Red Security
News: New Ransomware Shows Off Its Abilities




New Ransomware Shows Off Its Abilities: - Mad-Architect - 11-21-2019



MalwareHunterTeam stated in a November 15th tweet that a new type of ransomware called "SectopRAT", which they first discovered, was able to create a second "hidden" desktop that could fully control the chosen browser.

According to an article by ZDNet:

"The first SectopRAT sample is signed by Sectigo RSA Code Signing CA and uses a Flash icon, whereas the second is not signed. Both samples of the Remote Access Trojan (RAT) use arbitrary characters in their names, have write/execute characteristics, and make use of ConfuserEx for obfuscation.
According to the researchers, the malware contains a RemoteClient.Config class with four variables for configuration -- IP, retip, filename, and mutexName.
The IP variable relates to the Trojan's command-and-control (C2) server, whereas the retip variable has been designed to set up new C2 IPs that the server can override using the "set IP" command."


The article goes on:


"Filename and mutexName, however, are set but not in active use.
The hardcoded filename spoolsvc.exe is added to the registry for persistence, a mimicry of the legitimate Microsoft service spoolsv.exe.
Once connected with its C2, the Trojan can be commanded to either stream an active desktop session or create a secondary one, hardcoded as "sdfsddfg," which is hidden from view. The researchers say that operators of the malware are able to use the "Init browser" command to initiate a browser session through the secondary desktop."


             

As far as this goes, it's been stated by the team at MalwareHunter that the sample they received seems to show that the malware isn't finished and is merely out in the wild for testing purposes.


Original article can be found here.


That was the news folks, have a good day, and stay safe out there.

---Mad-Architect
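As an added example that is not part of the original post or the quoted article: a small Python autorun scan that flags registry Run entries whose executable name is one edit away from a legitimate Windows binary, which is the spoolsvc.exe / spoolsv.exe mimicry the article describes. The autorun entries are constructed sample data, the Run key location is an assumption (the article only says the filename is "added to the registry"), and the check is generalised to other commonly imitated names such as svchost.exe.

```python
import re

EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Names lookalikes imitate; spoolsv.exe is from the article, the others are added.
KNOWN_GOOD = ("spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")

# Constructed sample (key, value, command); Run key is an assumption, not from the article.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "spoolsvc",
     r'"C:\Users\alice\AppData\Roaming\spoolsvc.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svch0st",
     r"C:\Users\alice\AppData\Local\Temp\svch0st.exe"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_name(command: str):
    """Bare executable file name from an autorun command line, lower-cased."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else None

def lookalike_name(name: str, max_dist: int = 1):
    """Legitimate binary that `name` imitates within max_dist edits, else None."""
    name = name.lower()
    if name in KNOWN_GOOD:
        return None  # the genuine binary itself is not a lookalike
    for good in KNOWN_GOOD:
        if edit_distance(name, good) <= max_dist:
            return good
    return None

def scan_autoruns(entries):
    """Return (value name, executable, imitated binary) for each suspicious entry."""
    findings = []
    for _key, value_name, command in entries:
        exe = executable_name(command)
        if exe and (hit := lookalike_name(exe)):
            findings.append((value_name, exe, hit))
    return findings
```

On a live host the same functions can be fed the output of a Run-key enumeration instead of the constructed list; the one-edit threshold catches appended letters and digit-for-letter swaps but not unrelated names dropped into a system directory.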