[MART] - Daily Diary #550 - Meet HavanaCrypt

CTAS-MAT ctas-mat at appgate.com
Tue Jul 12 20:18:48 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/12/2022 - Daily Diary #550

This week, a new in-development ransomware family was disclosed. Dubbed HavanaCrypt, it is written in .NET.

HavanaCrypt was found disguised as a Google Chrome update. Attackers can distribute such fake updates through spam messages or malvertising, hosting a fake page advertised on Google or social media platforms, to convince users to install the malicious application.

Before executing its payload, the malware runs a heavy anti-analysis routine, using several methods to check whether it is being executed in a virtual environment. Then it contacts the C2 server and receives a batch (.bat) file to disable Windows Defender. Curiously, the malware doesn't implement its own encryption routine. Instead, it uses the QueueUserWorkItem function from KeePass, a trusted password management application. As the malware doesn't yet display a ransom message, researchers believe it is still under development.

By using trusted software to encrypt files, rather than implementing its own encryption routine, HavanaCrypt can bypass the behavioral detections implemented by security solutions, since it becomes hard to distinguish the trusted software's API calls from the malware's own.

Kind Regards,





Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com

