MegaCortex
MegaCortex is ransomware that first appeared in May 2019. [1] MegaCortex has mainly targeted industrial organizations. [2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation |
MegaCortex can enable |
|
| Enterprise | T1531 | Account Access Removal |
MegaCortex has changed user account passwords and logged users off the system.[1] |
|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
MegaCortex has used |
| Enterprise | T1486 | Data Encrypted for Impact |
MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.[1][4] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
MegaCortex has used a Base64 key to decode its components.[1] |
|
| Enterprise | T1561 | .001 | Disk Wipe: Disk Content Wipe |
MegaCortex can wipe deleted data from all drives using |
| Enterprise | T1083 | File and Directory Discovery |
MegaCortex can parse the available drives and directories to determine which files to encrypt.[1] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
MegaCortex was used to kill endpoint security processes.[1] |
| Enterprise | T1490 | Inhibit System Recovery |
MegaCortex has deleted volume shadow copies using |
|
| Enterprise | T1112 | Modify Registry |
MegaCortex has added entries to the Registry for ransom contact information.[1] |
|
| Enterprise | T1106 | Native API |
After escalating privileges, MegaCortex calls |
|
| Enterprise | T1588 | .003 | Obtain Capabilities: Code Signing Certificates |
MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1] |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
MegaCortex loads |
| Enterprise | T1489 | Service Stop |
MegaCortex can stop and disable services on the system.[1] |
|
| Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
MegaCortex has used |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1] |
References
- Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.
- Brubaker, N. Zafra, D. K. Lunden, K. Proska, K. Hildebrandt, C.. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved February 15, 2021.
- ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.