Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.
I personally obtained the sample by researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at the ZLab.
Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.
The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.
After the execution, the ransomware creates three files:
Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.
It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.
A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.
Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.
You can download the full ZLAB Malware Analysis Report at the following URL:
http://csecybsec.com/download/zlab/20180228_CSE_Mobef_ransomware_new_variant.pdf
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Mobef ransomware, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Researchers at cybersecurity firm Resecurity detected a rise in cyberattacks targeting UAV and counter-UAV technologies.…
A November 2024 RA World ransomware attack on an Asian software firm used a tool…
A subgroup of the Russia-linked Seashell Blizzard APT group (aka Sandworm) ran a global multi-year…
The Sarcoma ransomware group announced a breach of the Taiwanese printed circuit board (PCB) manufacturing…
Russian cybercriminal Alexander Vinnik is being released from U.S. custody in exchange for Marc Fogel,…
Microsoft Threat Intelligence has observed North Korea-linked APT Emerald Sleet using a new tactic, tricking…
This website uses cookies.