Conti, amid breaches and hacks, brings Emotet back to life


While the botnet was shut down, ransomware operators had difficulty getting their programs onto victims' systems.

Those who follow us will remember that at the beginning of the year we covered the Emotet botnet and how it was taken down by Europol; now it seems to be showing signs of life again. It turns out that the botnet's former operators began rebuilding it because of high demand, in particular from the Conti ransomware group.

According to specialists at the information security company Advanced Intelligence (AdvIntel), the revival was facilitated in particular by the shortage of initial-access offers on the market that developed after Emotet's takedown. During the ten months the botnet was shut down, decentralized ransomware distribution operations had trouble getting their programs delivered.

Since Emotet was one of the most widespread types of malware, it also served as a downloader for other malware, providing operators with initial access to infected systems. In particular, Emotet's main customers were Qbot and TrickBot, which in turn downloaded ransomware (Ryuk, Conti, ProLock, Egregor, DoppelPaymer, etc.) onto the attacked computers.

The botnet's operators provided initial access on an industrial scale, so a great deal of malicious activity was built on Emotet, in particular the so-called Emotet-TrickBot-Ryuk triad.

Ryuk is the predecessor of the Conti ransomware, which began to grow in activity last year, after which Ryuk's activity decreased.

According to AdvIntel researchers, after Emotet was disabled, the main ransomware groups, such as Conti (delivered via TrickBot and BazarLoader) and DoppelPaymer (delivered via Dridex), were left without a source of qualified initial access.

The researchers believe that one reason for the closure this year of several RaaS operations (Babuk, DarkSide, BlackMatter, REvil, Avaddon) was the low quality of the access (RDP, VPN, vulnerabilities, low-quality spam) offered by brokers and resellers.

The Conti ransomware group, which includes at least one former Ryuk member, together with Emotet's largest customer, TrickBot, asked the Emotet operators to bring the project back to life.

Conti is in trouble

The Conti ransomware group has also been the victim of a data breach, after security researchers were able to determine the real IP address of one of its most important servers and maintain console access to the system for more than a month.

The compromised server is where Conti negotiates ransom payments with its victims.

“Our team discovered a vulnerability in Conti's server setup and used it to determine the true IP address of the hidden service hosting the recovery site,” according to a 37-page report by the Swiss cyber-security company Prodaft.

The IP address is 217.12.204.135, which belongs to the Ukrainian hosting company ITL LLC. For a month, Prodaft specialists had access to this server, which allowed them to monitor its network traffic.

Although most connections to the server came from Conti's victims, SSH connections were also recorded that appear to belong to Conti members themselves. However, luck was not on the researchers' side here, because the SSH source IP addresses belonged to Tor exit nodes. In other words, they could not be used to identify the operators behind Conti.

Other valuable information in the report includes details of the Conti server's operating system and its htpasswd file, which contains the hashed password for accessing the server.

After publication, the report immediately caught the group's attention. It was particularly concerned about the disclosure of the server's IP address and the hashed access password, since rival ransomware groups could have taken advantage of this information. In the end the group had to shut down its payment portal to find new hosting, which prevented victims around the world from contacting the ransomware operators and caused extended downtime.

AdvIntel researchers believe that once Emotet grows back into the dominant player in the ransomware arena, Conti will deliver its payload to attacked systems through this malware; they consider this scenario almost certain.
