JavaScript-based BlueCrab Ransomware Has Stopped?

The distribution of BlueCrab (Sodinokibi and REvil) ransomware through JavaScript files has been halted since July 13th, 2021. The distribution has been paused and resumed with modifications many times before, but this is the first time it has stopped for such a long period.

BlueCrab ransomware is distributed through forum posts disguised as file download pages. When a user downloads and runs the JS file, the script downloaded from the C2 server is executed, infecting the system with the ransomware.

Because it targeted Korean users and was constantly modified to evade AhnLab’s anti-malware products, AhnLab has been closely monitoring this ransomware. The ASEC analysis team responds quickly to changes through an automated monitoring system, and this blog has multiple posts covering those changes.

As for the distribution of the BlueCrab ransomware, the redirection to malicious websites has not been working since July 13th, 2021. Accessing a malicious post now leads the user to a normal post instead.

Based on the sample from the last distribution date, the C2 server currently gives no response. The ransom page that appears when a system is infected cannot be reached either. Among the domains used for the ransom page, “decoder.re”, which is not an onion domain, returns no response to DNS queries.

As all websites related to BlueCrab (REvil) ransomware on the dark web were reported to be shut down following the attacks on US companies’ supply chains and the resulting ransomware infection incidents, the halted distribution appears to be related to that situation as well.

Since thousands of malicious posts created by the attacker on compromised legitimate web servers still exist, distribution can resume at any time.

Analyzing detection logs from the past year yields the following list of the most frequently detected search keywords. Users typically download the ransomware files while searching for games and utility programs. Although the distribution of BlueCrab has halted, malware distributed in a similar way is multiplying, so users need to remain cautious.

Free Minecraft official version, Roblox hack, Free Super Bunny Man, Minecraft Pokémon mod, Canon service tool, The Binding of Isaac latest version, Key Viewer, Minecraft PortMiner, Chunjae Education textbook pdf, Windows 7 professional k iso, GOM player integrated codec, Geometry Dash 2.0 pc, The Binding of Isaac Afterbirth Plus, miplatform activex, kidszzang market play, Minecraft parkour map, Hanshow powerpoint, Free Tekken 7, LG smart font ttf, Windows 10 Adobe Flash manual download, Minecraft city map, Free Steam games, Free Google SketchUp, Free moving backgrounds, Spacedesk, Nintendo wii games, Only I Level Up pdf, Free Hancom Word, AutoCAD 2019 x force, DDoS attack program, Free Hancom Word 2010, Romance of the Three Kingdoms XI pk no install, hevc codec, ink Sans boss fight, pmbok Korean version pdf, Five Nights at Freddy’s, StarCraft remastered map, Pokémon Alpha Sapphire rom file, SketchUp 2017 crack, StarCraft remastered maphack, Adobe Illustrator no install, Electrical installation guide, JavaScript file, Songs from 70s and 80s, Dishonored 2 Korean version, AutoCAD 2014 keygen, Free Sims 4 Korean version, InDesign cs6 Korean version, and Free Yoondesign fonts

[IOC Information]

http[:]//www.archivalladolid.org/web/%ED%95%9C%EA%B8%80-%EC%9B%8C%EB%93%9C-%EB%AC%B4%EB%A3%8C-%EB%8B%A4%EC%9A%B4%EB%A1%9C%EB%93%9C/
http[:]//www.mict.it/?p=14023
http[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion
http[:]//decoder.re


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information
