“WastedLocker” to Attack Large Corporations in the United States

  • Russian actors were caught preparing large company networks for WastedLocker infections.
  • The attacks deployed a set of tools like Cobalt Strike, which help the hackers establish a wide presence.
  • The actors are pushing a fake browser update via 150 compromised websites, with the ZIP containing Cobalt Strike.

Symantec researchers are warning about an imminent wave of attacks against multiple American organizations. Reportedly, the threat actors are planning to deploy the “WastedLocker” ransomware strain to cripple the corporate networks of key firms, including eight Fortune 500 companies. The motives behind this malicious campaign appear to be purely financial. Symantec says it has observed and recorded cases of network breaches and preparatory work for extensive system lock-downs. The actors are using the “SocGholish” JavaScript framework to push fake updates through 150 compromised websites, and then deploy the Cobalt Strike malware to steal credentials, escalate privileges, and move laterally.

All of this preparation is done to establish a presence on a large number of systems in the compromised network, giving the actors the capacity to cripple a firm’s IT environment by encrypting large portions of it. Hitting one or two computers with WastedLocker wouldn’t do much against companies that follow security practices such as network layering and segmentation. This presence-establishing process often takes time, though, and the actors run the risk of being noticed. Symantec’s Threat Hunter team has already confirmed hacking attempts against 31 organizations based in the U.S. The actors were spotted by Symantec’s AI, which identified specific patterns.

[Chart: targeted organizations by industry sector. Source: Symantec]

The success of these attacks is again based on the human factor, as the hackers are pushing fake browser updates in ZIP files. Opening the file leads to the series of unfortunate events detailed in the flowchart below. Windows Defender is unable to stop the infection, as the attackers disable the scanning of downloaded files and attachments through a PsExec command-line action. In some cases, researchers noticed the removal of all installed definitions or even the disabling of real-time monitoring.

[Flowchart: WastedLocker infection chain. Source: Symantec]
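As an added defensive illustration (not code from the article or from Symantec's report), the following Python scores process-creation events for the Defender tampering the article describes, rating it highest when launched through PsExec's service. The sample events are constructed, and the Set-MpPreference switches and MpCmdRun option are real Windows Defender options whose use here is an assumption, since the article names no commands.

```python
import re

# Constructed sample process-creation events (as an EDR or Sysmon Event ID 1
# feed might carry them), NOT taken from the Symantec report. Fields:
# parent image, image, command line.
SAMPLE_EVENTS = [
    ("C:\\Windows\\PSEXESVC.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -nop -c Set-MpPreference -DisableIOAVProtection $true"),
    ("C:\\Windows\\PSEXESVC.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("C:\\Windows\\PSEXESVC.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd /c \"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell Get-MpPreference"),
]

# Patterns mapping to the three behaviours the article reports. The cmdlet
# switches are real Defender options; that the actors used exactly these is an
# assumption, as the article names no commands.
TAMPER_PATTERNS = {
    "disable_download_attachment_scan": re.compile(r"-DisableIOAVProtection\s+\$?true", re.I),
    "disable_realtime_monitoring": re.compile(r"-DisableRealtimeMonitoring\s+\$?true", re.I),
    "remove_definitions": re.compile(r"MpCmdRun(\.exe)?.*-RemoveDefinitions", re.I),
}
REMOTE_EXEC_PARENTS = ("psexesvc.exe",)  # PsExec's service-side process name

def classify_event(parent: str, image: str, cmdline: str):
    """Return the tamper tags matched by this command line and whether the
    process was spawned by PsExec's service (the path the article singles out)."""
    tags = [name for name, pat in TAMPER_PATTERNS.items() if pat.search(cmdline)]
    via_psexec = parent.lower().rsplit("\\", 1)[-1] in REMOTE_EXEC_PARENTS
    return tags, via_psexec

def score_events(events):
    """Defender tampering on its own is medium severity; tampering launched
    through PsExec matches the reported tradecraft and is rated high."""
    alerts = []
    for parent, image, cmdline in events:
        tags, via_psexec = classify_event(parent, image, cmdline)
        if not tags:
            continue  # benign Defender queries and unrelated commands are ignored
        severity = "high" if via_psexec else "medium"
        alerts.append({"severity": severity, "tags": tags, "cmdline": cmdline})
    return alerts

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["tags"], alert["cmdline"])
```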

As for attribution, Symantec is limited to assumptions for the time being. WastedLocker is a new ransomware strain that appeared fairly recently and is thought to be the work of the “Evil Corp” group, a hacking group that has also been associated with the BitPaymer strain and the Dridex banking Trojan. Two Russian hackers have been linked with Evil Corp by the U.S. DoJ, so this could be yet another case of Russian actors going against American firms.

System admins are advised to deploy file-based protection as well as intrusion prevention solutions, as they should already have. Firms should train their employees not to apply browser updates delivered as ZIP files that appear out of the blue while browsing unrelated websites. Symantec has already reported the C2 domains to the corresponding registrars, so the actors should now see a disruption in their operations.

