Skip to main content

Security Alert; Bart Ransomware Bypasses Corporate Firewalls

A new ransomware variant has emerged that’s similar to widespread threats such as Dridex 220 and Locky Affid=3, but uses a security-evading technique that may allow it to attack organisations protected from other malware, according to computer security researchers.
Ransomware has spread quickly in the last few months, as a number of payouts have attracted cyber-criminals to the technique.



No external connection needed

HSBCThe new variant, called Bart, doesn’t need to connect to an outside server before maliciously encrypting a user’s files, making it harder to block, according to Proofpoint.
“Because Bart does not require communication with (command and control) infrastructure prior to encrypting files… Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” the firm’s researchers said in an advisory.

The malicious file arrives in the form of a zipped JavaScript attachment, so organisations need to ensure that zipped executables are blocked by their email gateway, Proofpoint said.

Bart, first discovered being distributed by a large spam campaign on Friday, arrives as an email with the subject line “Photos” and an attachment called “photos.zip”, the firm said. The zip archive contains a JavaScript file called PDF_123456789.js, but by default the .js extension doesn’t display on Windows, making the file appear at first glance to be a PDF document.

Russians, Ukrainians and Belorussians in no danger


The program, once launched, checks for the system language and doesn’t infect computers using the Russian, Ukrainian or Belorussian languages, researchers found.
If the Italian, French, German, Spanish or English languages are detected, it uses files translated into those languages.ransomware
“This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised,” the researchers wrote.

Once a system is encrypted, users are asked to pay 3 bitcoins, or about £1,500, to unlock the files. Instead of communicating with a command server, the malware appears to link to the payment server using the URL “id” parameter, Proofpoint said.

Development

Bart appears to have been developed by the attackers behind ransomware variants called Dridex 220 and Locky Affid=3, according to the firm, which said the method of distribution, the ransom message style and the payent portal style were all similar to the earlier programs.
The server hosting Bart’s malicious payload was also found hosting Dridex and Locky Affid=3, and there is a certain amount of code sharing between Locky and Bart, according to Proofpoint.

Ransomware has increasingly shifted to using JavaScript as users have grown increasingly wary of opening Word documents that may contain malicious macros, security researchers have said.
Earlier this month Sophos found a ransomware variant called RAA that carried out all its encryption activities using JavaScript, rather than downloading malicious code from a remote server, streamlining the infection process and bypassing security controls.

Comments

Post a Comment

Popular posts from this blog

EC Slaps Apple With £11bn Irish Tax Bill

The European Commission (EC), as expected, has ordered the Irish government to recover up to €13 billion (£11bn) plus interest in “illegal tax benefits”. An investigation found Apple had been able to avoid taxation on almost all profits generated in the EU single market thanks to a structure which routed revenues through two “paper” headquarters in Ireland and minimal tax rates in the country. The EC says Apple only paid an effective corporate tax rate that fell from one percent in 2003 to 0.005 percent in 2014 – a rate which other companies in Ireland were not subjected to. This effectively amounted to state aid, the commission said. Apple tax amazon“Member States cannot give tax benefits to selected companies – this is illegal under EU state aid rules,” said Commissioner Margrethe Vestager, who is in charge of competition policy. “The Commission’s investigation concluded that Ireland granted illegal tax benefits to Apple, which enabled it to pay substantially less tax than ...
Post a Comment
Read more

England Eliminated And Manager Roy Hodgson resigns

Wayne Rooney gave Roy Hodgson's side a fourth-minute lead from the penalty spot at the Allianz Riviera on Monday, but two goals in 12 minutes turned the match in Iceland's favour, setting up a quarter-final clash against France.
Post a Comment
Read more