- Russian actors were caught preparing large company networks for WastedLocker infections.
- The attacks deployed a set of tools like Cobalt Strike, which help the hackers establish a wide presence.
- The actors are pushing a fake browser update via 150 compromised websites, with the ZIP containing Cobalt Strike.
All of this preparation is done to establish a presence on a large number of systems in the compromised network, giving the actors the capacity to cripple a firm’s IT system by encrypting large portions of it. Hitting one or two computers with WastedLocker wouldn’t do much against companies that follow security practices such as network layering and segmentation. This presence-establishing process often takes time, though, and the actors run the risk of getting noticed. Symantec’s Threat Hunter team has already confirmed hacking attempts against 31 organizations based in the U.S. The actors were noticed by Symantec's AI, which identified specific patterns of activity.
The success of these attacks is again based on the human factor, as the hackers are pushing fake browser updates in ZIP files. Opening the file leads to a series of unfortunate events, as detailed in the flowchart below. Windows Defender is unable to stop the infection because the attackers disable the scanning of downloaded files and attachments through a PsExec command-line action. In some cases, researchers noticed the removal of all installed definitions or even the disabling of real-time monitoring.
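One way to check endpoints for the Defender tampering described above, as an added PowerShell audit script that is not from the article or from Symantec. It assumes a Windows host running Microsoft Defender Antivirus, administrator rights, and a seven-day lookback window, and it relies on the standard Defender operational event IDs (5001 real-time protection disabled, 5004/5007 configuration changed, 5010/5012 scanning disabled) plus System event 7045 for the PSEXESVC service that PsExec installs on a target.

```powershell
# Added audit script (assumption: Defender Antivirus present, run as administrator).
# Reports the settings the report says were tampered with, and recent events that
# would record such tampering or a PsExec service install.
$since    = (Get-Date).AddDays(-7)
$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = @()

# 1. Current configuration: the two switches the attackers are described as flipping.
if ($pref.DisableIOAVProtection) {
    $findings += "Scanning of downloaded files and attachments (IOAV) is disabled"
}
if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time monitoring is disabled"
}
# Removed definitions show up as a missing or very old signature set.
if (-not $status.AntivirusSignatureVersion -or $status.AntivirusSignatureAge -gt 3) {
    $findings += "Antivirus signatures missing or stale (age in days: $($status.AntivirusSignatureAge))"
}

# 2. Defender operational log: configuration changes and protection being switched off.
$defEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $defEvents) {
    $findings += "Defender event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

# 3. System log: Service Control Manager records a new service (7045) when PsExec
#    drops PSEXESVC on the host it is run against.
$psexec = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'PSEXESVC' }
foreach ($e in $psexec) {
    $findings += "PsExec service installed at $($e.TimeCreated) (event 7045)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Defender tampering or PsExec service installs found since $since"
} else {
    Write-Output "Findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it against a known-good host first so that legitimate policy changes (for example a GPO that sets Defender preferences) are recognised before triaging alerts from the rest of the fleet.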
As for the attribution, Symantec is limited to assumptions for the time being. WastedLocker is a ransomware strain that appeared fairly recently and is thought to be the work of the “Evil Corp” group, a hacking group that has also been associated with the BitPaymer strain and the Dridex banking Trojan. Two Russian hackers have been linked with Evil Corp by the U.S. DoJ, so this could be yet another case of Russian actors going after American firms.
System admins are advised to deploy file-based protection and intrusion prevention solutions, as they should already have done. Firms should train their employees not to apply browser updates delivered as ZIP files that appear all of a sudden while browsing unrelated websites. Symantec has already reported the C2 domains to the corresponding registrars, so the actors' operations should now be disrupted.