{"id":84440,"date":"2017-06-22T18:03:26","date_gmt":"2017-06-22T12:33:26","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84440"},"modified":"2017-06-23T13:29:52","modified_gmt":"2017-06-23T07:59:52","slug":"aes-ni-ransomware-adopts-combination-fileless-code-injection-technique","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/aes-ni-ransomware-adopts-combination-fileless-code-injection-technique\/","title":{"rendered":"AES-NI Ransomware adopts combination of Fileless and Code Injection technique"},"content":{"rendered":"<p>Cybercriminals keep adopting new ways of spreading malware, as seen in the cases of the <a href=\"https:\/\/blogs.quickheal.com\/cerber-ransomware-kovter-trojan-team-together\/\">Cerber ransomware<\/a>, where the RIG exploit kit was used, and the <a href=\"https:\/\/blogs.quickheal.com\/wannacry-ransomware-recap-everything-need-know\/\">WannaCry ransomware<\/a>, which used the SMBv1 vulnerability. Now the AES-NI ransomware uses a combination of fileless and code injection techniques.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-84450 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal_main.png\" alt=\"aes_in_ransomware_quick_heal_main\" width=\"533\" height=\"230\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal_main.png 718w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal_main-300x130.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal_main-650x281.png 650w\" sizes=\"(max-width: 533px) 100vw, 533px\" \/><\/p>\n<p>This threat involves the abuse of PsExec, a Microsoft Sysinternals command line utility that can execute files on remote systems. 
The use of PsExec indicates that the attacker had already obtained administrative login details by some means.<\/p>\n<p>Similar to the Troldesh ransomware, the operators of AES-NI ransomware run a brute-force attack against Remote Desktop Protocol (RDP) to guess login details before transferring the malware to the victim\u2019s computer and infecting it with the ransomware.<\/p>\n<p>AES-NI ransomware runs a self-deletion routine after its remote execution, which gives it the characteristics of fileless malware. This is further enhanced by injecting code into the genuine system process \u2018SVCHOST.EXE\u2019, which then carries out the data encryption. The ransomware also enumerates open shared folders and connected devices that can be reached over the network with saved credentials, and encrypts the files on them once access is authenticated.<\/p>\n<figure id=\"attachment_84443\" aria-describedby=\"caption-attachment-84443\" style=\"width: 715px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84443\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal.png\" alt=\"Fig 1\" width=\"715\" height=\"164\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal.png 715w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal-300x69.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal-650x149.png 650w\" sizes=\"(max-width: 715px) 100vw, 715px\" \/><figcaption id=\"caption-attachment-84443\" class=\"wp-caption-text\">Fig 1<\/figcaption><\/figure>\n<p>The malware further removes all traces and artifacts such as the system&#8217;s event logs. 
It also removes forensic evidence such as Prefetch data, which records which files were executed on the system and when, using <em>wevtutil.exe<\/em>. As a result these activities cannot be traced, which makes it difficult for security analysts to analyze the malware. The chances of other ransomware adopting similar techniques are extremely high.<\/p>\n<p>Quick Heal successfully detects and prevents the AES-NI ransomware.<\/p>\n<figure id=\"attachment_84442\" aria-describedby=\"caption-attachment-84442\" style=\"width: 458px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84442 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal1.png\" alt=\"aes_in_ransomware_quick_heal1\" width=\"458\" height=\"260\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal1.png 458w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal1-300x170.png 300w\" sizes=\"(max-width: 458px) 100vw, 458px\" \/><figcaption id=\"caption-attachment-84442\" class=\"wp-caption-text\">Fig 2. Quick Heal detecting the ransomware<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_84441\" aria-describedby=\"caption-attachment-84441\" style=\"width: 296px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84441 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal2.png\" alt=\"Fig 2. Quick Heal\u2019s behavior-based detection system detecting the malicious behavior\" width=\"296\" height=\"158\" \/><figcaption id=\"caption-attachment-84441\" class=\"wp-caption-text\">Fig 3. 
Quick Heal\u2019s behavior-based detection system detecting the malicious behavior<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_84444\" aria-describedby=\"caption-attachment-84444\" style=\"width: 292px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84444 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/aes_in_ransomware_quick_heal3.png\" alt=\"aes_in_ransomware_quick_heal3\" width=\"292\" height=\"157\" \/><figcaption id=\"caption-attachment-84444\" class=\"wp-caption-text\">Fig 4. Quick Heal detecting the malicious file in real-time<\/figcaption><\/figure>\n<p>Given the extent of the damage ransomware can do to your data, it is important that you follow the security measures recommended below.<\/p>\n<ol>\n<li>Back up your files on a regular basis. Ransomware goes after your files when it infects your computer. If you have a backup of all your important files, there is no reason to give in to the ransomware\u2019s demands. Remember to disconnect from the Internet while you are backing up to an external hard drive, and unplug the drive before you go online again. Several free and paid cloud backup services on the market can take data backups periodically.<\/li>\n<li>Provide Read\/Write privileges on network shares only when required. Avoid keeping open shares, as they are likely to be encrypted if there is a ransomware infection.<\/li>\n<li>Use strong login credentials for both user and administrator accounts. Weak credentials can easily be brute-forced to gain system access.<\/li>\n<li>Use an <a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-total-security\" target=\"_blank\">antivirus software<\/a> that gives multilayered protection against infected emails and malicious websites, and stops infections that can spread through USB drives. 
Keep the software up-to-date.<\/li>\n<li>Apply recommended security updates for your computer\u2019s Operating System and all other programs such as Adobe, Java, Internet Browsers, etc.<\/li>\n<li>Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources. Even if such emails seem to be from a known source, it is better to call up the sender and verify them first.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><strong>ACKNOWLEDGMENT<\/strong><\/p>\n<p>Subject Matter Expert<\/p>\n<ul>\n<li>Shantanu Vichare | Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are adopting unique ways for spreading malware and this has been evident in the cases of the Cerber ransomware where the RIG exploit was used and the WannaCry ransomware which used the SMBv1 vulnerability. And now it\u2019s the AES-NI ransomware which uses a combination of fileless and code injection technique. This threat involves the [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":84445,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[151,910,5],"tags":[50],"class_list":["post-84440","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-password","category-ransomware","category-security","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84440"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84440"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/p
osts\/84440\/revisions"}],"predecessor-version":[{"id":84451,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84440\/revisions\/84451"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84445"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}