FBI Flash Alerts on MSIL/Samas.A Ransomware and Indicators of Compromise

The following documents were obtained from the public website of a data security company.

FBI MSIL/Samas.A Ransomware Flash Alerts

Page Count: 6 pages
Date: March 25, 2016
Restriction: TLP: GREEN
Originating Organization: Federal Bureau of Investigation, Cyber Divison
File Type: zip
File Size: 775,199 bytes
File Hash (SHA-256): AFF6B13256C8E0FE9A67F2F2E80C5AB337AF95F018104BA5CBC15FD093A1D8A9

Download File

File Contents

  • FBI Flash Alert MC-000068-MW, February 18, 2016
  • FBI Flash Alert MC-000070-MW, March 25, 2016
  • Samas Indicators of Compromise

The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.

FBI indicators based on an ongoing investigation:

The JexBoss tool, publicly available on GitHub.com, prompts attackers to input the target URL for JexBoss to check for any of three vulnerable JBoss services: web-console, jmx-console, and JMXInvokerServlet. Depending on which vulnerabilities are detected, the tool then prompts the user to initiate corresponding exploits. The tool’s exploits are collectively effective against JBoss versions 4, 5, and 6. The payload of each exploit is a Web application Archive (.war) file, “jbossass.war”. A successful exploit results in unpackaging the .war file and utilizing jbossass.jsp to deploy an HTTP shell for the attacker.

Following initial infection of the network with MSIL/Samas.A, the actor(s) connect via RDP sessions. An open source tool, known as reGeorg, is used to tunnel the RDP traffic over the established HTTP connection. The actors use the Microsoft tool csvde.exe to determine the hosts reporting to the active directory. A list of all hosts found in the directory is compiled into a .csv file or other similar file type. Finally, the actor(s) distribute the ransomware to each host in the network using a copy of Microsoft’s psexec.exe.

Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
• Ensure anti-virus software is up-to-date.
• Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
• Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
• Only download software – especially free software – from sites you know and trust.
• Enable automated patches for your operating system and Web browser.

Share this: