MegaCortex ransomware attacks spike

A spike in activity surrounding the relatively new ransomware MegaCortex was detected on May 1 hitting North America and several European nations.

MegaCortex, a take on Metacortex from The Matrix, first surfaced in late January when it was uploaded to VirusTotal from the Czech Republic. Since February there have been 76 confirmed attacks using the malware with 47 happening on May 1 and 2, in each case targeting a large enterprise and impacting hundreds of end points, Sophos reported.

“The convoluted infection methodology MegaCortex employs leverages both automated and manual components, and appears to involve a high amount of automation to infect a greater number of victims,” the report said.

Not all of the attack details are known, but Sophos sees some correlation between MegaCortex and Emotet and possibly Qbot/Qakbot as all have been seen on the same network. This hints to Sophos that the systems hit with MegaCortex may have a preexisting situation where Emotet or Qbot/Qakbot are already on board.

“If you are seeing alerts about Emotet or Qbot infections, those should take a high priority,” Sophos warned.

Brandon Levene, head of applied intelligence at Chronicle, VirusTotal’s parent company, said there is evidence MegaCortex is being used by the same actors as those behind Rietspoof.

“While there are no earlier samples of MegaCortex available, the same signer certificate (CN) is used in both the Rietspoof loader and MegaCortex samples dating back to at least Jan. 22, 2019. This means it is highly likely that the people using Rietspoof with that signature are also using MegaCortex," he said. "I can't say definitively that the same threat actors are behind both Rietspoof and Megacortex, but this finding solidifies a correlation.”

What is known for certain is the attacker, using stolen admin credentials execute a heavily obfuscated PowerShell script that covers a Cobalt Strike script that opens a Meterpreter reverse shell into the victim’s network.

The ransom note is written as if spoken by the Matrix character Morpheus.

The attack command is issued through the compromised domain controller, which Sophos said, “uses WMI to push the malware — a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file — to the rest of the computers on the network that it can reach, and then runs the batch file remotely via PsExec.”

The malware then kills 44 processes, issues stop commands to 189 different services and switch the Startup Type for 194 different services to disabled. Next on the strike list is the security software, where it tries to set improperly configured such software to disabled.

The final step launches the already downloaded winnit.exe which drops and executes a DLL payload with an eight-digit alphanumeric filename that actually performs the encryption.  

At this point the rather snarky ransom note appears, which Sophos said goes back to the Matrix theme and is written in the same cadence in which Morpheus speaks in the film.

The ransom amount is not mentioned; instead, the attacker demands the victim send a message to one of two email addresses provided and ask to pay up.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.