Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

New WastedLocker Variant Exploits Internet Explorer Flaws

Bitdefender: Malware Loader Doesn't Contain Ransomware
New WastedLocker Variant Exploits Internet Explorer Flaws
WastedLoader exploitation chain (Source: Bitdefender)

A new WastedLocker malware variant, dubbed WastedLoader, is exploiting two vulnerabilities in Internet Explorer to insert malicious advertisements into legitimate websites, the security firm Bitdefender reports.

See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare

Bitdefender says that unlike the previous version of WastedLocker, the new variant doesn't contain ransomware capabilities and only acts as a malware downloader.

The ongoing campaign, which began in February, is exploiting unpatched Visual Basic Script vulnerabilities in Internet Explorer to target victims in Europe and the U.S, the report notes.

"The exploitation chain starts with a malicious advertisement delivered from a legitimate website," Bitdefender says. "The malicious advertisement redirects to the landing page of 'RIG EK.' That page then serves two exploits and, if one is successful, it executes the malware."

Attack Tactics

Bitdefender notes the malware begins by blocking JavaScript in the targeted website. The hackers then proceed to exploit CVE-2019-0752, a remote code script engine vulnerability in Internet Explorer, the report notes.

The hackers then execute a long command line that downloads and decrypts the malware. The Rig Kit exploit for this vulnerability has been available since last year after a proof of concept was released by a security researcher.

The second VBScript exploit delivered by RIG Kit builds on a proof of concept for exploiting CVE-2018-8174, which is a vulnerability caused in the way VBScript engine handles objects in memory, the Bitdefender report notes.

The attackers then download WastedLocker malware to enable further exploit. "The delivered malware looks like a new variant of WastedLocker, but this new sample is missing the ransomware part, which is probably downloaded from the C&C servers. Because it works like a loader for the downloaded payload, we named it WastedLoader," the report notes.

The malware then performs such tasks as anti-debugging and anti-hooking and also attains persistence.

Past Attacks

Since May 2020, WastedLocker has been used to target many larger organizations, with the attackers demanding a ransom of $10 million or more, according to Palo Alto's Unit 42.

Between June and September 2020, WastedLocker targeted the information technology, legal, pharmaceutical, manufacturing and transportation and logistics sectors in the U.S. and U.K., the Unit 42 report said.

In July 2020, smartwatch maker Garmin was targeted by WastedLocker. The company paid a ransom after its systems were encrypted, according to news reports (see: Garmin Reportedly Paid a Ransom).

In the same month, WastedLocker targeted dozens of newspaper websites operated by a U.S. media company, according to the security firm Symantec (see: WastedLocker Ransomware Targets US Newspaper Company).

Links to Evil Corp

WastedLocker has been used by threat group Evil Corp since May 2020. The group has targeted banks, financial institutions, retailers and other businesses.

Evil Corp has been implicated in several large-scale spam and phishing campaigns that have been used to distribute Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to security researchers.

In December 2019, two members of the cybercrime group, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges (see: Two Russians Indicted Over $100M Dridex Malware Thefts).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.