The latest splash has been made by the Petya or NotPetya Ransomware that exploded in Ukraine and is infecting companies all over the World. It’s getting some people in deep trouble as there’s no way to recover the files once encrypted.
The malware seems to be trying to hide it’s intent as it doesn’t really seem to be about making money, $300 is a pretty low amount and they setup a very poor mechanism for collecting the money (the Posteo account they used has been shut down).
It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.
The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms. Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, encrypting the infected machines’ filesystems.
Although it demands about $300 in Bitcoin to unscramble the hostage data, the mechanisms put in place to collect this money from victims quickly disintegrated. Despite the slick programming behind the fast-spreading malware, little effort or thought was put into pocketing the loot, it appears.
At the current value of Bitcoin there’s around $10,000 USD in the wallet mentioned, but with the e-mail address down there’s no way for the victims to get in contact with the bad guys to decrypt their files.
It’s quite probably a nation state attack aimed at the Ukraine, and it just happened to spread outside. It also doesn’t spread over the Internet like WannaCry but only over the local network.
So far, the vast majority of infections have occurred in Ukraine and Russia, but some big names in the West have also suffered. International advertising conglomerate WPP was taken offline (even its website was down), global law firm DLA Piper was infected and, most worryingly, shipping goliath Maersk is warning of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were borked for hours by the malware.
In Ukraine itself, which appears to be ground zero for the attack, the situation was critical. Large numbers of businesses were caught by the software nasty – the contagion has broken the automatic radiation monitoring systems in Chernobyl, meaning some unlucky scientists are going to have to take readings manually for the time being. Energy companies were hit as well as government agencies.
According to Ukraine’s cyber-cops, as well as phishing emails booby-trapped with malware-laden attachments, financial software firm MeDoc was used to infect computers in the ex-Soviet nation. We’re told miscreants managed to compromise a software update for the biz’s products, which are widely used in the country, so that when it was downloadable and installed by victims it contaminated their network with NotPetya. If this software was running with domain admin access, it would be immediately game over.
It’s definitely some pretty slick coding and an impressive piece of malware. But why it’s been unleashed? We’re unlikely to find out unfortunately.
Source: The Register
Winpayloads is a tool to provide undetectable Windows payload generation with some extras running on Python 2.7.
It provides persistence, privilege escalation, shellcode invocation and much more. The tool uses metasploits meterpreter shellcode, injects the users IP and port into the shellcode and writes a python file that executes the shellcode using ctypes. This is then AES encrypted and compiled to a Windows Executable using pyinstaller.
- UACBypass – PowerShellEmpire
- PowerUp – PowerShellEmpire
- Persistence – Adds payload persistence on reboot
- Psexec Spray – Spray hashes until successful connection and psexec payload on target
- Upload to local webserver – Easy deployment
- Powershell stager – allows invoking payloads in memory & more
Winpayloads also comes with a few features such as UAC bypass and payload persistence. These are powershell files that execute on the system when the meterpreter gets a reverse shell. The UAC bypass is written by PowerShellEmpire and uses an exploit to bypass UAC on local administrator accounts and creates a reverse meterpreter running as local administrator back to the attackers machine.
Winpayloads can also setup a SimpleHTTPServer to put the payload on the network to allow downloading on the target machine and also has a psexec feature that will execute the payload on the target machine if supplied with usernames,domain,passwords or hashes.
git clone https://github.com/nccgroup/winpayloads.git
./setup.shwill setup everything needed for Winpayloads
- Start Winpayloads
- Type ‘help’ or ‘?’ to get a detailed help page
You can download Winpayloads here:
Or read more here.
TheFatRat is an easy-to-use Exploitation Tool that can help you to generate backdoors and post exploitation attacks like browser attack DLL files. This tool compiles malware with popular payloads and then the compiled malware can be executed on Windows, Linux, Mac OS X and Android.
The malware that is created with this tool also has the ability to bypass most AV software protection.
- Create backdoor for Windows, Linux, Mac OS X and Android
- Bypass antivirus backdoor
- Checks for metasploit service and starts if not present
- Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Mac OS X and Android
- Start multiple meterpreter reverse_tcp listeners
- Fast Search in searchsploit
- Bypass AV
- File pumper
- Create backdoor with another technique
- Autorunscript for listeners (easy to use)
- Drop into Msfconsole
git clone https://github.com/Screetsec/TheFatRat.git
chmod +x setup.sh && ./setup.sh
You can download TheFatRat here:
Or read more here.
So far this Nayana payout is the biggest ransomware payment I’ve seen reported, there’s probably some bigger ones been paid but kept undercover.
Certainly a good deal for the bad actors in this play, and well using an outdated Kernel along with PHP and Apache versions from 2006 you can’t feel too sorry for Nayana.
A South Korean web hosting company is forking out just over US$1 million to ransomware scum after suffering more than eight days of nightmare.
Nayana first announced the attack on June 10, saying customer video files and its database had been encrypted, and promising to work to recover the data.
More than 150 servers were hit, hosting the sites of more than 3,400 mostly small business customers.
After a lengthy negotiation with the hackers, a demand for Bitcoin worth 5 billion won (nearly $4.4 million) was trimmed to around $1 million (397.6 Bitcoin), and the company paid up. The ransom was demanded in three instalments; so far, two have been made.
They’ve made 11 Announcements so far about the situation with the latest being from yesterday, in which they state they’ve paid the ransom but it will still quite some time for them to decrypt the customer data and restore it properly (10 days or more in some cases).
Obviously it’ll depend on the number of files, the size of the files encrypted and the power of the machine running the decryption.
Trend Micro reckons the attack used a version of Erebus ported to Linux.
Trend says at the time of the attack, Nayana was running a witch’s brew of vulnerable systems – an old Linux kernel (126.96.36.199) compiled in 2008, Apache 1.3.36 and PHP 5.1.4 (both dating from 2006).
As well as getting schooled in why systems need to be kept up to date, Nayana says it’s working with the Korea Internet and Security Agency and other “cyber criminal investigators”.
The company’s next recovery status announcement is due today (Tuesday, 20 June).
For those that say they don’t have a budget for security, they should look at this. You could hire a whole red team, an external security audit and use top notch protection tools for far less than $1 Million USD.
I hope this serves as a lesson to more organisations than just Nayana.
Source: The Register
pyrasite is a Python-based toolkit to inject code into running Python processes. pyrasite works with Python 2.4 and newer. Injection works between versions as well, so you can run Pyrasite under Python 3 and inject into 2, and vice versa. Usage
usage: pyrasite [-h] [--gdb-prefix GDB_PREFIX] [--verbose] [--output OUTPUT_TYPE] pid [filepath|payloadname]
pyrasite - inject code into a running python process
pid The ID of the process to inject code into
filepath|payloadname The second argument must be a path to a
file that will be sent as a payload to the
target process or it must be the name of
an existing payload (see --list-payloads).
-h, --help show this help message and exit
GDB prefix (if specified during installation)
--verbose Verbose mode
--output OUTPUT_TYPE This option controls where the output from
the executed payload will be printed. If
the value is 'procstreams' (the default) then
the output is sent to the stdout/stderr of the
process. If the value is 'localterm' then the
output is piped back and printed on the local
terminal where pyrasite is being run.
--list-payloads List payloads that are delivered by pyrasite
For updates, visit https://github.com/lmacken/pyrasite
You can download pyrasite here: pyrasite-2.0.zip Or read more here.
Snitch is an information gathering tool which automates the process for a specified domain. Using built-in dork categories, this tool helps gather specified information domains which can be found using web search engines. It can be quite useful in early phases of penetration tests (commonly called the Information Gathering phase). snitch can identify general information, […]
This is pretty interesting, the prices for Fake News as a Service have come out after some research by Trend Micro, imagine that you can create a fake celebrity with 300,000 followers for only $2,600. Now we all know this Fake News thing has been going on for a while, and of course, if it’s […]
Credmap is an open source credential mapper tool that was created to bring awareness to the dangers of credential reuse. It is capable of testing supplied user credentials on several known websites to test if the password has been reused on any of these. It is not uncommon for people who are not experts in […]
Lazydroid is a tool written as a bash script to facilitate some aspects of an Android Security Assessment. Features It provides some common tasks such as: Set the debug flag of an application to true Set the backup flag of an application to true Re-Build the application Re-Sign the application Smart log extraction of an […]
The OneLogin hack is blowing up now it seems like whoever got access can also decrypt encrypted customer data which is just about AS BAD as it can get for a password/identity management service. Now I’m a HUGE supporter of password management tools as I’ve mentioned many times here, so anyone who signed up for […]