New Code-injecting SOREBRECT Fileless Ransomware detected in the wild

The number of fileless malware continues to increase, recently security researchers spotted a new Fileless Ransomware dubbed Sorebrect.

Sorebrect is able to inject malicious code into a legitimate system process (svchost.exe) on a targeted system and it terminates its binary to evade detection. It also make hard forensics analysis by deleting the affected system’s event logs using wevtutil.exe and shadow copies with vssadmin,and other artifacts such as files executed on the system.

SOREBRECT leveraged on Tor network to anonymize communications to command-and-control (C&C) server.

Unlike other ransomware, Sorebrect has been designed to specifically target enterprise’s systems in various industries (manufacturing, technology, and telecommunications), the malicious code it injects is tasked of file encryption on the local machine and connected network shares. The Sorebrect ransomware scans the local network for other connected systems with open shares and encrypts files stored on them.

“Extracting and analyzing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victim’s data. Its abuse of the PsExec utility is also notable; SOREBRECT’s operators apparently use it to leverage the ransomware’s code injection capability.” states the analysis shared by Trend Micro.

“While file encryption is SOREBRECT’s endgame, stealth is its mainstay. The ransomware’s self-destruct routine makes SOREBRECT a fileless threat. The ransomware does this by injecting code to a legitimate system process (which executes the encryption routine) before terminating its main binary.”

The experts noticed that the SOREBRECT fileless ransomware first compromises administrator credentials (i.e. by brute forcing attacks), then leverage Microsoft Sysinternals PsExec command-line utility to encrypt files.

“Why PsExec? While attackers can both use Remote Desktop Protocol (RDP) and PsExec to install SOREBRECT in the affected machine, its code injection capability makes the attack more effective. Compared to using RDP, utilizing PsExec is simpler and can take advantage of SOREBRECT’s fileless and code injection capabilities.” continues the analysis.

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs,” Trend Micro says.

The fileless ransomware was first spotted in Middle Eastern countries like Kuwait and Lebanon, recently experts observed attacks against systems in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

Below the best practices for securing systems and networks suggested by TrendMicro.

Restrict user write permissions.
Limit privilege for PsExec.
Back up files.
Keep the system and network updated.
Deploy multilayered security mechanisms.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SOREBRECT, fileless ransomware)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.