Skip to main content

Security Alert; Bart Ransomware Bypasses Corporate Firewalls

A new ransomware variant has emerged that’s similar to widespread threats such as Dridex 220 and Locky Affid=3, but uses a security-evading technique that may allow it to attack organisations protected from other malware, according to computer security researchers.
Ransomware has spread quickly in the last few months, as a number of payouts have attracted cyber-criminals to the technique.



No external connection needed

HSBCThe new variant, called Bart, doesn’t need to connect to an outside server before maliciously encrypting a user’s files, making it harder to block, according to Proofpoint.
“Because Bart does not require communication with (command and control) infrastructure prior to encrypting files… Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” the firm’s researchers said in an advisory.

The malicious file arrives in the form of a zipped JavaScript attachment, so organisations need to ensure that zipped executables are blocked by their email gateway, Proofpoint said.

Bart, first discovered being distributed by a large spam campaign on Friday, arrives as an email with the subject line “Photos” and an attachment called “photos.zip”, the firm said. The zip archive contains a JavaScript file called PDF_123456789.js, but by default the .js extension doesn’t display on Windows, making the file appear at first glance to be a PDF document.

Russians, Ukrainians and Belorussians in no danger


The program, once launched, checks for the system language and doesn’t infect computers using the Russian, Ukrainian or Belorussian languages, researchers found.
If the Italian, French, German, Spanish or English languages are detected, it uses files translated into those languages.ransomware
“This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised,” the researchers wrote.

Once a system is encrypted, users are asked to pay 3 bitcoins, or about £1,500, to unlock the files. Instead of communicating with a command server, the malware appears to link to the payment server using the URL “id” parameter, Proofpoint said.

Development

Bart appears to have been developed by the attackers behind ransomware variants called Dridex 220 and Locky Affid=3, according to the firm, which said the method of distribution, the ransom message style and the payent portal style were all similar to the earlier programs.
The server hosting Bart’s malicious payload was also found hosting Dridex and Locky Affid=3, and there is a certain amount of code sharing between Locky and Bart, according to Proofpoint.

Ransomware has increasingly shifted to using JavaScript as users have grown increasingly wary of opening Word documents that may contain malicious macros, security researchers have said.
Earlier this month Sophos found a ransomware variant called RAA that carried out all its encryption activities using JavaScript, rather than downloading malicious code from a remote server, streamlining the infection process and bypassing security controls.

Comments

Post a Comment

Popular posts from this blog

US Demands Immediate End To South Sudan Fighting

The United States demanded an immediate end to renewed fighting in the capital of South Sudan on Sunday, ordering all non-essential personnel out of the troubled country. "The United States strongly condemns the latest outbreak of fighting in Juba today between forces aligned with President Salva Kiir Mayardit and those aligned with First Vice President Riek Machar Teny, including reports we have that civilian sites may have been attacked," State Department spokesman John Kirby said in a statement.
Post a Comment
Read more

Prisoner escapes in Benin city

An inmate on Wednesday morning escaped from the court where he was taken to for his trial. The unidentified inmate, escaped from the watchful eyes of prison officials who took him and other inmates to court. The prisoner, an awaiting trial inmate in Oko medium prison, Benin, escaped at the premises of the state high court, Benin. A prison official who spoke with The reporter under the condition of anonymity, said prison warders have been sent to go after the escaped prisoner. Meanwhile, the spokesman of the Edo command of the Nigerian Prison Services (NPS), Mr Aminu Suleiman declined speaking to journalists on it. The spokesman, who could neither deny nor confirm the report, said he was not in a position to speak on the issue. Suleiman said that the state commander of the NPS, Mr Effiom Etowa, was out of the state on official assignment.
Post a Comment
Read more