Kaspersky Lab specialists have discovered two new ransomware groups whose malware can attack different operating systems without resorting to cross-platform languages. Experts had previously noted that ransomware authors were building out cross-platform capabilities, but this time the malware is written in ordinary, single-platform languages and is nevertheless capable of attacking different systems.
The first of the new groups uses the RedAlert malware (aka N13V), written in C. The second, discovered in July 2022, uses Monster, written in Delphi.
A distinctive feature of Monster is that it ships with a GUI (graphical user interface). The researchers note that no ransomware family has introduced such a component before; Monster's authors expose it through an additional command-line parameter.
The rest of the malware is fairly typical: it uses RSA + AES, and multiple threads are used to speed up encryption and decryption.
The company's report also states that the attackers use so-called 1-day exploits in their attacks on Windows (versions 7 through 11). Unlike 0-day exploits, these target vulnerabilities for which patches have recently been released. One example is CVE-2022-24521 (a pointer dereference in the CLFS driver), which allows an attacker to gain system privileges on an infected device. Two weeks after the patch for this flaw was released, the attackers had developed two new exploits supporting different versions of Windows.