Edward Kiledjian's Threat Intel

Ransomware gangs join attacks targeting Microsoft SharePoint servers www.bleepingcomputer.com/news/secu…

Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide. Security researchers at Palo Alto Networks' Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).

The ransomware was detected on July 27, after researchers discovered a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206). The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.

“Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said. The 4L4MD4R ransomware encrypts files on the compromised system and demands a payment of 0.005 Bitcoin, generating ransom notes and encrypted file lists on infected systems.