Earlier this week, a new variant of MegaCortex ransomware was found encrypting files and changing victims’ passwords on Windows-based computers. Victims who fail to pay the ransom were as usual threatened that their personal data would be released.

How does the attack work? In short, MegaCortex is executed through other malware files and scripts. Once a system is successfully infected with the malware, MegaCortex is installed through an active directory controller or a post-exploitation kit.

According to Vitali Kremez of Bleeping Computer, MegaCortex variants use the .m3g4cortx extension name. Here is a summary of his technical analysis:

• When MegaCortex is executed, it extracts two files and three scripts into the users’ Temp folder. The first file (the “launcher”) that is used to launch the ransomware itself (which is the second file of the attack) comes with a Sectigo certificate signed for an Australian company, MURSA PTY LTD. Note that this certificate was deemed unreliable by Sectigo (a major SSL certificate provider).
• The scripts then carry out commands to eliminate all copies (even incomplete ones) of the files that the ransomware is set to encrypt and take hostage.
• Once the ransomware installation is done, the affected user sees the ransom note on his/her desktop screen.

Cybercriminal undertakings like this one underline the importance of taking the right cybersecurity measures. Apart from blocking all files sporting the .m3g4cortx extension from computers, said measures involve monitoring all the domains, including subdomains, that are accessing an organization’s networks. Failure to identify unauthorized access and block malicious domains that may possibly bring malware on board can result in system or worse network infection.

As part of their threat identification activities, users can use tools like Domain Research Suite and its components for cybersecurity analysis. Or they can, for example, integrate other tools like Reverse WHOIS API into their existing security solutions to identify potential sources of threats for domain blocking.

Our Investigative Tools: Reverse WHOIS Search and Others

We know from the MegaCortex case that the attackers used emails containing the domain “mail.com”—i.e., MckinnisKamariyah91@mail[.]com and ThomassenVallen1999@mail[.]com.

A quick run of “mail.com” on Domain Research Suite allowed us to pull out the WHOIS record for the domain. As seen below, most of the information is redacted for privacy, indicating the registrant certainly used a WHOIS privacy service not to disclose his personal information:

Despite the little found from the WHOIS record, we then ran a reverse WHOIS search on the registrant’s name, which returned 9 domains. As this number is low, it might be worth looking into each of them to see if these may have ties to malicious activities possibly as victims or perpetrators (note that this can’t be concluded from this brief analysis alone):

Finally, we ran a query for “mail.com” domain on the Threat Intelligence Platform and saw a couple of violations that may require further action:

In fact, given that the domain “mail.com” appears to have ties to malicious activity, as indicated by listings on a botnet command-and-control (C&C) and a spam blacklist, it may be safe to block communications coming from and going to it.

* * *

Allowing threat actors to gain access to your network is synonymous with giving them control over your systems. URL filtering is an effective means to prevent unauthorized system and network access. To avoid threats like MegaCortex, organizations can enable URL filtering on their network with the aid of reverse WHOIS search and other domain research and monitoring tools.