MegaCortex

MegaCortex is ransomware that first appeared in May 2019.[1] It has mainly targeted industrial organizations.[2][3]

ID: S0576
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 17 February 2021
Last Modified: 26 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

MegaCortex can enable SeDebugPrivilege and adjust token privileges.[1]

Enterprise T1531 Account Access Removal

MegaCortex has changed user account passwords and logged users off the system.[1]
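The two techniques above (T1134 token privilege adjustment and T1531 password changes) both leave traces in the Windows Security log, provided the relevant audit subcategories are enabled (4703 "A token right was adjusted" needs Detailed Tracking > Audit Token Right Adjusted; 4724 "An attempt was made to reset an account's password" needs Account Management > Audit User Account Management). The detection logic below is an added example, not code from the ATT&CK page or from MegaCortex itself; the event records, the user and process names in them, and the allowlist of processes permitted to enable SeDebugPrivilege are constructed assumptions that a real deployment would replace with its own baseline.

```python
"""Added example: hunt for SeDebugPrivilege being enabled by an unexpected
process (T1134) and for one account resetting many other accounts' passwords
in a short window (T1531). Event dictionaries mimic Security log fields and
are constructed for this example; nothing here is from MegaCortex itself."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Set, Tuple

# Assumption: processes that legitimately enable SeDebugPrivilege on this host.
# Tune per environment; 4703 is noisy without an allowlist.
DEBUG_PRIV_ALLOWLIST: Set[str] = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\taskmgr.exe",
}


def _privs(field: str) -> Set[str]:
    """EnabledPrivilegeList is newline/tab separated in the real event."""
    return {p.strip() for p in field.replace("\r", "\n").split("\n") if p.strip()}


def sedebug_enabled_by_unexpected_process(
    events: Iterable[Dict[str, Any]],
    allowlist: Set[str] = DEBUG_PRIV_ALLOWLIST,
) -> List[Tuple[str, str]]:
    """Return (subject, process) for 4703 events enabling SeDebugPrivilege
    from a process that is not on the allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if "SeDebugPrivilege" not in _privs(ev.get("EnabledPrivilegeList", "")):
            continue
        if ev.get("ProcessName", "").lower() not in allowlist:
            hits.append((ev["SubjectUserName"], ev["ProcessName"]))
    return hits


def password_reset_bursts(
    events: Iterable[Dict[str, Any]],
    window: timedelta = timedelta(minutes=5),
    min_targets: int = 3,
) -> List[Tuple[str, List[str]]]:
    """Return (subject, targets) where one subject reset the passwords of at
    least min_targets distinct accounts within one sliding window."""
    by_subject: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4724:
            by_subject[ev["SubjectUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]))
    bursts = []
    for subject, resets in by_subject.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            targets = {t for ts, t in resets[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                bursts.append((subject, sorted(targets)))
                break  # one alert per subject is enough
    return bursts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4703, "TimeCreated": "2021-02-17T10:04:55", "SubjectUserName": "svc_backup",
     "ProcessName": r"C:\Users\Public\update.exe", "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4703, "TimeCreated": "2021-02-17T10:04:58", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege"},
    {"EventID": 4724, "TimeCreated": "2021-02-17T10:05:00", "SubjectUserName": "svc_backup", "TargetUserName": "alice"},
    {"EventID": 4724, "TimeCreated": "2021-02-17T10:05:12", "SubjectUserName": "svc_backup", "TargetUserName": "bob"},
    {"EventID": 4724, "TimeCreated": "2021-02-17T10:05:40", "SubjectUserName": "svc_backup", "TargetUserName": "carol"},
    {"EventID": 4724, "TimeCreated": "2021-02-17T10:30:00", "SubjectUserName": "helpdesk", "TargetUserName": "dave"},
]

if __name__ == "__main__":
    print("SeDebugPrivilege from unexpected process:", sedebug_enabled_by_unexpected_process(SAMPLE_EVENTS))
    print("Password reset bursts:", password_reset_bursts(SAMPLE_EVENTS))
```

The burst rule deliberately counts distinct target accounts rather than raw event count, so a helpdesk operator retrying one reset does not trip it, while a single identity resetting several accounts in minutes, which is what precedes locking users out, does.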

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

MegaCortex has used .cmd scripts on the victim's system.[1]

Enterprise T1486 Data Encrypted for Impact

MegaCortex has used the open-source Mbed Crypto library and generated AES keys to encrypt files.[1][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

MegaCortex has used a Base64 key to decode its components.[1]

Enterprise T1561.001 Disk Wipe: Disk Content Wipe

MegaCortex can wipe deleted data from all drives using cipher.exe, which overwrites unallocated space so that previously deleted files cannot be recovered.[1]

Enterprise T1083 File and Directory Discovery

MegaCortex can parse the available drives and directories to determine which files to encrypt.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

MegaCortex was used to kill endpoint security processes.[1]

Enterprise T1490 Inhibit System Recovery

MegaCortex has deleted volume shadow copies using vssadmin.exe.[1]

Enterprise T1112 Modify Registry

MegaCortex has added entries to the Registry for ransom contact information.[1]

Enterprise T1106 Native API

After escalating privileges, MegaCortex calls TerminateProcess, CreateRemoteThread, and other Win32 APIs.[1]

Enterprise T1588.003 Obtain Capabilities: Code Signing Certificates

MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.[1]

Enterprise T1489 Service Stop

MegaCortex can stop and disable services on the system.[1]

Enterprise T1218.011 Signed Binary Proxy Execution: Rundll32

MegaCortex has used rundll32.exe to load a DLL for file encryption.[1]
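Several of the techniques above surface directly in process-creation and image-load telemetry: vssadmin.exe deleting shadow copies (T1490), cipher.exe wiping free space (T1561.001), cmd.exe running .cmd scripts (T1059.003), and rundll32.exe loading a DLL from outside the Windows directory (T1218.011 / T1055.001, injecthelper.dll above). The rules below are an added example, not code from the ATT&CK page or from MegaCortex; the events are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 7 (image load), and the paths and script name in them are assumptions.

```python
"""Added example: command-line and image-load rules for the MegaCortex
behaviours listed on this page, run over constructed Sysmon-style events.
Field names follow Sysmon Event ID 1 and 7; the sample records are made up."""
import re
from typing import Any, Dict, Iterable, List, Tuple

# (technique id, compiled pattern over the CommandLine field)
CMDLINE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # T1490: shadow copy deletion; "vssadmin list shadows" must not match
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # T1561.001: cipher.exe /w:<drive> overwrites unallocated space
    ("T1561.001", re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I)),
    # T1059.003: cmd.exe invoking a .cmd script
    ("T1059.003", re.compile(r"\bcmd(\.exe)?\b.*\.cmd\b", re.I)),
]

WINDOWS_DIR = "c:\\windows\\"


def _is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def detect(events: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (technique id, evidence) for every rule an event satisfies."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid = str(ev.get("EventID"))
        if eid == "1":  # process creation
            cmd = ev.get("CommandLine", "")
            for tid, pat in CMDLINE_RULES:
                if pat.search(cmd):
                    hits.append((tid, cmd))
        elif eid == "7":  # image load
            loaded = ev.get("ImageLoaded", "")
            # T1218.011 / T1055.001: rundll32 loading a DLL that is not a
            # Windows system DLL (a trusted-binary proxy for attacker code)
            if _is_rundll32(ev.get("Image", "")) and not loaded.lower().startswith(WINDOWS_DIR):
                hits.append(("T1218.011", loaded))
    return hits


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},          # benign admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\cipher.exe",
     "CommandLine": "cipher.exe /w:C:"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\stop.cmd"},  # assumed script name
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\Public\injecthelper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},   # normal system DLL
]

if __name__ == "__main__":
    for tid, evidence in detect(SAMPLE_EVENTS):
        print(f"{tid}: {evidence}")
```

The vssadmin rule keys on the "delete shadows" verb rather than the binary name, since listing shadow copies is routine; the rundll32 rule keys on where the DLL lives rather than its name, so it still fires if the attacker renames injecthelper.dll. Both are starting points to be tuned against the environment's own baseline of cmd scripts and rundll32 usage.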

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1]

References