1. Home
  2. Software
  3. MegaCortex

MegaCortex

MegaCortex is ransomware that first appeared in May 2019. [1] MegaCortex has mainly targeted industrial organizations. [2][3]

ID: S0576
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 17 February 2021
Last Modified: 26 April 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

MegaCortex can enable SeDebugPrivilege and adjust token privileges.[1]
Enterprise T1531 Account Access Removal

MegaCortex has changed user account passwords and logged users off the system.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

MegaCortex has used .cmd scripts on the victim's system.[1]

Enterprise T1486 Data Encrypted for Impact

MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.[1][4]
Enterprise T1140 Deobfuscate/Decode Files or Information

MegaCortex has used a Base64 key to decode its components.[1]
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

MegaCortex can wipe deleted data from all drives using cipher.exe.[1]
Enterprise T1083 File and Directory Discovery

MegaCortex can parse the available drives and directories to determine which files to encrypt.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

MegaCortex was used to kill endpoint security processes.[1]
Enterprise T1490 Inhibit System Recovery

MegaCortex has deleted volume shadow copies using vssadmin.exe.[1]
Enterprise T1112 Modify Registry

MegaCortex has added entries to the Registry for ransom contact information.[1]
Enterprise T1106 Native API

After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.[1]
Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.[1]
Enterprise T1489 Service Stop

MegaCortex can stop and disable services on the system.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

MegaCortex has used rundll32.exe to load a DLL for file encryption.[1]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1]

References

  1. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  2. Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.
  1. Brubaker, N. Zafra, D. K. Lunden, K. Proska, K. Hildebrandt, C.. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved February 15, 2021.
  2. ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.