"The new Hive variant uses string encryption that can make it more evasive," the researchers wrote, referring to the malware's executable. The strings sit in its .rdata section "and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection."

Hive now also includes features to stop security services and processes, such as Microsoft Defender Antivirus, that might otherwise slow the attack chain.

The data encryption mechanism in the variant is also significant, the researchers wrote. It uses a fresh set of algorithms: Elliptic Curve Diffie-Hellman with Curve25519 and XChaCha20-Poly1305, which provides authenticated encryption with a ChaCha20 symmetric cipher.

Hive's method is unique, according to MSTIC. "Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with [...]" To indicate which key was used, the name of the file containing the corresponding encryption key is added to the name of the encrypted file on disk.

Likewise, the variant's command-line interface hinders analysis by threat hunters, to a degree. In previous strains, the username and password used to access the Hive ransom payment site were embedded in the executable. In the latest variant, those credentials must be supplied on the command line via a particular parameter, keeping analysts from obtaining them from samples of the code. That is to say, the username and password are specified by the miscreants when they run Hive on a victim's machine, and are then included in the generated ransom note. If an analyst gets a sample executable by itself, they won't know how to access the ransom site and nose around it.

Command-line parameters give attackers flexibility when running the payload by adding or removing functionality. MSTIC researchers found a range of supported parameters across different samples in the latest variant. "Overall, it appears different versions have different parameters that are constantly updated," they wrote. "Unlike in previous variants where there was a 'help' menu, in the new variant, the attacker must know the parameters beforehand."
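The XOR string scheme described above, modelled as an added example. This is illustrative code written for this page, not Hive's code or MSTIC's tooling. It assumes each string is XORed with a 4-byte little-endian constant repeated over its length and is referenced by an (offset, length, constant) table; the page only says strings are XORed with constants that can differ between samples, so the width, endianness, table layout, the sample strings and the constants here are all constructed. It shows why a byte signature on the encrypted bytes breaks across samples while the decrypted strings stay stable, and how to recover a string's constant by crib dragging when the table has not yet been lifted from the decrypt routine.

```python
import string
import struct


# Constructed model, not Hive's layout: a 4-byte little-endian constant XORed
# cyclically over each string. Width and endianness are assumptions.
def xor_with_constant(data: bytes, const: int) -> bytes:
    """XOR data with a 4-byte LE constant repeated over its length (self-inverse)."""
    key = struct.pack("<I", const)
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def build_sample(strings, constants):
    """Lay the encrypted strings out back to back, as if in .rdata.
    Returns (rdata, table); table holds (offset, length, constant) per string,
    standing in for what an analyst lifts from the decrypt routine."""
    rdata, table = bytearray(), []
    for s, c in zip(strings, constants):
        enc = xor_with_constant(s.encode(), c)
        table.append((len(rdata), len(enc), c))
        rdata += enc
    return bytes(rdata), table


def decrypt_strings(rdata: bytes, table):
    """Runtime-style decryption given the recovered table."""
    return [xor_with_constant(rdata[off:off + n], c).decode() for off, n, c in table]


def signature_hits(rdata: bytes, pattern: bytes) -> bool:
    """The brittle approach: match encrypted bytes lifted from one sample."""
    return pattern in rdata


PRINTABLE = set(string.printable.encode())


def crib_drag(rdata: bytes, crib: bytes):
    """Recover (offset, constant, text) wherever `crib` decrypts cleanly.

    The first four crib bytes fix the candidate constant at each offset; the rest
    of the crib must agree with it. If the crib starts mid-string, the recovered
    constant is the table constant rotated by (offset within string) mod 4, which
    still decrypts correctly from that offset onward. `text` is the printable run
    decrypted from the hit forward, so it can run past the string's true end."""
    assert len(crib) > 4, "a crib no longer than the constant cannot confirm a hit"
    hits = []
    for off in range(len(rdata) - len(crib) + 1):
        chunk = rdata[off:off + len(crib)]
        const = struct.unpack("<I", bytes(a ^ b for a, b in zip(chunk[:4], crib[:4])))[0]
        if xor_with_constant(chunk, const) != crib:
            continue
        text = bytearray()
        for b in xor_with_constant(rdata[off:], const):
            if b not in PRINTABLE:
                break
            text.append(b)
        hits.append((off, const, text.decode()))
    return hits


# Constructed sample content; none of these are Hive indicators.
STRINGS = ["FindFirstFileW", "vssadmin.exe delete shadows /all /quiet", "ransom_note.txt"]
CONSTANTS_A = [0x11223344, 0xA5A5A5A5, 0x0F0F0F0F]
CONSTANTS_B = [0x99887766, 0xA5A5A5A5, 0x13572468]   # middle constant unchanged: they "sometimes" differ


def compare_samples():
    """A signature on sample A's encrypted bytes misses sample B, yet both
    samples decrypt to the same strings."""
    a_rdata, a_table = build_sample(STRINGS, CONSTANTS_A)
    b_rdata, b_table = build_sample(STRINGS, CONSTANTS_B)
    off, n, _ = a_table[0]
    sig = a_rdata[off:off + n]          # "signature" lifted from sample A's first string
    return {
        "sig_hits_a": signature_hits(a_rdata, sig),
        "sig_hits_b": signature_hits(b_rdata, sig),
        "same_plaintext": decrypt_strings(a_rdata, a_table) == decrypt_strings(b_rdata, b_table),
    }


if __name__ == "__main__":
    print(compare_samples())
    rdata, table = build_sample(STRINGS, CONSTANTS_B)
    for off, const, text in crib_drag(rdata, b"note.txt"):
        print(f"hit at {off}: constant 0x{const:08x} -> {text!r}")
```

The practical reading: write detection on what the decrypt routine produces (the recovered strings, or the routine's own code), not on the encrypted bytes or the constants, since the same plaintext yields different bytes as soon as the constant is changed.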
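The key-handling scheme described above (two key sets generated in memory, files encrypted with them, the sets then encrypted and written to the drive root, and the key file's name appended to each encrypted file's name), as an added example written for this page. It is not Hive's code, and none of the names or formats are taken from a sample. It assumes the `cryptography` package; IETF ChaCha20-Poly1305 with a 96-bit nonce standing in for XChaCha20-Poly1305, which that package does not expose; HKDF-SHA256 to turn the X25519 shared secret into a wrapping key (the page does not say how the key sets are encrypted); eight keys per set; and the `k1`/`k2` set names with the `path.k1` and `/k1.key` naming. The `demo()` round trip also shows why the wrapped key files on disk are of no use to an analyst: they open only with the attacker's X25519 private key.

```python
import os
import struct

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

KEYS_PER_SET = 8   # assumption; the page does not give the number of keys per set
KEY_LEN = 32
NONCE_LEN = 12     # IETF ChaCha20-Poly1305 nonce; XChaCha20-Poly1305 would use 24 bytes
HDR_LEN = 2 + NONCE_LEN


class KeySet:
    """One set of file keys. Two such sets are generated in memory per run."""
    def __init__(self, name: str, keys=None):
        self.name = name   # reused as the key file's name at the drive root
        self.keys = keys if keys is not None else [ChaCha20Poly1305.generate_key() for _ in range(KEYS_PER_SET)]

    def serialize(self) -> bytes:
        return b"".join(self.keys)


def _kek(shared_secret: bytes) -> bytes:
    """Assumed KDF: HKDF-SHA256 over the X25519 shared secret (not stated on the page)."""
    return HKDF(hashes.SHA256(), 32, None, b"keyset-wrap").derive(shared_secret)


def wrap_keyset(ks: KeySet, attacker_pub: X25519PublicKey) -> bytes:
    """Encrypt the whole key set to the attacker's public key: ephemeral X25519 + AEAD.
    Only the holder of the attacker's private key can recover the file keys."""
    eph = X25519PrivateKey.generate()
    nonce = os.urandom(NONCE_LEN)
    eph_pub = eph.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    ct = ChaCha20Poly1305(_kek(eph.exchange(attacker_pub))).encrypt(nonce, ks.serialize(), ks.name.encode())
    return eph_pub + nonce + ct


def unwrap_keyset(name: str, blob: bytes, attacker_priv: X25519PrivateKey) -> KeySet:
    eph_pub = X25519PublicKey.from_public_bytes(blob[:32])
    nonce, ct = blob[32:32 + NONCE_LEN], blob[32 + NONCE_LEN:]
    raw = ChaCha20Poly1305(_kek(attacker_priv.exchange(eph_pub))).decrypt(nonce, ct, name.encode())
    return KeySet(name, [raw[i:i + KEY_LEN] for i in range(0, len(raw), KEY_LEN)])


def encrypt_file(ks: KeySet, key_index: int, plaintext: bytes) -> bytes:
    """Per file: the index of the key used is kept in an authenticated header."""
    header = struct.pack("<H", key_index) + os.urandom(NONCE_LEN)
    return header + ChaCha20Poly1305(ks.keys[key_index]).encrypt(header[2:], plaintext, header)


def decrypt_file(ks: KeySet, blob: bytes) -> bytes:
    header, ct = blob[:HDR_LEN], blob[HDR_LEN:]
    (idx,) = struct.unpack("<H", header[:2])
    return ChaCha20Poly1305(ks.keys[idx]).decrypt(header[2:], ct, header)


def encrypt_drive(files: dict, attacker_pub: X25519PublicKey) -> dict:
    """One run over an in-memory 'drive' (path -> bytes). Returns the post-run drive."""
    keysets = [KeySet("k1"), KeySet("k2")]                 # two sets generated in memory
    drive = {}
    for i, (path, data) in enumerate(sorted(files.items())):
        ks = keysets[i % len(keysets)]
        drive[f"{path}.{ks.name}"] = encrypt_file(ks, i % KEYS_PER_SET, data)  # key-file name appended
    for ks in keysets:                                     # key sets reach disk only in wrapped form
        drive[f"/{ks.name}.key"] = wrap_keyset(ks, attacker_pub)
    return drive


def decrypt_drive(drive: dict, attacker_priv: X25519PrivateKey) -> dict:
    """Decryptor side: unwrap the root key files, then route each file by its name suffix."""
    key_files = {n for n in drive if n.startswith("/") and n.endswith(".key")}
    keysets = {n[1:-4]: unwrap_keyset(n[1:-4], drive[n], attacker_priv) for n in key_files}
    recovered = {}
    for name, blob in drive.items():
        if name in key_files:
            continue
        path, ks_name = name.rsplit(".", 1)
        recovered[path] = decrypt_file(keysets[ks_name], blob)
    return recovered


def demo() -> dict:
    """Round trip on constructed sample files, plus a tamper check on one ciphertext."""
    files = {"docs/blob.bin": bytes(range(256)), "docs/report.txt": b"quarterly numbers", "empty.txt": b""}
    attacker_priv = X25519PrivateKey.generate()
    drive = encrypt_drive(files, attacker_priv.public_key())
    tampered = dict(drive)
    tampered["empty.txt.k1"] = tampered["empty.txt.k1"][:-1] + bytes([tampered["empty.txt.k1"][-1] ^ 1])
    try:
        decrypt_drive(tampered, attacker_priv)
        tamper_detected = False
    except Exception:          # cryptography raises InvalidTag on a bad Poly1305 tag
        tamper_detected = True
    return {
        "key_files": sorted(n for n in drive if n.endswith(".key")),
        "encrypted_names": sorted(n for n in drive if not n.endswith(".key")),
        "round_trip": decrypt_drive(drive, attacker_priv) == files,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the round trip makes concrete: the per-file key index and nonce travel in an authenticated header, so a modified file fails to decrypt rather than decrypting to garbage, and the only long-term secret in the whole scheme is the attacker's X25519 private key, which never touches the victim's machine.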