A new ransomware sample with very low anti-virus detection rates was recently discovered, according to researchers at IBM X-Force IRIS and Intezer. The ransomware, dubbed “PureLocker” because it is written in the PureBasic programming language, has attributes that suggest it is designed for highly targeted, strategic attacks against servers. The ransomware only runs if it has been executed as a DLL or OCX file from the command line via regsvr32.exe using particular command-line switches, suggesting that attackers plan to first gain remote access to a victim network and then deploy the ransomware strategically against a chosen target server, rather than spreading it indiscriminately as widely as possible. Although the PureBasic programming language allows the ransomware to be compiled for Windows, Linux and macOS targets, all of the PureLocker samples analyzed so far have targeted only Windows; it is possible that a Linux variant may be discovered in the future. By analyzing portions of code in PureLocker and noting similarities with other malware samples, researchers believe it is likely that PureLocker shares a significant amount of code with the “more_eggs” malware, which is sold on the dark web by a threat actor who is believed to have provided malware as a service to two major cyber-criminal groups: FIN6 and Cobalt Gang.
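The execution constraint described above (the payload only runs when regsvr32.exe loads it as a DLL or OCX with specific switches) is also the detection opportunity: regsvr32.exe registering a module from a user-writable directory is rare on a server and easy to pick out of process-creation telemetry. The following is an added example, not code from Binary Defense, IBM X-Force IRIS or Intezer. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage) and keys on where the module is loaded from rather than on any particular switch, because the post does not name the switches PureLocker requires; the `/s` and `/i` switches in the sample records are ordinary regsvr32 options used only to make the constructed data realistic.

```python
import shlex
from dataclasses import dataclass, field

# Directories from which regsvr32.exe is normally asked to register COM servers
# (installers, Windows components). Anything outside this allow-list is reported.
# The list is a starting point for an environment, not an exhaustive baseline.
TRUSTED_MODULE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape.
# These are sample events written for this example, not logs from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},          # benign: system DLL
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i C:\Users\Public\Libraries\update.ocx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},              # OCX from user-writable path
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\ProgramData\svc\helper.dll"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},                  # not regsvr32: ignored
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /u C:\Windows\SysWOW64\legacy.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},          # benign: unregister system DLL
]


@dataclass
class Finding:
    """One regsvr32 invocation that loaded a DLL/OCX from outside the allow-list."""
    module: str
    switches: list = field(default_factory=list)
    parent: str = ""


def parse_regsvr32_cmdline(cmdline):
    """Split a Windows command line into regsvr32 switches and module path arguments."""
    # posix=False keeps backslashes literal and returns quoted paths as one token.
    tokens = shlex.split(cmdline, posix=False)
    switches = [t.lower() for t in tokens[1:] if t.startswith("/")]
    modules = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return switches, modules


def check_event(event):
    """Return a Finding if this event is regsvr32 loading a DLL/OCX from an untrusted directory."""
    if not event["Image"].lower().endswith("\\regsvr32.exe"):
        return None
    switches, modules = parse_regsvr32_cmdline(event["CommandLine"])
    for module in modules:
        low = module.lower()
        if not low.endswith((".dll", ".ocx")):
            continue
        if low.startswith(TRUSTED_MODULE_DIRS):
            continue
        return Finding(module=module, switches=switches, parent=event["ParentImage"])
    return None


def scan(events):
    """Run the check over a batch of process-creation events and collect findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"regsvr32 loaded {finding.module} (switches {finding.switches}) "
              f"under parent {finding.parent}")
```

On the constructed data only the two records that load a module from `C:\Users\Public` and `C:\ProgramData` are reported; the parent process is carried in the finding because an interactive shell or PowerShell spawning regsvr32 is itself worth correlating. Allow-listing by directory rather than by switch is deliberate: switches such as `/s` are used by legitimate installers, whereas the load path distinguishes a dropped module from a Windows component.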
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In