Scarab ransomware is distributed to targets through phishing emails being served by the Necurs botnet. The malicious code arrives disguised as a scanned image or similarly plausible file attachment. Its goal: to entice unsuspecting targets to click the file and trigger the attack.
VIDEO: Cylance vs. Scarab Ransomware
Scarab Burrows In
Within the attachment lies a VBS downloader that fetches the ransomware payload.
Scarab nests in the system registry where it hides from traditional security software. It launches a Microsoft HTA application which then executes a script that hooks Scarab into the following Windows registry key:
Figure 2: mshta.exe executes a script that hooks Scarab into HKEY_LOCAL_MACHINE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
After hooking itself into the Windows registry, Scarab calls another script to erase its tracks. It uses the same trick, launching a Microsoft HTA application which executes the script:
Figure 3: One simple call to DeleteFile and this culprit will be well hidden in your infrastructure
Once embedded in your system, Scarab goes on the offensive. It crawls through the target system encrypting personal files and appending the extension support(at)protonmail(dot)com(dot)scarab to each one.
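The chain described above (VBS downloader, mshta.exe hooking RunOnce, DeleteFile clean-up, files renamed with the .scarab suffix) expressed as simple hunting rules, run over constructed Sysmon-style events. This is an added detection example, not Cylance's code or part of the original post; the event schema, file names and payload path are assumptions.

```python
from collections import Counter
import ntpath

# Constructed Sysmon-style records (hypothetical sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater"},
    {"type": "file_delete", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\victim\AppData\Local\Temp\stage1.vbs"},
    {"type": "file_rename", "image": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "target": r"C:\Users\victim\Documents\q3.xlsx.support@protonmail.com.scarab"},
    {"type": "file_rename", "image": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "target": r"C:\Users\victim\Pictures\cat.jpg.support@protonmail.com.scarab"},
    # Benign noise: an admin edits the ordinary Run key, not RunOnce, from regedit.
    {"type": "registry", "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUNONCE = "\\microsoft\\windows\\currentversion\\runonce\\"

def basename(path):
    """Lower-cased file name of a Windows path (works off-Windows via ntpath)."""
    return ntpath.basename(path).lower()

def classify(ev):
    """Map one event to a stage of the Scarab chain, or None if it matches nothing."""
    image = basename(ev.get("image", ""))
    if ev["type"] == "process" and image == "mshta.exe" \
            and basename(ev.get("parent", "")) in SCRIPT_HOSTS:
        return "vbs_launches_hta"       # VBS downloader spawns mshta.exe
    if ev["type"] == "registry" and image == "mshta.exe" \
            and RUNONCE in ev["target"].lower():
        return "runonce_persistence"    # HTA script hooks the RunOnce key
    if ev["type"] == "file_delete" and image == "mshta.exe":
        return "track_erasure"          # DeleteFile on the dropper
    if ev["type"] == "file_rename" and ev["target"].lower().endswith(".scarab"):
        return "scarab_extension"       # encrypted file gets the .scarab suffix
    return None

def hunt(events):
    """Count the stages seen; the verdict fires on persistence plus encryption."""
    stages = Counter(s for s in map(classify, events) if s)
    confirmed = stages["runonce_persistence"] > 0 and stages["scarab_extension"] > 0
    return {"stages": dict(stages), "scarab_chain": confirmed}

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The Run-key event is deliberately left unmatched so the RunOnce rule does not fire on routine administration.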
The following ransom note displays once the files are hostage:
Figure 4: If you see this note, SCARAB has won.
With Script Control enabled, CylancePROTECT prevents the VBS downloader script from downloading the payload, as seen below:
Figure 5: Scarab never had a chance against CylancePROTECT.
Even without Script Control enabled, the payload – should it find its way into the environment – is quarantined prior to execution:
Indicators of Compromise (IOCs)
Malware Harvesting Websites: [miamirecyclecenters].[com]/JHgd476
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog