CVE-2018-0896 Used by Latest GandCrab Versions (GANDCRAB v5.0.1)
THREAT REMOVAL

CVE-2018-0896 Used by Latest GandCrab Versions (GANDCRAB v5.0.1)

Judging by the speed at which new iterations are introduced into the wild, whoever is behind the GandCrab ransomware is not going to stop any time soon. The ransomware was just updated in two new versions – GANDCRAB v5.0.1 and GANDCRAB v5.0.2 that are currently being deployed against victims worldwide.




CVE-2018-0896 Used in Latest GandCrab Ransomware Campaigns

Security researchers were able to uncover that the ransomware operators are using several known vulnerabilities, including the Fallout exploit kit which was also used in September 2018 campaigns. This EK was unearthed by security researcher nao_sec at the end of August 2018 and is once again part of the operators’ distribution arsenal.

As for the vulnerabilities, it appears that GandCrab operators are increasingly using CVE-2018-0896 which is known as a “Windows Kernel Information Disclosure Vulnerability”. Here’s its official description:

The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka “Windows Kernel Information Disclosure Vulnerability”.

Analysis by 360 Total Security researchers also reveals that the ransomware is commonly distributed via the following technique:

  • Software bundlers, or presenting itself as normal software in download sites;
  • By cracking weak passwords;
  • By using the Apache Tomcat exploit;
  • By using Jboss and WebLogic server flaws;
  • By using Struts vulnerabilities.

GandCrab September campaigns were extensively relying on the Fallout EK. The EK was being installed on compromised websites and was attempting to exploit vulnerabilities present in the potential victim’s system. The EK was detected exploiting two known exploits – one for Adobe Flash Player (CVE-2018-4878) and one for the Windows VBScript engine (CVE-2018-8174).

Make sure to read our detailed articles about GANDCRAB v5.0.1 and GANDCRAB v5.0.2. Also spread the word among your friends and families that ransomware operators are once again on the loose!

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...