  • Fake Sophos encrypts user files under the guise of antivirus software

    Insidious ransomware takes advantage of users' faith in a well-known brand.

    On July 17, researchers from MalwareHunterTeam discovered "SophosEncrypt," a new ransomware family that trades on the good name of Sophos, a well-known cybersecurity company.

    It was initially assumed to be part of a red team exercise run by Sophos specialists. However, the Sophos X-Ops team quickly denied any involvement and released a detailed report containing an analysis of the malware.

    According to the researchers, SophosEncrypt operates on the RaaS (ransomware-as-a-service) model and comes with an easy-to-use web-based management panel. The encryptor is written in Rust, and its build paths reference the directory "C:\Users\Dubinin" on Windows; the program located within that directory is named "sophos encrypt", which is where the researchers took the malware's name from.

    Icon of the ransomware executable

    When launched, the encryptor asks the attacker (an affiliate who has paid for access to the program's infrastructure) to enter a token tied to the victim, most likely obtained from the malware's web panel.

    Once a valid token is entered, the encryptor asks for further details used during encryption: an email address, a Jabber address, and a 32-character password (32 bytes, the length of a 256-bit key) that is fed into the encryption routine. The affiliate can then choose to encrypt specific files or the entire computer.

    After a file is encrypted, the token, the email address and a ".sophos" extension are appended to its name, and a ransom note named "information.hta" is dropped in every folder on the system and opened automatically. The desktop wallpaper is also replaced with the Sophos logo, further discrediting the company.
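The on-disk artifacts just described (the ".sophos" suffix with the token and email embedded in the file name, and an "information.hta" note in each folder) are what an incident responder first looks for. The following Python script is an added example, not code from the original article or from Sophos: it triages a file listing for those artifacts, extracts the token/email pair, and flags folders with encrypted files but no note. The exact name layout <original>.<token>.<email>.sophos, the alphanumeric token alphabet and the sample listing are assumptions constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE = "information.hta"      # note dropped in every folder
ENCRYPTED_SUFFIX = ".sophos"         # appended to every encrypted file

# Best-effort parse of <original>.<token>.<email>.sophos.  The delimiter
# layout and the token alphabet are assumptions.  A dotted e-mail local
# part is inherently ambiguous with this layout (the first label could be
# read as the token), so the parse may mis-split such names; the file is
# still flagged on the suffix alone, only the extracted fields suffer.
NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<token>[A-Za-z0-9]+)"
    r"\.(?P<email>[^\\/@.]+@[A-Za-z0-9.-]+)" + re.escape(ENCRYPTED_SUFFIX) + r"$",
    re.IGNORECASE,
)


def classify(path: str):
    """Classify one path as ('note', info), ('encrypted', info) or None."""
    p = PureWindowsPath(path)
    name = p.name
    if name.lower() == RANSOM_NOTE:
        return "note", {"dir": str(p.parent)}
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    # Flag on the suffix first; the parsed fields are a bonus.
    info = {"dir": str(p.parent), "original": None, "token": None, "email": None}
    m = NAME_RE.match(name)
    if m:
        info.update(original=m["original"], token=m["token"], email=m["email"])
    return "encrypted", info


def triage(paths):
    """Summarise a listing: how much was encrypted, which token/e-mail pair
    was used (one pair per victim is expected), where notes were dropped,
    and which folders hold encrypted files without a note."""
    encrypted, note_dirs = [], []
    pairs = Counter()
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        kind, info = hit
        if kind == "note":
            note_dirs.append(info["dir"])
        else:
            encrypted.append(info)
            if info["token"]:
                pairs[(info["token"], info["email"])] += 1
    enc_dirs = {e["dir"] for e in encrypted}
    return {
        "encrypted_count": len(encrypted),
        "unparsed": [e for e in encrypted if e["token"] is None],
        "pairs": dict(pairs),
        "note_dirs": sorted(set(note_dirs)),
        # Encrypted files but no note: either partial run or a tampered note.
        "dirs_without_note": sorted(enc_dirs - set(note_dirs)),
    }


# Constructed sample listing for the example; not real victim data.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.A1B2C3D4.pay@mail.example.sophos",
    r"C:\Users\victim\Documents\budget.xlsx.A1B2C3D4.pay@mail.example.sophos",
    r"C:\Users\victim\Documents\information.hta",
    r"C:\Users\victim\Pictures\holiday.jpg.A1B2C3D4.pay@mail.example.sophos",
    r"C:\Users\victim\Pictures\information.hta",
    r"C:\Data\weird.sophos",                 # suffix only, no token/e-mail
    r"C:\Windows\System32\kernel32.dll",     # untouched file
]

if __name__ == "__main__":
    import json
    print(json.dumps({k: (v if k != "pairs" else {f"{t}/{e}": n for (t, e), n in v.items()})
                      for k, v in triage(SAMPLE_LISTING).items()}, indent=2))
```

Feed it the output of a directory walk (for example `dir /s /b` from a forensic image) rather than letting it touch the live host; the interesting findings are a second token/email pair (two affiliates or a re-run) and folders listed under "dirs_without_note".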

    Wallpaper set after encryption is complete

    According to the Sophos researchers, the malware behaves more like a generic remote access Trojan than purpose-built ransomware: alongside encryption it can, for example, log keystrokes and profile the system via WMI queries.

    Interestingly, the malware also checks the system language settings and refuses to run if they are set to Russian, a check commonly seen in malware whose operators want to avoid victims in Russian-speaking countries, which raises questions about the program's authorship.

    Sophos experts found several samples of the malware, some of which contained no ransomware functionality at all. All of them, however, connected to an IP address already associated with Cobalt Strike command-and-control infrastructure.

    In their report, the Sophos researchers published the indicators of compromise (IoCs) needed to block the malware, and they have already added detection for it to their own security products.

    This incident shows how readily attackers rely on deception to mislead users. Using the well-known and respected Sophos brand to spread malware is a devious move that preys on people's trust: when a familiar name or logo appears, a user may run a malicious program without hesitation.

    Users must stay vigilant to avoid such incidents. Even seemingly trustworthy sources should not be trusted blindly: before running any file or program, verify where it came from. A critical, rational approach is the only reliable protection for your data and devices.

    Author DeepWeb