
Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server

Trend Micro recently found a new ransomware family, dubbed HavanaCrypt, that disguises itself as a legitimate Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to evade detection.

Infection Chain

When a victim executes the malicious Google Software Update installer, it downloads another file named "GoogleUpdateSetup_6-0-5.msi". This file is a legitimate Windows installer used to install and update Google programs such as Google Chrome. Downloaded from the genuine Google Chrome download page, it is digitally signed by Google; the copy delivered here, which carries the malicious payload, is not signed.

The file name displayed is "Google Update.exe", but running it launches a newly developed program named "GOGO-Google Update Application". This first-stage installer also checks whether the user is using Google Chrome or Firefox. If it detects a user who has enabled automatic updates in Google Chrome, it displays a message advising the user to enable automatic updates for one of those browsers.

Once the malware has run, it downloads a second-stage executable named "unins000.exe" and executes it. This file is also a Windows installer; it copies an executable of the same name, stored inside a ".dat" resource, to the path "\Windows\System32\rundll32.exe". That executable is another Windows installer with the purpose already mentioned: installing legitimate Google programs such as Google Chrome or Mozilla Firefox.
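The two observable points in the chain above are a file named like Google's updater that Google did not sign, and an installer that writes an executable into \Windows\System32. The following triage rules are an added example written for this page, not code from Trend Micro, AlienVault or the HavanaCrypt research; the file-write records, the signer strings ("Google LLC", "Microsoft Windows") and the allow-by-Microsoft-signer heuristic for System32 writes are constructed assumptions standing in for what an endpoint agent or Get-AuthenticodeSignature would report.

```python
"""Triage rules for the two HavanaCrypt first-stage indicators described above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed file-write record modelled on what an EDR agent or
# Get-AuthenticodeSignature would report; not real telemetry.
@dataclass
class FileEvent:
    path: str                     # full path of the written file
    writer: str                   # image name of the process that wrote it
    file_signer: Optional[str]    # Authenticode subject of the written file, None if unsigned
    writer_signer: Optional[str]  # Authenticode subject of the writing process, None if unsigned


# "Google Update.exe" and "GoogleUpdateSetup_6-0-5.msi" are the names the page reports.
GOOGLE_UPDATE_NAME = re.compile(r"google ?update", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def unsigned_google_update_lure(ev: FileEvent) -> bool:
    """Rule 1: a file named like Google's updater that Google did not sign.
    The genuine installer carries a Google signature; the HavanaCrypt copy carries none."""
    if not GOOGLE_UPDATE_NAME.search(basename(ev.path)):
        return False
    return ev.file_signer is None or "google" not in ev.file_signer.lower()


def foreign_write_into_system32(ev: FileEvent) -> bool:
    """Rule 2: a process that Microsoft did not sign drops a file into \\Windows\\System32.
    Covers the page's second stage (unins000.exe writing rundll32.exe there).
    Treating any Microsoft-signed writer as benign is a simplifying assumption for this example."""
    if not SYSTEM32_DIR.match(ev.path):
        return False
    return ev.writer_signer is None or "microsoft" not in ev.writer_signer.lower()


def triage(events: List[FileEvent]) -> List[Tuple[str, str]]:
    """Return (path, rule) pairs for every event that trips a rule, in input order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if unsigned_google_update_lure(ev):
            hits.append((ev.path, "unsigned-google-update-lure"))
        if foreign_write_into_system32(ev):
            hits.append((ev.path, "foreign-write-into-system32"))
    return hits


# Constructed sample: one genuine download, the two stages from the page,
# and a routine Windows servicing write that must not alert.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\Downloads\GoogleUpdateSetup.msi", "chrome.exe", "Google LLC", "Google LLC"),
    FileEvent(r"C:\Users\alice\Downloads\Google Update.exe", "msedge.exe", None, "Microsoft Corporation"),
    FileEvent(r"C:\Windows\System32\rundll32.exe", "unins000.exe", None, None),
    FileEvent(r"C:\Windows\System32\rundll32.exe", "TiWorker.exe", "Microsoft Windows", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, rule in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Run against the sample, only the unsigned "Google Update.exe" download and the unsigned installer's write into System32 are reported; the Google-signed installer and the Microsoft-signed servicing write pass. In production the signer fields would come from an actual signature check on the file, and the name pattern would be widened to whatever updater names the lure imitates in your environment.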

Source: Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server - AlienVault - Open Threat Exchange
