
GandCrab V5 Malware RSA NW coverage

Question asked by Yuvaraj Gullappa Employee on Oct 5, 2018

Does RSA have coverage for the below adversary with respect to NetWitness? Please help in providing alerting rules for the same.


@GandCrab V5
GandCrab v5 has been released with a few noticeable changes. The first change is that the ransomware now uses a random 5 character extension for encrypted files and a new HTML ransom note. 

Security researcher nao_sec has discovered that the GandCrab v5 ransomware is currently being distributed via malvertising that redirects to sites hosting the Fallout exploit kit. As the exploit kit utilizes vulnerabilities in the visitor's software to install the ransomware, a victim will become infected without knowing about it until they find the encrypted files and ransom note.

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer. This vulnerability was recently patched by Microsoft in the September 2018 Patch Tuesday, but as shown by computers still vulnerable to EternalBlue, businesses can be slow to install these updates.

The Task Scheduler ALPC vulnerability is a 0day exploit that was revealed by a security researcher on Twitter. When used, the vulnerability will allow executables to be executed using System privileges, which allows commands to be executed with full administrative privileges. 

GandCrab's use of this vulnerability was first discovered by a malware analyst named Valthek, who posted about it on Twitter. Valthek has told Bleeping Computer that this vulnerability appears to be the same one that security researcher Kevin Beaumont posted in his GitHub repository. 

Ref https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/ 
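Since the question asks for alerting logic, here is an added example (not RSA's or NetWitness's own code) of a host-side heuristic for the two behaviours described above: a single process renaming many files to an unknown five-character extension and then dropping an HTML ransom note. The event line format, the sample events, the process names and the allowlist of legitimate five-character extensions are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed event format for this example (not a NetWitness format):
#   "<ts> pid=<n> proc=<name> op=<rename|create> path=<new path>"
LINE_RE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+) op=(\w+) path=(.+)$")
# A trailing extension of exactly five letters/digits, as GandCrab v5 appends
RANDOM_EXT_RE = re.compile(r"\.([A-Za-z0-9]{5})$")
# Legitimate five-character extensions to ignore (assumed allowlist, extend for your estate)
KNOWN_EXTS = {"xhtml", "class", "plist", "dylib", "swift", "jsonl", "woff2", "ascii"}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line
    ts, pid, proc, op, path = m.groups()
    return {"ts": ts, "pid": int(pid), "proc": proc, "op": op, "path": path}

def detect(lines, rename_threshold=5):
    """Return (pid, proc, renames, html_creates) for each process that renamed at least
    rename_threshold files to an unknown 5-character extension AND created an HTML file."""
    stats = defaultdict(lambda: {"proc": "", "renames": 0, "html": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole batch
        s = stats[ev["pid"]]
        s["proc"] = ev["proc"]
        m = RANDOM_EXT_RE.search(ev["path"])
        if ev["op"] == "rename" and m and m.group(1).lower() not in KNOWN_EXTS:
            s["renames"] += 1
        elif ev["op"] == "create" and ev["path"].lower().endswith(".html"):
            s["html"] += 1
    return [(pid, s["proc"], s["renames"], s["html"])
            for pid, s in sorted(stats.items())
            if s["renames"] >= rename_threshold and s["html"] >= 1]

# Constructed sample events: pid 4120 behaves like the ransomware, pid 880 is benign
SAMPLE_LOG = """\
10:00:01 pid=880 proc=winword.exe op=create path=C:\\Users\\a\\report.docx
10:00:02 pid=880 proc=winword.exe op=rename path=C:\\Users\\a\\report_final.docx
10:00:05 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\budget.xlsx.kqzwf
10:00:05 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\photo.jpg.kqzwf
10:00:06 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\notes.txt.kqzwf
10:00:06 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\thesis.pdf.kqzwf
10:00:07 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\app.class
10:00:07 pid=4120 proc=sample.exe op=rename path=C:\\Users\\a\\keys.db.kqzwf
10:00:08 pid=4120 proc=sample.exe op=create path=C:\\Users\\a\\KQZWF-DECRYPT.html
""".splitlines()
```

Running `detect(SAMPLE_LOG)` flags only pid 4120 (five renames plus one HTML create); the `.class` rename is ignored by the allowlist, and the threshold can be raised to cut noise on file servers.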
