
They say imitation is the sincerest form of flattery: The LV ransomware, a strain that cropped up just this spring, turns out to be based on what is most likely pirated REvil ransomware code, according to researchers.

A malware analysis of LV from Secureworks Counter Threat Unit (CTU) found that its operators (which it calls Gold Northfield) replaced the configuration of a REvil v2.03 beta version to copy and repurpose the REvil binary for their own ransomware.

“The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil,” researchers said in a Tuesday blog post. “The version value in the LV binary is 2.02, its compile timestamp is 16:24:05, and its configuration is stored in a section named ‘.7tdlvx’. These characteristics align with REvil 2.02 samples first identified in the wild on June 17, 2020.”

It’s also possible that Gold Northfield simply stole the source code, but CTU researchers noted that some signs discount that theory. For instance, among the differences between the two is the fact that in LV’s code, certain strings present in REvil 2.03 are replaced by spaces. This can be seen in a snarky code snippet found in REvil 2.03 that’s meant to insult prominent security researchers, including Vitali Kremez, among others. In LV’s code, the insults are stripped out. This indicates a likely reverse-engineering job rather than a rebuild from source, researchers said.

“This type of code modification suggests that Gold Northfield does not have access to REvil’s source code,” researchers wrote. “The threat actors likely used a hex editor to remove potentially identifying characteristics from the binary to conceal that LV is a repurposed version of REvil.”

Hijacking the REvil Binary

REvil, a.k.a. Sodinokibi, is the gang reportedly behind a high-profile recent attack on the Sol Oriens nuclear contractor, the $11 million JBS Foods attack, the $50 million squeeze placed on Apple just hours before its splashy new product launch, an attack on Quanta, which is contracted to assemble Apple products, and on and on. So, perhaps it’s no surprise that other cybercrime syndicates want to be just like them, code and all.

To that end, to repurpose the REvil binary, Gold Northfield first needed to provide a replacement configuration with the same structure as REvil’s, in the form of a JSON-formatted string containing the same key elements, according to CTU. Then, the group needed to RC4-encrypt the fresh configuration with a 32-byte key.

“To bypass REvil’s anti-tamper control that ensures the integrity of the configuration, Gold Northfield also had to generate a CRC32 hash of the updated encrypted configuration and then replace the hard-coded precalculated CRC32 hash stored in the binary with the updated configuration’s CRC32 hash,” researchers said. “These changes are necessary because the REvil code calculates the configuration’s CRC32 hash value at runtime and terminates if the calculated and hard-coded hashes do not match.”

Finally, Gold Northfield needed to add the RC4 key, the CRC32 hash, the length of the encrypted configuration and the encrypted configuration itself to the REvil binary, they added. “If done correctly, the binary will successfully execute using LV’s updated configuration,” according to the post.

LV Configuration Updates and Changes

“Files on the victim’s system will be encrypted with session keys that are protected by LV’s public key, and victims will be directed to LV’s ransom payment site via the updated ransom note,” the researchers noted.

LV appears to be replicating REvil’s playbook in many ways, according to the analysis, including stealing information during attacks and posting the names of its victims on “name and shame” leak sites. However, there are key differences between the two groups, according to CTU. Some of these highlight LV’s less-sophisticated arsenal of skills.
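As an added example (not REvil’s or LV’s code, nor Secureworks’ tooling), the following Python models the repack sequence described under “Hijacking the REvil Binary” above: a loader that keeps an RC4-encrypted JSON configuration alongside its CRC32 and terminates on a mismatch, a naive swap that replaces only the ciphertext and so trips that anti-tamper check, and the full repack with a fresh 32-byte key, recomputed CRC32 and length. The blob layout (key, CRC32, length, ciphertext), the little-endian field encoding, the sample key and the configuration field names are assumptions for illustration and do not reproduce REvil’s actual binary structure.

```python
"""Model of the 'replace config, re-encrypt, re-hash, re-embed' sequence.

Added example, not REvil or LV code. The embedded blob layout below
(32-byte RC4 key | CRC32 of ciphertext | ciphertext length | ciphertext)
is an assumption made for illustration only.
"""
import json
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack_config(config: dict, key: bytes) -> bytes:
    """Full repack: JSON-serialise, RC4-encrypt with a 32-byte key, then embed
    key, CRC32 of the *encrypted* configuration, its length and the ciphertext."""
    assert len(key) == 32, "the article describes a 32-byte RC4 key"
    ciphertext = rc4(key, json.dumps(config, separators=(",", ":")).encode())
    crc = zlib.crc32(ciphertext) & 0xFFFFFFFF
    return key + struct.pack("<II", crc, len(ciphertext)) + ciphertext


def load_config(blob: bytes) -> dict:
    """Model of the runtime anti-tamper control: recompute the CRC32 of the
    embedded ciphertext and terminate if it differs from the stored value."""
    key = blob[:32]
    crc, length = struct.unpack("<II", blob[32:40])
    ciphertext = blob[40:40 + length]
    if zlib.crc32(ciphertext) & 0xFFFFFFFF != crc:
        raise RuntimeError("configuration CRC32 mismatch; terminating")
    return json.loads(rc4(key, ciphertext))


def naive_swap(blob: bytes, new_config: dict) -> bytes:
    """What a copier who skips the re-hash step would produce: same key, new
    ciphertext and length, but the old precalculated CRC32 left in place."""
    key = blob[:32]
    old_crc = blob[32:36]
    ciphertext = rc4(key, json.dumps(new_config, separators=(",", ":")).encode())
    return key + old_crc + struct.pack("<I", len(ciphertext)) + ciphertext


# Constructed sample data. The field names are assumptions chosen to mirror the
# kinds of values the article mentions (operator public key, ransom note name).
SAMPLE_KEY = bytes(range(32))          # fixed so the run is deterministic
FRESH_KEY = bytes(range(32, 64))       # the "new" 32-byte key for the repack
REVIL_CONFIG = {"pk": "REVIL_PUBLIC_KEY_BASE64", "nname": "{EXT}-readme.txt", "dbg": False}
LV_CONFIG = {"pk": "LV_PUBLIC_KEY_BASE64", "nname": "{EXT}-readme.txt", "dbg": False}


def demo() -> dict:
    """Run the three scenarios and report what the loader does in each."""
    original = pack_config(REVIL_CONFIG, SAMPLE_KEY)
    result = {"original_pk": load_config(original)["pk"]}

    # Ciphertext replaced without updating the hash: the runtime check fires.
    try:
        load_config(naive_swap(original, LV_CONFIG))
        result["naive_swap"] = "ran"
    except RuntimeError:
        result["naive_swap"] = "terminated"

    # Full sequence: new key, new ciphertext, recomputed CRC32 and length.
    result["repacked_pk"] = load_config(pack_config(LV_CONFIG, FRESH_KEY))["pk"]
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the naive-swap branch is the one the researchers make: because the CRC32 is computed over the encrypted configuration at runtime, patching the ciphertext alone is not enough; the stored hash and length have to be replaced too, or the binary exits before it ever reads the new configuration.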
