Skip to main content

Security Alert; Bart Ransomware Bypasses Corporate Firewalls

A new ransomware variant has emerged that’s similar to widespread threats such as Dridex 220 and Locky Affid=3, but uses a security-evading technique that may allow it to attack organisations protected from other malware, according to computer security researchers.
Ransomware has spread quickly in the last few months, as a number of payouts have attracted cyber-criminals to the technique.



No external connection needed

HSBCThe new variant, called Bart, doesn’t need to connect to an outside server before maliciously encrypting a user’s files, making it harder to block, according to Proofpoint.
“Because Bart does not require communication with (command and control) infrastructure prior to encrypting files… Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” the firm’s researchers said in an advisory.

The malicious file arrives in the form of a zipped JavaScript attachment, so organisations need to ensure that zipped executables are blocked by their email gateway, Proofpoint said.

Bart, first discovered being distributed by a large spam campaign on Friday, arrives as an email with the subject line “Photos” and an attachment called “photos.zip”, the firm said. The zip archive contains a JavaScript file called PDF_123456789.js, but by default the .js extension doesn’t display on Windows, making the file appear at first glance to be a PDF document.

Russians, Ukrainians and Belorussians in no danger


The program, once launched, checks for the system language and doesn’t infect computers using the Russian, Ukrainian or Belorussian languages, researchers found.
If the Italian, French, German, Spanish or English languages are detected, it uses files translated into those languages.ransomware
“This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised,” the researchers wrote.

Once a system is encrypted, users are asked to pay 3 bitcoins, or about £1,500, to unlock the files. Instead of communicating with a command server, the malware appears to link to the payment server using the URL “id” parameter, Proofpoint said.

Development

Bart appears to have been developed by the attackers behind ransomware variants called Dridex 220 and Locky Affid=3, according to the firm, which said the method of distribution, the ransom message style and the payent portal style were all similar to the earlier programs.
The server hosting Bart’s malicious payload was also found hosting Dridex and Locky Affid=3, and there is a certain amount of code sharing between Locky and Bart, according to Proofpoint.

Ransomware has increasingly shifted to using JavaScript as users have grown increasingly wary of opening Word documents that may contain malicious macros, security researchers have said.
Earlier this month Sophos found a ransomware variant called RAA that carried out all its encryption activities using JavaScript, rather than downloading malicious code from a remote server, streamlining the infection process and bypassing security controls.

Comments

Post a Comment

Popular posts from this blog

Floods Leave Many Dead in Southern Ghana

Four days of heavy and steady rain has left at least 10 people dead in the south of Ghana. The streets of Accra have been left under water after the torrential downpours caused widespread flooding earlier this week. The nation's capital was hit bit 185mm of rain on Sunday, which is more than they would expect for the entire month of June. This is the wettest month of the year with an average rainfall of 178mm. Since the weekend a further 50mm of rain has fallen exacerbating the severe problems already faced. President John Dramani Mahama has surveyed the areas concerned. He was reported to have driven through several neighbourhoods on a motorcycle. Heavy downpours were also recorded 150km to the west of Accra in the Central Regional capital, Cape Coast where 10 people died in floods,  Sandy Amartey, regional coordinator of the National Disaster Management organisation, told AFP. "In all we have 10 to 12 who lost their lives during this rainy season." The rain...
Post a Comment
Read more

Etisalat Has Launched Its Mobile (4G LTE) Services In Nigerian

The Chief Executive Officer, Etisalat Nigeria, Matthew Willsher, who announced the new service roll-out, said the latest offering demonstrates the telco’s unwavering commitment to deliver superior customer experience to its subscribers.
Post a Comment
Read more