cybersecurity

3299 readers

73 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 1 year ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub

Customizable Elpaco ransomware abuses the Everything library (securelist.com)

submitted 12 hours ago* (last edited 12 hours ago) by Joker@sh.itjust.works to c/cybersecurity@infosec.pub

0 comments fedilink hide all child comments

Introduction

In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).

The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands.

This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, we provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here