A new variant of Mobef Ransomware targeted Italian users
Security researchers at CSE Cybsec-ZLab recently published an analysis of a new variant of the Mobef ransomware, noting that Internet users in Italy are its primary targets.
Like typical ransomware, this new Mobef variant encrypts all of the user's files (without changing their extensions) and drops a file containing instructions on how to pay the ransom. It also pops up a warning window that displays the ransom note.
The analysis shows that the sample is written in Delphi 4 and does not contain any useful strings. Interestingly, some of the words that do appear in the file suggest that the developers of this variant most likely come from a country where Arabic is the mother tongue, for example “salam,” “bismillah,” and “mutaween.”
The variant's import address table is empty, which indicates that it is not as trivial as it looks: it uses some technique to hide its imports and hinder analysis.
To make analysis harder still, the encryption phase runs in a separate thread that was not visible to the researchers' debugger. The main thread waits on the encryption thread with the WaitForMultipleObjects API call before displaying the ransom note.
After execution, the ransomware creates three files:
- READ.4YOU: contains the ransom note shown in the pop-up window; it is dropped in every folder that holds encrypted files;
- Bismillah.KEI: contains a personal key used to identify the victim; it is also dropped in every folder that holds encrypted files;
- 286490.log: contains the list of encrypted files; it is stored in the Windows folder on the C: drive.
Once the encryption phase is complete, the variant tries to contact the external server “mutaween[.]sa” in order to upload information including the infected device's ID, the device name, and other data that has not yet been identified.
Curiously, the domain “mutaween[.]sa” does not exist, so it is not currently resolved by DNS. The researchers believe the developers may enable this feature in a later variant, once the domain has been registered.
After an in-depth analysis, the researchers concluded that this Mobef variant is feature-rich and very capable. For example, it encrypts not only files on the local hard drive but also files stored on removable devices such as USB sticks and on network shares.
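The artefacts described above (the dropped READ.4YOU and Bismillah.KEI files, the 286490.log list under the Windows folder, and the attempted lookup of mutaween[.]sa) are enough for a first-pass host and DNS sweep. The script below is an added example written for this page, not code from the researchers or from the article; the directory layout it builds and the DNS log line format it parses are constructed assumptions for demonstration.

```python
"""Sweep a host for the marker files of the Mobef variant described above and
scan DNS log lines for lookups of its contact domain.

Added example; not part of the original article. Paths, the sample tree and
the DNS log format are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up.
MARKER_FILES = {"READ.4YOU", "BISMILLAH.KEI"}   # compared case-insensitively (Windows FS)
ENCRYPTED_LIST_LOG = "286490.LOG"                # expected in the Windows folder
CONTACT_DOMAIN = "mutaween.sa"

# Assumed DNS log line shape: "<timestamp> <client-ip> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def sweep_tree(root):
    """Walk `root` and return a sorted list of (path, marker) hits.

    READ.4YOU / Bismillah.KEI are reported wherever they appear; 286490.log is
    reported only when it sits directly in a folder named 'Windows', matching
    the location the analysis describes.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            upper = name.upper()
            if upper in MARKER_FILES:
                hits.append((str(Path(dirpath) / name), upper))
            elif upper == ENCRYPTED_LIST_LOG and Path(dirpath).name.upper() == "WINDOWS":
                hits.append((str(Path(dirpath) / name), upper))
    return sorted(hits)


def encrypted_files_from_log(log_path):
    """Read the dropped log and return the listed paths, for scoping the damage."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def find_contact_attempts(lines):
    """Return (client, qname) pairs whose query is the contact domain or a subdomain of it.

    The domain is unregistered at the time of the analysis, so an NXDOMAIN answer
    is expected; the lookup itself is the useful signal.
    """
    found = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == CONTACT_DOMAIN or qname.endswith("." + CONTACT_DOMAIN):
            found.append((m.group("client"), qname))
    return found


def build_sample_tree():
    """Construct a throwaway directory tree that mimics an infected host (demo data)."""
    base = Path(tempfile.mkdtemp(prefix="mobef_demo_"))
    docs = base / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx").write_bytes(b"\x00" * 16)          # stands in for an encrypted file
    (docs / "READ.4YOU").write_text("ransom note placeholder")
    (docs / "Bismillah.KEI").write_text("victim-id placeholder")
    win = base / "Windows"
    win.mkdir()
    (win / "286490.log").write_text(str(docs / "report.docx") + "\n")
    return base


# Constructed DNS log lines; the third one must not match (different domain).
SAMPLE_DNS_LOG = [
    "2018-03-01T10:00:01Z 10.0.0.5 query www.example.com.",
    "2018-03-01T10:00:07Z 10.0.0.9 query mutaween.sa.",
    "2018-03-01T10:00:09Z 10.0.0.9 query notmutaween.sa.",
]

if __name__ == "__main__":
    root = build_sample_tree()
    for path, marker in sweep_tree(root):
        print(f"marker {marker}: {path}")
        if marker == ENCRYPTED_LIST_LOG:
            print("  encrypted files listed:", encrypted_files_from_log(path))
    for client, qname in find_contact_attempts(SAMPLE_DNS_LOG):
        print(f"contact attempt from {client}: {qname}")
```

On a real host you would point `sweep_tree` at each drive root and feed `find_contact_attempts` the resolver or firewall log; because the marker files are dropped in every folder that holds encrypted files, the set of directories returned by the sweep is also a quick map of which parts of the file system (including mounted removable media and network shares) were reached.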
Source: securityaffairs