New WastedLocker Variant Exploits Internet Explorer FlawsBitdefender: Malware Loader Doesn't Contain Ransomware
A new WastedLocker malware variant, dubbed WastedLoader, is exploiting two vulnerabilities in Internet Explorer to insert malicious advertisements into legitimate websites, the security firm Bitdefender reports.
See Also: 2022 Unit 42 Incident Response Report
Bitdefender says that unlike the previous version of WastedLocker, the new variant doesn't contain ransomware capabilities and only acts as a malware downloader.
The ongoing campaign, which began in February, is exploiting unpatched Visual Basic Script vulnerabilities in Internet Explorer to target victims in Europe and the U.S, the report notes.
"The exploitation chain starts with a malicious advertisement delivered from a legitimate website," Bitdefender says. "The malicious advertisement redirects to the landing page of 'RIG EK.' That page then serves two exploits and, if one is successful, it executes the malware."
The hackers then execute a long command line that downloads and decrypts the malware. The Rig Kit exploit for this vulnerability has been available since last year after a proof of concept was released by a security researcher.
The second VBScript exploit delivered by RIG Kit builds on a proof of concept for exploiting CVE-2018-8174, which is a vulnerability caused in the way VBScript engine handles objects in memory, the Bitdefender report notes.
The attackers then download WastedLocker malware to enable further exploit. "The delivered malware looks like a new variant of WastedLocker, but this new sample is missing the ransomware part, which is probably downloaded from the C&C servers. Because it works like a loader for the downloaded payload, we named it WastedLoader," the report notes.
The malware then performs such tasks as anti-debugging and anti-hooking and also attains persistence.
Since May 2020, WastedLocker has been used to target many larger organizations, with the attackers demanding a ransom of $10 million or more, according to Palo Alto's Unit 42.
Between June and September 2020, WastedLocker targeted the information technology, legal, pharmaceutical, manufacturing and transportation and logistics sectors in the U.S. and U.K., the Unit 42 report said.
In July 2020, smartwatch maker Garmin was targeted by WastedLocker. The company paid a ransom after its systems were encrypted, according to news reports (see: Garmin Reportedly Paid a Ransom).
In the same month, WastedLocker targeted dozens of newspaper websites operated by a U.S. media company, according to the security firm Symantec (see: WastedLocker Ransomware Targets US Newspaper Company).
Links to Evil Corp
WastedLocker has been used by threat group Evil Corp since May 2020. The group has targeted banks, financial institutions, retailers and other businesses.
Evil Corp has been implicated in several large-scale spam and phishing campaigns that have been used to distribute Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to security researchers.
In December 2019, two members of the cybercrime group, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges (see: Two Russians Indicted Over $100M Dridex Malware Thefts).