Wednesday, May 24, 2017

#Wannacry & the Virut Botnet


A new variant of Wannacry appears to be making a bad situation worse. Wapack Labs has recently identified a new malware specimen that is 75% similar to Wannacry. Instead of relying on a “kill-switch” domain, the program uses a combination of several static domains and a domain generation algorithm (DGA) to bypass network-based mitigations. Furthermore, the domains appear to be related to Virut (medium confidence), a cybercrime botnet in operation since 2006. A more detailed analysis of this development is pending.

Indicators:

Wapack Labs has cataloged and reported on Wannacry ransomware in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM