Researchers at Sophos Labs discovered that the Maze ransomware group has adopted an older technique of encrypting systems from inside a VirtualBox virtual machine. The method was previously used by the Ragnar Locker group, which ran a Windows XP VirtualBox VM. The technique works by loading the attacker’s malicious files inside virtualization software, where the host’s antivirus software is not present to detect the malicious code.
An Old But Effective Technique
As antivirus software improves its threat detection, threat actors also evolve new techniques to evade it. One clever method seen recently is that of the Ragnar Locker group, which used a VirtualBox Windows XP VM to take over a system and encrypt it. This approach is now shared by the Maze group, also a prominent name in the ransomware space.
As Sophos researchers found during an incident response engagement for one of their customers, the Maze ransomware group has been using a VirtualBox Windows 7 VM to encrypt systems. They said the first two attacks were blocked by their Intercept X software; those attempts used scheduled tasks disguised with names such as “Google Chrome Security Update”, “Windows Update Security” and “Windows Update Security Patches.”
After those two attempts failed, the Maze group succeeded on the third try by deploying an MSI file that installs a customized Windows 7 virtual machine along with the VirtualBox VM software. A batch file named “startup_vrun.bat” is also loaded into the virtual environment. Because the virtual machine is set up to see the host’s actual drives as shares, the attackers can reach the real system from inside the VM.
Another big advantage of using virtualization software like VirtualBox is avoiding antivirus software: inside the VM there is none, so any malware passes undetected. Hence the Maze group shut the system down after deploying the Windows 7 VirtualBox VM; on restart, the VM runs the malicious script that encrypts the machine.
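As an added illustration (not code from Sophos or the article), the following triage check scores host telemetry against the indicators the article names: the lookalike scheduled-task names, a VirtualBox install via MSI, VirtualBox binaries on a host not expected to run them, a VM shared folder mapped to a whole host drive, and the startup_vrun.bat file. The telemetry tuple format, the VBoxManage shared-folder check and the two-signal threshold are assumptions.

```python
import re

# Indicators quoted in the article. Name matching is case-insensitive (assumption).
LOOKALIKE_TASKS = {
    "google chrome security update",
    "windows update security",
    "windows update security patches",
}
VM_BATCH = "startup_vrun.bat"
# Real VirtualBox executables; their presence alone is only suspicious on hosts
# that are not expected to run VirtualBox.
VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}
# VBoxManage "sharedfolder add ... --hostpath C:\" exposing a whole drive root.
WHOLE_DRIVE = re.compile(r'--hostpath\s+"?[a-z]:\\?"?(\s|$)')


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess_host(scheduled_tasks, processes, files, vbox_allowed=False):
    """Return the reasons a host matches the VM-based ransomware pattern.

    scheduled_tasks: iterable of (task_name, action) tuples
    processes:       iterable of (image_path, command_line) tuples
    files:           iterable of file paths observed on the host
    vbox_allowed:    True when this host legitimately runs VirtualBox
    """
    reasons = []
    for name, action in scheduled_tasks:
        if name.strip().lower() in LOOKALIKE_TASKS:
            reasons.append(f"lookalike update task {name!r} runs {action}")
    for image, cmdline in processes:
        base, low = _basename(image), cmdline.lower()
        if base == "msiexec.exe" and "virtualbox" in low:
            reasons.append("VirtualBox installed via MSI")
        elif base in VBOX_IMAGES and not vbox_allowed:
            reasons.append(f"unexpected VirtualBox binary {base}")
        if base == "vboxmanage.exe" and "sharedfolder" in low and WHOLE_DRIVE.search(low):
            reasons.append("VM shared folder mapped to a whole host drive")
    for path in files:
        if _basename(path) == VM_BATCH:
            reasons.append(f"VM startup script present: {path}")
    return reasons


def is_suspicious(reasons, threshold=2):
    """Two independent signals is the bar this triage uses (assumption)."""
    return len(reasons) >= threshold
```

A single hit (for example an allowed VirtualBox install) does not trip the threshold; the article's chain produces several, so the combination is what gets flagged.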