ShrinkLocker ransomware hits corporations via BitLocker exploit
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.
1. Ransomware group targets Windows admins through PuTTY & WinSCP malvertising
A recent search engine ad campaign targeted users searching for “download PuTTY” or “download WinSCP,” using typosquatting domains like puutty.org, wnscp[.]net, and vvinscp[.]net to display ads for fake sites. These sites cloned the legitimate WinSCP site and posed as an official PuTTY site, leading users to download a ZIP archive containing a trojanized Setup.exe installer. The installer was a renamed copy of the legitimate Python for Windows executable (pythonw.exe); when run, it loaded a malicious python311.dll shipped alongside it (DLL sideloading), which executed an encrypted Python script.
The script installed the Sliver post-exploitation toolkit, providing threat actors with initial access to corporate networks. They could then deploy further payloads, including Cobalt Strike beacons, and perform data exfiltration and ransomware deployment. To mitigate this threat, users should be educated about typosquatting risks and verify URLs before downloading software, ensure robust ad filtering, deploy comprehensive endpoint security solutions, and implement network monitoring and intrusion detection systems to detect and respond to unusual activities.
2. ShrinkLocker ransomware exploits BitLocker for file encryption
A new ransomware variant dubbed ShrinkLocker uses Windows BitLocker to encrypt corporate systems: it creates a new boot partition and shrinks the available non-boot partitions to maximize the damage. Written in Visual Basic Scripting (VBScript), ShrinkLocker uses the diskpart utility to resize partitions and BCDEdit to reinstall boot files, and it modifies registry entries to disable remote desktop connections and enable BitLocker encryption. Rather than dropping a ransom note, the attacker leaves only a contact email address, and deletes the BitLocker protectors so that the volumes cannot be recovered.
Because the only contact information is an inconspicuous email label on the BitLocker recovery screen, the aim may be destruction rather than financial gain. Multiple variants have targeted government entities and companies, prompting recommendations to secure backup strategies, manage BitLocker recovery keys, deploy Endpoint Protection Platforms (EPP), and enforce access controls.
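The "manage BitLocker recovery keys" recommendation in practice, as an added example that is not part of the advisory: a PowerShell audit that reports each volume's key protectors, flags volumes that have no recovery password (or no protectors at all, the state ShrinkLocker leaves behind), and escrows recovery passwords to Active Directory. It assumes the BitLocker PowerShell module, administrator rights and a domain-joined host; the report layout is an assumption.

```powershell
# Added example (not from the advisory): audit BitLocker key protectors on a host
# and escrow each recovery password to Active Directory. Requires the BitLocker
# PowerShell module and administrator rights; the output format is an assumption.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            # Encrypted but with every protector removed: nobody can unlock it.
            # This is the state ShrinkLocker leaves a volume in.
            NoProtectors     = ($types.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted')
        }
    }
}

function Backup-RecoveryProtectorsToAD {
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        foreach ($kp in $recovery) {
            try {
                # Escrow to AD DS (needs a domain-joined host; fails cleanly otherwise)
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
                Write-Output "Escrowed protector $($kp.KeyProtectorId) for $($vol.MountPoint)"
            } catch {
                Write-Warning "Escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
            }
        }
    }
}

$report = @(Get-BitLockerProtectorReport)
$report | Format-Table -AutoSize
foreach ($r in $report | Where-Object { $_.NoProtectors -or -not $_.HasRecoveryPwd }) {
    Write-Warning "Volume $($r.MountPoint) has no recovery password protector; recovery after tampering is impossible."
}
Backup-RecoveryProtectorsToAD
```

Run it from a scheduled job and ship the warnings to your SIEM; a volume that flips from "HasRecoveryPwd" to "NoProtectors" between two runs is worth an immediate look.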
3. Hackers exploit Foxit PDF Reader vulnerability to spread malware
Several threat actors are exploiting a design flaw in Foxit PDF Reader to distribute malware such as Agent Tesla, AsyncRAT, and Remcos RAT, according to a recent report. The technique relies on misleading security warnings that prompt users into running malicious commands; because Adobe Acrobat Reader does not behave the same way, the malicious documents attract little attention and see low detection rates. The flaw is that Foxit PDF Reader presents “OK” and “Open” as the default options in its pop-ups, and accepting them executes commands that download malware from sources such as Discord’s CDN.
The malware can steal data, execute remote access tools, and deploy cryptocurrency miners. Recommendations include using secure PDF readers like Adobe Acrobat Reader, educating users on pop-up security, deploying antivirus and endpoint protection, implementing network security measures, and restricting script execution permissions in PDF readers.
4. GhostEngine exploits vulnerable drivers to bypass EDR in cryptojacking campaign
Cybersecurity researchers have identified a new cryptojacking campaign, dubbed REF4578 and HIDDEN SHOVEL, that uses vulnerable drivers to disable security solutions (EDRs) and evade detection. The main payload, GHOSTENGINE, exploits drivers such as aswArPots.sys (Avast) and IObitUnlockers.sys (IObit) to terminate EDR software and deploy XMRig for cryptocurrency mining. The attack starts with a file named ‘Tiworker.exe’ that downloads a PowerShell script ‘get.png’ from the attacker’s server, which in turn downloads and executes ‘smartsscreen.exe,’ the main payload.
For persistence, it uses scheduled tasks and a DLL named ‘oci.dll’ to maintain control. Researchers recommend updating and patching drivers, enabling driver signature enforcement, using robust EDR solutions, implementing application whitelisting, and monitoring driver installations to mitigate such threats.
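The "monitoring driver installations" recommendation above, as an added example that is not part of the advisory or the researchers' tooling: a PowerShell check that lists watch-listed drivers registered on a host (with load state and signer) and then looks for the same file names staged on disk before a service exists. The watch list holds the two driver names the report cites; the search roots are an assumption.

```powershell
# Added example (not from the advisory or the researchers' tooling): list drivers
# from a watch list that are registered on this host, with load state and signer,
# then look for the same file names staged on disk. The watch list holds the two
# driver names the GhostEngine report cites; $Roots is an assumption.
#Requires -RunAsAdministrator
$WatchList = @('aswArPots.sys', 'IObitUnlockers.sys')

function Find-WatchListedDrivers {
    param([string[]]$Names = $WatchList)
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # PathName may be quoted, relative, or use NT forms such as \??\C:\... or \SystemRoot\...
        $path = $drv.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $leaf = Split-Path -Path $path -Leaf
        if ($Names -notcontains $leaf) { continue }   # -notcontains is case-insensitive

        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path }
        [pscustomobject]@{
            Service   = $drv.Name
            File      = $leaf
            Path      = $path
            State     = $drv.State       # 'Running' means the driver is loaded in the kernel
            StartMode = $drv.StartMode
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Find-WatchListedDriverFiles {
    # A dropper usually stages the .sys file before it creates the service
    param([string[]]$Names = $WatchList,
          [string[]]$Roots = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData))
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

$hits = @(Find-WatchListedDrivers)
if ($hits.Count -eq 0) {
    Write-Output 'No watch-listed driver is registered as a service.'
} else {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) watch-listed driver(s) registered; confirm the EDR agent is still running and isolate the host if unexpected."
}
Find-WatchListedDriverFiles | Format-Table -AutoSize
```

A valid Authenticode signature on a hit is expected, since these are legitimate vendor drivers being abused; the finding is their presence on a host that has no business running them, not their signature state.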
5. RustDoor malware infiltrates JAVS courtroom recording software
Malicious actors compromised the installer for Justice AV Solutions’ (JAVS) courtroom video recording software, distributing malware linked to the RustDoor implant in a supply chain attack identified as CVE-2024-4978. The affected software, JAVS Viewer v8.3.7, enables digital recording of courtroom proceedings and other events. The compromised installer, downloaded from the official JAVS website, contained an unexpected Authenticode certificate and an executable named “fffmpeg.exe,” which executed encoded PowerShell scripts.
This malware, once executed, connects to a command-and-control server, bypasses security measures, and downloads additional payloads. RustDoor, previously targeting macOS, has similar functionalities to GateDoor, a Windows variant, and may be associated with the ransomware affiliate ShadowSyndicate. JAVS responded by removing the affected version, conducting security audits, and advising users to verify software authenticity before installation, conduct regular audits, and enhance endpoint security.
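The "verify software authenticity before installation" advice here, and the trojanized PuTTY/WinSCP installer in item 1, come down to the same check, shown as an added example that is not part of the advisory or of JAVS: a PowerShell script that inspects every binary in a downloaded installer, flagging files that are unsigned or tampered, files signed by a publisher other than the expected one (the JAVS "unexpected certificate" case), and files whose embedded OriginalFilename does not match their name (a Setup.exe that is really pythonw.exe). The expected certificate subject is a parameter the operator supplies.

```powershell
# Added example (not from the advisory or from JAVS): verify every binary shipped
# with a downloaded installer before running it. Flags unsigned or tampered files,
# files signed by a publisher other than the one expected, and renamed binaries
# whose embedded OriginalFilename differs (the renamed pythonw.exe case).
# $ExpectedSubject is an assumption; pass the vendor's real certificate subject.
param(
    [Parameter(Mandatory)][string]$InstallerDir,
    [Parameter(Mandatory)][string]$ExpectedSubject
)

function Test-InstallerSignatures {
    param([string]$Dir, [string]$Expected)
    foreach ($f in Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $problems = @()
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status $($sig.Status)"          # unsigned or tampered
        } elseif ($subject -notlike "*$Expected*") {
            $problems += "signed by unexpected publisher: $subject" # the JAVS 'unexpected certificate' case
        }
        $orig = $f.VersionInfo.OriginalFilename
        if ($orig -and $orig -ne $f.Name) {
            $problems += "OriginalFilename is '$orig'"              # e.g. Setup.exe that is really pythonw.exe
        }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                File    = $f.FullName
                Sha256  = (Get-FileHash -Algorithm SHA256 -LiteralPath $f.FullName).Hash
                Problem = ($problems -join '; ')
            }
        }
    }
}

$results = @(Test-InstallerSignatures -Dir $InstallerDir -Expected $ExpectedSubject)
if ($results.Count -eq 0) {
    Write-Output "All binaries under $InstallerDir carry a valid signature from '$ExpectedSubject'."
    exit 0
}
$results | Format-Table -AutoSize -Wrap
Write-Warning "$($results.Count) file(s) failed verification; do not run this installer."
exit 1
```

Compare the reported SHA-256 values against the hashes the vendor publishes on its official site, not against values taken from the download page itself.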
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.