welcome to netwrkspider

Wednesday, September 23, 2020

Latest Maze Ransomware Sample & IOCs Details.

Maze, also called ChaCha, is ransomware: malware that encrypts the victim's files and demands a ransom in exchange for the decryption key that restores them. Its defining feature is that it was one of the first malware families of this kind to publicly release stolen data: sensitive files are leaked unless the ransom is paid.

Maze Ransomware has been operating actively since 2019 and, unfortunately, the attack volume from this malware has been on a steady rise since that time.

 

Maze Ransomware execution process

The execution process of Maze is fairly typical for this type of malware. Once the executable reaches a system and runs, the main malicious activity begins: the ransomware first deletes volume shadow copies, so that files cannot be restored from them, then encrypts all targeted files and drops a ransom note on the desktop. It also often replaces the wallpaper with its own ransom text.

Notably, just like Sodinokibi (aka REvil), this family has a similar infrastructure: websites with "tech support", information about cryptocurrency and how to buy it, trial decryption and a chat. The crooks behind Maze are also rather cocky and post links to information about their successful attacks on their website.

 

Maze Ransomware distribution

Maze is distributed in several different ways. It has used the Spelevo and Fallout exploit kits; one of the vulnerabilities it targets is CVE-2018-15982 in Flash Player. In the case of the Fallout kit, users were redirected to the exploit from a fake cryptocurrency trading platform.

Another observed attack vector is email spam campaigns carrying a Microsoft Office document with a malicious macro.

 

Conclusion

Maze is a significant threat to organizations and private users alike. It not only encrypts data but also strong-arms victims into paying by threatening to publish sensitive information. Unfortunately, Maze started something of a trend, and more and more ransomware in the wild is starting to exhibit similar behavior.

 

IOC Details:

#SHA256

#URL/DOMAIN

lbi1.ru
i1fermer.ru

#C&C IP



Malware Sample Repo: https://github.com/netwrkspider/malwareSample/blob/master/maze_ransomware_latest_sample_23_09_2020.zip

Malware Sample Repo: https://github.com/netwrkspider/malwareSample/blob/master/27-07-2020-Maze-ransomware-sample.zip

Password: infected
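Added example, not part of the original post: a small Python loader for the "#SHA256 / #URL/DOMAIN / #C&C IP" layout used in the IOC section above, with the check a feed consumer needs before blocking anything. Entries in a C&C IP list that fall in private (RFC 1918) ranges such as 192.168.100.0/24 cannot be attacker infrastructure reachable from the internet and are almost always sandbox-network artifacts, so the loader separates them from routable addresses and rejects malformed values. The sample input, the placeholder hash and the 203.0.113.7 address are constructed.

```python
import ipaddress
import re

# Constructed sample in the same "#SECTION" layout as this post's IOC section. The
# hash is a placeholder, not a real Maze hash; 192.168.100.199 is a private address
# like those under "#C&C IP"; 203.0.113.7 (RFC 5737 test range) stands in for a C2.
SAMPLE_IOC_TEXT = """\
#SHA256
0000000000000000000000000000000000000000000000000000000000000000
#URL/DOMAIN
lbi1.ru
I1FERMER.RU
#C&C IP
192.168.100.199
203.0.113.7
999.1.1.1
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# RFC 1918, loopback and link-local ranges are unreachable from the internet: an
# entry here is a sandbox artifact (the sample probing its analysis network), not
# attacker infrastructure, and must be kept out of perimeter blocklists.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_iocs(text):
    # Split a "#SHA256 / #URL/DOMAIN / #C&C IP" block into validated buckets.
    out = {k: [] for k in ("sha256", "domains", "routable_ips", "internal_ips", "rejected")}
    section = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("#"):            # section header, e.g. "#C&C IP"
            section = line[1:].strip().upper()
        elif section == "SHA256":
            val = line.lower()
            out["sha256" if SHA256_RE.match(val) else "rejected"].append(val)
        elif section == "URL/DOMAIN":
            dom = line.lower().rstrip(".")
            out["domains" if DOMAIN_RE.match(dom) else "rejected"].append(dom)
        elif section == "C&C IP":
            try:
                ip = ipaddress.ip_address(line)
            except ValueError:
                out["rejected"].append(line)
                continue
            internal = any(ip in net for net in INTERNAL_NETS)
            out["internal_ips" if internal else "routable_ips"].append(str(ip))
        else:
            out["rejected"].append(line)    # entry outside any known section
    return out
```

Only the `routable_ips` bucket is a candidate for a perimeter blocklist; `internal_ips` is still useful for host-based hunting inside the sandbox range the sample was detonated in.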
