It first made an appearance near the start of the year but it wasn’t widely employed by hackers, and as such, it was barely a blip on the radar.
That changed on May 1st of this year, according to the UK digital security company Sophos, which detected a massive usage spike.
Since the start of the year, there have been 76 MegaCortex attacks, with 47 of them occurring since the first of May. This may be an indication that the group behind the software is gearing up for a large-scale assault. So far, corporate networks in France, Italy, the Netherlands, Ireland, Canada, and the United States have been targeted.
Organizations that have fallen victim to MegaCortex report that the attacks come from a compromised domain controller, which the hackers likely seized via stolen credentials.
Andrew Brandt, of Sophos, had this to say about the matter:
“The attacker issues commands via the compromised DC, which the attacker is remotely accessing using the reverse shell. The DC uses WMI to push the malware – a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file – to the rest of the computers on the network that it can reach, and then runs the batch file remotely via PsExec.”
It’s a cunning, well-designed piece of software that terminates 44 different processes and 189 different services. It disables 194 other services in a bid to prevent anything from stopping its spread.
To counter this newly emergent threat, Sophos recommends putting any machine on your corporate network that uses RDP behind a VPN and enabling two-factor authentication for all admin passwords.
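The Sophos description above has PsExec pushed to machines under the name rstwg.exe. As an added example (not from Sophos or the original article), the Python code below flags that pattern in Sysmon-style process-creation events by comparing the on-disk image name with the OriginalFileName field, then groups the remote targets by source host. The sample events, host names, paths and batch file name are constructed, and the `psexec.c` value is an assumption about PsExec's version resource.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: PsExec's version resource reports this OriginalFileName, which
# Sysmon records in process-creation events (Event ID 1).
PSEXEC_ORIGINAL = "psexec.c"
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
TARGET_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)")    # \\HOST argument
BATCH_RE = re.compile(r"\S+\.(?:bat|cmd)\b", re.I)  # batch file argument

def find_renamed_psexec(events):
    """Return one finding per event where PsExec runs under another file name."""
    findings = []
    for ev in events:
        if ev.get("OriginalFileName", "").lower() != PSEXEC_ORIGINAL:
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in PSEXEC_NAMES:
            continue  # PsExec under its own name is not the pattern looked for here
        cmd = ev.get("CommandLine", "")
        batch = BATCH_RE.search(cmd)
        findings.append({
            "source": ev.get("Computer", "?"),
            "image": image,
            "targets": sorted({t.upper() for t in TARGET_RE.findall(cmd)}),
            "batch": batch.group(0) if batch else None,
        })
    return findings

def fan_out(findings):
    """Map each source host to the set of remote hosts it ran commands on."""
    spread = defaultdict(set)
    for f in findings:
        spread[f["source"]].update(f["targets"])
    return dict(spread)

# Constructed events: Sysmon Event ID 1 field names, made-up hosts, paths and batch name.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "Image": r"C:\Windows\Temp\rstwg.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"rstwg.exe \\WS-014 C:\Windows\Temp\stage.bat"},
    {"Computer": "DC01", "Image": r"C:\Windows\Temp\rstwg.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"rstwg.exe \\WS-015 C:\Windows\Temp\stage.bat"},
    {"Computer": "ADMIN-PC", "Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"PsExec.exe \\SRV-02 ipconfig"},
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]
```

Calling `fan_out(find_renamed_psexec(SAMPLE_EVENTS))` on the constructed events reports DC01 as the only source, with two workstations as targets; a domain controller appearing as the source of a renamed PsExec is the situation the quote describes.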