New Type of Ransomware “SophosEncrypt” Discovered by Researchers
On July 17, researchers from MalwareHunterTeam discovered a new ransomware strain called “SophosEncrypt”. It operates under the name of the well-known cybersecurity company Sophos.
It was initially assumed to be part of a red team exercise by Sophos. However, the Sophos X-Ops team quickly denied any involvement in the software and released a full report analysing the malicious program.
According to the researchers, SophosEncrypt follows the RaaS (ransomware-as-a-service) model and comes with a web-based control panel. The encryptor itself is written in Rust and uses the path “C:\Users\Dubinin” on Windows to store its libraries. This is why the researchers named it “SophosEncrypt”.
Image: icon of the encryptor's executable file
On launch, the encryptor prompts the operator (an affiliate with paid access to the program's infrastructure) to enter a token tied to the victim, probably obtained from the web panel.
Once a valid token is entered, the encryptor requests additional information for the encryption: an email address, a Jabber address, and a 32-character password that is used in the algorithm. The software then offers the operator the choice of encrypting selected files or the entire computer.
Encrypted files have the token, the email address, and the “.sophos” extension appended to their names. In every folder on the system, a ransom note named “Information.hta” is created and opened automatically once encryption completes. The desktop wallpaper is also changed to the Sophos logo, further discrediting the company.
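As an added defender-side illustration (not code from the article or from Sophos), the following Python sketch flags hosts that show the artefacts described above: a burst of files renamed with the “.sophos” extension and an “Information.hta” note. The event format and the exact layout of the renamed files are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-creation events ("timestamp host path"), not real telemetry.
# The layout <name>.<token>.<email>.sophos is an assumption: the article only says
# that the token, the e-mail address and the ".sophos" extension are appended.
SAMPLE_EVENTS = """
2023-07-17T10:00:01 ws-01 C:\\Users\\alice\\Documents\\report.docx.abc123.mail@example.com.sophos
2023-07-17T10:00:02 ws-01 C:\\Users\\alice\\Documents\\budget.xlsx.abc123.mail@example.com.sophos
2023-07-17T10:00:03 ws-01 C:\\Users\\alice\\Documents\\Information.hta
2023-07-17T10:00:04 ws-01 C:\\Users\\alice\\Pictures\\holiday.jpg.abc123.mail@example.com.sophos
2023-07-17T10:05:00 ws-02 C:\\Users\\bob\\Desktop\\notes.txt
2023-07-17T11:00:00 ws-02 C:\\Users\\bob\\Desktop\\sophos.txt
"""

ENCRYPTED_NAME = re.compile(r"\.[^\\/]+@[^\\/]+\.sophos$", re.IGNORECASE)
NOTE_NAME = "information.hta"


def parse_events(text):
    """Parse 'timestamp host path' lines into (datetime, host, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, path = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, path))
    return events


def detect(events, min_files=3, window=timedelta(minutes=5)):
    """Return {host: [reasons]} for hosts showing SophosEncrypt-style activity:
    a burst of '.sophos' files created inside `window`, or a note drop."""
    encrypted_times = defaultdict(list)
    note_paths = defaultdict(list)
    for ts, host, path in events:
        name = path.rsplit("\\", 1)[-1]
        if ENCRYPTED_NAME.search(name):
            encrypted_times[host].append(ts)
        elif name.lower() == NOTE_NAME:
            note_paths[host].append(path)
    alerts = defaultdict(list)
    for host, times in encrypted_times.items():
        times.sort()
        # sliding window: any `min_files` encrypted files created within `window`
        for i in range(len(times) - min_files + 1):
            if times[i + min_files - 1] - times[i] <= window:
                alerts[host].append(f"{min_files}+ .sophos files within {window}")
                break
    for host, paths in note_paths.items():
        alerts[host].append(f"ransom note dropped: {paths[0]}")
    return dict(alerts)
```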
Image: wallpaper set once encryption completes
Sophos researchers state that, based on the capabilities identified, the harmfulness of SophosEncrypt is more likely to correspond to a