Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.
Seems it's a new version of Mobef (or maybe not even a new version, just a new note). Note that most of Mobef victims we seen in past year also were from Italy.
For this, we only seen victims from Italy till now. 1st on 16th this month.
The above sample also seen from Italy…
— MalwareHunterTeam (@malwrhunterteam) February 24, 2018
Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.
The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.
After the execution, the ransomware creates three files:
Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.
It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.
A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.
Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.
You can download the full ZLAB Malware Analysis Report at the following URL: