On Monday, security researcher MalwareHunterTeam noted on Twitter that the MountLocker ransomware had been updated and had recently gained a worm feature for spreading through corporate networks. Vitali Kremez of Advanced Intel later detailed the mechanism: the ransomware now uses the Active Directory Service Interfaces (ADSI) API to query the domain controller for computer objects in the domain. For each computer it finds, MountLocker attempts to copy itself to that machine's C:\ProgramData directory, then remotely creates a new service pointing at the copy and starts it. Remotely creating and starting a service requires administrative rights on the target, so the worm only reaches hosts on which the compromised account is a local administrator; a single account creating the same service on many machines in quick succession is the behaviour defenders should look for.

Two other groups are currently known to use custom versions of MountLocker: Astro Locker and XingLocker. When contacted by BleepingComputer, the Astro Locker team said, "It's not a rebranding, probably we can define it as an alliance."
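The spreading behaviour described above leaves two tell-tale signals in Windows logs: a freshly installed service whose binary lives under C:\ProgramData, and one account installing services on many hosts within minutes. The following is an added example of detection logic over such records, written for this article; it is not code from the original page, from MountLocker, or from any of the researchers named. The event records are constructed to resemble Security event 4697 ("A service was installed in the system") flattened into dictionaries with assumed field names (`ts`, `host`, `event_id`, `subject`, `service`, `image_path`); real SIEM field names will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real MountLocker telemetry). Three hosts
# receive the same ProgramData-resident service from one account within
# seconds; the remaining entries are benign noise.
SAMPLE_EVENTS = [
    {"ts": "2021-05-10T09:14:02Z", "host": "WS-01", "event_id": 4697,
     "subject": "CORP\\svc-backup", "service": "WinUpdSvc",
     "image_path": r'"C:\ProgramData\winupd.exe" -q'},
    {"ts": "2021-05-10T09:14:05Z", "host": "WS-02", "event_id": 4697,
     "subject": "CORP\\svc-backup", "service": "WinUpdSvc",
     "image_path": r"C:\ProgramData\winupd.exe"},
    {"ts": "2021-05-10T09:14:09Z", "host": "FS-01", "event_id": 4697,
     "subject": "CORP\\svc-backup", "service": "WinUpdSvc",
     "image_path": r"%ProgramData%\winupd.exe"},
    {"ts": "2021-05-10T09:30:44Z", "host": "WS-03", "event_id": 4697,
     "subject": "CORP\\alice", "service": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe"},
    {"ts": "2021-05-10T10:02:11Z", "host": "WS-04", "event_id": 4697,
     "subject": "CORP\\bob", "service": "UpdaterSvc",
     "image_path": r"C:\Program Files\Vendor\updater.exe"},
    {"ts": "2021-05-10T10:05:00Z", "host": "WS-05", "event_id": 4688,
     "subject": "CORP\\bob", "service": "",
     "image_path": r"C:\ProgramData\tool.exe"},  # process start, not a service
]

# Executable portion of a service ImagePath: optional quotes, then a path
# ending in a runnable extension, with any arguments after it ignored.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|cmd|bat|ps1))"?', re.IGNORECASE)


def executable_from_image_path(image_path):
    """Strip quotes and arguments from an ImagePath and expand %ProgramData%."""
    m = _EXE_RE.match(image_path)
    exe = m.group(1) if m else image_path.strip().strip('"')
    # Services may be registered with the environment-variable form of the path.
    return re.sub(r"%programdata%", lambda _: r"C:\ProgramData", exe,
                  flags=re.IGNORECASE)


def under_programdata(exe):
    """True when the binary sits anywhere beneath C:\\ProgramData."""
    return exe.replace("/", "\\").lower().startswith("c:\\programdata\\")


def suspicious_service_installs(events):
    """Rule 1: service installs (4697) whose binary lives under C:\\ProgramData."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4697:
            continue
        exe = executable_from_image_path(ev["image_path"])
        if under_programdata(exe):
            hits.append({**ev, "exe": exe})
    return hits


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def fanout_by_subject(events, min_hosts=3, window=timedelta(minutes=10)):
    """Rule 2: one account installing services on >= min_hosts distinct hosts
    inside a sliding time window. Returns {subject: sorted hosts}."""
    by_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4697 and ev.get("subject"):
            by_subject[ev["subject"]].append((_parse_ts(ev["ts"]), ev["host"]))
    alerts = {}
    for subject, items in by_subject.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[subject] = sorted(hosts)
                break
    return alerts


def detect(events):
    """Run both rules and return their findings together."""
    return {"programdata_services": suspicious_service_installs(events),
            "fanout": fanout_by_subject(events)}


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"[ProgramData service] {hit['host']} {hit['subject']} {hit['exe']}")
    for subject, hosts in fanout_by_subject(SAMPLE_EVENTS).items():
        print(f"[fan-out] {subject} installed services on {hosts}")
```

Event 4697 is only written when "Audit Security System Extension" is enabled; where it is not, System log event 7045 records the same install but without the installing account, so only the ProgramData rule can be applied to it. Both rules need tuning: some vendor software does place service binaries in ProgramData subfolders, and deployment tools legitimately install services on many hosts at once, so exclude known deployment accounts before alerting.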
Using Microsoft Sentinel to Detect Confluence CVE-2022-26134 Exploitation
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is