You might also be interested in this article One Year of Russian-Ukrainian War in Cybersecurity, or this: Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials.

Also information security specialists noted that Due to the sanctions, Russian hackers are looking for new ways to launder money.

How hackers mimic the Enlisted game

Trojanized versions of the game are distributed through fake sites, where the game installer comes with a ransomware that pretends to be the third version of the sensational WannaCry malware (the malware even changes the extensions of the affected files to .wncry).

Enlisted was released by Gaijin Entertainment in 2021 and has between 500,000 and a million active players every month. Since the game is free-to-play, the attackers were able to easily download the installer from the publisher’s website and modify it to distribute the malware to players.

WannaCry 3.0 Payload analysis

According to Cyble analysts who analyzed the threat, this supposedly new variant of WannaCry is actually based on an open-source Python locker Crypter created for educational purposes. The game installer downloaded from the fake site is named “enlisted_beta-v1.0.3.115.exe“, and when run, it dumps two executable files on the user’s disk: ENLIST~1 (the actual game) and enlisted (the malware’s Python launcher).

Upon initialization, the ransomware creates a mutex to avoid multiple running instances on the infected machine. It then parses its JSON config file to determine which file types to target, which directories to skip, which ransom note to generate, and which wallet address to enter to receive the ransom.

As a result, the ransomware scans the working directory looking for the key.txt file to use in the encryption step (if it does not exist, it creates it). The AES-256 algorithm is used for encryption, and as mentioned above, all locked files receive the .wncry extension.

Interestingly, the malware does not attempt to terminate processes or services, which is standard practice in modern lockers, but goes the usual way for ransomware and removes shadow copies to prevent data recovery.

After verifying the process of encrypting files, the ransomware shows the victim a ransom note using a special application with a graphical interface for this and giving the victim three days to make a decision. In case the victim’s antivirus blocks the display of the ransom note, the ransomware also changes the background image on the user’s work slot.

What then?

The researchers note that the hackers do not use the Tor website, instead suggesting that victims use a Telegram bot to contact them. According to experts, many popular online shooters may now be unavailable to Russian users, so Enlisted has become an alternative for them. If the attackers have already paid attention to this, they can probably create other fake sites for similar games with Russian localization.

Well, what can I say? Being Russian-speaking now is not something that is not fashionable, but also dangerous. However, cybercriminals must be detected and punished, despite extenuating circumstances.

The post WannaCry 3.0 Ransomware Aims At Enlisted Russian-speaking Players appeared first on Gridinsoft Blog.

Let me remind you that Microsoft has been implementing a systematic refusal to use the outdated SMBv1 for a long time. So, since 2016, the company has advised administrators to withdraw from SMBv1 support since this version of the protocol is almost 30 years old and does not contain the security improvements that were added in later versions.

Security enhancements include encryption, integrity checks before authentication to prevent man-in-the-middle (MiTM) attacks, blocking insecure guest authentication, and more.

Now the Exchange Team has once again reminded administrators of the insecurity of using SMBv1 because various malware still actively abuses them. Some vulnerabilities in SMB are exploited by EternalBlue and EternalRomance, as well as by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, and so on. In addition, known SMB problems can be used to spread the infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

The company says they did not check if the Exchange 2010 server was working correctly with SMBv1 disabled. And they are advised to upgrade from Exchange 2010 to Office 365 or a newer version of Exchange Server.

On this week, as part of the “Tuesday of updates” Microsoft fixed 99 bugs in its relatively products, including the sensational 0-day in Internet Explorer, but at the same time, the discontinuation of support for old products causes a very mixed reaction from users.

The post Microsoft recommends Exchange administrators to disable SMBv1 appeared first on Gridinsoft Blog.

The owner of such infected computers may notice that some processes in their system use a lot of CPU %, which often slow down the computer or even freeze it completely. The main problem with a miner program is using your PC to make money.

It can be just a slow down of the computer for the average user, but be careful. If you ignore this problem, you can lose part of your PC because of overheating. So if you notice that CPU temperatures are over 50 degrees, then be ready that someone is already using your PC for mining.

Such viruses can often be downloaded from the Internet by the users themselves. Often when users open unknown files from the spam message, they infect the computer with different kinds of virus-like malware or adware. But the developer usually has a plan B. They attach similar viruses to installing various free programs; hence, if you skip the installation process and don’t look to the advantage setting, then ready that your computer will be infected with virus-like this.

We discovered a sample of Trojan.CoinMiner written in Delphi, which is distributed via spam mail:

GridinSoft Antim-Malware detect it as “Trojan.Win32.CoinMiner.dd” (like on image below):

MD5: 922e0891ae30ac3adb3a09cb963570cc
SHA1: 77feeefff422519cdb63faa438fea87e5e70882a

Other antivirus programs detect Trojan.CoinMiner (csrss.exe) as:

The trojan miner creates the next folder:

C:\Windows\MicrosoftU

And create these files:

• Auto.bat
• Start.vbs
• Start2.vbs
• Hide.bat
• Start.bat
• Start2.bat
• 1.bat
• 2.bat
• Srvany.exe
• Csrss.exe
• Srvanyx.exe

After Trojan.CoinMiner has been unpacked. It hides its presence using the strings in Hide.bat, setting the hidden and system attributes to the folder and files.

Attrib C:\Windows\MicrosoftU + S + H / S / D
Attrib C:\Windows\MicrosoftU\*. * + S + H / S / D

“Ttrojan Miner” uses the name of one of the system files “csrss.exe” to hide its presence in the system.

The virus starts with the following parameters:

Stratum + tcp: //xmr.pool.minergate.com: 45560 – Resource for which “mining” will be entered
Tatyana.kostomarova@gmail.com – user login from whom the extraction will be introduced
Cryptonight – Mining algorithm

Another parameter is how many threads the program will work in. This “miner” has a formula for calculating the number of processor cores involved. It is in the .bat file that launches the “miner” for the first time:

Set / a CPU =% NUMBER_OF_PROCESSORS% / 2 + 1
Srvanyx -a cryptonight -o stratum + tcp: //xmr.pool.minergate.com: 45560 -u tatyana.kostomarova@gmail.com -p x -t% cpu%

Another good miner example – Adylkuzz. This miner used SMB vulnerability for several weeks, and this is a similar vulnerability that uses widespread WannaCry (Wana Decrypt0r) which infected millions of computers last week. The main difference between those two viruses is that Adylkuzz miner hides as deep as possible and uses computer performance to mine Bitcoin and WCry (Wana Decryptor) aggressively encrypt data on the user’s computer.

Moreover, the researchers are sure that the malicious Adylkuzz miner infected the computer much earlier than WannaCry, on May 2, 2017. Adylkuzz did not attract as much attention as the Wana Decrypt0r (Wanacry Ransomware) for the simple reason that it is much more challenging to notice infection in this case. The only “symptoms” that the victim can see is the slowdown of the PC, as the miner uses the system’s resources. In addition, specialists say that Adylkuzz protected its users from WannaCry ransomware attacks. After the miner infects the user’s computer, it closes the “hole” in SMB and does not allow other malware to use the gap.

The specialists of both companies remind everyone who has not yet installed the update MS17-010, which closes the gap in SMB, that it should be done immediately and near the 445 port.

The miners are worth noting that the program used only for “mining” does not carry a direct threat but can be used for undesirable actions. Therefore, we highly recommend you to download and scan your PC with professional anti-malware tool and clean up your PC.

The post What is Trojan CoinMiner csrss.exe? appeared first on Gridinsoft Blog.

How WannaCry (or Wanna Decrypt0r 2.0) is spreading and what is it capable of?

You can infect a PC by downloading some pirate programs, clicking on suspicious pop-ups with fake “update” links, and via emails. Be careful before clicking on some attachments and running programs from an unknown source.

When it infects your PC it will scan all files and encrypt them with WNCRY extension. Access is blocked to images, documents, music, and system files. After that, you will see the message on the screen “Oops, your files have been encrypted” and demand to pay $300 in Bitcoins to decrypt your files. However, no one guarantees that after paying the ransom the files will be decrypted.

To ensure that this epidemic bypasses you immediately need to install the patch MS17-010 from Microsoft. After installation, restart the computer. You need to scan your PC and in the case of detection of malicious attacks (Trojan.Win64.EquationDrug.gen) – reboot the system again and make sure that the patch MS17-010 is installed.

If you are already infected follow the steps below to eliminate the virus.

1. It is necessary to enable the safe mode with the network drivers loaded.
2. Then you need to scan the system with a strong antivirus program and remove all detected files

The final step for the user is to restore the encrypted files, you can only do this after Wannacry is uninstalled. Otherwise, system files and the registry can be damaged. For this, you can try different decryption programs, but they don’t guarantee to restore files.

So as we can see viruses don’t sleep and are evolving every day. WannaCry will be on our next list of the top 10 viruses.

The post How to protect your PC from a virus, that has infected systems all around the world? Be careful, WannaCry may come for you! appeared first on Gridinsoft Blog.