scott explains.

Advertisement. Scroll to continue reading.

Related: Attackers Leave Server Credentials in Ransomware’s Code

Related: Ransomware Module Found in Shamoon 2.0

Related: New Unlock26 Ransomware and RaaS Portal Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.