#ExploreWithANYRUN

🚨 #WormLocker Returns with New Builds. First detected in 2021, this #ransomware remains active, with new samples recently identified.
👨‍💻 With #ANYRUN Sandbox, analysts can trace the full execution chain and uncover #malware behavior without the need for reverse engineering or manual debugging. Let’s see it in action.

📥 Upon execution, WormLocker 2.0 creates worm_tool.sys files in both the Desktop and Downloads folders.

It uses the ‘takeown’ and ‘icacls’ commands to take ownership of system files and modify their access control lists. The malware then unpacks its resources into the System32 folder.

🚫 To disrupt system recovery, it disables Task Manager, deletes hidden files, and terminates the Explorer process. The Shell settings are set to empty, keeping the Explorer disabled even after reboot.

WormLocker 2.0 employs #AES-256 in CBC mode with a fixed salt. The key is generated from the hardcoded static password ‘LUC QPV BTR’ by applying SHA-256.

🔑 Entering this password restores the system settings and decrypts the affected data.

Finally, the ransomware runs a VBS script to play audio containing its ransom demand.

👨‍💻 Analysis session: app.any.run/tasks/5a6eb571-5fb
With ‘LUC QPV BTR’ password entered: app.any.run/tasks/5bb3af51-5d6
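Added example (not ANY.RUN’s code or output): a small Python detector that scores the behaviour chain described above across constructed sample telemetry: worm_tool.sys dropped in Desktop or Downloads, takeown/icacls on files under the Windows directory, the Winlogon Shell value cleared, Task Manager disabled, and Explorer killed. The event format, the registry paths (standard Windows locations, which the post does not name) and the three-stage alert threshold are assumptions.

```python
import re

# Constructed sample telemetry (not real sandbox output); event field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file", "path": r"C:\Users\bob\Desktop\worm_tool.sys"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\bob\Downloads\worm_tool.sys"},
    {"host": "WS01", "type": "process", "cmd": r"takeown /f C:\Windows\System32\taskmgr.exe"},
    {"host": "WS01", "type": "process", "cmd": r"icacls C:\Windows\System32\taskmgr.exe /grant Everyone:F"},
    {"host": "WS01", "type": "registry", "value": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "data": ""},
    {"host": "WS01", "type": "registry", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "data": "1"},
    {"host": "WS01", "type": "process", "cmd": "taskkill /f /im explorer.exe"},
    # Benign admin use on another host: one icacls on a user file must not alert on its own.
    {"host": "WS02", "type": "process", "cmd": r"icacls C:\Users\alice\report.docx /grant alice:F"},
]

def _cmd(e):
    return e["cmd"].lower() if e["type"] == "process" else ""

def _reg(e, name_suffix, data):
    return e["type"] == "registry" and e["value"].lower().endswith(name_suffix) and e["data"] == data

# One predicate per stage of the chain described in the post.
STAGES = {
    "worm_tool_drop": lambda e: e["type"] == "file"
        and re.search(r"\\(desktop|downloads)\\worm_tool\.sys$", e["path"], re.I) is not None,
    "system_file_acl_tamper": lambda e: _cmd(e).startswith(("takeown", "icacls"))
        and re.search(r"[a-z]:\\windows\\", _cmd(e)) is not None,
    "winlogon_shell_cleared": lambda e: _reg(e, r"\winlogon\shell", ""),
    "taskmgr_disabled": lambda e: _reg(e, r"\disabletaskmgr", "1"),
    "explorer_killed": lambda e: "taskkill" in _cmd(e) and "explorer.exe" in _cmd(e),
}

def match_stages(events):
    """Map each host to the set of stage names observed in its events."""
    seen = {}
    for e in events:
        for name, pred in STAGES.items():
            if pred(e):
                seen.setdefault(e["host"], set()).add(name)
    return seen

def alert_hosts(events, min_stages=3):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in match_stages(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(alert_hosts(SAMPLE_EVENTS))  # ['WS01']
```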

Improve your SOC operations with #ANYRUN 🚀
#ExploreWithANYRUN

🚨 New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.

👨‍💻 Analysis session: app.any.run/browses/50395c46-4

📍 URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake “Windows Defender Security Center” popup.

🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to alarm the user into acting.

Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.

🎣 The phishing page may also display a fake CloudFlare message tricking users into executing a #malicious Run command.
Take a look: app.any.run/tasks/e83a5861-600

#IOCs:

Streamline threat analysis for your SOC with #ANYRUN 🚀
#ExploreWithANYRUN

