Within two days of news that GandCrab 4.0 ransomware was being distributed by compromising websites disguised as download sites for cracked applications, a newer version (v4.1) was found using the same method, according to Fortinet’s FortiGuard Labs.
A distinction not seen in the previous version is that GandCrab now includes an additional network communication tactic, along with an unusually long hard-coded list of purportedly compromised websites to which it connects. “We found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab,” researchers wrote.
One binary reportedly carries a list of almost a thousand unique hosts. Upon connecting to each URL, the malware sends encrypted data about its victim, including the IP address, user name, computer name, network domain and a list of installed AV products.
“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes," said the researchers. "With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor."
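Whatever the purpose of that list, the behaviour described above, one infected machine posting to hundreds of distinct web hosts within a few minutes, is itself a usable detection signal. The following is an added example, not code from Fortinet's report or from the malware: a fan-out heuristic run over a constructed, generic proxy log. The log format, the five-minute window and the threshold of five distinct hosts are assumptions to be tuned per environment; the sample lines are constructed, not real GandCrab traffic. Response status is deliberately ignored, since attempts to dead hosts are part of the same pattern.

```python
"""Flag a source that fans out HTTP requests to many distinct hosts in a short window.

Added example (not from Fortinet's analysis). The proxy log format below is
constructed and generic; window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<iso-timestamp> <src_ip> <method> <url> <status>".
# 10.0.0.7 mimics the described behaviour (POSTs to six distinct hosts in seconds);
# 10.0.0.5 is ordinary browsing and must not alert.
SAMPLE_LOG = """\
2018-07-10T09:00:01 10.0.0.5 GET http://intranet.example.local/home 200
2018-07-10T09:00:12 10.0.0.7 POST http://site-a.example/page 200
2018-07-10T09:00:13 10.0.0.7 POST http://site-b.example/page 200
2018-07-10T09:00:13 10.0.0.7 POST http://site-c.example/page 404
2018-07-10T09:00:14 10.0.0.7 POST http://site-d.example/page 200
2018-07-10T09:00:15 10.0.0.7 POST http://site-e.example/page 500
2018-07-10T09:00:16 10.0.0.7 POST http://site-f.example/page 200
2018-07-10T09:05:00 10.0.0.5 GET http://mail.example.local/inbox 200
2018-07-10T09:20:00 10.0.0.7 POST http://site-g.example/page 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, method, host, status)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return datetime.fromisoformat(ts), src, method, urlparse(url).hostname, int(status)


def fan_out_alerts(log_text, window=timedelta(minutes=5), threshold=5, method="POST"):
    """Return {src_ip: set_of_hosts} for sources that send `method` requests to at
    least `threshold` distinct hosts inside any `window`-long span of time.
    Status codes are ignored on purpose: failed attempts count as fan-out too."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, meth, host, _status = rec
        if meth != method or host is None:
            continue
        events[src].append((ts, host))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-sorted events for this source.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[src] = alerts.get(src, set()) | hosts
    return alerts


if __name__ == "__main__":
    for src, hosts in fan_out_alerts(SAMPLE_LOG).items():
        print(f"{src}: {len(hosts)} distinct hosts in window -> {sorted(hosts)}")
```

On a real proxy log the threshold should sit well above what an update service or CDN-heavy web page produces; the point is the order of magnitude (hundreds of unrelated hosts from one endpoint in minutes), not the exact number.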
Reports this week alleging an “SMB exploit spreader” capability prompted the researchers, who had not observed any such functionality in their previous analysis, to re-examine the sample, particularly since the rumor suggested that this new version of GandCrab could self-propagate.
In the aftermath of global ransomware attacks, security experts fear such a threat. Their investigation found “a module that is now being called 'network f**ker' is supposed to be responsible for performing the said exploit...we could not find any actual function that resembles the reported exploit capability."
"We have provided this analysis to help prevent the possibility of unnecessary panic in the community," they wrote. "It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative."