Cybercriminals used the ONI ransomware to conceal a sophisticated targeted campaign, dubbed "Night of the Devil", that relied on exploits from the US National Security Agency. For several months the attacks went unnoticed, until one day the attackers pulled the trigger and encrypted data on hundreds of computers. Their true goal was not to collect a ransom, but to destroy the traces of their presence.
The campaign was directed against several organizations in Japan. After investigating the attacks, experts from Cybereason concluded that the attackers used the ransomware to wipe out all traces of the operation and all data about the attacks.
The malware takes its name from the .oni extension appended to encrypted files and from the email address given in the ransom note. In Japanese, ONI means "Night of the Devil". As the experts found, most of the malware's code was borrowed from the GlobeImposter ransomware.
ONI has been used repeatedly in attacks on Japanese organizations, but in the latest campaign the researchers discovered a new version, MBR-ONI, equipped with bootkit functionality. This ransomware is built on DiskCryptor, a legitimate disk encryption tool. Both ONI and MBR-ONI reach victims' computers through targeted phishing emails: a malicious Office document attached to the email downloads the remote access tool Ammyy Admin onto the system.
Once inside the targeted system, the attackers mapped the internal network and collected credentials. To move laterally through the network they used the NSA's EternalBlue exploit. Having compromised critical assets, including the domain controller, the hackers gained full control over the network and could steal any information of interest to them.
At the end of the operation, cybercriminals launched ONI and MBR-ONI to hide their tracks.
ONI displays a ransom note on the infected computer and allows the files to be decrypted. MBR-ONI, by contrast, provides no decryption key at all; its sole purpose is to destroy any evidence of the espionage campaign.
Using ransomware to conceal a cyber-espionage campaign is a very rare practice. Nevertheless, the attacks on Japanese organizations illustrate the emergence of a new trend.
Bootkit: malware (also called an MBR rootkit) that modifies the Master Boot Record, the first physical sector of the hard disk.