Fake Sophos

This week, Rust-based file-encrypting ransomware was found to be impersonating the cybersecurity firm Sophos (https://www.sophos.com) as part of its operation.  Named ‘SophosEncrypt’, the malware is being offered under the Ransomware-as-a-Service (RaaS) business model and appears to have already been used in malicious attacks.  After several security researchers warned of the new RaaS, Sophos said it was aware of the brand's impersonation and was investigating the threat.

See:  https://redskyalliance.org/xindustry/ficker-stealer-debuts-rust

After analyzing a SophosEncrypt sample, Sophos revealed that the threat has capabilities beyond those typically observed in ransomware, making it “a general-purpose remote access trojan (RAT)” that can encrypt files and generate ransom notes.

The malware, Sophos says, can communicate with its operators over email and using the Jabber instant messenger platform and can hook the keyboard driver to log keystrokes. It also abuses WMI commands to profile the system.  “Like many other ransomware, it excludes a list of directories that would either impede the system from booting or contain unimportant files if they were encrypted. The ransomware also checks the language settings on the system and refuses to run if it is set to use the Russian language,” Sophos explains.

Because of the operators using the vendor's name and disguising the malware's true identity, security researchers originally believed that the ransomware was part of a red-team exercise conducted by Sophos itself.  Now that the truth is revealed and an investigation is underway, Sophos has begun working on a "targeted detection rule for Sophos endpoint security products."

In its report, Sophos also noted that the ransomware executable is a bit dated regarding its functionality and acts more as a "general-purpose remote access trojan (RAT)" that also has the "capacity to encrypt files and generate these ransom notes."  The ransomware encryptor is written in Rust, has multiple references to a Tor website that leads to an affiliate panel for the ransomware operation, and has a command-and-control server (C2) that is linked to Cobalt Strike C2 servers that have been used in past attacks.

According to Sophos, another SophosEncrypt sample it has identified lacks some of these non-ransomware features.  Both samples, however, contain references to the same Tor (.onion) address related to a command-and-control (C&C) server, although neither of them uses that connection.  The cybersecurity firm also discovered that both samples connect to a hardcoded IP address previously associated with a Cobalt Strike C&C and with malicious attacks distributing crypto-miners.

The malware, executed using the Windows command line, appends the ‘.sophos’ extension to the encrypted files and drops a ransom note into each affected directory as an HTML Application (.hta) file.  “The ransomware also retrieves a graphic from a public image library website and uses that to change the Windows desktop wallpaper to a screen which reads ‘Sophos.’  Notably, this does not replicate Sophos logos, colors, or branding. Instead, it presents a green padlock logo and instructions on how the target can find and use the ransom note to contact the attackers,” Sophos explains.
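The two host-level indicators the article names (files renamed with a ‘.sophos’ extension and an .hta ransom note dropped into each affected directory) are simple enough to hunt for with a file-system sweep. The script below is an added example written for this post, not Sophos's detection rule or any code from the malware; the directory tree it builds is constructed, and the file and directory names in it are invented for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files carry the ".sophos"
# extension and each affected directory receives an HTML Application (.hta)
# ransom note. Everything else in this file is constructed for the example.
ENCRYPTED_EXT = ".sophos"
NOTE_EXT = ".hta"


def scan_for_indicators(root):
    """Walk `root` and return a sorted list of
    (relative_directory, encrypted_file_count, has_hta_note) for every
    directory showing at least one indicator. A directory with both
    encrypted files and an .hta note is the strongest signal; a lone .hta
    is weak (HTA files have legitimate uses) but is still reported so an
    analyst can triage it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.lower().endswith(NOTE_EXT) for f in filenames)
        if encrypted or has_note:
            findings.append((os.path.relpath(dirpath, root), encrypted, has_note))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory layout that mimics the post-encryption
    state the article describes (placeholder bytes, not real malware output)."""
    root = Path(root)
    hit = root / "Documents"          # hypothetical affected directory
    hit.mkdir(parents=True)
    (hit / "report.docx.sophos").write_bytes(b"\x00" * 16)
    (hit / "budget.xlsx.sophos").write_bytes(b"\x00" * 16)
    (hit / "information.hta").write_text("<html>ransom note placeholder</html>")
    clean = root / "Pictures"         # untouched directory, should not be reported
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    odd = root / "Downloads"          # .hta without encrypted files: weak signal
    odd.mkdir()
    (odd / "installer.hta").write_text("<html>benign HTA placeholder</html>")


def run_demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_indicators(tmp)


if __name__ == "__main__":
    for directory, count, note in run_demo():
        print(f"{directory}: {count} '.sophos' file(s), ransom note present: {note}")
```

Pointed at a real volume, `scan_for_indicators` gives a quick map of which directories were touched; because the extension and note name are constants, they are easy to swap for another family's indicators.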

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  
