Rewterz Threat Alert – New eCh0raix Ransomware Target (NAS) Devices From QNAP

Rewterz Threat Alert – CryptBot Trojan – Active IOCs

August 11, 2021

Rewterz Threat Advisory –CVE-2021-21501 – Apache Security Vulnerability

August 11, 2021

Rewterz Threat Alert – New eCh0raix Ransomware Target (NAS) Devices From QNAP – Active IOCs

Severity

High

Analysis Summary

The eCh0raix ransomware is ransomware used in a targeted attack, named after a string found in the malware. It doesn’t appear to be intended for mass distribution. The examples with a hardcoded public key appear to have been compiled for each target individually. QNAP NAS could allow a remote attacker to bypass security restrictions, caused by an improper authorization vulnerability when running HBS 3 (Hybrid Backup Sync). An attacker could exploit this vulnerability to log in to a device.

Impact

Credential Theft
Unauthorized Access
File Encryption
Security Bypass

Indicators of Compromise

IP

98[.]144[.]56[.]47
64[.]42[.]152[.]46
183[.]76[.]46[.]30

MD5

2b39cbffdabdda37e3d05fc7603183d0
afa284fac9382378497744e41ae24cca
1b2952d6ccb473fb24e820cdd60c49dd
461117f3dda072abc055ba080f6b21d4
ca1432fadc3b4bef8d582d57ac0e6f5a
516291d10b370c7be3863335cf5d57eb
effe75ab4e438e916c5ea012c450ae23
f628f663871689fb277a83544cc9a798
88e4805cb7e08ffb870d72c56f455b2e
7dfed656ca6a4a14a4e40e2865ba7697
f7f82b546377bb7cacb87b03220a8f8b
10930e9b91df2c91ca6606e8cf304d1f
db9596e7c022bdc053698d31fbdba579
38bdb0cd9d08144d096362ac1a1e4116
91e7c89e6373419c0147dda3f4ba32a9
e5dbaec74d7aa31e0e1af6a56e7a4fce
da34c9a18d9693accc477b12695bcf37
0f43c8c411edff20933370d0a4648ec8
e4acad02236bb70c0150d9e733869cf1
73f329ccdc6abeaada5c187f72fc3dc9
1175c093b7b008cf13a5bc7b93eb9421

SHA-256

fedcce505a5e307c1d116d52b3122f6484b3d25fb3c4d666fe7af087cfe85349
d2ebe2a961d07501f0614b3ba511cf44cb0be2e8e342e464a20633ed7f1fc884
bb3b0e981e52a8250abcdf320bf7e5398d7bebf015643f8469f63d943b42f284
a8accaab01a8ad16029ea0e8035a79083140026e33f8580aae217b1ef216febc
9d4bc803c256bd340664ce08c2bf68249f33419d7decd866f3ade78626c95422
7fa8ebcccde118986c4fd4a0f61ca7e513d1c2e28a6efdf183c10204550d87ce
6df0897d4eb0826c47850968708143ecb9b58a0f3453caa615c0f62396ef816b
670250a169ba548c07a5066a70087e83bbc7fd468ef46199d76f97f9e7f72f36
551e03e17d1df9bd5b712bec7763578c01e7bffe9b93db246e36ec0a174f7467
3c533054390bc2d04ba96089302170a806c5cdb624536037a38c9ecb5aeea75d
36cfb1a7c971041c9483e4f4e092372c9c1ab792cd9de7b821718ccd0dbb09c1
2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce
2e3a6bd6d2e03c347d8c717465fec6347037b7f25adae49e9e089bc744706545
21d5021d00e95dba6e23cee3e83b126b068ad936128894a1750bbcd4f1eb9391
19448f9aa1fe6c07d52abc59d1657a7381cfdb4a4fa541279097cc9e9412964b
154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357
0e4534d015c4e6691ff3920b19c93d63c61a0f36497cb0861a149999b61b98e1
0b851832f9383df7739cd28ccdfd59925e9af7203b035711a7d96bba34a9eb04
039a997681655004aed1cc4c6ee24bf112d79e4f3b823ccae96b4a32c5ed1b4c
230d4522c2ffe31d6facd9eae829d486dfc5b4f55b2814e28471c6d0e7c9bf49

SHA1

2c0aaaf0e536160d232e9a66ebb5a3ea6993a124
67c40c4d11480eae0933c8da4d9a9b45ea214e51
a43cb9204bc5e1b7efb97549715cb8152246e546
583d05411aea34eac3399cf8fd505a8eb93b8f75
987674651a905eeb2905a4e45fc260eaec170b95
52291b1660e73d69ca84175735d49a2b3d771845
c47baef1eef20ac0e5b90a8431296843e6c6c2f8
955db50f05fbf2b96c0e0f0ca860f1d7b67bf2b0
8c634b67265ddf7ea86cb6e4f3a29d8e97ddf5ad
48399aec25e5f5940517a761ff85a542515345ad
90926cb9d4cc98e823b0eb17942e07787a2af620
6b0374473e8ce0cae9c26f7b44351e3339a08a7b
4645ab9178c9cf7330f5b50ddb6b627d58dfd43d
22923202faa4b53629b987d041aeca3e830c99d8
898253ff973fd125e0eb6eb94198f75d5b99f324
6eecf8581c28c083ef65ceff46b3f17e574a08eb
7f67427e9821d846842bd30e19fa3f353b4a1f74
addd8ca06427d8dc7ffa5a16c3746cd61256f196
4f2b535040f466777d333cee8ae4580f3e5d7bda

URL

http[:]//2[.]37[.]149[.]230/1/crp_linux_arm
http[:]//2[.]37[.]149[.]230/1/crp_linux_386

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails.
Search for IOC in your environment.