• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Dridex and Locky authors revamped the Bart malware

Dridex and Locky authors revamped the Bart malware

Pierluigi Paganini June 30, 2016

The authors responsible for Dridex and Locky malware have recently made another appearance, this time with their latest release – Bart malware.

Similar to other ransomware, infected users are notified of the compromise with their desktop backgrounds changed with a warning, confirming that their files have been encrypted and offering a number of URLs accessible via the TOR network where they can receive instructions on obtaining their private keys. Recovery instructions are also placed into a text file names recover.txt and located in many of the users folders.

bart malware

A screenshot of the desktop wallpaper recover.bmp

Unlike previous versions the cost of unlocking encrypted files has increased dramatically to 3 bitcoins (at time of writing equating to around 1425 Pounds Sterling or 1900 US Dollars) compared to the initial 0.5 or 1 bitcoin of its predecessors.

This particular ransomware was first discovered a few days ago by security vendor Phishme.

It differs greatly in operation from previous malware from presumably the same authors, notably in its lack of reliance on Command and Control servers, thus reducing the required investment and complexity on the attacker’s side.

Similar to Locky and Dridex the tool employs rogue JavaScript, invoking the Rockloader malware for delivery which is disseminated via ZIP attachments within emails, often containing permutations of the names photos.zip, pictures.zip or image.zip.

Other similarities include the payment portals, coding structure, email distribution mechanism and curiously the encryption of .n64 ROM files, with Locky being the only other malware to do this.

The ransom note, which displays itself as the desktop background is localized for English, Spanish, French, German and Italian and interestingly if the user’s language pack is detected in Russian, Ukrainian or Belorussian the users’ files aren’t encrypted.

Instead of employing the typical C2 key pair storing procedure where the encrypted files key is passed to the attackers command servers only available on release following payment of the ransom, Bart malware operates by placing the victims files in password protected ZIPs.

bart malware 2

Bart malware ’s payment portal, almost identical to that of Locky

The methods of operation and increased cost in terms of the price of the ransom, shows a worrying change in direction from the authors of these already difficult and potentially crippling digital infections.

The cost of operations and complexity have reduced on the attackers side, which arguably will see a rise in the volume of these attacks as the tools become more accessible to a larger number of malicious players.

The hardest hit in this latest wave won’t be the organizations who can respond quickly to these threats, employ an adequate backups system for restore in occasion of compromise and have the ability the filter the included attachment names at the perimeter but instead the numerous security naive end users on their home machines.

This, coupled with the increased cost for unlocking, could see Bart malware as one of the most destructive and intrusive forms of malware to date, particularly within the public realm.

Written by: Steven Boyd

Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bart malware, hacking)


facebook linkedin twitter

Bart malware Cybercrime Dridex Hacking Locky ransomware

you might also like

Pierluigi Paganini July 30, 2025
Apple fixed a zero-day exploited in attacks against Google Chrome users
Read more
Pierluigi Paganini July 30, 2025
PyPI maintainers alert users to email verification phishing attack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Apple fixed a zero-day exploited in attacks against Google Chrome users

    Security / July 30, 2025

    PyPI maintainers alert users to email verification phishing attack

    Hacking / July 30, 2025

    FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

    Cyber Crime / July 30, 2025

    Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

    Malware / July 30, 2025

    Orange reports major cyberattack, warns of service disruptions

    Security / July 29, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT