Skip to main content

Security Alert; Bart Ransomware Bypasses Corporate Firewalls

A new ransomware variant has emerged that’s similar to widespread threats such as Dridex 220 and Locky Affid=3, but uses a security-evading technique that may allow it to attack organisations protected from other malware, according to computer security researchers.
Ransomware has spread quickly in the last few months, as a number of payouts have attracted cyber-criminals to the technique.



No external connection needed

HSBCThe new variant, called Bart, doesn’t need to connect to an outside server before maliciously encrypting a user’s files, making it harder to block, according to Proofpoint.
“Because Bart does not require communication with (command and control) infrastructure prior to encrypting files… Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” the firm’s researchers said in an advisory.

The malicious file arrives in the form of a zipped JavaScript attachment, so organisations need to ensure that zipped executables are blocked by their email gateway, Proofpoint said.

Bart, first discovered being distributed by a large spam campaign on Friday, arrives as an email with the subject line “Photos” and an attachment called “photos.zip”, the firm said. The zip archive contains a JavaScript file called PDF_123456789.js, but by default the .js extension doesn’t display on Windows, making the file appear at first glance to be a PDF document.

Russians, Ukrainians and Belorussians in no danger


The program, once launched, checks for the system language and doesn’t infect computers using the Russian, Ukrainian or Belorussian languages, researchers found.
If the Italian, French, German, Spanish or English languages are detected, it uses files translated into those languages.ransomware
“This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised,” the researchers wrote.

Once a system is encrypted, users are asked to pay 3 bitcoins, or about £1,500, to unlock the files. Instead of communicating with a command server, the malware appears to link to the payment server using the URL “id” parameter, Proofpoint said.

Development

Bart appears to have been developed by the attackers behind ransomware variants called Dridex 220 and Locky Affid=3, according to the firm, which said the method of distribution, the ransom message style and the payent portal style were all similar to the earlier programs.
The server hosting Bart’s malicious payload was also found hosting Dridex and Locky Affid=3, and there is a certain amount of code sharing between Locky and Bart, according to Proofpoint.

Ransomware has increasingly shifted to using JavaScript as users have grown increasingly wary of opening Word documents that may contain malicious macros, security researchers have said.
Earlier this month Sophos found a ransomware variant called RAA that carried out all its encryption activities using JavaScript, rather than downloading malicious code from a remote server, streamlining the infection process and bypassing security controls.

Comments

Post a Comment

Popular posts from this blog

Buhari Considers Hadiza Bala Usman As Head Of NPA

Nigerian Ports Authority (NPA) and the Minister of Transportation, Mr. Chibuike Amaechi, has submitted Ms. Hadiza Bala Usman’s name to President Muhammadu Buhari to take over as the new managing director of NPA, says Reporter.Should Buhari approve the recommendation, Ms. Bala Usman, 40, will become the first female chief executive of a top tier federal government agency and of the NPA. She shall take over from Alhaji Habib Abdullahi, who was reinstated by Buhari in August 2015 as the managing director of NPA, after he had been shown the exit by former President Goodluck Jonathan in April 2015.
Post a Comment
Read more

Yahoo Fails To Reveal Buyer, Suffers £332m Loss In Q2

Yahoo has failed to update investors on the sale of its core internet business as it revealed it suffered a £332 million loss in its second quarter. Instead, CEO Marissa Mayer said that “progress” has been made on its strategic alternatives but failed to define what that subjective term meant. Yahoo saw a rise in revenue to $1.3 billion (£1bn) in the second quarter, with mobile revenue growing from £252 million to $378 million (£287m).                  
Post a Comment
Read more