Skip to main content

Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers

posted onNovember 4, 2021
by l33tdawg
Tech Republic
Credit: Tech Republic

Cisco Talos has a warning out for U.S. companies about a new variant of the Babuk ransomware. The security researchers discovered the campaign in mid-October and think that the variant has been active since July 2021. The new element in this attack is an unusual infection chain technique.

Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post. The researchers think that the initial infection vector is an exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

Babuk can affect several hardware and software platforms but this version is targeting Windows. The ransomware encrypts the target's machine, interrupts the system backup process and deletes the volume shadow copies.  According to the researchers, the infection chain works like this: A DLL or .NET executable starts the attack on the victim's system. The DLL is a mixed mode assembly. The .NET executable version of the initial downloader is a modified variant of the EfsPotato exploit with code to download and trigger the next stage

Source

Tags

Security

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th