by Memosyne 2055 days ago
> Each sample of the malware contains a hardcoded name of the victim organization.

> Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

> Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Seems pretty amateurish...


> Seems pretty amateurish...

It is for manually targeted attacks. Once it is deployed, the damage is done and the victim is notified. They don't need C&C. The hardcoded victim name is probably just a big FU.

You can have excellent perimeter security but this organisation might just bribe an employee to gain access.

It is far more scary than some automated bot scanning for ports.

I'm not denying its effectiveness, just remarking on its technical merit as a topic of discussion. Once the system is already compromised it becomes less about the payload and more about the attack vector involved. If the payload in question was using novel techniques then it would be a different story but the analysis shows the program to be relatively rudimentary.

Well, no point in over-engineering a solution, right?

To put it another way, sounds like they moved fast (and maybe broke a few things?), put together an MVP that meets their needs, rolled it out, and are now likely learning and gathering feedback for their next iteration... sounds like they fit right in around here!

(This thread reminded me of something a cow-orker used to say: "If it's stupid but it works, it's not stupid".)

Keeping things simple can be a good judgement decision? (This time in a weird context)

> ELF binary contains some debug information

But that sounds weird to me

Hm, I possibly misused the term "amateurish" when I meant "simple". My apologies for the confusion.

FU in terms of Fear & Uncertainty or f*ck you?

I read it as f* up.

Maybe it's for debugging the software out in the wild?

Seems that they forgot to strip debug information. Clearly this is lack of *nix dev skills.

Most ransomware doesn't do C&C. It doesn't need to, and it's stealthier that way.

Actors that do exfil typically have other malware in their toolkit to do just that.
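Several comments above turn on the sample's ELF binary still carrying debug information. As an added example (not part of any comment or of the analysed sample), here is a small triage check an analyst can run on an ELF file to see whether an unstripped symbol table or DWARF debug sections are present; the minimal ELF image it builds for the demonstration is constructed test data, and the section names used are standard ELF names.

```python
import struct

# Section names whose presence indicates an unstripped binary:
# .symtab carries function and global names, .debug_* carries DWARF data
# (source file names, line tables). Stripped builds drop all of these.
DEBUG_PREFIXES = (".debug_", ".symtab")


def elf_section_names(data: bytes) -> list:
    """Return the section names of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # ELF64 header: e_shoff at 0x28; e_shentsize, e_shnum, e_shstrndx at 0x3a
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        # Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
        sh_name, _, _, _, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        headers.append((sh_name, sh_offset, sh_size))
    _, str_off, str_size = headers[e_shstrndx]
    shstrtab = data[str_off:str_off + str_size]  # section-name string table
    return [shstrtab[n:shstrtab.index(b"\0", n)].decode() for n, _, _ in headers]


def debug_sections(data: bytes) -> list:
    """Names of sections that show the binary was not stripped."""
    return [n for n in elf_section_names(data) if n.startswith(DEBUG_PREFIXES)]


def build_elf(section_names: list) -> bytes:
    """Constructed test data: a minimal, non-executable ELF64 image whose
    section header table lists the given names (plus the null and .shstrtab
    entries). Sections other than .shstrtab are empty."""
    names = [""] + section_names + [".shstrtab"]
    shstrtab, offsets = b"", []
    for n in names:
        offsets.append(len(shstrtab))
        shstrtab += n.encode() + b"\0"
    shstr_off = 64                                   # right after the header
    shoff = (shstr_off + len(shstrtab) + 7) & ~7     # 8-byte aligned table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64,
        len(names), len(names) - 1)
    body = bytearray(ehdr) + shstrtab + b"\0" * (shoff - shstr_off - len(shstrtab))
    for i, n in enumerate(names):
        is_str = n == ".shstrtab"
        body += struct.pack("<IIQQQQIIQQ", offsets[i], 3 if is_str else 1,
                            0, 0, shstr_off if is_str else 0,
                            len(shstrtab) if is_str else 0, 0, 0, 0, 0)
    return bytes(body)
```

On a real file, `debug_sections(open(path, "rb").read())` returning anything non-empty is the same signal `readelf -S` would show; an empty list means the build was stripped.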