InfoSecBulletin Cybersecurity for mankind
A new ransomware named Eldorado appeared in March and has locker versions for VMware ESXi and Windows. The gang has claimed 16 victims, mostly in the U.S., in various sectors including real estate, education, healthcare, and manufacturing.
Researchers from Group-IB observed the activity of Eldorado. They found that the operators of Eldorado were advertising their harmful service on RAMP forums and looking for experienced affiliates to join their program.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
Encrypting Windows and Linux:
Eldorado is a ransomware that can encrypt both Windows and Linux platforms. The researchers got an encryptor from the developer. The user manual says that there are 32/64-bit versions for VMware ESXi hypervisors and Windows.
Group-IB says that Eldorado is a unique development “and does not rely on previously published builder sources.”
The malware uses the ChaCha20 algorithm to encrypt files, with a unique 32-byte key and 12-byte nonce for each file. These keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
Files are given a new extension “.00000001” after being encrypted. Ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders.
Eldorado encrypts network shares using the SMB protocol to maximize its impact and deletes shadow volume copies on compromised Windows machines to prevent recovery.
The ransomware skips DLLs, LNK, SYS, and EXE files, as well as files and directories related to system boot and basic functionality to prevent rendering the system unbootable/unusable.
Finally, it’s set by default to self-delete to evade detection and analysis by response teams.
The researchers from Group-IB discovered that affiliates can personalize their attacks. They can choose specific directories to encrypt and avoid encrypting local files. Moreover, they can target network shares on certain subnets and make sure the malware cannot delete itself. Linux only allows customization up to setting encryption directories.
