Security researchers at Trend Micro have discovered a new ransomware family, which they named Mimic. The malware abuses the API of a third-party Windows file-search tool called "Everything".
The malware was first observed by the researchers in June 2022. It appears to be aimed mainly at English- and Russian-speaking users, and part of its code resembles the Conti ransomware.
A Mimic attack begins when the victim receives an executable file, presumably by e-mail. This file drops four more files onto the target system: the main payload, auxiliary files, and tools for disabling Windows Defender.
Figure: files that Mimic leaves on a compromised system
Mimic has the following capabilities:
- collecting system information;
- bypassing User Account Control (UAC);
- disabling Windows Defender;
- disabling Windows telemetry;
- activating measures that protect the malware from being stopped or removed;
- mounting virtual drives;
- terminating processes and services;
- preventing the system from sleeping or shutting down;
- removing indicators of compromise;
- hindering system recovery.
This extensive set of malicious actions is achieved by shutting down certain Windows system processes. In doing so the malware weakens the system's defences and speeds up encryption.
"Everything" is a popular file-search tool for Windows developed by Voidtools. The utility is lightweight and fast, uses minimal system resources, and lets users find files and folders almost instantly by name, size, date, attributes and so on.
Mimic uses Everything through the Everything32.dll file, which is extracted during the infection stage. The malware needs this file to enumerate the names and extensions of files on the compromised system.
Everything helps Mimic find the user files it can encrypt while avoiding system files, because locking those would leave the machine unable to boot after a restart.
Figure: Mimic function that uses the Everything API
Files encrypted by Mimic receive the extension ".quietPlace". The ransomware also places a ransom note on the desktop, which lists the attackers' demands and explains how to recover the data once the ransom has been paid to a cryptocurrency wallet.
Figure: Mimic ransom note
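The two observable traces described above (the dropped Everything32.dll and the ".quietPlace" extension on encrypted files) can be turned into a simple host-side sweep. The following Python script is an added example, not code from the article or from Trend Micro; the allow-list of legitimate Everything install directories and the sample directory tree it builds are constructed assumptions for offline testing.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the ".quietPlace"
# extension, and the dropper extracts Everything32.dll during infection.
RANSOM_EXT = ".quietplace"
EVERYTHING_DLL = "everything32.dll"
# Hypothetical allow-list: directories where a legitimate Everything install
# would normally keep its DLL. Anywhere else is treated as suspicious.
LEGIT_EVERYTHING_DIRS = {
    r"c:\program files\everything",
    r"c:\program files (x86)\everything",
}

def scan_tree(root):
    """Walk root and return a list of (indicator, path) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(RANSOM_EXT):
                findings.append(("encrypted_file", full))
            elif lower == EVERYTHING_DLL and dirpath.lower() not in LEGIT_EVERYTHING_DIRS:
                findings.append(("everything_dll_outside_install", full))
    return findings

def summarize(findings):
    """Count findings per indicator type, e.g. {'encrypted_file': 2}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def build_sample_tree():
    """Constructed sample tree for testing; contents are placeholders, not malware."""
    root = tempfile.mkdtemp()
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / "report.docx.quietPlace").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.quietPlace").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched")
    temp = Path(root, "Users", "alice", "AppData", "Local", "Temp")
    temp.mkdir(parents=True)
    (temp / "Everything32.dll").write_bytes(b"MZ")  # placeholder bytes, not the real DLL
    return root

if __name__ == "__main__":
    for kind, path in scan_tree(build_sample_tree()):
        print(kind, path)
```

The DLL check is a heuristic: a user who has installed Everything elsewhere will trigger it, so treat that finding as a prompt to inspect, not as proof of infection.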
Mimic is thus a new ransomware family that builds on Conti's work and the Everything API. This approach shows that its authors are competent software developers who clearly understand how to achieve their goals.