Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.
I personally obtained the sample by researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at the ZLab.
Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.
The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.
After the execution, the ransomware creates three files:
Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.
It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.
A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.
Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.
You can download the full ZLAB Malware Analysis Report at the following URL:
http://csecybsec.com/download/zlab/20180228_CSE_Mobef_ransomware_new_variant.pdf
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Mobef ransomware, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Security Affairs Malware newsletter includes a collection of the best articles and research on malware…
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best…
Vulnerabilities in McDonald’s McHire chatbot exposed data from 64 million job applicants due to insecure…
Russian basketball player arrested in France over alleged ties to a ransomware group accused of…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds U.S. CISA adds Citrix NetScaler ADC and…
NCA arrested four people in UK, including three teens, over cyberattacks on M&S, Co-op, and…
This website uses cookies.