“WastedLocker” to Attack Large Corporations in the United States

  • Russian actors were caught preparing large company networks for WastedLocker infections.
  • The attacks deployed a set of tools like Cobalt Strike, which help the hackers establish a wide presence.
  • The actors are pushing a fake browser update via 150 compromised websites, with the ZIP containing Cobalt Strike.

Symantec researchers are warning about an imminent wave of attacks against multiple American organizations. Reportedly, the threat actors are planning to deploy the “WastedLocker” ransomware strain to cripple corporate networks of key firms, including eight Fortune 500 companies. The motives behind this malicious campaign are purely financial, as it seems. Symantec says they have noticed and recorded cases of network breach and preparatory work for extensive system lock-downs. The actors are using the “SocGholish” JavaScript framework to push fake updates through 150 compromised websites, and then deploy the Cobalt Strike malware to steal credentials, escalate privileges, and move laterally.

All of this preparation is done to establish a presence on a large number of systems in the compromised network, thus having the capacity to cripple a firm’s IT system by encrypting large portions of it. Hitting one or two computers with WastedLocker wouldn’t do much against companies that follow security practices such as network layering and segmentation. This presence-establishing process often takes time, though, and the actors run the risk of getting noticed. The Symantec’s Threat Hunter team already confirmed hacking attempts against 31 organizations based in the U.S. The actors got noticed by Symantec’s AI, which identified specific patterns.

industry sector
Source: Symantec

The success of these attacks is again based on the human factor, as the hackers are pushing fake browser updates in ZIP files. Opening the file leads to a series of unfortunate events as detailed in the below flowchart. Windows Defender is unable to stop the infection as the attackers are disabling the scanning of downloaded files and attachments through a PsExec command-line action. In some cases, researchers noticed the removal of all installed definitions or even the disabling of real-time monitoring.

WastedLocker_Flowchart
Source: Symantec

As for the attribution, Symantec is limited to assumptions for the time being. WastedLocker is a new ransomware strain that appeared fairly recently and is thought to be the work of the “Evil Corp” group. This is a hacking group that has also been associated with the BitPaymer strain and Dridex banking Trojan. Two Russian hackers have been linked with Evil Corp by the U.S. DoJ, so this could be yet another case of Russian actors going against American firms.

System admins are advised to deploy file-based protection and also intrusion prevention solutions, as they should have anyway. Firms should train their employees to not apply browser updates via ZIP files that appear all of a sudden when browsing on unrelated websites. Symantec has already reported the C2 domains to the corresponding registrars, so the actors will notice a disruption in their operations now.

REVIEW OVERVIEW

Recent Articles

How to Watch ‘L.A.’s Finest’ Season 2 Online: Live Stream on Fox

Gabrielle Union and Jessica Alba are back for another season of L.A.'s Finest. We're going to watch L.A.'s Finest online, so let's see how...

8 Best Kodi Movie Addons in 2020

Thanks to the most popular Kodi addons right now, you are always just a few clicks away from a huge library of content. Of course,...

How to Watch ‘Filthy Rich’ Season 1 Online: Live Stream on Fox

There is a new show heading for Fox, and we are quite eager to see all the latest episodes, especially since it features Kim...