Nefilim Ransomware Group Eyes $1bn+ Revenue Companies


On Tuesday, Trend Micro released a case study analyzing Nefilim, a ransomware gang that the researchers believe is, or once was, linked with Nemty as a ransomware-as-a-service (RaaS) outfit.

Nemty first surfaced in 2019; Trend Micro, working together with Sentinel Labs, claims that Nefilim first surfaced in March 2020. Both actors, named "Water Roc" by the firm, offered RaaS subscription services with a 70/30 split, shifting to 90/10 when affiliates brought in high-profile victims.

According to Trend Micro, Nefilim looks for exposed Remote Desktop Protocol (RDP) services and for vulnerabilities with public proof-of-concept (PoC) exploit code. The two known vulnerabilities, CVE-2019-19781 and CVE-2019-11634 in Citrix gateway devices, were patched in 2020. Where unpatched services are found, however, the exploit code is run and initial access is gained. Nefilim then downloads a Cobalt Strike beacon, Process Hacker (used to terminate endpoint security agents), the Mimikatz credential dumper, and other tools.

In one case reported by the researchers, Nefilim also exploited CVE-2017-0213, an old weakness in the Windows Component Object Model (COM). Even though a patch was released in 2017, the flaw was still present on the affected system, allowing the group to escalate their privileges to administrator level.

For lateral movement and access to corporate networks, the ransomware operators may use stolen or easily brute-forced credentials, and MEGAsync may be used to exfiltrate data during an attack. The Nefilim ransomware is then installed and begins encrypting data. Although the extensions vary, the group has been associated with the extensions .Nephilim, Merin, and .Off-White.
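As an added, defender-side illustration (not code from Trend Micro's report or this article), the Python sketch below flags hosts whose endpoint telemetry shows the tooling and file-extension pattern described above: a named tool such as MEGAsync appearing, followed by a burst of renames to a Nefilim-associated extension. The telemetry line format, process image names, the five-minute window and the burst threshold are all assumptions.

```python
# Added example: correlate the Nefilim chain summarised in the article in
# constructed endpoint telemetry. Field layout, process names and thresholds
# are assumptions, not values from the report.
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article associates with Nefilim-encrypted files.
NEFILIM_EXTENSIONS = (".Nephilim", ".Merin", ".Off-White")
# Tools named in the article's intrusion chain (image names assumed).
SUSPICIOUS_TOOLS = {"megasync.exe", "processhacker.exe", "mimikatz.exe"}

RENAME_BURST = 20            # assumed: renames within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

def parse_event(line):
    """Parse one constructed 'timestamp|host|type|detail' telemetry line."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def assess_host_events(lines):
    """Return {host: [findings]} for hosts showing tool use or a rename burst."""
    tools_seen = defaultdict(set)
    renames = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse_event(line)
        if kind == "process" and detail.lower() in SUSPICIOUS_TOOLS:
            tools_seen[host].add(detail.lower())
        elif kind == "rename" and detail.endswith(NEFILIM_EXTENSIONS):
            renames[host].append(ts)
    findings = {}
    for host in set(tools_seen) | set(renames):
        notes = [f"tool observed: {t}" for t in sorted(tools_seen[host])]
        times = sorted(renames[host])
        start = 0
        # Sliding window: any WINDOW-long span holding >= RENAME_BURST renames.
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST:
                notes.append("rename burst to Nefilim extension")
                break
        if notes:
            findings[host] = notes
    return findings

# Constructed sample telemetry: fs01 shows MEGAsync and then 25 renames within
# seconds; ws07 renames a single file and must not be reported as a burst.
SAMPLE_EVENTS = ["2021-06-10T09:00:00|fs01|process|MEGAsync.exe"] + [
    f"2021-06-10T09:10:{i:02d}|fs01|rename|C:\\share\\doc{i}.docx.Nephilim"
    for i in range(25)
] + ["2021-06-10T09:30:00|ws07|rename|C:\\Users\\a\\note.txt.Off-White"]
```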

For each file queued for encryption, a random AES key is generated. The malware then uses a fixed RC4 key to decrypt a ran ..
