MegaCortex Ransomware
Sophos released intelligence on a new ransomware campaign dubbed “MegaCortex”. The campaign started on May 1st, 2019 worldwide including in Italy, the United States, Canada, the Netherlands, Ireland, and France. Initial infection is speculated to start from the Emotet exploit kit. MegaCortex uses both a manual and automated process starting with Meterpreter reverse shell scripts. From there, PowerShell scripts, batch files and remotely executed commands are utilized to execute the final stage malware on specific machines.
Once activated, the malware encrypts files on the machine with an undetermined encryption algorithm. In one case, the extension “.aes128ctr” was appended to the existing files however it’s unknown at this time if that is static to all campaigns. The attackers then demand an unspecified ransom with a note left in the root directory.
The ransom notification appears on the root of the victim’s hard drive as a plain text file.
Further details at – https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/
IP address/domains
Meterpreter’s reverse shell C2 address
89.105.198.28
File hashes
Batch script:
37b4496e650b3994312c838435013560b3ca8571
PE EXE:
478dc5a5f934c62a9246f7d1fc275868f568bc07
Secondary DLL memory injector:
2f40abbb4f78e77745f0e657a19903fc953cc664
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.