Cyble – Threat Actor Targets Russian Gaming Community With WannaCry-Imitator

Cyble researchers tracked phishing campaigns that use gaming sites to distribute ransomware to Russian-speaking gamers, featuring fake Enlisted pages that resemble the legitimate site. The payload, WannaCry 3.0, is a Python-based variant of the open-source Crypter ransomware. Delivered as a fake game installer, it encrypts files and appends a .wncry extension, deletes shadow copies via a scheduled task, and uses a Telegram bot for ransom negotiations. #WannaCry3.0 #Crypter #EnlistedGame #RussianGamingCommunity #wncry_support_bot

Keypoints

  • Phishing campaigns using gaming sites target Russian-speaking gamers to distribute ransomware.
  • The ransomware is WannaCry 3.0, a variant of Crypter, a Python-based ransomware open-sourced on GitHub by user ‘@sithis993’.
  • The installer drops two executables (ENLIST~1.EXE and enlisted.exe) into the Temp directory.
  • Configuration is driven by a runtime.cfg file that defines how encryption and UI behave.
  • After building the target list (honouring the configured whitelists), files are AES-encrypted and given a .wncry extension.
  • Shadow copies are deleted via a scheduled task, followed by cleanup; ransom notes are shown via a GUI and a Telegram bot is used for negotiation.

MITRE Techniques

  • [T1566] Phishing – ‘phishing pages designed to closely resemble the legitimate Enlisted Game website.’
  • [T1204] User Execution – ‘When a user runs the “enlisted_beta-v1.0.3.115.exe” file, it shows an installation wizard to install the game.’
  • [T1083] File and Directory Discovery – ‘creates a list of files to be encrypted by the malware. … checks the system to find files to encrypt and create a list of files with full path names.’
  • [T1547] Boot or Logon Autostart Execution – ‘whether the ransomware needs to be added to the startup programs.’
  • [T1562] Impair Defenses – the runtime.cfg option ‘disable_task_manager’, which blocks the victim from ending the process through Task Manager.
  • [T1490] Inhibit System Recovery – ‘deletes shadow copies from the system using the task scheduler.’
  • [T1486] Data Encrypted for Impact – ‘the ransomware proceeds to encrypt the files … AES encryption … adds a “wncry” extension.’
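The shadow-copy deletion that the report attributes to a scheduled task (T1490) is the behaviour most worth a dedicated hunt, because it happens before encryption finishes. The following Python is an added example, not code from Cyble or from the Crypter project: it runs a small rule over constructed Sysmon-style process-creation records. The report does not quote the exact command the ransomware schedules, so the patterns matched here (vssadmin delete shadows, wmic shadowcopy delete, Win32_ShadowCopy) are the common shadow-copy deletion commands assumed for the example; the log line format, the field names and the sample records are likewise constructed. The second rule, a task created by a parent running from the Temp directory, follows from the report's observation that the dropped executables live there.

```python
import re

# Constructed Sysmon-style process-creation records (NOT from the Cyble report).
# Record 1: benign schtasks query. Record 2: a task scheduled by a binary in
# %TEMP% whose action deletes shadow copies. Record 3: the same deletion run
# directly. Record 4: a legitimate-looking task created by svchost.
SAMPLE_LOG = [
    'Image: C:\\Windows\\System32\\schtasks.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: schtasks /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
    'Image: C:\\Windows\\System32\\schtasks.exe | ParentImage: C:\\Users\\gamer\\AppData\\Local\\Temp\\enlisted.exe | CommandLine: schtasks /Create /SC ONCE /ST 00:00 /TN "Update" /TR "cmd.exe /c vssadmin delete shadows /all /quiet" /F',
    'Image: C:\\Windows\\System32\\vssadmin.exe | ParentImage: C:\\Windows\\System32\\cmd.exe | CommandLine: vssadmin delete shadows /all /quiet',
    'Image: C:\\Windows\\System32\\schtasks.exe | ParentImage: C:\\Windows\\System32\\svchost.exe | CommandLine: schtasks /Create /SC DAILY /TN "Backup" /TR "C:\\Tools\\backup.exe"',
]

# Assumed shadow-copy deletion commands; the report does not quote the real one.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy)",
    re.IGNORECASE,
)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*?/create\b", re.IGNORECASE)

TAG_TASK = "T1490: shadow-copy deletion scheduled via Task Scheduler"
TAG_DIRECT = "T1490: shadow-copy deletion executed directly"
TAG_TEMP_TASK = "scheduled task created by a binary running from the Temp directory"


def parse_event(line):
    """Split 'Key: Value | Key: Value' into a dict (assumed log layout)."""
    event = {}
    for field in line.split(" | "):
        key, sep, value = field.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def classify(event):
    """Return the list of tags a single process-creation event earns."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    tags = []
    if SHADOW_DELETE.search(cmd):
        # A deletion command wrapped in 'schtasks /create' is the report's pattern;
        # the same command run directly is still worth flagging.
        tags.append(TAG_TASK if TASK_CREATE.search(cmd) else TAG_DIRECT)
    if TASK_CREATE.search(cmd) and "\\temp\\" in parent:
        tags.append(TAG_TEMP_TASK)
    return tags


def hunt(lines):
    """Return [(record_index, tags)] for every record that triggers a rule."""
    hits = []
    for index, line in enumerate(lines):
        tags = classify(parse_event(line))
        if tags:
            hits.append((index, tags))
    return hits


if __name__ == "__main__":
    for index, tags in hunt(SAMPLE_LOG):
        print(index, SAMPLE_LOG[index].split(" | ")[-1])
        for tag in tags:
            print("   ", tag)
```

Run against real telemetry, the interesting hit is the combination: a task created by a process in the Temp directory whose action deletes shadow copies should page someone immediately, while the direct vssadmin case is also produced by backup and storage tooling and needs an allow-list.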

Indicators of Compromise

  • [Hash] enlisted_beta-v1.0.3.115.exe – MD5 65fdd5e706d45e8bb83bc13311fb4da4, SHA1 6515911679fdb3d6267ab44b67415dc32e587440, SHA256 c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2
  • [Hash] enlisted.exe – MD5 77873f29f166fd64350be2a1391ce9f9, SHA1 dfaab002eca691708228846e0d16905290031d48, SHA256 c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce
  • [Hash] enlisted.exe – MD5 55fac3a480c154fd5f2344992db4c5b0, SHA1 31278826e062d0a8b4ffe52caf1aa5c2804f3441, SHA256 444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790
  • [Hash] enlisted.exe – MD5 84c613a151449be56b5afb0291fc0cca, SHA1 9b43fdfd6ddb70a7418158c33d4c9a41f341a4e2, SHA256 51aeac86371a1dafe7601b40a1b897f1c5c62ed6aa6fcdb3fe39e6ebf480763f
  • [Hash] enlisted.exe – MD5 66742054e5ba484ef06d7cc2b52bd6c3, SHA1 0dc36a78cb251f6272991d541b7dffb438e2eb36, SHA256 dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005
  • [URL] Download URL – hxxp://testsite-beta-ne[.]1gb[.]ru/download/enlisted_beta-v1.0.3.115.exe
  • [URL] Download URL – hxxp://adobe-acrobat[.]1gb[.]ru/download/adobe_acrobat_reader.exe
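The hashes above, the dropped file names from the Keypoints (enlisted.exe and its 8.3 short name ENLIST~1.EXE in the Temp directory) and the .wncry extension are enough for a first host triage. The Python below is an added example, not a tool from Cyble: it walks a directory tree, hashes every file with MD5, SHA1 and SHA256, and reports hash matches, name matches and encrypted files separately, since a name or extension hit is a weaker signal than a digest hit. The sample tree it scans is constructed in a temporary directory with benign stand-in files; because those stand-ins cannot match the published digests, demo() adds the stand-in dropper's SHA256 to the IOC set for one of its two runs.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes published in the Cyble report (MD5, SHA1, SHA256 for the fake
# installer and the four enlisted.exe samples), lower-case hex.
IOC_HASHES = frozenset({
    "65fdd5e706d45e8bb83bc13311fb4da4", "6515911679fdb3d6267ab44b67415dc32e587440",
    "c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2",
    "77873f29f166fd64350be2a1391ce9f9", "dfaab002eca691708228846e0d16905290031d48",
    "c263ac9ce6026fa182066fea8956a3f60cd9c9dd9786ea6aff934ac3b00f43ce",
    "55fac3a480c154fd5f2344992db4c5b0", "31278826e062d0a8b4ffe52caf1aa5c2804f3441",
    "444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790",
    "84c613a151449be56b5afb0291fc0cca", "9b43fdfd6ddb70a7418158c33d4c9a41f341a4e2",
    "51aeac86371a1dafe7601b40a1b897f1c5c62ed6aa6fcdb3fe39e6ebf480763f",
    "66742054e5ba484ef06d7cc2b52bd6c3", "0dc36a78cb251f6272991d541b7dffb438e2eb36",
    "dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005",
})
# File names the report ties to the campaign: the fake installer and the two
# executables dropped into the Temp directory (ENLIST~1.EXE is an 8.3 short name).
IOC_NAMES = frozenset({"enlisted_beta-v1.0.3.115.exe", "enlisted.exe", "enlist~1.exe"})
ENCRYPTED_EXT = ".wncry"  # extension the ransomware appends to encrypted files


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha1, sha256) hex digests, streaming the file in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root, ioc_hashes=IOC_HASHES):
    """Walk root and return {'hash_hits': {relpath: digest}, 'name_hits': [...],
    'encrypted_files': [...]}; paths are reported relative to root, POSIX style."""
    root = Path(root)
    hash_hits, name_hits, encrypted = {}, [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in IOC_NAMES:
            name_hits.append(rel)
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(rel)
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file (locked, permissions); keep going
        for digest in digests:
            if digest in ioc_hashes:
                hash_hits[rel] = digest
                break
    return {"hash_hits": hash_hits, "name_hits": sorted(name_hits),
            "encrypted_files": sorted(encrypted)}


def build_sample_tree(root):
    """Write a constructed, benign stand-in for an infected user profile
    (not real malware). Returns the SHA256 of the stand-in dropper."""
    root = Path(root)
    (root / "Temp").mkdir(parents=True)
    (root / "Documents").mkdir()
    dropper = b"constructed stand-in for enlisted.exe, not the real sample"
    (root / "Temp" / "enlisted.exe").write_bytes(dropper)
    (root / "Temp" / "ENLIST~1.EXE").write_bytes(b"second dropped executable (stand-in)")
    (root / "Documents" / "thesis.docx.wncry").write_bytes(b"\x00ciphertext stand-in")
    (root / "Documents" / "notes.txt").write_bytes(b"untouched plaintext")
    return hashlib.sha256(dropper).hexdigest()


def demo():
    """Scan the constructed tree twice: with the stand-in dropper's digest added
    to the IOC set (exercises the hash match) and with the published hashes only."""
    with tempfile.TemporaryDirectory() as tmp:
        dropper_sha256 = build_sample_tree(tmp)
        return scan_tree(tmp, IOC_HASHES | {dropper_sha256}), scan_tree(tmp)


if __name__ == "__main__":
    with_stand_in, published_only = demo()
    print("with stand-in digest:", with_stand_in)
    print("published hashes only:", published_only)
```

On a real host, point scan_tree at the user profile (the Temp directory the report names sits under AppData\Local) and treat any entry in hash_hits as confirmed; a non-empty encrypted_files list with no hash hit usually means the sample has already been removed or differs from the five published builds, so escalate on the extension alone.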

Read more: https://blog.cyble.com/2023/06/13/threat-actor-targets-russian-gaming-community-with-wannacry-imitator/