AhnLab’s research revealed a ransomware campaign they referred to as “TZW”, with victims in South Korea. The name is derived from the first three characters of the Tor-based victim portal. A closer look suggests that the “TZW” samples represent a new variant of the GlobeImposter family.
The “GlobeImposter” malware family is known for its ability to plant its own Tor hidden service and encrypt files if the victims pay the ransom. The leaks revealed that this group is constantly evolving, and now an additional discovery shows that they are branching out to other countries.
GlobeImposter was first documented in 2016 by Symantec, which discovered a large campaign using a variety of malware samples, including an exploit pack and a RAT with exploits against Adobe Reader and Flash Player.
AhnLab expanded their research in 2017 to 14 campaigns, which are likely related to the same criminal entity. This group continued to develop its attack series through the use of various ransomware samples, which were first observed in 2014, namely “GroveLocker”, “Gpcode.A”, “TorrentLocker 2.0”, and “FileShack-Piercing”. The payload of this malware family is a dropper [MSIL] that downloads a Tor hidden service and then creates a second hidden service. The second Tor hidden service is used by the malware to fetch the final payload from an attacker-controlled server over HTTP.
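The two-stage hidden-service fetch described above leaves a footprint that a defender can look for in outbound proxy logs: HTTP requests to `.onion` destinations and connections to a local Tor SOCKS port. The script below is an added example written for this page, not code from AhnLab or from the original article; the log format, host names and sample lines are constructed for illustration, and the only real values it relies on are the `.onion` suffix and the default Tor SOCKS ports 9050 (tor daemon) and 9150 (Tor Browser).

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (invented for this example, not from the
# page or any real incident). Fields: timestamp, source host, destination host,
# destination port, HTTP method, request path.
SAMPLE_LOG = """\
2023-02-01T09:14:02Z ws-017 update.example-cdn.test 443 GET /ver.json
2023-02-01T09:14:05Z ws-017 abcdefghijklmnop.onion 80 GET /stage2.bin
2023-02-01T09:14:09Z ws-017 127.0.0.1 9050 CONNECT -
2023-02-01T09:15:30Z ws-042 intranet.corp.test 80 GET /index.html
2023-02-01T09:16:11Z ws-017 qrstuvwxyz123456.onion 80 GET /payload
"""

ONION_RE = re.compile(r"\.onion$", re.IGNORECASE)
# Default local SOCKS ports of the tor daemon (9050) and Tor Browser (9150).
TOR_SOCKS_PORTS = {9050, 9150}


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, port, method, path = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port,
            "method": method, "path": path}


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    if ONION_RE.search(entry["dst"]):
        reasons.append("request to Tor hidden service (.onion)")
    if entry["port"] in TOR_SOCKS_PORTS and entry["dst"].startswith("127."):
        reasons.append("connection to local Tor SOCKS port")
    return reasons


def detect(log_text):
    """Map each source host to its list of (reason, entry) findings."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            findings[entry["src"]].append((reason, entry))
    return dict(findings)


def staged_fetch_hosts(findings):
    """Hosts that fetched from two or more distinct .onion services, matching
    the one-hidden-service-leads-to-another pattern described in the text."""
    result = []
    for src, items in sorted(findings.items()):
        onions = {e["dst"] for _, e in items if ONION_RE.search(e["dst"])}
        if len(onions) >= 2:
            result.append(src)
    return result


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for src, items in found.items():
        for reason, e in items:
            print(f"{e['ts']} {src} -> {e['dst']}:{e['port']} {e['path']}  [{reason}]")
    print("hosts showing staged hidden-service fetches:", staged_fetch_hosts(found))
```

Running it on the constructed sample flags three events on `ws-017` (two `.onion` requests and one connection to the local SOCKS port) and nothing on `ws-042`; the `staged_fetch_hosts` check then singles out the host that touched more than one hidden service, which is the behaviour worth escalating rather than any single Tor connection on its own.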