S0576 MegaCortex
MegaCortex is ransomware that first appeared in May 2019.[1] MegaCortex has mainly targeted industrial organizations.[2][3]
Item | Value |
---|---|
ID | S0576 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 17 February 2021 |
Last Modified | 26 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | MegaCortex can enable SeDebugPrivilege and adjust token privileges.[1] |
enterprise | T1531 | Account Access Removal | MegaCortex has changed user account passwords and logged users off the system.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | MegaCortex has used .cmd scripts on the victim's system.[1] |
enterprise | T1486 | Data Encrypted for Impact | MegaCortex has used the open-source Mbed Crypto library and generated AES keys to carry out the file encryption process.[1][4] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | MegaCortex has used a Base64 key to decode its components.[1] |
enterprise | T1561 | Disk Wipe | - |
enterprise | T1561.001 | Disk Content Wipe | MegaCortex can wipe deleted data from all drives using cipher.exe.[1] |
enterprise | T1083 | File and Directory Discovery | MegaCortex can parse the available drives and directories to determine which files to encrypt.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | MegaCortex was used to kill endpoint security processes.[1] |
enterprise | T1490 | Inhibit System Recovery | MegaCortex has deleted volume shadow copies using vssadmin.exe.[1] |
enterprise | T1112 | Modify Registry | MegaCortex has added entries to the Registry for ransom contact information.[1] |
enterprise | T1106 | Native API | After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread(), and other Win32 APIs.[1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.003 | Code Signing Certificates | MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.[1] |
enterprise | T1489 | Service Stop | MegaCortex can stop and disable services on the system.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | MegaCortex has used rundll32.exe to load a DLL for file encryption.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1] |
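Several rows in the table describe host behaviours that leave process-creation telemetry: vssadmin.exe deleting shadow copies (T1490), cipher.exe wiping free space (T1561.001), and rundll32.exe loading a DLL for encryption (T1218.011 / T1055.001). The following is an added detection example, not MegaCortex code and not from MITRE or the cited reports: hunting rules in Python run over constructed Sysmon-style process-creation events. The event shape, host names, timestamps and the DLL path are assumptions; the command-line forms are the documented syntax of vssadmin and cipher, not command lines recovered from the malware.

```python
"""Hunting rules for the MegaCortex-style host behaviours listed in the table.

Added example, not MegaCortex code or MITRE's: hand-written rules applied to
constructed process-creation events (simplified Sysmon Event ID 1 shape).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    technique: str
    reason: str


# Constructed sample telemetry (not real MegaCortex logs). Events 2-4 mimic the
# vssadmin, cipher.exe and rundll32 behaviours from the table; the others are benign.
SAMPLE_EVENTS = [
    Event("2021-02-15T10:01:02Z", "WS01", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\a\notes.txt"),
    Event("2021-02-15T10:05:11Z", "WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("2021-02-15T10:05:12Z", "WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\cipher.exe", "cipher.exe /w:C:\\"),
    Event("2021-02-15T10:05:20Z", "WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\injecthelper.dll,Entry"),
    Event("2021-02-15T10:06:00Z", "WS01", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("2021-02-15T10:07:00Z", "WS02", r"C:\Windows\System32\services.exe",
          r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

DLL_TOKEN = re.compile(r'[^\s,"]+\.dll', re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_shadow_delete(e: Event):
    """T1490: vssadmin deleting shadow copies (merely listing them is benign)."""
    if _basename(e.image) == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", e.cmdline, re.I):
        return "vssadmin deleting volume shadow copies"
    return None


def rule_cipher_wipe(e: Event):
    """T1561.001: cipher.exe /w:<dir> overwrites free space, destroying deleted data."""
    if _basename(e.image) == "cipher.exe" and re.search(r"(^|\s)/w:", e.cmdline, re.I):
        return "cipher.exe wiping free space"
    return None


def rule_rundll32_foreign_dll(e: Event):
    """T1218.011 / T1055.001: rundll32 loading a DLL from outside the Windows directory.

    Legitimate rundll32 use almost always names a DLL under C:\\Windows, so the path
    filter is what keeps this rule quiet; a relative DLL name is flagged as well."""
    if _basename(e.image) != "rundll32.exe":
        return None
    for dll in DLL_TOKEN.findall(e.cmdline):
        if not dll.lower().startswith(SYSTEM_DIR):
            return f"rundll32 loading {dll} from outside the Windows directory"
    return None


RULES = [("T1490", rule_shadow_delete), ("T1561.001", rule_cipher_wipe),
         ("T1218.011", rule_rundll32_foreign_dll)]


def detect(events):
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    return [Finding(e.ts, e.host, tid, reason)
            for e in events for tid, rule in RULES if (reason := rule(e))]


def correlate(findings):
    """Map host -> set of technique IDs observed on it."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return dict(per_host)


def likely_ransomware_staging(findings, min_techniques=2):
    """Hosts where two or more distinct pre-encryption behaviours co-occur. Any one
    rule alone can fire on admin activity; the combination is what resembles the
    recovery-inhibition plus encryptor-loading sequence described in the table."""
    return sorted(h for h, t in correlate(findings).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.technique}: {f.reason}")
    print("staging hosts:", likely_ransomware_staging(hits))
```

The rules key on the image basename plus command-line shape rather than on hashes, so they survive the version-to-version changes the first reference describes; the rundll32 rule will need tuning where software legitimately ships DLLs under ProgramData or Program Files.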
References
- [1] Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- [2] Zafra, D., Lunden, K., Brubaker, N., Kennelly, J. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.
- [3] Brubaker, N., Zafra, D. K., Lunden, K., Proska, K., Hildebrandt, C. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved February 15, 2021.
- [4] ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.