

and European law enforcement agencies revealed new seizures and arrests this week involving the REvil ransomware group, underscoring the intense interest and outrage in the wake of these malicious campaigns. These developments also highlight the immediate need for security professionals to fully understand the inner workings of this group and the associated malware family, to better protect their organizations and stakeholders. This blog dives deep into REvil's latest tactics, techniques, and procedures (TTPs), drawing insights from a recent incident handled by the BlackBerry Incident Response Team.

REvil is notorious for using “watering hole” attacks to gain initial access into networks. This is accomplished by compromising a website that the group expects will be visited by a target group. In this case, the REvil group posted a ZIP archive containing a Gootkit loader on a compromised website disguised as an informational page containing a description of a search term popular among its intended victims.

Upon accessing the compromised site, users were redirected to hxxps://fibarokrakowcom/aboutphp, initiating the download of the Gootkit loader ZIP file. Once opened, the ZIP file initiated a JavaScript payload via wscript.exe. Initially the JavaScript file contained obfuscated code within a variable labeled “knew”:

Following execution of the Gootkit loader, the final deobfuscated code snippet performs the following actions:

- Loops through an array of three domains.
- For each domain, generates a random string to be used as part of a download URL.

While the general layout of the loader was analyzed, BlackBerry was unable to obtain a copy of the exact JavaScript that would have been downloaded in this particular example of the final phase.
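The delivery chain above (ZIP opened from a browser download, then wscript.exe running a .js file from a user-writable folder) is a simple thing to hunt for in process-creation telemetry. The following is an added detection example, not code from the BlackBerry report; the event field names (Image, ParentImage, CommandLine) follow Sysmon conventions and the events are constructed samples.

```python
import re

# Constructed Sysmon-style process-creation events; the paths and file names are
# illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r'"C:\Users\alice\AppData\Local\Temp\Temp1_search_term.zip\search_term_12345.js"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Scripts\backup.vbs"'},
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Users\bob\Downloads\invoice.js"'},
]

# Windows Script Host binaries that execute .js payloads.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# User-writable locations where a ZIP opened straight from a browser is typically
# extracted (assumed set; extend it to match your environment).
RISKY_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)

# First .js / .jse argument on the command line, quoted or not.
JS_ARG = re.compile(r'"?([^"\s]+\.jse?)"?', re.IGNORECASE)


def is_suspicious(event):
    """True when a script host runs a .js/.jse file out of a risky directory."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    match = JS_ARG.search(event["CommandLine"])
    return bool(match and RISKY_DIRS.search(match.group(1)))


def find_suspicious(events):
    """Return the command lines of all events matching the ZIP -> wscript.exe pattern."""
    return [e["CommandLine"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The rule fires on the first and third sample events (script host executing a .js from a temp or Downloads path) and ignores the scheduled .vbs maintenance script, which is the kind of legitimate Script Host usage a bare "wscript.exe ran" rule would drown in.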
