Makop Ransomware Identified in Attacks in South Korea

Makop ransomware attacks in South Korea have increasingly exploited Remote Desktop Protocol (RDP) to gain initial access, using brute force attacks to compromise accounts. The threat actor also deploys credential-stealing tools similar to those used in Crysis and Venus ransomware attacks, suggesting a possible connection between these campaigns. #Makop #RDP #Mimikatz

Keypoints

  • Makop ransomware has targeted South Korean users through exposed RDP services, using brute force and dictionary attacks against weak credentials to gain access to the system.
  • After logging in over RDP, the threat actors install various credential-stealing tools, primarily NirSoft utilities and Mimikatz.
  • The tactics, tools, and installation paths used resemble those observed in Crysis and Venus ransomware attacks, indicating a possible shared threat actor.
  • Makop ransomware appends an extension built from a hexadecimal identifier and a contact e-mail address to each encrypted file, leaving certain system files and folders unencrypted so the system still boots.
  • The ransomware deletes volume shadow copies and the backup catalog to prevent recovery, and terminates multiple processes so that files they hold open can be encrypted.
  • Ransom notes carry the attacker's contact e-mail addresses (listed under Indicators of Compromise below), and the ransomware changes the desktop background after encryption.
  • Disabling RDP where it is not needed, or protecting it with strong, regularly changed passwords, is critical to preventing such attacks.
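
To make the RDP brute-force pattern above concrete, the following Python example (added here; not code from the ASEC report or from this page) runs two checks over constructed Windows Security event records: a sliding-window count of failed RDP logons (Event ID 4625, LogonType 10 = RemoteInteractive) per source address, and a successful RDP logon (Event ID 4624) from a flagged source shortly after its failures, which is the account to treat as compromised. The sample events, the 10-failures-in-5-minutes threshold and the 30-minute grace period are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive, i.e. an RDP session

# Constructed sample records shaped like the fields of Windows Security events
# 4625 (failed logon) and 4624 (successful logon): (time, event_id, account, src_ip, logon_type).
_SPRAY_ACCOUNTS = ["administrator", "admin", "administrator", "user", "test", "backup",
                   "administrator", "admin", "scan", "sqladmin", "backup", "guest"]
SAMPLE_EVENTS = [
    (f"2024-06-01T02:00:{2 * i + 1:02d}", 4625, acct, "203.0.113.7", RDP_LOGON_TYPE)
    for i, acct in enumerate(_SPRAY_ACCOUNTS)            # 12 failures in 23 seconds
] + [
    ("2024-06-01T02:01:40", 4624, "backup", "203.0.113.7", 10),  # a guess landed
    ("2024-06-01T08:30:00", 4625, "jdoe", "10.0.0.25", 10),      # user mistypes twice...
    ("2024-06-01T08:30:20", 4625, "jdoe", "10.0.0.25", 10),
    ("2024-06-01T08:31:00", 4624, "jdoe", "10.0.0.25", 10),      # ...then logs in normally
    ("2024-06-01T09:15:00", 4625, "svc_sql", "10.0.0.40", 2),    # interactive logon, not RDP
]


def parse_events(rows):
    """Turn (iso_time, event_id, account, src_ip, logon_type) tuples into dicts sorted by time."""
    events = [
        {"time": datetime.fromisoformat(t), "id": eid, "account": acct.lower(),
         "src": src, "logon_type": lt}
        for t, eid, acct, src, lt in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": n, "accounts": [...]}} for every source that produced
    at least `threshold` failed RDP logons inside any span of length `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE:
            fails[e["src"]].append(e)
    flagged = {}
    for src, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": len(evs),
                                "accounts": sorted({x["account"] for x in evs})}
                break
    return flagged


def successes_after_bruteforce(events, flagged, grace=timedelta(minutes=30)):
    """Return (account, src_ip, time) for successful RDP logons from a flagged source that
    occur within `grace` after that source's last failure: the likely compromised account."""
    last_fail = {}
    for e in events:  # events are time-sorted, so the last assignment wins
        if e["id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE and e["src"] in flagged:
            last_fail[e["src"]] = e["time"]
    hits = []
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE and e["src"] in last_fail:
            if timedelta(0) <= e["time"] - last_fail[e["src"]] <= grace:
                hits.append((e["account"], e["src"], e["time"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    flagged = rdp_bruteforce_sources(evs)
    for src, info in flagged.items():
        print(f"brute force from {src}: {info['failures']} failed RDP logons, "
              f"accounts tried: {', '.join(info['accounts'])}")
    for acct, src, when in successes_after_bruteforce(evs, flagged):
        print(f"ALERT: {acct} logged in over RDP from {src} at {when:%H:%M:%S} after the failures")
```

The second check is the one worth paging someone for: a burst of 4625 events is noise on any Internet-facing host, but a 4624 with LogonType 10 from the same address minutes later means a password was guessed and the Mimikatz stage described above is likely next. In a real deployment the threshold should be tuned per host, and the same logic applies to NLA failures logged under Event ID 4776 on the domain controller.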

MITRE Techniques

  • [T1076] Remote Desktop Protocol (retired ID; now [T1021.001] Remote Services: Remote Desktop Protocol) – Used as the initial access vector by scanning for and brute forcing RDP-enabled systems (“…the fact that the threat actors use ransomware in GUI form, execute malware through the explorer process, and use RDP as an attack vector…”).
  • [T1110] Brute Force – Accounts are compromised through brute force and dictionary attacks against weak credentials on RDP services.
  • [T1003] OS Credential Dumping – Deployment of Mimikatz and NirSoft tools to extract system and network credentials (“…a Mimikatz command used by the threat actor to extract various credentials…”).
  • [T1083] File and Directory Discovery – Scanning the network after initial access to identify other hosts for lateral movement (host enumeration of this kind maps more precisely to [T1018] Remote System Discovery; T1083 covers file-system enumeration).
  • [T1486] Data Encrypted for Impact – Makop ransomware encrypts files using AES-256 and RSA-1024 and deletes backups (“…encrypts the entire system… deletes volume shadow and backup catalog…”).
  • [T1562] Impair Defenses – Terminates backup and database processes so the files they hold open can be encrypted (“…the following processes are terminated to encrypt more files…”); this maps more precisely to [T1489] Service Stop, and the shadow copy and backup catalog deletion to [T1490] Inhibit System Recovery.
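
The impact-stage behaviour in the list above can be checked for in process-creation and file-system telemetry. The Python example below is added here and is not code from the page or the ASEC report: it matches command lines against the standard Windows commands that remove shadow copies and the backup catalog (vssadmin delete shadows, wbadmin delete catalog, wmic shadowcopy delete; these are the usual commands for what the page describes, not commands quoted from the report), and it parses file names into the hexadecimal identifier and contact e-mail that the page says the appended extension carries. The bracketed `[id].[email].ext` layout, the `.makop` final extension and all sample records are assumptions; the e-mail address in the sample is one of the contact addresses from the IOC list below.

```python
import re

# Constructed process-creation records shaped like the (Image, CommandLine) fields of a
# Sysmon Event ID 1 or Security 4688 (with command-line auditing) record.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),   # benign admin query
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Standard Windows commands that delete shadow copies / the backup catalog (assumed set,
# not quoted from the report). Case-insensitive because cmd.exe is.
RECOVERY_TAMPERING = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def recovery_tampering(processes):
    """Return [(label, command_line)] for every process whose command line deletes
    shadow copies or the backup catalog; read-only uses such as 'list' are ignored."""
    hits = []
    for _image, cmdline in processes:
        for label, pattern in RECOVERY_TAMPERING:
            if pattern.search(cmdline):
                hits.append((label, cmdline))
                break
    return hits


# Encrypted-file name layout assumed from the page's description (hex id plus contact
# e-mail in the appended extension):  <original>.[<hex id>].[<email>].<ext>
MAKOP_NAME = re.compile(
    r"^(?P<orig>.+)\.\[(?P<id>[0-9A-Fa-f]{6,16})\]"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]\.(?P<ext>[A-Za-z0-9]{2,10})$"
)

# Constructed directory listing: one encrypted file, its untouched twin, a system file
# of the kind the ransomware skips, and a ransom note.
SAMPLE_FILES = [
    r"D:\finance\2024Q1.xlsx.[A1B2C3D4].[xueyuanjie@onionmail.org].makop",
    r"D:\finance\2024Q1.xlsx",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Users\kim\Desktop\readme-warning.txt",
]


def parse_makop_name(path):
    """Split an encrypted file name into original name, victim id, contact e-mail and
    extension, or return None when the name does not follow the layout."""
    m = MAKOP_NAME.match(path)
    return m.groupdict() if m else None


def encrypted_files(paths):
    """Return the parsed records for every path that matches the encrypted-file layout."""
    return [rec for rec in (parse_makop_name(p) for p in paths) if rec]


if __name__ == "__main__":
    for label, cmdline in recovery_tampering(SAMPLE_PROCESSES):
        print(f"recovery tampering ({label}): {cmdline}")
    for rec in encrypted_files(SAMPLE_FILES):
        print(f"encrypted: {rec['orig']}  id={rec['id']}  contact={rec['email']}  ext=.{rec['ext']}")
```

Matching on the command line alone misses a renamed copy of the binary; where Sysmon is available, also check the OriginalFileName field, which is taken from the PE version resource rather than the on-disk name. The parsed contact e-mail is what ties a renamed file back to the IOC list below, and the hexadecimal identifier is constant across one victim's files, so one parsed name is enough to build a file-system sweep for the rest.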

Indicators of Compromise

  • [File Paths] Locations of credential-stealing and ransomware executables – e.g., %USERPROFILE%\documents\air_visual.exe (Makop ransomware), %USERPROFILE%\documents\mimikmimikx64mimik.exe (Mimikatz tool; the inner path separators of this entry were lost in extraction).
  • [File Hashes] MD5 hashes linked to malware samples – 157a22689629ec876337f5f9409918d5, 1dfe0e65f3fb60ee4e46cf8125ad67ca, and others.
  • [Email Addresses] Contact emails in ransom notes – xueyuanjie@onionmail[.]org, xueyuanjie@mail2tor[.]com, xueyuanjie@exploit[.]im.


Read more: https://asec.ahnlab.com/en/89397/