GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP

GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP

DOWNLOAD PDF

SUMMARY
ASEC (AhnLab Security Emergency response Center) identified GlobeImposter ransomware being spread by the same threat actors behind MedusaLocker. Evidence gathered by ASEC from infection logs and other artifacts point to the ransomware being distributed via RDP.

TECHNICAL DETAILS
Typical IOCs include a new “skynet work” subdirectory within the “Music” directory to house the malware. The compromised system is then infected with shared folder scanners, Mimikatz, a network password recovery tool, and port scanners. In some instances, XMRig CoinMiner was installed to mine cryptocurrency. Internal reconnaissance is performed after gaining control of the system through RDP.

The same email and onion addresses reported by the CISA as being utilized by the MedusaLocker group are also among those listed in the ransom note of the GlobeImposter ransomware.

INDICATORS OF COMPROMISE (IOCs) MD5
715ddf490dbaf7d67780e44448e21ca1
646698572afbbf24f50ec5681feb2db7
70f87b7d3aedcd50c9e1c79054e026bd
f627c30429d967082cdcf634aa735410
597de376b1f80c06d501415dd973dcec
4fdabe571b66ceec3448939bfb3ffcd1
6a58b52b184715583cda792b56a0a1ed

Port Scanner
4edd26323a12e06568ed69e49a8595a5
a03b57cc0103316e974bbb0f159f78f6

mimispool.dll
ddfad0d55be70acdfea36acf28d418b3

mimilib.dll
21ea77788aa2649614c9ec739f1dd1b8
5e1a53a0178c9be598edff8c5170b91c
bb8bdb3e8c92e97e2f63626bc3b254c4

mimikatz.exe C&C
hxxp://46.148.235[.]114/cmd.php

 

REFERENCES
https://asec.ahnlab.com/en/48940/
https://www.hhs.gov/sites/default/files/medusalocker-ransomware-analyst-note.pdf

CONTACT US