A Fileless Ransomware “SOREBRECT” Discovered that have the capability to inject the Malicious code into the target and Encrypt the victim’s data. its PsExec utility lets you execute processes on other systems.
SOREBRECT developed with more stealthy and self-destruct routine capability make it as Fileless Malware. Before terminating the main Binary it executes the encryption routine to inject the code into legitimate process called svchost.exe
It’s Evasion Technique Avoid Detection and Difficult to Deleted from affecting systems event logs other tracking artifacts that forensics information such as files executed on the system, including their timestamps.
These stealthy functions help to SOREBRECT activities from being tracked.
Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence
Attack Chain
Windows command-line helps to execute commands or run executable files on the remote system by the administrator which is Performed by SOREBRECT’s legitimate attack chain involves the abuse of PsExec.
SOREBRECT’s attack chain {Credit: Trend Micro}
Once PsExec performs to execute the code into the victim’s machine, it indicates that the administrator account has been already compromised and brute force the remote Target credentials.
According to Trend Micro Report, SOREBRECT is not a first threat Family that misuses the psExec to inject and execute the legitimate code. Before this ransomware, SAMSAM, Petya Ransomware family already misuses this Function.
“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”
It’s self-terminating capability help to makes this Ransomware into Fileless after injecting the code into the memory.
RDP vs PsExec Performance
The attacker uses both Remote Desktop Protocol and PsExec to inject the SOREBRECT into affected target.
Also Read Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept
Compare to RDP, PsExec is simpler and can take advantage of SOREBRECT’s Fileless and code injection capabilities.
This attack performs more evasive by its code injection capability.
“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”
Finally, SOREBRECT encrypting the files on the local machine and network shares by inject the svhost.exe process and execute the payload by using TOR anonymously communicate with Command & Control server (C&C Server).
