A new fileless ransomware has been discovered in the wild. This ransomware, dubbed SOREBRECT, injects malicious code into a legitimate system process (svchost.exe) on targeted systems and then self-destructs in order to evade detection by antivirus. This sets it apart from more generic “spray-and-pray” ransomware: it has been designed specifically to target enterprise systems in various industries.
SOREBRECT also goes a few steps further to cover its tracks: it deletes the infected system’s event logs (using wevtutil.exe), which can provide forensic information such as which files were executed on the system and when. These deletions deter analysis and prevent SOREBRECT’s activities from being traced.
How does it do it?
This ransomware uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files after it has taken control of the machine. “PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs,” Trend Micro says.
SOREBRECT can also encrypt network shares
SOREBRECT can also scramble the files of other computers connected to the infected machine through the local network. It scans the network for assets and open shares—folders, content or peripherals (e.g. printers) that others can readily access through the network. Once a live host is identified, it enumerates its shares and initiates a connection. If the infected device has read-and-write access to a share, the contents of that share are encrypted as well.
SOREBRECT uses the Tor network protocol to anonymize its connection to its command-and-control (C&C) server.
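The two host-side behaviours described above (event logs wiped with wevtutil.exe, and remote execution via PsExec) are both visible in process-creation telemetry. The following detection logic is an added example, not code from the original article or from Trend Micro; it assumes records shaped like Sysmon Event ID 1 / Security 4688 fields (Image, CommandLine, ParentImage), and the sample records are constructed.

```python
import re

# Constructed process-creation records (sample data only). Field names follow
# Sysmon Event ID 1 / Windows Security 4688; adapt them to your own telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil clear-log System",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5",      # benign read-only query
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe",               # PsExec's service binary
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# wevtutil clears a log with the verb "cl" or its long form "clear-log";
# other verbs (qe, gl, el, ...) only read and are deliberately not flagged.
CLEAR_LOG_RE = re.compile(
    r'^\s*("?[^\s"]*wevtutil(\.exe)?"?)\s+(cl|clear-log)\s+(\S+)', re.IGNORECASE)
# PsExec installs and starts PSEXESVC.exe on the remote host it executes on.
PSEXEC_RE = re.compile(r"psexesvc\.exe$", re.IGNORECASE)


def classify(event):
    """Return (rule, detail) tuples for one process-creation record."""
    hits = []
    m = CLEAR_LOG_RE.match(event.get("CommandLine", ""))
    if m:
        hits.append(("event_log_cleared", m.group(4)))       # name of the wiped log
    if PSEXEC_RE.search(event.get("Image", "")):
        hits.append(("psexec_service_started", event.get("ParentImage", "")))
    return hits


def detect(events):
    """Run classify() over a stream of records; returns (index, hit) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


if __name__ == "__main__":
    for idx, (rule, detail) in detect(SAMPLE_EVENTS):
        print(f"record {idx}: {rule} ({detail})")
```

A log-clear launched from svchost.exe, as in the first two records, is the combination worth prioritising; a 1102 "audit log was cleared" event in the Security log, if it survives, corroborates it.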
SOREBRECT Ransomware Spreads Worldwide
According to Trend Micro, SOREBRECT initially targeted Middle Eastern countries such as Kuwait and Lebanon, but since last month the threat has started infecting machines in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.
In February, Kaspersky researchers also discovered fileless malware that resided solely in the memory of the compromised computers, which was found targeting banks, telecommunication companies, and government organizations in 40 countries.
Kaspersky said: “Unfortunately the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only.”