{"id":2614,"date":"2020-05-25T07:24:14","date_gmt":"2020-05-25T05:24:14","guid":{"rendered":"https:\/\/xopero.com\/blog\/?p=2614"},"modified":"2020-05-25T07:24:16","modified_gmt":"2020-05-25T05:24:16","slug":"ragnarlocker-can-hide-its-presence-in-a-very-neat-way","status":"publish","type":"post","link":"https:\/\/xopero.com\/blog\/en\/ragnarlocker-can-hide-its-presence-in-a-very-neat-way\/","title":{"rendered":"RagnarLocker can hide its presence in a very neat way"},"content":{"rendered":"\n

Welcome to the next episode of the\u00a0Xopero Security Center<\/a>! There is a curious case of\u2026 RagnarLocker ransomware. Its operators are running Oracle VirtualBox to hide its presence on infected computers inside a VM. Does it do the trick? Are they successful? Check below.<\/p>\n\n\n\n\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

RagnarLocker ransomware runs Oracle VirtualBox to hide its presence from antivirus software<\/strong><\/h2>\n\n\n

RagnarLocker is not your typical ransomware. Its operators carefully select targets, avoiding home users, and goes strict after corporations and government organizations. They usually gain access by abusing internet-exposed RDP endpoints and has compromised MSP tools to breach targeted companies.<\/p>\n\n\n\n

In the past RagnarLocker group deployed a version of their ransomware customized per each victim but recently attackers come up with a novel strategy to avoid detection. Instead of running the ransomware directly on the vulnerable computer, they download and install Oracle VirtualBox. The group then configures the virtual machine to give it full access to all local and shared drives, allowing the VM to interact with files stored outside its own storage. In the next step attackers boot up the virtual machine, load the ransomware inside and run it. And because the ransomware runs inside the VM, the antivirus software won’t be able to detect any malicious process.<\/p>\n\n\n\n

The end? Files on the local system and shared drives are suddenly replaced with their encrypted versions. End the best part – all the file modifications appear to come from a legitimate process. Brilliant. <\/p>\n\n\n\n

Read more<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

There is a new Bluetooth vulnerability which exposes a wide range of devices to the BIAS attack<\/strong><\/h2>\n\n\n

A team of researchers tested the security weakness on a variety of devices, including laptops, tablets, and smartphones from popular consumer brands that were equipped with different versions of the Bluetooth protocol. This is still work in progress but there are at last 28 unique Bluetooth chips vulnerable to the Bluetooth Impersonation AttackS (BIAS).<\/p>\n\n\n\n

What is exactly a BIAS attack? This type of attack is able to bypass Bluetooth\u2019s authentication procedures that take place during the establishment of a secure connection. Attackers exploit few flaws such as lack of integrity protection, encryption, and mutual authentication.<\/p>\n\n\n\n

During the pairing of two devices, a long-term key is generated that connects the devices together. Once they have done that: each time a secure connection is established, it uses a different session key that is extrapolated from the long-term key and other public factors. Using the flaw, the attacker is then able to impersonate one of the devices that has gone through the authentication process and paired with the other device, without knowing the long-term key. The attacker can then take control of or steal sensitive data from the other device.<\/p>\n\n\n\n

\n