Page 4 - Cyber Byte August 2023
creation of a new user account dubbed “SystemHelp”, which is added with “net.exe” to the
“Remote Desktop Users” and “Administrators” groups; these commands are used to move laterally
and evade detection. Registry settings are then modified using “reg.exe” to allow Remote
Desktop Protocol (RDP) connections to the target machine.
The ransomware is also responsible for deactivating recovery options using BCDedit. The
BCDedit command can be used to disable the error recovery option on Windows, making the
malware harder to remove from the system. The adversary deletes file backups using
“vssadmin.exe” and generates the ransom note “FILE RECOVERY.txt”, which is dropped across
multiple folders, including Program Files and the Recycle Bin. The encrypted files are given
the “.mallox” file extension.
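The post-compromise steps described above (account creation with net.exe, addition to the RDP and Administrators groups, RDP enabled through reg.exe, recovery disabled with BCDedit, backups deleted with vssadmin.exe) all leave process-creation records that a defender can match on. The following detection script is an added example and is not part of the newsletter. It assumes process-creation events have been exported as pipe-delimited text (timestamp|host|user|image|command_line, for instance from Sysmon Event ID 1 or Security Event ID 4688); the log lines, host names and user names below are constructed for the example.

```python
"""Flag process-creation events matching the Mallox steps described in the newsletter,
and raise a per-host verdict when several distinct steps occur on the same machine."""
import re
from collections import defaultdict

# Each rule: (name, allowed process images, regex applied to the lower-cased command line).
RULES = [
    ("account_created_with_net", {"net.exe", "net1.exe"},
     re.compile(r"\buser\b.*\s/add\b")),
    ("added_to_rdp_or_admin_group", {"net.exe", "net1.exe"},
     re.compile(r"\blocalgroup\b.*(remote desktop users|administrators).*\s/add\b")),
    ("rdp_enabled_via_registry", {"reg.exe"},
     re.compile(r"\badd\b.*terminal server.*fdenytsconnections")),
    ("recovery_disabled_via_bcdedit", {"bcdedit.exe"},
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("shadow_copies_deleted", {"vssadmin.exe"},
     re.compile(r"\bdelete\b.*\bshadows\b")),
]

# This many distinct rules firing on one host is reported as a likely ransomware precursor chain.
CHAIN_THRESHOLD = 3

# Constructed sample events (assumed export format: timestamp|host|user|image|command_line).
SAMPLE_LOG = [
    "2023-08-01T10:01:02|HOST01|corp\\jdoe|C:\\Windows\\System32\\net.exe|net user SystemHelp /add",
    "2023-08-01T10:01:05|HOST01|corp\\jdoe|C:\\Windows\\System32\\net1.exe|net localgroup \"Remote Desktop Users\" SystemHelp /add",
    "2023-08-01T10:01:06|HOST01|corp\\jdoe|C:\\Windows\\System32\\net1.exe|net localgroup Administrators SystemHelp /add",
    "2023-08-01T10:02:00|HOST01|corp\\jdoe|C:\\Windows\\System32\\reg.exe|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2023-08-01T10:03:00|HOST01|corp\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2023-08-01T10:03:30|HOST01|corp\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    # Benign administrative activity on another host: should not fire any rule.
    "2023-08-01T11:00:00|HOST02|corp\\admin|C:\\Windows\\System32\\net.exe|net user",
    "2023-08-01T11:00:10|HOST02|corp\\admin|C:\\Windows\\System32\\reg.exe|reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections",
    "malformed line without enough fields",
]


def parse_event(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    # Compare on the image basename so full paths and case differences do not matter.
    return {"ts": ts, "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}


def match_rules(event):
    """Return the names of every rule the event matches."""
    cmd = event["cmd"].lower()
    return [name for name, images, pattern in RULES
            if event["image"] in images and pattern.search(cmd)]


def detect(lines):
    """Run all rules over the lines.

    Returns (hits, chains): hits is one dict per matching event, chains maps each host on
    which at least CHAIN_THRESHOLD distinct rules fired to the sorted list of those rules."""
    hits = []
    rules_per_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for name in match_rules(event):
            hits.append({"rule": name, "host": event["host"],
                         "ts": event["ts"], "user": event["user"], "cmd": event["cmd"]})
            rules_per_host[event["host"]].add(name)
    chains = {host: sorted(names) for host, names in rules_per_host.items()
              if len(names) >= CHAIN_THRESHOLD}
    return hits, chains


if __name__ == "__main__":
    found, chained = detect(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['host']} {hit['rule']}: {hit['cmd']}")
    for host, names in chained.items():
        print(f"ALERT {host}: {len(names)} ransomware-precursor steps seen -> {', '.join(names)}")
```

Each rule on its own is noisy (administrators legitimately add users and query the Terminal Server key), so the per-host chain verdict is what should page an analyst; the individual hits are kept for triage context. Adding a time window to the chain logic is the natural next step for a production rule.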
Recommendations:
• Install updates and patches regularly.
• Conduct regular data backups and keep those backups offline.
• Firewalls and other network solutions should be configured to block traffic on
non-conventional ports.
• Organizations should implement email protection solutions to filter out malicious emails.
• Implement Multi-Factor Authentication (MFA).
• Enforce the use of strong passwords and limit user access through the principle of least privilege.
• Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and
Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain; these email
validation mechanisms are designed to prevent e-mail spoofing.
• Never click on or execute email attachments from unknown sources.
• Users should take care when enabling macros in internal Office files.
• Never run unknown files with exaggerated titles.
• Never open links shared on social media from unknown sources.
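The SPF, DKIM and DMARC recommendation above is only effective if the published records are present and strict. The following checker is an added example, not part of the newsletter: given the TXT record strings for a domain, it reports the common misconfigurations (a permissive or missing SPF "all" mechanism, too many SPF lookup mechanisms, an empty DKIM key, a DMARC policy of "none"). The record strings and domain names below are constructed; a real audit would fetch them from DNS first, which this offline example does not do.

```python
"""Audit SPF, DKIM and DMARC TXT records for the weaknesses that leave a domain spoofable."""

# SPF mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10


def parse_tags(txt):
    """Parse 'k=v; k=v' tag lists as used by DKIM and DMARC records into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt):
    """Return a list of issues with an SPF record (empty list means it looks sound)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF record missing or does not start with v=spf1"]
    issues = []
    terms = txt.split()[1:]
    if any(t in ("+all", "?all", "all") for t in terms):
        issues.append("SPF 'all' qualifier is permissive; use -all (fail) or ~all (softfail)")
    elif not any(t in ("-all", "~all") for t in terms):
        issues.append("SPF record has no 'all' mechanism, so unlisted senders are not rejected")
    lookups = 0
    for t in terms:
        name = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS or t.lower().startswith("redirect="):
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"SPF needs {lookups} DNS lookups, over the limit of {SPF_LOOKUP_LIMIT}")
    return issues


def check_dkim(txt):
    """Return issues with a DKIM selector record; an empty p= tag means the key is revoked."""
    if not txt:
        return ["DKIM selector record missing"]
    tags = parse_tags(txt)
    issues = []
    if "p" not in tags:
        issues.append("DKIM record has no p= public key tag")
    elif tags["p"] == "":
        issues.append("DKIM public key is empty (key revoked), signatures will not verify")
    return issues


def check_dmarc(txt):
    """Return issues with a DMARC record: policy must be quarantine or reject."""
    if not txt:
        return ["DMARC record missing"]
    tags = parse_tags(txt)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("DMARC record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC policy is '{policy or 'absent'}'; spoofed mail is not quarantined or rejected")
    if "rua" not in tags:
        issues.append("DMARC has no rua= reporting address, so spoofing attempts go unnoticed")
    return issues


def audit(spf, dkim, dmarc):
    """Audit all three records; returns a dict of issue lists keyed by record type."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


# Constructed records: a weak configuration and a sound one for the same hypothetical domain.
WEAK = {"spf": "v=spf1 include:_spf.mailer.example +all",
        "dkim": "v=DKIM1; k=rsa; p=",
        "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 mx include:_spf.mailer.example -all",
          "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",  # placeholder, not a real key
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(f"== {label} ==")
        for kind, issues in audit(**records).items():
            print(f"{kind}: {'OK' if not issues else '; '.join(issues)}")
```

Run the audit periodically rather than once: DKIM keys get rotated and SPF includes accumulate over time, so a record that passed last year can silently drift past the lookup limit or lose its key.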
COMN. & IT DIRECTORATE, CRPF Design By : Ajay Tomar 4