Cyber-security researchers at Intezer Labs and IBM X-Force have discovered an unusual ransomware that is reportedly being used in targeted attacks against enterprise servers. Named PureLocker because it is written in PureBasic, the malware has been traced back to a well-known Malware-as-a-Service (MaaS) provider whose wares are used by the Cobalt Gang and FIN6 attack groups.
According to the blog post by Intezer Labs malware researcher Michael Kajiloti, code reuse analysis shows that the ransomware is closely related to the ‘more_eggs’ backdoor, which is sold on the dark web and has already been used by multiple threat actors. The report says the attacks target both Windows and Linux servers, and that the malware evaded detection for weeks; it also reuses some code from the aforementioned backdoor.
Together with @IBMSecurity we have identified a new, undetected #ransomware being used in targeted attacks against enterprise production servers. Code reuse analysis points its origins to a MaaS provider utilized by #CobaltGang & #FIN6 attack groups. https://t.co/S9U4X2dlQi
— Intezer (@IntezerLabs) November 12, 2019
As mentioned already, the ransomware is written in the PureBasic programming language, a rare choice in the malware domain. According to Kajiloti, however, the unusual choice works in the attacker's favour, because “AV vendors have trouble generating reliable detection signatures for PureBasic binaries”. In addition, PureBasic code is portable between Windows, Linux, and OS X (macOS), which makes it easier to target several platforms with one code base.
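The two observations above, that signature-based AV struggled with the PureBasic binary while code reuse analysis still tied it to more_eggs, are easier to reason about with a concrete model of what "code reuse analysis" measures. The following script is an added illustration written for this page, not Intezer's tooling or any part of PureLocker: it slides a fixed-size window over two byte strings, records which windows of the "sample" also occur in the "reference", and merges the hits into contiguous regions, so a routine copied verbatim is found even when the two binaries place it at different offsets. The inputs are constructed byte blobs that stand in for a known backdoor, a new sample, and an unrelated file; the 16-byte window size is an arbitrary assumption. Real code reuse analysis operates on disassembled functions rather than raw bytes, because compiler and linker differences change the bytes even when the source is identical.

```python
"""Toy code-reuse analysis by sliding-window byte matching.

Added example, not Intezer's method or PureLocker code. Inputs are
constructed stand-ins, not real malware samples.
"""
import random

WINDOW = 16  # bytes per sliding window; an assumption for this toy model


def shared_regions(sample: bytes, reference: bytes, size: int = WINDOW) -> list:
    """Return [(start, end)] byte ranges of `sample` made only of windows that also occur in `reference`.

    Windows slide one byte at a time, so a routine that was copied verbatim is
    matched regardless of where each binary placed it.
    """
    ref_windows = {reference[o:o + size] for o in range(len(reference) - size + 1)}
    regions = []  # list of [start, end) runs, grown as consecutive hits arrive
    for off in range(len(sample) - size + 1):
        if sample[off:off + size] not in ref_windows:
            continue
        if regions and off == regions[-1][1] - size + 1:  # hit directly follows the previous one
            regions[-1][1] = off + size
        else:
            regions.append([off, off + size])
    return [tuple(r) for r in regions]


def shared_fraction(sample: bytes, reference: bytes, size: int = WINDOW) -> float:
    """Fraction of `sample`'s windows that also occur in `reference` (0.0 if no windows)."""
    total = len(sample) - size + 1
    if total <= 0:
        return 0.0
    covered = sum(end - start - size + 1 for start, end in shared_regions(sample, reference, size))
    return covered / total


def build_samples():
    """Constructed stand-ins for three binaries (constructed data, not real malware).

    `backdoor` and `ransomware` contain the same 256-byte routine at different
    offsets, surrounded by unrelated pseudo-random bytes; `unrelated` shares nothing.
    """
    rng = random.Random(2019)

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    shared_routine = bytes(range(256))  # the "reused" code, identical in both families
    backdoor = junk(120) + shared_routine + junk(80)
    ransomware = junk(300) + shared_routine + junk(200)
    unrelated = junk(600)
    return backdoor, ransomware, unrelated


if __name__ == "__main__":
    backdoor, ransomware, unrelated = build_samples()
    print("ransomware vs backdoor:", shared_regions(ransomware, backdoor),
          f"{shared_fraction(ransomware, backdoor):.1%} of windows shared")
    print("unrelated vs backdoor: ", shared_regions(unrelated, backdoor),
          f"{shared_fraction(unrelated, backdoor):.1%} of windows shared")
```

Running it reports one shared region in the ransomware stand-in, located exactly where the copied routine was placed, and none in the unrelated file. The fraction is deliberately modest: a family link rests on a specific block of shared code, not on the whole binary looking alike, which is why a signature built for one sample can miss the next while reuse analysis still connects them.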
It is not yet clear how the malware is delivered to victims, but infected systems receive ransom notes containing an email address through which to negotiate the fee for decrypting the files. Victims are also told that they have seven days to pay, after which the private key will be deleted, leaving the encrypted files unrecoverable.
Intezer Labs has published a detailed technical post about the malware and its modus operandi; it is reachable via the link in the tweet above.