The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging impacting threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating a recent campaign, which is specifically targeting victims based in the EMEA region. The campaign is associated with the N3tw0rm threat actor, suspected to be based in Iran. The campaign involves ransomware and a disk space filler utility. This utility fills hard disk volumes with junk data until no free disk space is available.
The disk space filler utility, observed as part of the recent ransomware campaign orchestrated by N3tw0rm, fills hard disk volumes with data, leaving no free disk space available. The utility then deletes the files it wrote, after which the utility shuts down the operating system. The overall activity of the disk space filler utility can be summarized as follows:
Contents of log.txt
Files written by the disk filler utility
The disk space filler utility displaying operation progress on the console screen
The disk space filler utility refreshing the console screen
By using the Cybereason Cross Machine Correlation (CMC) engine and collection abilities, you can detect the indicators of compromise (IOCs) that pertain to this attack. Cybereason recommends the following:
MalOp generated by the Cybereason Defense Platform for the ransomware associated with N3tw0rm
Aleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC
Aleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC (GSOC) team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD degree in the area of system security. Prior to Cybereason, his work was focusing on research in the area of intrusion detection and reverse engineering security mechanisms of the Windows 10 operating system.
Eli Salem, Senior Security Analyst, Cybereason Global SOC
Eli Salem is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry for a couple of years now. In his free time he publishes articles about malware research and threat hunting.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
All Posts by Cybereason Global SOC Team
Raspberry Robin involves a worm that spreads over USB devices or shared folders, leveraging compromised QNAP (Network Attached Storage or NAS) devices as stagers and an old but still effective method of using “LNK” shortcut files to lure its victims...
How do we secure the Private Infrastructure Protection (PIP) space? By providing virtualized containers, allowing customers to re-use their own hardware and making it easier to add in new capabilities as the cyber security world evolves.
