Megacortex: Boogeyman du Jour

Scary new attacks spike!  Be afraid!  Buy stuff!  It’s complicated, hire expensive help!

Well, it is scary if you have poor posture. Without a proper security stance, complex, expensive software does become necessary. Need proof? Of course, that’s why you are here, right? Let’s take a look at the big, bad boogeyman we’re now told to fear…

In the beginning of May 2019, the UK security firm Sophos reported a sudden spike in detections of “Megacortex”. This new ransomware uses authentication servers to propagate through corporate networks, and it joins a growing list of tools hackers use in targeted attacks on businesses.

According to Sophos:  “The convoluted infection methodology MegaCortex employs leverages both automated and manual components, and appears to involve a high amount of automation to infect a greater number of victims.”

Sounds scary, right?

These always do seem so sophisticated; the technical write-ups imply that you need equally sophisticated security to fight them. The truth, however, is that Megacortex, like every other breach toolset, would be rendered inert by a proper security posture.

Every attack that involves lateral movement, that is, every attack used as a stepping stone to gain access to a network and then move within it for whatever purpose, relies on tools to do the job. Take away their tools, and the hackers are about as effective as engine mechanics working with only their bare hands.

Let’s take a look at this one and see where proper Execution Control would play a role.  We’ll reference Sophos’ excellent deconstruction of the malware published on May 10, 2019.  

They note that in one case, the attack was orchestrated from a domain controller using six batch files, numbered 1 through 6, to distribute the malware payloads: wininit.exe and stop.bat. The latter payload appeared to be the launcher of the former. The article also notes that Megacortex drops a DLL module onto the victim machine, which is launched remotely by WMI or PowerShell using the Windows built-in RUNDLL32.EXE binary. This DLL contains the code that actually encrypts the files and wipes out restore points. Sophos did not note how the control files arrived on the domain controller, but we can assume this was done through dropper malware, as is common.
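The launch chain Sophos describes, WMI or PowerShell starting rundll32.exe with a dropped DLL, is also a recognizable pattern in process-creation telemetry. The Python below is an added example, not code from Sophos or from this post: the event records are constructed, and the field names are assumptions chosen to resemble what an EDR or Sysmon process-creation event would carry.

```python
"""Flag rundll32.exe launches whose parent is a WMI provider host or PowerShell
and whose command line hands rundll32 a DLL to run (the pattern described in the
Sophos write-up). Added example; the records below are constructed, not real."""
import re
from dataclasses import dataclass

# Constructed, simplified process-creation records (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\payload.dll,#1"},      # suspicious
    {"host": "ws02", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\x.dll,Start"},         # suspicious
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},           # benign parent
    {"host": "ws04", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},                                # not rundll32
]

# Parents that indicate a remote or scripted launch rather than a user action.
REMOTE_LAUNCH_PARENTS = {"wmiprvse.exe", "powershell.exe", "pwsh.exe"}

# "<path>.dll,<export>" as rundll32 expects it; the export may be a name or "#ordinal".
DLL_ARG = re.compile(r'(?i)(?P<dll>[^\s,"]+\.dll)\s*,\s*(?P<export>\S+)')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    dll: str
    export: str


def detect_remote_rundll32(events):
    """Return one Finding per event matching parent + image + DLL argument."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "rundll32.exe":
            continue
        parent = basename(ev["parent"])
        if parent not in REMOTE_LAUNCH_PARENTS:
            continue
        m = DLL_ARG.search(ev["cmdline"])
        if not m:
            continue
        findings.append(Finding(ev["host"], parent, m.group("dll"), m.group("export")))
    return findings


if __name__ == "__main__":
    for f in detect_remote_rundll32(SAMPLE_EVENTS):
        print(f"{f.host}: {f.parent} -> rundll32 {f.dll},{f.export}")
```

The rule keys on the parent process and the DLL argument together; either alone is noisy. In a real deployment you would further weight DLLs loaded from user-writable paths (Temp, Public, ProgramData) over those in System32, and correlate with the batch-file distribution from the domain controller that Sophos describes.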

So how does proper Default-Deny security posture stop such an attack?

With Execution Control, untrusted batch (.bat) and PowerShell (.ps1) scripts cannot execute. They cannot issue commands to drop malware payloads on local or remote machines. With Execution Control, untrusted DLL files cannot execute. In a Default-Deny posture, even the payload dropper that initially downloaded all these malware tools could not have delivered them, because it too must execute to do its job. The sophisticated mechanics behind Megacortex would be left with no tools. You would be SAFE!

White Cloud Security provides Execution Control using a Trust-List secured by spoof-proof Cyber-Metric Handprint Identification. These Handprints use five secure hash algorithms concurrently, plus the file length, which effectively prevents a hash collision attack like the SHAttered attack from spoofing an app’s identity and bypassing Execution Control’s protection.
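To make the Default-Deny and Handprint ideas from the two preceding paragraphs concrete, here is an added Python sketch; it is not White Cloud Security’s implementation. It assumes a particular choice of five hash algorithms and a tuple encoding of the handprint, neither of which the post specifies, and the “file” contents are constructed byte strings standing in for real programs, scripts and DLLs.

```python
"""Default-deny execution control keyed on a multi-hash handprint.
Added example, not White Cloud Security's code. The five algorithms below and
the tuple layout are assumptions; the post only says five hashes plus length."""
import hashlib
from dataclasses import dataclass

# Assumed algorithm set: any single collision (e.g. SHAttered's SHA-1 collision)
# still leaves the other four digests and the length to match.
ALGORITHMS = ("sha256", "sha512", "sha3_256", "blake2b", "sha1")


def handprint(data: bytes) -> tuple:
    """Identity tuple: (length, digest_1, ..., digest_5)."""
    digests = tuple(hashlib.new(a, data).hexdigest() for a in ALGORITHMS)
    return (len(data),) + digests


@dataclass
class TrustList:
    approved: set  # set of handprint tuples for files explicitly allowed to run

    @classmethod
    def from_files(cls, blobs):
        return cls({handprint(b) for b in blobs})

    def allow_execution(self, data: bytes) -> bool:
        # Default deny: whatever is not on the list is refused, regardless of
        # extension or how it was launched (batch, PowerShell, rundll32).
        return handprint(data) in self.approved


# Constructed stand-ins for real file contents.
TRUSTED_APP = b"MZ\x90\x00...(constructed contents of an approved program)..."
TRUSTED_SCRIPT = b"@echo off\r\necho backup job\r\n"
UNKNOWN_DLL = b"MZ\x90\x00...(constructed contents of a dropped DLL)..."

trust = TrustList.from_files([TRUSTED_APP, TRUSTED_SCRIPT])


def tamper(data: bytes) -> bytes:
    """Flip one bit in the last byte: same length, different content."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def decisions() -> dict:
    """Allow/deny outcome for each sample, including a tampered trusted file."""
    return {
        "trusted_app": trust.allow_execution(TRUSTED_APP),
        "trusted_script": trust.allow_execution(TRUSTED_SCRIPT),
        "unknown_dll": trust.allow_execution(UNKNOWN_DLL),
        "tampered_app": trust.allow_execution(tamper(TRUSTED_APP)),
    }


def mismatched_components(candidate: bytes, real: bytes) -> int:
    """How many handprint components a candidate fails to match against a
    trusted file. A spoof must bring this to zero across all six."""
    return sum(1 for a, b in zip(handprint(candidate), handprint(real)) if a != b)


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    print("tampered copy mismatches:", mismatched_components(tamper(TRUSTED_APP), TRUSTED_APP))
```

The point of the multi-digest identity is visible in `mismatched_components`: a one-bit change keeps the length but changes every digest, and a collision engineered against one algorithm leaves the other four unmatched. In practice the trust list would be populated from a known-good install and updated through a controlled approval step rather than built in code.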

Our solution is simple and effective. The methods we employ are recommended by the most respected authorities in cybersecurity.  We require zero knowledge of a threat to stop it in its tracks. Our patented Handprint technology stops all executable malware, including zero-day threats.  Our Trust Lockdown stops active infections without needing to download signatures.

Unless posture is addressed, compromise of all computers is a matter of “when”, not “if”.  We are here to help when you are ready.  Visit White Cloud Security today to learn more.
