U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CSE Malware ZLab – Malware Analysis Report: A new variant of Mobef Ransomware

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, a malware that in the past mainly targeted Italian users. Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users. I personally obtained the sample by […]

Mobef ransomware

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, a malware that in the past mainly targeted Italian users.

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.

I personally obtained the sample by researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at the ZLab.

Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.

Mobef ransomware

Mobef ransomware note

The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.

After the execution, the ransomware creates three files:

  • 4YOU: it contains the ransom note as shown in the popup window; it is stored in each folder in which there are encrypted files.
  • KEI: it contains the personal key used to identify the victim; it is stored in each folder in which there are encrypted files.
  • log: it contains the list of the encrypted files and it is stored in “C:\Windows”. This file represents also the kill-switch of the malware and the filename is the same for every infection.
Mobef ransomware

Mobef ransomware – List of encrypted files

Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.

It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.

A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.

Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180228_CSE_Mobef_ransomware_new_variant.pdf

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mobef ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]