MBR-ONI ransomware involved in targeted attacks against Japanese organizations

MBR-ONI is a new ransomware that is being used for targeted attacks in Japan, experts speculate it was used to cover larger hacking campaigns.

MBR-ONI is a new ransomware that is being used for targeted attacks in Japan, it is a bootkit ransomware that uses a modified version of the legitimate open-source disk encryption utility DiskCryptor to encrypt the file.

DiskCryptor is the same utility that was used by the recently discovered Bad Rabbit ransomware that targeted systems worldwide, mostly in Russia and Ukraine.

Experts from security intelligence firm Cybereason who analyzed the MBR-ONI malware speculate it has been used as wipers delete any track of targeted attacks against Japanese organizations.

“For several months Cybereason has been following the concerning rise of ONI, a family of ransomware involved in targeted attacks against Japanese companies.” states the analysis published by Cybereason.

“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation. These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. “

The MBR-ONI was used by attackers in conjunction with ONI, that appears to be an earlier strain of ransomware developed by the same threat actors.

While ONI was used against most of the computers on targeted networks, MBR-ONI was used on only a limited number of endpoints. These endpoints were critical assets (Active Directory server, file servers, etc).

In the recent years, other wipers were used in targeted attacks including NotPetya, Mamba, SamSam, Shamoon and Bad Rabbit.

In the string of attacks against Japanese organizations, attackers leveraged on spear-phishing emails carrying weaponised Office documents that were used to deliver the Ammyy Admin RAT.

All the attacks that involved the ONI ransomware against Japanese companies across different industries shared the same pattern.

“The penetration vector used in the observed attacks consisted of spear-phishing emails that carried password-protected zip files containing weaponized Office documents.” continues the analysis.

“Once the victims extracted the zip file and opened the document, they were lured into enabling a macro. That launched a VBScript that downloaded and executed the Ammyy Admin RAT.”

Experts observed Ammyy Admin RAT installs on the compromised environment dated from December 2016 to September 2017, a circumstance that suggests that the attacks were carried over a period at least nine months.

Once the attackers penetrated the target’s environment, they will try to spread compromising critical assets such file servers, application servers and the domain controller (DC).

Researchers suspect that the threat actor used the NSA-leaked exploit EternalBlue, in conjunction with other tools to spread throughout the network.

ONI appears to share code with GlobeImposter ransomware, some routines are identical, while MBR-ONI shares a large portion of its code from DiskCryptor.

“While the ONI attacks presented in this blog are specific to Japan, we believe they also point to a concerning global trend. Using ransomware in targeted hacking operations is still quite uncommon compared to the popularity of ransomware in the overall cyber threat landscape.” concluded the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MBR-ONI,  malware)

[adrotate banner=”5″]

[adrotate banner=”13″]